MS-047.102002: MyCERT Summary Q3 2002Original Issue Date: 24th October 2002
Each quarter, MyCERT issues the MyCERT Quarterly Summary to highlight the types of attacks reported to us, as well as other noteworthy incidents and vulnerabilities information.
The summary includes pointers to sources of information for dealing with the problems, which includes patches.
The number of incidents reported to MyCERT for this quarter has dropped to about 10 percent compared to the previous quarter. The number of reports we received on security incidents involving worm has dropped to about 30 percent compared to previous quarter. We also received about 18 cases of web defacements where about 95 percent of it involved servers running unpatched and improperly configured Windows operating system and IIS web server, and about 5 precent involving unpatched Redhat Linux version 6.2. We also received a huge number of spamming cases, a total of 27 spamming cases for this quarter.
A new outbreak worm was discovered in early July 2002, the W32.Frethem@MM. MyCERT really had a hectic time dealing with the incidents and to produce an advisory to guide Internet users and organisations to deal with this worm. A total number of about 37 incidents were reported to MyCERT on this worm. The outbreak was damaging for a few organisations which were badly affected by this worm.
The Apache worm also emerged in July 2002. However MyCERT did not receive any reports/incidents on this worm although attacks were detected on our sensors. Thus an advisory on this worm was made available at: http://www.mycert.org.my/en/services/advisories/mycert/2002/main/detail/108/index.html
There has been more frequent outbreaks of blended malicious code attacks, with features of Internet worms, email worms and password stealing Trojans. MyCERT do not deal with viruses in general, but such blended attacks are under our observation.
Probably due to the many tools available now in the market, many organisations now have network monitoring devices and going through their logs. Recently many begin to notice anomalous activities within their network such as high bandwidth utilisation even during weekends and unauthorised traffic into the network. In some of these incidents we discovered the problem is due to mis-configuration of devices or abuse of network.
Frethem Worm Attack
The Frethem@MM worm has 12 variants with different characteristics known so far as (A-L). The K variant of the worm was discovered on 12th July 2002 EST time and became wildspread. The earlier variants were discovered in early June. The worm uses both an IFRAME exploit and a MIME exploit, which allow the virus to be executed when you read or even preview the file.
MyCERT has received reports from a few organisations badly affected by this W32.Frethem.K@MM variant which was spreading vigorously.
The advisory on this worm is available at; http://www.mycert.org.my/en/services/advisories/mycert/2002/main/detail/107/index.html
We noticed that for this quarter we have been receiving a high number of incidents on port scannings, about 78 incidents, involving home PCs and organizations' machines. The most targeted ports for scannings are FTP (Port 21), Netbios (Port 137, 138, 139), RPC (Port 111) and SSH (Port 22). Port scannings are done to look for any open ports in order to manipulate the open port into compromising the machine. It is recommended for home users, whose PCs are targeted for port scannings to install personal firewalls in order to alert the owner of any unauthorised scannings to their machine, and to block the IP address where the scanning was made from.
Details on Home User PC protection can be referred at:
Organisations can install network based or host based IDS as a safe protection against such scannings.
MyCERT also received reports on vulnerability scannings which involve mostly scanning for unicode vulnerabilities on IIS servers. Thus it is critical for IIS server owners to take proper measures to patch their servers in order to prevent any compromises of the servers.