MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2003

MS-048.012003: MyCERT Quarterly Summary (Q4) 2002

Original Issue Date: 24th January 2003

Each quarter, MyCERT issues the MyCERT Quarterly Summary to highlight the types of attacks reported to us, as well as other noteworthy incidents and vulnerabilities information.

The summary includes pointers to sources of information for dealing with the problems, which includes patches.

Recent Activity

The number of incidents reported to MyCERT this quarter dropped by about 1.3 percent compared to the previous quarter, a very small decrease. In total, 182 incidents were received this quarter. The number of reports of security incidents involving worms dropped by about 2.3 percent compared to the previous quarter. We did not receive any cases of web defacement; however, we received 6 cases of intrusion involving Linux servers, about 95 percent of which were compromises of unpatched services on Red Hat Linux version 6.2 and included rootkit attacks. We also received a large number of spamming cases, 34 in total for this quarter, an 11.5% increase compared to the previous quarter. Other incidents such as mail bombing, forgery, DoS, destruction and harassment remained low, with an average of 2 incidents reported per category.

Details of the abuse statistics released monthly by MyCERT are available at:
http://www.mycert.org.my/en/services/statistic/mycert/2003/main/detail/349/index.html

A new worm, W32.Bugbear@MM, was discovered on 30th September 2002 (EST) and became an epidemic in early October, persisting throughout the month. About 97% of the worm incidents we received involved W32.Bugbear@MM. The outbreak was so prevalent that many anti-virus vendors graded it as HIGH risk. In addition, we produced an advisory to guide Internet users and organizations in dealing with this worm more effectively.

Currently, with the many tools available in the market, quite a number of organizations have installed network monitoring devices and are checking their logs more regularly. In addition, more and more organizations are becoming alert to anomalous activity within their networks, e.g. bandwidth utilization even during weekends and any kind of unauthorized traffic flowing into the network. However, we discovered that some of these incidents were caused by misconfiguration of devices or internal abuse of the network.

  1. Bugbear Worm Attack

    W32.Bugbear is an Internet worm discovered on 30th September 2002 (EST). Like other mass-mailing worms, it has its own SMTP engine and attempts to spread via email and the network. What sets Bugbear apart is that it has backdoor and key-logging capabilities, and it propagates by exploiting the MS01-020 MIME vulnerability in Microsoft Outlook and Microsoft Outlook Express.

    MyCERT received reports from a few organizations and individuals affected by this worm, which spread quite vigorously in Malaysia. However, we believe the attack was under control, as we did not receive reports of any organizations or individuals being severely affected, as had happened with previous worm attacks.

    A complete SOP on worm handling for organizations is available at:
    http://www.mycert.org.my/en/services/advisories/mycert/2002/main/detail/111/index.html

    The advisory on this worm is available at:
    http://www.mycert.org.my/advisory/en/services/advisories/mycert/2002/main/detail/106/index.html
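
As an added illustration, not part of this MyCERT summary, the following Python check shows the kind of mail-gateway rule that catches the attachment trick behind MS01-020: a MIME part whose declared Content-Type looks harmless (audio, image, text) while its filename is a directly executable type. The sample message and the extension list are constructed for this example.

```python
import email
import os
from email import policy

# Extensions Windows executes directly; the gateway policy assumed here
# rejects these as attachments whatever Content-Type they carry.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
# Top-level media types that look benign and were abused to mask executables.
BENIGN_LOOKING_TYPES = {"audio", "image", "text", "video"}

def suspicious_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment that is executable by filename,
    noting when the declared MIME type disguises it (the MS01-020 pattern:
    an audio/x-wav part whose payload is an .exe the mail client then ran)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = (part.get_filename() or "").lower()
        ext = os.path.splitext(filename)[1]
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        declared = part.get_content_type()
        reasons = ["executable attachment " + filename]
        if declared.split("/")[0] in BENIGN_LOOKING_TYPES:
            reasons.append("MS01-020 style mismatch: declared " + declared)
        findings.append({"filename": filename, "content_type": declared,
                         "reasons": reasons})
    return findings

# Constructed sample: a harmless text body plus an ".exe" labelled as a WAV file.
SAMPLE_MISMATCH = b"""\
From: sender@example.invalid
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Constructed body text.
--b1
Content-Type: audio/x-wav; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"

TVogc2FtcGxl
--b1--
"""
```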

  2. Port/Vulnerability Scanning

    As in the previous quarter, we continued to receive more reports of port scanning and intrusion attempts (under the Hack Threat category): about 99 incidents this quarter, an 11.3% increase compared to the previous quarter, involving mostly organizations' machines. We believe the increase is because more and more organizations are reporting such activity to MyCERT, and that organizations are becoming more aware of unusual attempts and activity directed at their servers. The top targeted ports for scanning were FTP (port 21), NetBIOS (ports 137, 138, 139), RPC (port 111) and SSH (port 22).

    Port scanning is done to find open ports and thereby identify vulnerable services that can be exploited remotely. Some of these exploits can cause complete machine compromise. Port scanning activity increases especially when new exploits or vulnerabilities are discovered.

    MyCERT recommends that system administrators close all ports and unneeded services except the HTTP service; any other ports that need to remain open should be filtered and the services behind them patched accordingly.

    Organizations can install network-based or host-based IDS as a protection against such scanning.

    Home users whose PCs are targeted by port scanning are recommended to install personal firewalls, which alert the owner to unauthorized scanning of their machine and block the source IP address from which the scanning originated.

    Guidance for home users on personal firewalls is available at:
    http://www.mycert.org.my/en/resources/home_user/pc_security/main/detail/520/index.html
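
The following Python detection, added here and not part of the MyCERT summary, applies the advice above to a firewall drop log: it flags sources that probe several distinct ports within a short window (the pattern of a port scan, as opposed to repeated attempts on one service) and names which of the quarter's top targeted ports they touched. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Services the summary names as the most scanned this quarter.
WATCHED_PORTS = {21: "FTP", 22: "SSH", 111: "RPC",
                 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}

# Assumed drop-log format for the constructed sample; a real export differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=\S+ proto=tcp dport=(?P<dport>\d+)$")

def detect_scanners(lines, min_ports=4, window=timedelta(minutes=5)):
    """Return {source_ip: sorted distinct ports} for each source that probed at
    least `min_ports` different ports within `window`; repeated hits on a single
    port (e.g. failed logins) are not counted as a scan."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP drop in the assumed format
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners

def services_touched(scanners):
    """Name the services from WATCHED_PORTS that each flagged source probed."""
    return {src: sorted({WATCHED_PORTS[p] for p in ports if p in WATCHED_PORTS})
            for src, ports in scanners.items()}

# Constructed sample: one sweep over the quarter's top ports, one host retrying
# SSH (not a scan) and one host that only reaches the web port (not a scan).
SAMPLE_LOG = """\
2002-11-03T02:14:07 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=21
2002-11-03T02:14:09 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22
2002-11-03T02:14:12 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=111
2002-11-03T02:14:15 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=139
2002-11-03T02:14:20 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=445
2002-11-03T02:20:01 DROP src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=22
2002-11-03T02:20:30 DROP src=198.51.100.4 dst=192.0.2.10 proto=tcp dport=22
2002-11-03T03:01:00 DROP src=192.0.2.77 dst=192.0.2.10 proto=tcp dport=80
""".splitlines()
```

The flagged source list is what a personal firewall would block, while the service names show which of the quarter's top targeted ports were probed.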

    MyCERT also received reports of vulnerability scanning, mostly scanning for Unicode vulnerabilities on IIS servers.

    It is therefore critical for IIS server owners to patch their servers properly in order to prevent compromise.
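
As an added example (not from the MyCERT summary), this Python snippet shows how an IIS administrator can spot Unicode-vulnerability scanning in W3C request logs: it looks for overlong UTF-8 percent escapes, which well-formed requests never contain, and reconstructs the path an over-permissive decoder would have seen. The log field order and the sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed W3C-style field order for the constructed lines below:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^\S+ \S+ (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) ")
# A lead byte of 0xC0/0xC1 can only encode a code point below 0x80, which
# well-formed UTF-8 never does: such a pair is never a legitimate request.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def overlong_utf8_sequences(uri: str) -> list:
    """Return the percent-decoded overlong UTF-8 pairs present in `uri`."""
    return OVERLONG_RE.findall(unquote_to_bytes(uri))

def lenient_decode(raw: bytes) -> str:
    """Decode like an over-permissive parser: collapse each overlong pair to
    the ASCII byte it hides (C0 AF -> '/', C1 9C -> '\\') and pass every
    other byte through unchanged, so the effective path becomes visible."""
    fold = lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)])
    return OVERLONG_RE.sub(fold, raw).decode("latin-1")

def flag_unicode_probes(lines):
    """Return (client_ip, uri, reasons) for requests that carry overlong
    escapes or would traverse out of their directory once leniently decoded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the assumed format
        reasons = []
        if overlong_utf8_sequences(m["uri"]):
            reasons.append("overlong UTF-8 escape")
        path = lenient_decode(unquote_to_bytes(m["uri"])).replace("\\", "/")
        if "/../" in path:
            reasons.append("traversal after lenient decode")
        if reasons:
            hits.append((m["ip"], m["uri"], reasons))
    return hits

# Constructed sample: a normal page, a valid three-byte UTF-8 file name
# (must not be flagged) and one overlong-escape probe under /scripts.
SAMPLE_IIS_LOG = [
    "2002-11-14 03:12:51 198.51.100.7 GET /default.htm - 200",
    "2002-11-14 03:12:53 198.51.100.7 GET /docs/%e3%81%82.htm - 200",
    "2002-11-14 03:12:55 203.0.113.45 GET /scripts/..%c0%af../probe.txt - 404",
]
```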