MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2003

MS-053.072003: MyCERT Quarterly Summary (Q2) 2003

Original Issue Date: 18th July 2003

The MyCERT Quarterly Summary is issued quarterly to highlight the statistics of attacks/incidents reported, as well as other noteworthy incidents and vulnerability information.

The quarterly summary also points to resources in dealing with problems related to security incidents, inclusive of patches and hardenings.

Recent Activities

For the second quarter of 2003, a total of 271 incidents were received from local and foreign organizations/users. This figure is more than double that of the previous quarter. Hack threat and virus/worm incidents top the list: hack threat reports rose by 33.3% and the number of worm/virus reports tripled compared to the previous quarter.

The number of intrusions reported has tripled compared to the previous quarter. Of the 19 reports, 90% involved unpatched Microsoft IIS web servers and the rest involved older versions of Red Hat Linux machines. 21 spamming cases were reported, 50% more than in Quarter 1. MyCERT also received 7 reports of harassment, the majority of which were referred to law enforcement agencies for further investigation. There were 7 reports of forgery and 3 reports of denial of service. No mailbomb or destruction incidents were reported.

For complete figures and slides on the abuse statistics released by MyCERT monthly, please refer to: http://www.mycert.org.my/en/services/statistic/mycert/2003/main/detail/349/index.html

  1. W32.Sobig.B Worm Attack

    MyCERT received a few reports of W32.Sobig.B worm activity; the worm was first discovered on 18th May 2003 (EST). W32.Sobig.B is a mass-mailing worm that sends itself to all the email addresses found in the Windows Address Book. Its messages appear to have been sent by Microsoft (support@microsoft.com). The worm has strong similarities to W32/Sobig@MM. It is written in MSVC and packed with UPX. It propagates via email and over network shares, and carries its own SMTP engine for constructing outgoing messages. The worm arrives as an attachment with a .PIF extension, 52,898 bytes in size.

    The propagation of the worm in Malaysia was not considered serious, as no severe damage was reported to MyCERT.

    The advisory is available at:
    http://www.mycert.org.my/en/services/advisories/mycert/2003/main/detail/101/index.html

  2. Web Defacements

    During this quarter, we received 16 reports of web defacements involving various local organizations, 80% of which involved the private sector. About 90% were due to unpatched IIS servers; the remainder involved older versions of Red Hat Linux machines.

  3. Port/Vulnerability Scanning

    We continue to receive reports of port scans and intrusion attempts (recorded under the Hack Threat category). About 125 such incidents were reported, targeting organizations' networks, an 89.3% increase compared to the previous quarter. The top targeted ports for scanning are FTP (port 21), NetBIOS (ports 137, 138, 139), RPC (port 111), SSH (port 22) and HTTP (port 80).

    Port scanning is a reconnaissance method that looks for open ports in order to identify vulnerable services that can then be exploited remotely. Some of these exploits can lead to complete compromise of the machine.

    MyCERT recommends the following:

    1. Close all unneeded ports and services; required services, such as HTTP, should be filtered and patched accordingly.

    2. Organizations can install network-based or host-based IDS to alert on scans and other malicious attempts against their hosts.

    3. Home users are recommended to install personal firewalls, which alert the owner to any unauthorized scanning of their machine and block penetration into their system.

    More information on home PC security is available at:
    http://www.mycert.org.my/en/resources/home_user/pc_security/main/detail/520/index.html
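    Recommendation 2 above asks for an IDS that alerts on scans. As an added example that is not part of the MyCERT summary, the following Python detector runs over constructed firewall log lines (the iptables-style line format, the sample addresses and the five-ports-in-sixty-seconds threshold are assumptions): it alerts when one source probes at least five distinct ports within a minute, ignores a slow scanner spread over hours, and annotates the ports the summary names as the most targeted.

```python
# Added example (not from the MyCERT summary): alert when one source probes
# many distinct ports within a short window, over constructed firewall logs.
import re
from collections import defaultdict
from datetime import datetime
# Top targeted ports named in the summary, used to annotate alerts.
WATCHED_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP", 111: "RPC",
                 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}
# Hypothetical iptables-style format: "<date> <time> DROP SRC=<ip> DST=<ip> DPT=<port>"
LINE_RE = re.compile(r"^(\S+ \S+) DROP SRC=(\S+) DST=\S+ DPT=(\d+)$")
# Constructed sample: a fast scanner, a slow scanner, and one host retrying port 80.
SAMPLE_LOG = """\
2003-06-01 10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=21
2003-06-01 10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=22
2003-06-01 10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=80
2003-06-01 10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=111
2003-06-01 10:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 DPT=139
2003-06-01 10:05:00 DROP SRC=203.0.113.9 DST=192.0.2.10 DPT=21
2003-06-01 10:35:00 DROP SRC=203.0.113.9 DST=192.0.2.10 DPT=22
2003-06-01 11:05:00 DROP SRC=203.0.113.9 DST=192.0.2.10 DPT=80
2003-06-01 11:35:00 DROP SRC=203.0.113.9 DST=192.0.2.10 DPT=111
2003-06-01 12:05:00 DROP SRC=203.0.113.9 DST=192.0.2.10 DPT=139
2003-06-01 10:00:01 DROP SRC=198.51.100.5 DST=192.0.2.10 DPT=80
2003-06-01 10:00:09 DROP SRC=198.51.100.5 DST=192.0.2.10 DPT=80
"""

def detect_scans(lines, threshold=5, window_s=60):
    """Return {source: sorted distinct ports} for each source that touched at
    least `threshold` distinct destination ports within any `window_s` span."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # unparseable lines are skipped rather than crashing the detector
            by_src[m[2]].append((datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), int(m[3])))
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # logs may arrive out of order; the window needs time order
        for i, (t0, _) in enumerate(events):  # slide the window start over each event
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= threshold:
                alerts[src] = sorted(ports)
                break
    return alerts

def label(ports):  # annotate summary-listed ports, e.g. 21 -> "21/FTP"
    return [f"{p}/{WATCHED_PORTS[p]}" if p in WATCHED_PORTS else str(p) for p in ports]

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: port scan from {src}: {', '.join(label(ports))}")
```

    Widening `window_s` (for example to two hours) makes the slow scanner 203.0.113.9 alert as well, which is the usual trade-off between catching slow scans and raising false alarms on ordinary traffic.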