Original Issue Date: 19th January 2004
The MyCERT Quarterly Summary is issued every quarter to wrap up the incidents reported to us during the quarter, with brief descriptions and analysis of the major incidents observed. Highlights of the statistics on attacks/incidents reported to us, as well as other noteworthy incidents and new vulnerability information, are included.
Additionally, this summary points to resources for dealing with problems related to security incidents, including patches, service packs, upgrades and hardening guides.
Recent Activities
The fourth quarter of 2003 was not as hectic as the previous quarter. However, we observed some significant incidents which are worth pointing out here. The total number of incidents received for this quarter increased to 2,188, which represents a 28% increase compared to the previous quarter.
Towards the end of December 2003, the Internet community of Malaysia was shocked by the circulation of a suspicious email with misleading contents which requested recipients to click on a website linked in the email. The misleading contents associated Malaysia with terrorism.
MyCERT took the initiative and a pro-active role in investigating this email. Our analysis of those emails showed that once "this site" was clicked, 5 malicious files believed to be Trojans were dropped onto the user's local drive. Once dropped on the local drive, the Trojan made attempts to connect to three (3) foreign hosts, and one (1) of the connections was to the SMTP service of a foreign host.
With regard to this email, we produced an immediate alert published on our websites, mailing lists and in the local press. We also received an overwhelming response and applause from foreign CERTs and anti-virus vendors for our initiative and analysis.
Detailed information on this malicious email is available in our alert at:
http://www.mycert.org.my/en/services/advisories/mycert/2003/main/detail/91/index.html
For this quarter, we also noticed a significant increase in web defacements, with a total of 29 involving private and government domains, compared to only 6 in the previous quarter. Surprisingly, for this quarter we observed an increase in web defacements involving Linux machines running Apache web servers: about 16 of the 29 web defacements involved Linux machines. Previously, we observed that the majority of web defacements involved Microsoft IIS web servers, but the trend has now changed to Linux machines. It looks like hackers are preying more on Linux machines. This may indicate that 'this OS' is no more secure than 'that OS'; what matters is our initiative and attitude in handling and securing the machines.
Our analysis showed that the majority of web defacements were due to vulnerable and unpatched services running on the server. Web defacements involving Linux machines were due to running older versions of Apache servers, PHP scripts and OpenSSL. As for IIS web servers, web defacements were commonly due to the Microsoft IIS extended Unicode directory traversal vulnerability, the Microsoft FrontPage Server Extensions vulnerability and the WebDAV vulnerability.
Details of the vulnerabilities and solutions are available at:
Apache Web Server Chunk Handling Vulnerability
http://www.cert.org/advisories/CA-2002-17.html
Vulnerabilities in PHP File upload
http://www.cert.org/advisories/CA-2002-05.html
Vulnerabilities in SSL/TLS Implementation
http://www.cert.org/advisories/CA-2003-26.html
WEBDAV Vulnerability
http://www.cert.org/advisories/CA-2003-09.html
Microsoft IIS extended Unicode directory traversal vulnerability.
http://www.mycert.org.my/en/services/advisories/mycert/2001/main/detail/127/index.html
We wish to encourage all System Administrators to upgrade and patch the software/services/applications they are currently running. In addition, it is also recommended that they disable unnecessary/unneeded default services supplied by the vendor. Currently, we are noticing a growing number of web defacements of Malaysian websites, with an average of 3 websites per day, and web defacements involving Linux machines are on the rise.
Other Activities
Spam incidents still remain on top with a total of 2,060 incidents for this quarter, representing a 0.6% increase compared to the previous quarter. It is almost impossible to completely eradicate spamming activities; however, they can be minimized to a certain extent. Users may refer to the following tips and guidelines to minimize the annoying spam emails they receive daily.
Tips and help for regular users can be found at http://spam.abuse.net/userhelp/
Virus/worm activities seemed to have slowed down for this quarter. We received a total of 65 virus/worm incidents, which is a decrease of 80% compared to the previous quarter. This is a good sign, showing that Nachi and Blaster worm activities appear to be reducing sharply, as the high number in the previous quarter was due to Nachi and Blaster worm activities.
MyCERT received 9 reports on harassment, a 20% increase compared to the previous quarter; the majority of them were referred to law enforcement agencies for further investigation. Reports on forgery, including Internet scams and phishing scams, decreased to about 50% compared to the previous quarter, with a total of 8 reports received for this quarter. With regard to Internet scam or phishing scam emails, users may refer to the following website for verification.
Phishing Scams
http://www.antiphishing.org/phishing_archive.htm
We received only one report on Denial of Service for this quarter. This quarter witnessed no mailbomb or destruction incidents.
MyCERT continues to receive reports on port scanning and intrusion attempts (under the Hack Threat category). Port scanning is a method of reconnaissance that looks for open ports in order to identify vulnerable services, enabling remote exploitation of the vulnerability. Some of the exploits can cause complete machine compromise.
However, for this quarter we observed a decrease to about 76% in hack threat incidents. We received a total of 16 reports on port scanning, targeting mainly organizations' networks.
MyCERT's findings show that the top targeted ports for scanning are FTP (port 21), NetBIOS (ports 137, 138, 139), RPC (port 111), SSH (port 22) and HTTP (port 80). Windows machines have been a major target for vulnerability scanning.
MyCERT recommends the following preventive measures:
Close all unneeded ports and services; the HTTP service and any other required ports/services should be filtered and patched accordingly.
Ensure all machines/systems are properly patched and upgraded with the latest patches, service packs and upgrades to fix any vulnerability that may be present in the machines/systems.
Organizations can install network-based or host-based IDS to alert on scanning and other malicious attempts against their hosts.
It is recommended that home users install personal firewalls in order to alert the owner to any unauthorized scanning of their machine, and to block any penetration into their system.
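The IDS and firewall recommendations above boil down to noticing when one source touches many ports in a short time. The following is an added illustration, not MyCERT's code or tooling: a small detector that reads firewall-style log lines, groups connection attempts by source address, flags any source that probes several distinct destination ports inside a sliding window, and labels which of the commonly scanned services named in this report (FTP 21, SSH 22, HTTP 80, RPC 111, NetBIOS 137-139) were hit. The log format, the addresses and the timestamps are constructed for the example; the thresholds are assumptions to tune for a real network.

```python
"""Port-scan detector over firewall/IDS log lines (added example, not MyCERT code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the report as the most scanned; used to label alerts.
WATCHED_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP", 111: "RPC",
                 137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}

# Constructed, iptables-like log format: ISO timestamp, then SRC=, DST=, DPT= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample log: 203.0.113.5 sweeps six ports in 15 seconds,
# 198.51.100.7 is ordinary web/FTP traffic spread over minutes,
# and one unrelated sshd line shows that non-matching lines are ignored.
SAMPLE_LOG = [
    "2003-12-05T10:14:02 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21",
    "2003-12-05T10:14:03 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "2003-12-05T10:14:05 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2003-12-05T10:14:08 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80",
    "2003-12-05T10:14:09 sshd[4242]: Accepted publickey for admin from 198.51.100.7",
    "2003-12-05T10:14:11 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=111",
    "2003-12-05T10:14:14 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=137",
    "2003-12-05T10:14:17 kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=139",
    "2003-12-05T10:14:20 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "2003-12-05T10:15:00 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "2003-12-05T10:20:00 kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21",
]


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a matching line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_scans(lines, window_seconds=60, min_ports=5):
    """Flag sources that touch >= min_ports distinct destination ports within
    any sliding window of window_seconds. Returns {src: alert_details}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dpt = rec
            events[src].append((ts, dst, dpt))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_in_window = {dpt for _, _, dpt in evs[start:end + 1]}
            if len(ports_in_window) >= min_ports:
                all_ports = sorted({dpt for _, _, dpt in evs})
                services = sorted({WATCHED_PORTS[p] for p in all_ports if p in WATCHED_PORTS})
                alerts[src] = {
                    "ports": all_ports,
                    "targets": sorted({dst for _, dst, _ in evs}),
                    "watched_services": services,
                }
                break  # one alert per source is enough for this illustration
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect_scans(SAMPLE_LOG)


if __name__ == "__main__":
    for src, details in run_demo().items():
        print(f"possible port scan from {src}: ports {details['ports']} "
              f"({', '.join(details['watched_services'])}) against {details['targets']}")
```

Only the sweeping source is reported; the host that repeatedly visits port 80 and later port 21 never reaches five distinct ports inside a sixty-second window, which is the kind of distinction a personal firewall or IDS needs so that normal browsing does not raise the same alert as reconnaissance.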
More information on home PC security is available at:
http://www.mycert.org.my/en/resources/home_user/pc_security/main/detail/520/index.html
For complete figures and slides on the Abuse Statistics released by MyCERT monthly, please refer to:
http://www.mycert.org.my/en/services/statistic/mycert/2004/main/detail/348/index.html
A situational report on major worm outbreaks in Malaysia up to the year 2003 is available at:
http://www.mycert.org.my/other_resources/NISER-MYC-PAP-7070-1.pdf