MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2006
Bookmark and Share

MS-099.012006: MyCERT Quarterly Summary (Q4) 2005

20th January 2006

The MyCERT Quarterly Summary is a report which includes some brief descriptions and analysis of major incidents observed during that quarter. This report also features highlights on the statistics of attacks/incidents reported, as well as other noteworthy incidents and new vulnerability information.

Additionally this summary also directs to resources in dealing with problems related to security incidents, including patches, service packs, upgrades and hardenings.

Recent Activities

The fourth quarter 2005 was more hectic compared to the previous quarter. There was no significant outbreak in this quarter, but we saw an increase in majority of incidents. Generally, there was a more than 100% increase in the number of incidents in this quarter as compared to the previous quarter. The number of incidents reported for this quarter is 3374 with a majority of incidents were contributed from reports on spam.

Surge in Malicious Codes Incidents

The fourth quarter of 2005 saw a surge in virus/worm incidents with a total of 30 incidents, which is about 87.5% higher than the previous quarter. This was due to the increase in worm activities in December 2005, with the release of W32.Dasher worm.

W2.Dasher is a mass mailing worm that spreads by exploiting Microsoft Windows Vulnerabilities in MSDTC and COM+ (as described in Microsoft Security Bulletin MS05-051) on TCP port 1025, TCP port 53 (W32.Dasher.B and W32.Dasher.C ) and TCP port 21211 (W32.Dasher.B and W32.Dasher.C) after deploying itself on a vulnerable host.

Based on number of reports received, currently no strong evidence indicating widespread infection or scanning activity relating to W32.Dasher worm and its variants in our constituency, but MyCERT advises users and organizations to patch vulnerable systems and take the prevention actions as provided below to prevent against the worm infection and future incidents that may targets this vulnerability.

MyCERT had released an immediate alert to the MyCERT Announcement List as well on its website on this worm. The alert is available at:

MyCERT Special Alert: MA-098.122005: MyCERT Special Alert - W32.Dasher Worm
http://www.mycert.org.my/en/services/advisories/mycert/2005/main/detail/47/index.html

MyCERT advise users to always take precautions against worms activities, even though no worm outbreaks was observed within our constituency this quarter. Some of the precautions that users can take are:

  • Email Gateway Filtering

    Sites are encouraged to apply filters at email gateways to block any attachments associated to the worm.

  • System/Host

    1. Users must make sure that their PCs are installed with anti-virus softwares and are updated continuously with the latest signature files. Users who do not have an anti-virus installed on their PCs may download an anti-virus from the following site:

      http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html

    2. Users need to make sure that their PCs/machines are always updated with the latest service packs and patches as some worms propagate by exploiting unpatched programs present in PCs/machines.

    3. Users are also advised to install personal firewalls, such as Zone Alarm on their PCs/machines.

    4. Organizations are also advised to close unnecessary services and ports except for http port. If other services/ports need to be utilized, then they should be filtered to allow authorize users only.

  • Safe Email Practices

    MyCERT strongly advice users not to open any unknown attachments that they receive via emails. Any suspicious emails shall be deleted or forwarded to the respective ISPs or CERTs for verification. Users may refer to the following guidelines on safe email practices:

    http://www.mycert.org.my/en/resources/email/email_practices/main/detail/512/index.html

Continuous Phishing Activities with More Local Machines Becoming Targets

Forgery incidents is still on continuous with a slight increase compared to previous quarter. A total of 48 incidents were received compared to 35 in previous quarter, which represents a 37.1% increase. Majority of Forgery incidents were phishing activities which mainly involved foreign financial institutions such as the Ebay and Paypal. As was in previous quarter, in this quarter we continued to receive series of reports from foreign financial organizations and foreign CERTs regarding phishing sites hosted on Malaysian servers. MyCERT responded to the reports by communicating with the respective ISPs, Data Centers and Organizations to remove the phishing sites and within 6 hours or less the phishing sites were removed successfully. We had also advised the respective ISPs, Data Centers and Organizations to investigate the affected machines and rectify them as we believe the machines were compromised due to some unfixed/unpatched vulnerability.

MyCERT strongly urges users who receive emails purportedly from financial institutions requesting to change their logon and password to ignore/delete such emails immediately. Users are also advised to refer and verify any such emails with their ISPs, CERTs or with the Particular Financial institutions mentioned.

In addition, MyCERT also advise organizations to secure and harden their servers to prevent their servers from compromised and used for malicious purposes, such as to run phishing sites.

Besides phishing reports, MyCERT also received few reports from our constituency regarding internet scams, that worth to be highlighted here. We received reports of users being cheated over the internet of some scams that promise high return of money. Users had been cheated after they had made deposits to the fraudsters accounts but did not receive anything in return.

We also found out that some scams had manipulated names of some local Law Enforcement Agencies in convincing users to believe in their activity. Based on our analysis, we found the websites used to run the scams are registered and hosted in foreign countries, however we believe some of the actual operators of the scams are based in Malaysia, by looking at the nature and modus operandi of the scams. Most of the internet scam cases are referred to the Law Enforcement Agencies, such as the Police and the Bank Negara Malaysia.

MyCERT advise users not to deposit or pay any amount of money to another party except to licensed financial institutions. Users who receive any such scam/suspicious emails that requests users to bank in certain amount of money to an account to ignore the email. Users may also verify such emails with their ISPs, CERTs or with Bank Negara Malaysia.

Increase in Harrassment

Incidents on harassment had increased to 100%, with 14reports received for this quarter compared to 7 reports on previous quarter.

Majority of harassment incidents received, involved harassments committed via emails, chat forums and web forums. Most of harassment reports were referred to the Law Enforcement Agencies for further investigation. MyCERT had also assisted the Law Enforcement Agencies, such as the police in investigating some harassment incidents that were reported to the police.

MyCERT advise users who are harassed via Internet or any individuals who observed any kind of harassments via web forums, which has religious, social, political or economic implications to report to MyCERT for further analysis.

In addition, we also advise users to be more careful while communicating on the net, either via emails, chat forums or web forums. They should never reveal or upload their personal information such as their contact numbers, home/office address, photos/pictures on the net or to untrusted parties as these information could be abused by irresresponsible people for malicious purposes.

Significant Drop in Intrusion Incidents

Incidents on Intrusion had dropped to 22 for this quarter from 86 in the previous quarter. It represents a significant 74.4% decrease. Web defacements still remain the top Intrusion incident compared to other Intrusions such as root compromise. However, the figure had dropped compared to previous quarter. We noticed no alarming increase in web defacements since the mass defacements in March 2005.

Nevertheless, users/organizations must be vigilant with the latest statistics on intrusions. System Administrators must always upgrade and patch softwares/services/applications they're currently running. In addition, it is also recommended to disable unneeded default services supplied by vendors, such as the FTP, TELNET, otherwise they must filter those services to authorized users only. Our analysis showed that majority of Intrusions reported to us were mostly due to vulnerable and unpatched services running on the server, besides due to some scripting and programming flaws.

Web defacements involving Linux machines were mainly due to running of older versions of the Apache servers, PHP scripts and OpenSSL. As for IIS web servers, web defacements were commonly due to Microsoft IIS extended Unicode directory traversal vulnerability, Microsoft Frontpage Server Extension vulnerability and WEBDAV vulnerability.

Details of the vulnerabilities and solutions are available at:

  1. Apache Web Server Chunk Handling Vulnerability
    http://www.cert.org/advisories/CA-2002-17.html

  2. Vulnerabilities in PHP File upload
    http://www.cert.org/advisories/CA-2002-05.html

  3. Vulnerabilities in SSL/TLS Implementation
    http://www.cert.org/advisories/CA-2003-26.html

  4. WEBDAV Vulnerability
    http://www.cert.org/advisories/CA-2003-09.html

  5. Microsoft IIS extended Unicode directory traversal vulnerability
    http://www.mycert.org.my/en/services/advisories/mycert/2001/main/detail/127/index.html

Web servers running Windows IIS servers, may use the IIS Lockdown tool to harden their server.

IIS Lockdown Wizard version 2.1 works by turning off unnecessary features, thus reducing attack surface available to attackers.

The IIS Lockdown tool can be downloaded at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en

Web server running on Linux, may use the TCP filtering mechanism such as TCP Wrappers at the server or gateway level. TCP Wrappers is a tool commonly used on UNIX systems to monitor and filter connections to network services.

TCP Wrapper can be downloaded free at:
http://www.cert.org/security-improvement/implementations/i041.07.html

Decrease in Hack Attempts

Incidents on hack attempts showed a decrease of 18.8% in this quarter. A total of 13 reports were received on hack attempts for this quarter compared to 16 in the previous quarter, which targets mainly on organizations' systems and networks. Home users PCs are also becoming the attackers target on port scannings. Besides reports from our constituency, we also received reports from foreign complainants regarding hack attempts originating from local IP addresses.

MyCERT's findings for this quarter showed that the top targeted ports for scanning are SSH (TCP/ 22), HTTP (TCP/ 80), MS SQL (TCP/1433), which could be possibly due to newly discovered vulnerability on that services. Port scannings are actively carried out, using automated or non-automated tools once a new bug or exploit is released to the public. Besides scanning for open ports, scannings are also actively done to detect any machines running vulnerable programs and scripts, such as scanning for Unicode vulnerability on IIS web servers and scanning machines running vulnerable PHP scripts.

  • Close all ports or unneeded services except http service and other required ports/services should be filtered and patched accordingly.

  • All machines or systems are properly patched and upgraded with latest patches, service packs and upgrades to fix any vulnerability that may present in the machines or systems.

  • Organizations can install network based or host based IDS to alert scannings and other malicious attempts to their hosts.

  • Home users are recommended to install personal firewalls in order to alert the owner of any unauthorized scanning to their machine, and to block any penetration into their system.

More information on home PC security is available at: http://www.mycert.org.my/en/resources/home_user/pc_security/main/detail/520/index.html

Other Activities

Spam

Spam incidents still remain on top with a total of 3247 reports which represents a more than 100% increase compared to previous quarter. The main reason for this significant increase is because more and more sophisticated techniques are being used by spammers in carrying their activities. Some spam techniques can even bypass spam filters. The spammers have learned to combine many techniques to improve their activities, often called blended techniques, which are more effective.

Spam has developed from a mere nuisance into an epidemic that threatens all enterprise messaging.There is no perfect technique/tool to eradicate spams totally however there are techniques that can be used to minimize spam emails. Organizations are advised to install anti-spam filters at their email gateways to minimize spam emails and end users are also advised to apply appropriate filters at their PCs to minimize spam emails.

Denial of Service

In this quarter, we did not receive any reports on Denial of Service as was in previous quarter.

Conclusion

Overall, the number of incidents reported to us had increased to more than double compared to the previous quarter. In this quarter we also observed increases in most of security incidents. Forgery, Harassment incidents continued to increase and malicious code incidents had increased significantly compared to previous quarter. Spam incidents had increased to more than 100% compared to previous quarter. Incidents on Intrusion had decreased tremendously compared to previous quarter. Generally, no crisis or sigificant attack/incident was observed for this quarter that caused severe impact to the constituency. Nevertheless, we advise users and organizations to take precautious measures to protect their sytems and networks from security incidents.

Complete figures and statistics graph on the Abuse Statistic released by MyCERT monthly is available at:
http://www.mycert.org.my/en/services/statistic/mycert/2006/main/detail/346/index.html