MS-125.022008: MyCERT Quarterly Summary (Q4) 2007

Original Issue Date: 15th February 2008

The MyCERT Quarterly Summary includes some brief descriptions and analysis of major incidents observed during that quarter. This report highlights statistics of attacks or incidents reported to MyCERT, as well as other noteworthy incidents and new vulnerability information. MyCERT believes these statistics are only a tip of the iceberg. Internet users are encouraged to report computer security incidents to MyCERT in order for us to assist those affected.

In addition, this summary also directs to resources in dealing with problems related to security incidents, including patches, service packs, upgrades and hardening techniques.

Recent Activities

In the quarter Q4 2007, a total of 9086 incidents were reported to MyCERT representing a 3.37 increase compared to Q3 2007, where we saw a decrease in incidents. About 95.92% of total incidents reported this quarter is contributed by spam reports. No major outbreak was observed this quarter and no significant increase in any particular incidentWe observed 3 types of incidents reported increased and another 3 types of incidents reported had decreased. The other 1 incident remained same as was in previous quarter. Incidents that had increased in this quarter are fraud, malicious code and spam. Other incidents that showed decrease in this quarter are harassment, hack threat and denial of service. Intrusion remained same as was in previous quarter.

Attached is the table of figure:

Table of Figure for Q1 2007 and Q2 2007

Graph on Harassment, Fraud, Hack Threat, Malicious Code, Denial of Service, Intrusion for Q2 and Q3

Graph on Spam Incident for Q2 and Q3

Increase in Fraud Incidents

This quarter saw an increase in fraud incidents to 18.99%, which comprised of 94 reports compared to 79 reports in previous quarter. The majority of the fraud incident reported to us are mainly phishing incidents impersonating local and foreign financial institutions, with majority of the phishing sites impersonating foreign banks. Other types of fraud incidents reported to us are suspicious online investments, suspicious ponzi or pyramid schemes and misuse of organization's Intellectual Property such as logo, URL, domain name for promoting illegal activities on the net.

In this quarter we received several reports from foreign observers regarding suspicious ponzi schemes sites, about 15 sites hosted in our constituency. However, MyCERT had escalated the reports to the Enforcements for investigation/verification of such schemes before the closure of the sites. Other than that MyCERT also received several reports from home users on suspicious online investment schemes and online fraud activities. More than 10 such reports were received.

In this quarter, we also received several reports regarding Intellectual Property infringement. Several organizations logo/trademark/domains/URLs were misused without the owners’ permission for suspicious activities on the net.

MyCERT had notified the respective ISPs, in which the sites are hosted, mainly in foreign countries for removal of materials that infringes the Intellectual Property. In addition, the respective organizations were also advised to refer to their Legal Departments.

As precautions against online fraud activities, computer users should be careful about disclosing confidential, personal or financial information online unless they know that the request for such is legitimate and users are also advised not to deposit or make payment to unknown third party's account.

User may refer to the following guide on safeguarding against fraudulent emails and phishing attempts:

http://www.mycert.org.my/en/resources/email/email_tips/main/detail/513/index.html

Increase in Malicious Code Incidents

Malicious code incidents continue to increase in this quarter compared to previous quarter. A total of 72 incidents were reported compared to 58 in previous quarter. In this quarter, we received many reports from foreign CERTs and foreign security organizations regarding drones/bots, control & command (C&C) server of botnets and malicious files hosted on machines hosted in Malaysia. Some of these reports contained IPs that had been repeatedly reported to us previously . In all of the instances, MyCERT had notified the respective machines’ administrators.

When it comes to botnet activities,There were only a handful of cases involving botnet C&C hosted in Malaysia. The majority of the reports involved bot infected computers, most of which are home user machines. Since these bots are normally used to carry out malicious activities such as spamming, ddos attacks, phishing and spreading malware.

In this quarter, MyCERT also received several reports from a foreign CERT regarding some details found on servers at their side which was used by keylogging trojans to log keystrokes. This is made possible when PCs are compromised with keylogging trojans, that captures users keystrokes, primarily user ID and password. These keylogging trojans will send out information captured to specific servers. The particular account usernames/passwords captured belong to critical industries, such as ISPs and internet bankings.

We advise users to safe-guard their PCs against Trojan, backdoor and worm infections. Users may refer to the below guidelines:

1. Ensure computers are installed with anti-virus software and are frequently updated with the latest virus signatures. Users without anti-virus installed on their PCs may download commercial or free anti-virus from the following site:
   
   http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html
   
   
2. Ensure computers are always updated with the latest service packs and patches, as some worms propagate by exploiting unpatched programs present in computers.
   
   
3. Enable personal/host-based firewalls on PCs.
   
   
4. PC users are also advised not to view, open or execute any e-mail attachment unless it is expected or its purpose known to the recipient.

Decrease in Hack Threat Activities

Incidents involving hack threat decreased to 8.3343% in this quarter. A total of 11 reports were received on hack attempts for this quarter compared to 12 in the previous quarter. Majority of hack threat reports were received from foreign organizations with the source of the hack threats are from IPs belonging to our constituency. Hack threats targeted mainly organizations' systems/networks involving network and host scanning activities. Besides organisations’ systems/network, home PCs are also becoming popular targets of hack threat activities.

MyCERT's findings for this quarter, as was in previous quarter showed top ports commonly targeted were SSH (TCP/ 22), FTP (TCP/21) and HTTP (TCP/ 80). Port scans are actively done once a new bug or exploit is released publicly, using either automated or non -automated tools. Attackers are also scanning for programmes and applications that are vulnerable or exploitable.

Decrease in Denial of Service Incidents

In this quarter, reports on denial of service had decreased to about 85.71%. The number had decreased from 7 incident in previous quarter to 1 incident in this quarter. The denial of service attack consists of sending huge, continuously to a system, causing the system to slowdown or choked. In distributed denial of service attacks, the source of the attacks mostly come from various multiple IPs and majority of denial of service attacks originate from 1 single IP address.

Decrease in Harassment Incidents

Number of incidents received on harassment had decreased to 12 compared to 15 in previous incidents which represents 20% decrease. Harassment incidents reported to us this quarter involved harassments via emails, web forums. This involves sending of constant threatening or defamatory emails to victims and posting defamatory pictures and messages on web forums against victims with malicious intent. In most incidents, the defamatory pictures and messages were removed after MyCERT notified the respective ISPs and source of most harassing emails were traced by the ISP. However, majority of harassment incidents were referred to the Law Enforcement Agencies for their further investigation.

Intrusion Incidents Remains

Incidents on intrusion remained same as was in previous quarter, with 216 reports. Majority of intrusion incidents are web defacements which mainly involve .my sites. Some of the web defacements are re-defacements of the same sites over the year.

In this quarter, we also received several reports on intrusion involving .my websites that especially exploited the RFI as well as the SQL injection and PHP.

Some quick workarounds that can be done to prevent future web defacements are:

[1] Using mod_security to prevent generic attacks - SQL injection, XSS, and (RFI). On Apache web server.

Pls refer at:
Modsecurity http://www.modsecurity.org/

[2] Checking permission - making sure directories have correct permissions.

2.1 To Check Permision on Linux

shell> ls -alh
shell> drwxrwxrwx owner owner_group size_of_file date_created file_name/dir_name

Please make sure the permission files is not configure to allow all permission

(rwxrwxrwx)

2.2 To Check Permision on Windows

Right click and select properties

Pls refer at:

Checking web permission
http://www.w3.org/Security/Faq/wwwsf3.html

[3] Pls refer to PHP security checklist for workarounds on PHP.

PHP security checklist
http://aymanh.com/checklist-for-securing-php-configuration

[4] Secure the webserver byreferring to the below checklist.

Web server security checklist

IIS:
http://msdn2.microsoft.com/en-us/library/aa302351.aspx

Apache:
http://httpd.apache.org/docs/2.0/misc/security_tips.html

[5] We also advise you to audit your web applications to check if there are any flaws on them and reectify them immediately, if yes.

[6] If you are running SQL, we advise you to use input VALIDATION to prevent your website being defaced via the SQL Injection.

[7] If you are running an older version of PHP Script, you need to patch or upgrade it to the latest version which is PHP 4.3.10. The latest version of PHP can be downloaded at:

http://www.php.net/downloads.php

In addition to the above preventive measures, we also advise System Administrators to check their system in case it has been installed with any backdoors or Trojan programs.

Simple guides are as follows:

1. System administrators are advised to regularly monitor / check their systems.
   
   
2. Check for any newly added user account in the userlist. You may check at the shadow file, sam file etc.
   
   
3. Check for any suspicious connection on the open ports, esp on bigger port number.
   
   
4. Scan your server for any kind of backdoor. Use tripwire to check for any signs of backdoor or trojan. This will only be effective if your version of the software is clean prior to applying tripwire.
   
   Pls refer to:
   http://www.tripwiresecurity.com
   
   
5. Check and look for any suspicious shell programs.
   
   
6. Use URLScan to filter HTTP requests. Many IIS exploits, the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks. The URLScan filter can be configured to reject such requests before the server attempts to process them.
   
   The URLScan filter can be downloaded separately from Microsoft at
   
   URLScan Filter
   http://www.microsoft.com/technet/security/tools/urlscan.asp
   
   
7. Download and use IIS Lockdown Tool version 2.1.Running the IIS Lockdown Wizard in "custom" or "expert" mode will allow you to make the following recommended changes to an IIS installation:
   

   a. Disable WebDAV (unless your environment absolutely requires it for web content publishing).
   
   b. Unmap all unnecessary ISAPI extensions (including .htr, .idq, .ism, and .printer in particular).
   
   c. Eliminate sample applications.
   
   d. Forbid the web server from running system commands commonly used in a compromise (e.g., cmd.exe and tftp.exe).
   

   IIS Lockdown can be downloaded
   http://www.microsoft.com/technet/security/tools/locktool.mspx

   
   

Note: If some applications requires these services which had beenpreviously removed by Lockdown, the setup can be restored by having the undo files located at n32\inetsrv\oblt-log can be used to recover previous settings.

1. Close all unnecessary services or ports.
   
   
2. Close all unnecessary applications.
   

Pls check on the above vulnerabilities and make sure measures are taken to fix any such vulnerability that may present in your system. We advise/urge System Administrators to contact MyCERT immediately if they detected defacement to their websites or detected any attempts to deface their sites and forward us a copy of the "intrusion log" for analysis and consolidation.

Other Activities

Spam

Spam incidents had increased slightly to 3.31% in this quarter compared to the previous quarter. A total of 9400 reports were received compared to 9099 reports in previous quarter. Spam incidents remains as the incident with highest number of reports received compared to other incidents. Spam has developed from a mere nuisance into an epidemic that threatens end users and organizations. Spam threats are also fast developing with sophisticated spam techniques and tools moreover with programs like spambots designed to collect email addresses from the Internet. The email addresses are collected in order to build mailing lists for sending unsolicited e-mail/spams. A spambot is a type of webcrawler that can gather e-mail addresses from Web sites, newsgroups, special-interest group (SIG) postings, and chat-room conversations. Because e-mail addresses have a distinctive format, spambots are easy to write.

There are also spambots used to post spam links to guestbooks, wikis, blogs, forums and any other web forms to boost search engine ranking. This category of spambot has gained considerable notoriety since November of 2006, with the introduction of XRumer a forum and wiki spambot which can often bypass many of the safeguards administrators use to reduce the amount of spam posted.

There are no perfect techniques or tools to completely eradicate spams, however there are techniques that end users and organizations can implement to minimize them, such as installing anti-spam filters at email gateways and applying appropriate email filters at end users’ email clients. Users are also advised not to respond nor purchase products promoted via spams.

Graph on Spam

Alerts & Advisories

In this quarter, we had released two advisories related to critical vulnerabilities that exist in two commonly used softwares, the Apply Quicktime and the RealPlayer. They are the Apple Quicktime - RTSP "Content-Type" Header Buffer Overflow and the RealPlayer - ActiveX Arbitrary Command Execution.

The advisories are available at:

• Apple Quicktime - RTSP "Content-Type" Header Buffer Overflow
  http://www.mycert.org.my/en/services/advisories/mycert/2007/main/detail/501/index.html
  
  
• RealPlayer - ActiveX Arbitrary Command Execution
  http://www.mycert.org.my/en/services/advisories/mycert/2007/main/detail/488/index.html

Research Network Activities

The CyberSecurity Research Network monitoring objectives are:

• To monitor the network for suspicious traffic as well as to monitor for the occurrence of known malicious attacks.
  
  
• To observe attacker behaviour in order to learn new techniques being deployed, to determine the popular techniques that are currently being used as well as to confirm the continued use of old and well known attack techniques.
  
  
• To compile and analyse sufficient relevant information of which the results can be used to alert the community at large to the possibility of imminent cyber attacks on local networks.
  

Attached some traffic analysis that we produced based on our observation on our Research Network for this quarter.

Top Ten Attacking IPs by Countries

Top Ten Alert Generate

Conclusion

Overall, the number of incidents reported to us had increased to 3.20% compared to previous quarter with incidents mainly contributed from spam incidents. Other reports that contributed highly to the number of incidents received are frauds consistingof phishings, suspicious online investments, ponzi schemes and malicious codes which consists of reports of botnets, control & command server, drone activities hosted on local machines. We advise System Administrators to take precautions on these activities and prevent their machines to become targets. Neither crisis nor outbreak was observed this quarter. Nevertheless, users and organizations are advised to always take measures to protect their systems and networks from threats. We strongly advise users/organizations to report and seek assistance from MyCERT in the event of any security incidents.