MS-130.022008: MyCERT Quarterly Summary (Q1) 2008

Original Issue Date: 21st April 2008
Last Updated: 23 May 2008

1.0 Introduction

The MyCERT Quarterly Summary includes some brief descriptions and analysis of major incidents observed during that quarter. This report highlights statistics of attacks or incidents reported to MyCERT, as well as other noteworthy incidents and new vulnerability information.

MyCERT believes these statistics are only the tip of the iceberg. Internet users are encouraged to report computer security incidents to MyCERT so that we can assist those who are affected.

In addition, this summary also points to resources for dealing with problems related to security incidents.

2.0 Incident Reports

In the first quarter of 2008 (Q1), a total of 10354 incidents, inclusive of spam incidents, were reported to MyCERT, representing a 5.59% increase compared to Q4 2007. The majority of the incidents reported this quarter were spam reports. There were no critical outbreaks in terms of malware or exploitation, nor any significant increase in a particular incident type that raised alerts in our constituency. All categories of incidents classified by MyCERT, such as intrusion, hack threat, malicious code, denial of service and spam, had an increasing number of incidents. On the other hand, fraud and harassment .

Attached is the table showing the number of reports received for all types of incidents in Q1 2008:

2.1 Malicious Codes

Malicious code incidents continued to increase in this quarter compared to the previous quarter. A total of 79 incidents were reported, compared to 72 in the previous quarter. In this quarter, we received many reports from foreign CERTs and security organizations regarding bot-infected machines (drones), command and control (C&C) servers of botnets, and malicious files hosted on machines in Malaysia. Some of these reports contained IP addresses, most of them on home user networks, that had been reported to us previously. In all of these instances, MyCERT notified and assisted the respective ISPs with bot removal and mitigation strategies. These bots are normally used to carry out malicious activities such as spamming, executing denial of service attacks, hosting phishing sites and spreading malware.

In this quarter, MyCERT observed and reported 2,429 IP addresses that are believed to be infected with bots and used as drones of one or more botnets. The following graph shows the number of IP addresses in Malaysia infected with bots in Q1 2008.

MyCERT had also responded to 10 incidents involving botnet command and control infrastructure operating in Malaysia.

Other incidents in this category include the discovery of servers storing confidential information, such as usernames and passwords harvested from unsuspecting end users, mostly for internet banking accounts. MyCERT dealt with such incidents by notifying the organisations that manage the account credentials.

The following graph shows breakdowns of malware incidents received in this quarter:

We advise users to safeguard their computers against malware infection. Please visit the following URL for some tips on this topic: http://www.esecurity.org.my/adult-malware.htm

2.2 Hack Threat

MyCERT received 15 reports in the hack threat category. Most of the hack threat reports were received from foreign security organizations, where the sources of the attacks were Malaysian IP addresses. Some of the common attacks observed were SSH brute-force attacks, scanning, and other malicious or suspicious activities that triggered alerts.

MyCERT's findings for this quarter, as in the previous quarter, showed that the top ports commonly targeted were SSH (TCP/22), FTP (TCP/21) and HTTP (TCP/80).
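The SSH brute-force activity described above is usually visible in the target's own sshd log as a burst of failed logins from one source. The following detector is an added example (not MyCERT's code) run over constructed sample log lines; it flags a source only when its failures cluster inside a sliding time window, so an isolated failure or two per hour is not reported. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth-log lines (OpenSSH format); not taken from the report.
SAMPLE_LOG = """\
Mar 12 03:14:01 host sshd[2311]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar 12 03:14:03 host sshd[2311]: Failed password for root from 192.0.2.10 port 51023 ssh2
Mar 12 03:14:05 host sshd[2314]: Failed password for invalid user admin from 192.0.2.10 port 51024 ssh2
Mar 12 03:14:07 host sshd[2316]: Failed password for invalid user test from 192.0.2.10 port 51025 ssh2
Mar 12 03:14:09 host sshd[2318]: Failed password for root from 192.0.2.10 port 51026 ssh2
Mar 12 03:20:44 host sshd[2390]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar 12 09:30:00 host sshd[3001]: Failed password for root from 203.0.113.5 port 6000 ssh2
Mar 12 10:30:00 host sshd[3002]: Failed password for root from 203.0.113.5 port 6001 ssh2
"""

# Matches only failed-login lines; sshd adds "invalid user" for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: (total_failures, sorted usernames tried)} for sources with
    at least `threshold` failures inside any `window_seconds` span (sliding window,
    so slow failures spread hours apart are not flagged)."""
    stamps_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for ts, ip, user in parse_failures(log_text):
        stamps_by_ip[ip].append(ts)
        users_by_ip[ip].add(user)
    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(stamps), sorted(users_by_ip[ip]))
                break
    return hits
```

On the sample, only 192.0.2.10 is flagged (five failures in eight seconds across three accounts); the two failures from 203.0.113.5 an hour apart stay below the window threshold.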

2.3 Denial of Service

In this quarter, reports on denial of service increased by more than 100%. The number rose from 1 incident in the previous quarter to 5 incidents in this quarter. A denial of service attack consists of continuously sending huge volumes of traffic to a system, causing the system to slow down or choke. In distributed denial of service attacks the traffic mostly comes from many different IP addresses, whereas the majority of denial of service attacks originate from a single IP address. Most of the denial of service attacks we receive are SYN flood attacks, which were successfully handled or stopped by blocking the source of the attack at the customers' upstream router.
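To act on the single-source versus distributed distinction made above, a responder needs per-source SYN counts and handshake completion rates from the upstream flow records. The following is an added example (not MyCERT's code) over constructed connection records: it picks out sources that send many SYNs that almost never complete a handshake, and reports whether the offending traffic is concentrated in one source (a candidate for the upstream block the report describes) or spread across many. The record shape and thresholds are assumptions.

```python
from collections import Counter

def build_sample_flows():
    """Constructed sample connection records (src_ip, dst_port, handshake_completed);
    not taken from the report. One source floods port 80 with SYNs that never
    complete, while twenty legitimate clients mostly complete their handshakes."""
    flows = [("203.0.113.9", 80, False)] * 400
    for i in range(1, 21):
        flows += [(f"198.51.100.{i}", 80, True)] * 5
        flows += [(f"198.51.100.{i}", 80, False)]
    return flows

def classify_syn_sources(flows, min_syns=50, max_completion=0.1):
    """Return (offenders, distributed).

    offenders: {src_ip: (syn_attempts, completed_handshakes)} for every source
      with at least `min_syns` attempts whose completion ratio is below
      `max_completion` (many half-open connections = SYN flood signature).
    distributed: True when no single offender accounts for more than half of
      the offending SYNs, i.e. the attack looks distributed rather than
      originating from one IP address that could simply be blocked upstream."""
    attempts, completed = Counter(), Counter()
    for src, _port, done in flows:
        attempts[src] += 1
        if done:
            completed[src] += 1
    offenders = {}
    for src, n in attempts.items():
        if n >= min_syns and completed[src] / n < max_completion:
            offenders[src] = (n, completed[src])
    total = sum(n for n, _ in offenders.values())
    top = max((n for n, _ in offenders.values()), default=0)
    distributed = bool(offenders) and top <= total / 2
    return offenders, distributed
```

For the constructed sample the only offender is 203.0.113.9 with 400 half-open attempts and no completed handshakes, and the attack is classified as single-source.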

2.4 Intrusion Incidents

MyCERT received 37 reports related to intrusion in this quarter. The majority of the incidents in this category were defacements (or, in some incidents, re-defacements) of websites hosted in Malaysia. Most of these defacements were caused by web application vulnerabilities such as remote file inclusion and SQL injection.

In the previous quarterly report, MyCERT discussed possible workarounds to prevent these kinds of attacks; the report can be viewed at:

http://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/564/index.html

2.5 Harassment

MyCERT responded to 8 incidents in the harassment category. The cases range from email threats to defamatory messages on internet forums and social networks. In handling harassment incidents, MyCERT works closely with the relevant ISPs and law enforcement agencies.

2.6 Fraud

This quarter saw a 6.38% decrease in fraud incidents, comprising 88 reports compared to 94 reports in the previous quarter. The majority of fraud incidents reported were phishing incidents involving local and foreign financial institutions or brands. The breakdown of local and foreign phishing sites is shown below:

Other types of fraud incidents reported to us were suspicious online investments, Ponzi or pyramid schemes, and misuse of an organization's intellectual property, such as its logo, URL or domain name, to promote illegal activities on the net.

In this quarter we received 22 reports from security agencies and local home users regarding businesses promoting suspicious get-rich-quick schemes. MyCERT escalated the reports to the relevant enforcement agencies for verification and investigation of such schemes before the closure of the sites. MyCERT also received 4 reports from home users on suspicious online investment schemes and online fraud activities.

In this quarter, MyCERT handled 4 incidents involving domain name disputes. Several domains were registered by unknown parties impersonating well-known organizations' domain names, and were mostly set up for suspicious activities. MyCERT advised the affected organizations to refer the matter to their legal departments, which can consult the relevant domain dispute resolution policies before any action is taken.

Attached is the graph showing the breakdown of the types of fraud incidents received in this quarter:

As a precaution against online fraud, computer users should be careful about disclosing confidential, personal or financial information online unless they know that the request for it is legitimate. Users are also advised not to deposit or make payments to an unknown third party's account.

Users may refer to the following guide on safeguarding against fraudulent emails and phishing attempts:

http://www.mycert.org.my/en/resources/email/email_tips/main/detail/513/index.html

2.7 Vulnerabilities Reported

In this quarter MyCERT also received 23 reports from various sources regarding web application vulnerabilities found on Malaysian websites. The vulnerabilities include SQL injection, directory listing, and weak administrator passwords. In such instances, MyCERT verifies the report and informs the respective system administrator so that the vulnerabilities can be fixed before any untoward incident occurs.

The following page lists some steps that administrators can take to prevent SQL injection attacks:

http://www.mycert.org.my/en/resources/web_security/main/main/detail/572/index.html

For choosing strong passwords, administrators may refer to the following guidelines:

http://www.us-cert.gov/cas/tips/ST04-002.html
http://www.microsoft.com/protect/yourself/password/create.mspx

2.8 Spam Incidents

MyCERT observed that spam-related incidents increased slightly, by 7.68%, in this quarter compared to the previous quarter. A total of 10122 reports were received, compared to 9400 reports in the previous quarter. Spam remains the incident category with the highest number of reports. Based on our observation of the monthly spam statistics, we noticed that spam volumes rose with the outbreak of a particular security threat. For example, in January 3600 spam reports were recorded; this was due to the circulation of spam emails related to the malicious New Year e-card. In February 3400 were recorded, and in March spam emails increased to 3760; this was due to the circulation of the malicious April Fool emails.

There are no perfect techniques or tools to completely eradicate spam; however, there are techniques that end users and organizations can implement to minimize it, such as installing anti-spam filters at email gateways and applying appropriate email filters in end users' email clients. Users are also advised not to respond to spam nor purchase products promoted through it.

Attached is the graph of the number of spam reports recorded by month in this quarter.

3.0 Alerts & Advisories

In this quarter, MyCERT released 1 advisory related to critical vulnerabilities in the Linux kernel and 2 alerts related to malware activities: the new Storm worm and the malicious New Year e-card.

The advisory and alerts are available at:

MyCERT also forwarded three advisories and alerts from various other sources to our constituency, as listed below:

4.0 Activities from Research Network

The CyberSecurity Research Network monitoring objectives are:

  • To monitor the network for suspicious traffic as well as to monitor for the occurrence of known malicious attacks.

  • To observe attacker behaviour in order to learn new techniques being deployed, to determine the popular techniques that are currently being used as well as to confirm the continued use of old and well known attack techniques.

  • To compile and analyse sufficient relevant information of which the results can be used to alert the community at large to the possibility of imminent cyber attacks on local networks.

The following is a summary derived from MyCERT's research network for Quarter 1 2008.

Top Ten Alerts Generated by Traffic to Research Network

5.0 Conclusion

Overall, the number of incidents reported to MyCERT increased by 5.59% compared to the previous quarter, with the increase mainly contributed by spam incidents. Other categories that contributed significantly to the number of reports were malicious code, which consists of reports of botnets, command and control (C&C) servers and drone activity hosted on local machines, and intrusions. MyCERT would like to advise system and security administrators to take precautions against these activities and prevent their machines from becoming targets. Neither a crisis nor an outbreak was observed in this quarter. Nevertheless, users and organizations are advised to always take measures to protect their systems and networks from threats. MyCERT strongly advises users and organizations to report security incidents to us and seek our assistance.

MyCERT can be reached for assistance at:
Tel: 03-89926969
Fax: 03-89960827
Email: mycert@mycert.org.my
Web: http://www.mycert.org.my/report_incidents/online_form.html
Hp: 019-2665850
SMS: 019-2813801

Feedback can be directed to MyCERT.

Produced on 8 April 2008 by MyCERT, CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:

Initial Release: 21st April 2008

Please refer to MyCERT's website for the latest updates to this Quarterly Summary.

MyCERT
http://www.mycert.org.my