MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2008

MS-137.082008: MyCERT Quarterly Summary (Q2) 2008

Original Issue Date: 27 August 2008

1.0 Introduction

The MyCERT Quarterly Summary includes some brief descriptions and analysis of major incidents observed during that quarter. This report highlights statistics of attacks or incidents reported to MyCERT, as well as other noteworthy incidents and new vulnerability information.

MyCERT believes these statistics are only a tip of the iceberg. Internet users are encouraged to report computer security incidents to MyCERT in order for us to assist those who are affected.

In addition, this summary also directs to resources in dealing with problems related to security incidents.

2.0 Incident Reports

In the second quarter of 2008 (Q2), a total of 16958 incidents, inclusive of spam incidents, were reported to MyCERT, representing a 63.88% increase compared to Q1 2008. The majority of the incidents reported this quarter were spam reports. There were no critical outbreaks in terms of malware or exploitation, nor any significant increase in a particular incident type that raised alerts in our constituency. All categories of incidents classified by MyCERT, such as intrusion, hack threat, malicious code, denial of service and spam, recorded an increasing number of incidents. On the other hand, malicious code and denial of service incidents had decreased.

Attached is the table showing the comparison between the number of reports received in Q1 2008 and Q2 2008.

Attached is the graph showing the number of reports received for each type of incident in Q1 2008 and Q2 2008:



2.1 Malicious Codes

Malicious code incidents decreased slightly in this quarter compared to the previous quarter. A total of 71 incidents were reported compared to 79 in the previous quarter. In this quarter, we received several reports from foreign CERTs and security organizations regarding bot-infected machines (drones), command & control (C&C) servers of botnets and malicious files hosted on machines in Malaysia. Some of these reports contained IP addresses, most of them on home user networks, that had been reported to us previously. In all of these instances, MyCERT notified and assisted the respective ISPs with bot removal and mitigation strategies. These bots are normally used to carry out malicious activities such as spamming, executing denial of service attacks, hosting phishing sites and spreading malware.

MyCERT also responded to 29 incidents involving drones and botnet command & control infrastructure operating in Malaysia. The owners of the bot-infected machines were successfully notified and the machines were rectified accordingly.

Other incidents that we received include the discovery of 3 drop sites, i.e. servers storing stolen credentials such as usernames and passwords, hosted in our constituency. The credentials were stolen mostly from machines/PCs infected with malicious code. MyCERT notified the respective parties and the drop sites were shut down.

MyCERT received 4 reports from a foreign CERT regarding details found on a server that was used by a trojan to log keystrokes. The keylogger trojan, named the Nethell trojan, had successfully captured keystrokes of usernames/passwords belonging to various internet accounts in our constituency, including banks, ISPs and government agencies. MyCERT notified the respective parties for immediate rectification of the compromised passwords.

The following graph shows the breakdown of malware incidents received in this quarter:



We advise users to safeguard their computers against malware infection. Please visit the following URL to view some tips on this topic:
http://www.esecurity.org.my/adult-malware.htm

2.2 Hack Threat

MyCERT received 16 reports in the hack threat category, 1 report more than in the previous quarter. Most of the hack threat reports were received from foreign security organizations where the sources of the attacks were Malaysian IP addresses. Some of the common attacks observed were SSH brute-force attacks, port scanning and other malicious or suspicious activities that had triggered alerts.

MyCERT's findings for this quarter, as in the previous quarter, showed that the top ports commonly targeted were SSH (TCP/22), FTP (TCP/21) and HTTP (TCP/80).

2.3 Denial of Service

In this quarter, reports on denial of service decreased to about 3% compared to the previous quarter. The number decreased from 5 incidents in the previous quarter to 2 incidents in this quarter. A denial of service attack consists of sending a huge volume of traffic continuously to a system, causing the system to slow down or choke. In distributed denial of service attacks, the sources of the attack mostly come from multiple spoofed IPs, whereas the majority of denial of service attacks originate from a single IP address. The majority of denial of service attacks were successfully handled or stopped by blocking the source of the attack at the customer's upstream router.

2.4 Intrusion

MyCERT received 103 reports related to intrusion in this quarter. The majority of the incidents in this category were web defacements (or re-defacements in some incidents) of .my websites hosted in Malaysia.

In this quarter a total of 97 .my sites belonging to various sectors and running on various platforms were defaced. Most of these defacements were caused by web application vulnerabilities such as remote file inclusion, SQL injection and unpatched third-party add-ons.

MyCERT was able to contact the respective administrators of the websites and advised them on recovery and mitigation. In the previous quarterly report, MyCERT discussed possible workarounds to prevent these kinds of attacks; it can be viewed at:

http://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/564/index.html

In this quarter, we also received reports of a large number of websites around the globe being targeted by a mass SQL injection attack. This attack modifies the contents of the websites with code that redirects users to another server hosting malicious code and exploits. The malicious code or exploit then allows the attacker to gain control of the victim's computer.

Based on our assessment, we have detected only very few Malaysian sites affected by this mass SQL injection attack. However, MyCERT encourages administrators to be vigilant and alert to this attack or attempts at exploitation.

Most of the servers hosting the malicious scripts and exploits use the .CN domain and are located in various countries.

MyCERT released an advisory on the attack, available at:

Mass SQL Injection Attack
http://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/577/index.html

2.5 Harassment

MyCERT responded to 18 incidents in the harassment category, compared to 8 incidents in the previous quarter. The harassment cases ranged from email threats to defamatory messages/pictures/photos on internet forums and social networking websites. The majority of harassment cases were handled successfully, in that the defamatory messages/pictures/photos were removed from the respective forums/sites, and the sources of the email threats were traced and handed to the respective Law Enforcement Agency.

Users who are harassed via the Internet, or who observe any kind of harassment on web forums with religious, social, political or economic implications, are advised to report it to MyCERT for further analysis, besides reporting to the police. Users are also advised not to reveal or upload personal information such as contact numbers, home addresses and photos on the net, or transmit it to untrusted parties, as this information could be abused by irresponsible parties.

2.6 Fraud

This quarter saw a tremendous increase in fraud incidents of more than 100%, comprising 206 reports compared to 88 reports in the previous quarter. The majority of fraud incidents reported were phishing incidents involving local and foreign financial institutions or brands. We observed a surge in phishing reports, with 52 phishing reports received in this quarter. This includes reports on phishing emails and phishing sites impersonating local/foreign financial institutions or brands. MyCERT handled the phishing reports by communicating with the respective parties, and the phishing sites were shut down within 24 hours or less.

The breakdown of phishing sites between local and foreign brands is shown below:



In this quarter we also observed a surge in SMS scam cases, due to recent wide coverage by the local media that raised awareness among the public about reporting SMS scams as well as other types of scams. In the month of June, we received 19 reports of SMS scams from the public. MyCERT responded to the reports by escalating them to the Law Enforcement Agency and providing advice on scam prevention to the public.

Other types of fraud incidents reported to us besides SMS scams are suspicious online investments, Ponzi or pyramid schemes, Nigerian scams, lottery scams, cheating and misuse of an organization's intellectual property, such as its logo, URL or domain name, for promoting illegal activities on the net.

With the increase in scam activities on the net, MyCERT released a guideline on scam prevention, which is available at:

Tips and Guidelines on Scam Preventions
http://www.mycert.org.my/en/resources/fraud/main/main/detail/588/index.html

In this quarter, MyCERT handled 7 incidents involving domain name disputes, where the domains were mostly set up for suspicious activities. MyCERT advised the affected organizations to obtain legal advice from their legal departments, referring to the relevant domain dispute resolution policies, before taking any action.

Attached is the graph showing the breakdown of the types of fraud incidents that we received in this quarter:



2.7 Vulnerabilities Reported

In this quarter MyCERT also received 58 reports from various sources regarding web application vulnerabilities found on Malaysian websites. The vulnerabilities include SQL injection, directory listing and weak administrator passwords. MyCERT verified the reported vulnerabilities on the said websites and informed the respective system administrators to fix them before any unwanted incidents occur.

Some of the steps that administrators can implement are:

To prevent SQL injection attacks, refer to:

http://www.mycert.org.my/en/resources/web_security/main/main/detail/572/index.html

For choosing strong passwords, administrators may refer to the guidelines below:

http://www.us-cert.gov/cas/tips/ST04-002.html
http://www.microsoft.com/protect/yourself/password/create.mspx

To fix directory browsing, administrators may refer to the guides below:

For sites running on Apache web servers

Directory browsing can be disabled by removing the Indexes option from the Options directive in the Apache configuration (httpd.conf). Search for the line where Indexes is located and remove it. If directory listing is needed for a particular directory, it can be restricted using an .htaccess file instead.

For sites running on IIS web servers

Deselect Directory Browsing in the properties of the web directory if it is selected.

A sample of the properties dialog can be found here:

http://microsoft.apress.com/images/articles/articles_20011130_1.gif
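As an added example (not MyCERT's own material), the following POSIX shell script audits an Apache httpd.conf for Options directives that enable directory listing and writes a hardened copy with Indexes turned off. The configuration fragment it scans is constructed for the example, and the directory paths in it are assumed.

```shell
#!/bin/sh
# Added example, not MyCERT's code: audit an Apache httpd.conf for the
# Indexes option that enables directory browsing, then emit a hardened copy.

# Constructed sample httpd.conf fragment (assumed layout, not a real server's).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/uploads">
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/var/www/archive">
    Options All
</Directory>
EOF

# Print the line number of every Options directive that turns listing on:
# a bare "Indexes", a "+Indexes", or "All" (which implies Indexes).
# "-Indexes" is the explicit opt-out and is therefore not reported.
find_indexes_enabled() {
    grep -n -i '^[[:space:]]*Options' "$1" \
      | grep -E -i '[[:space:]]\+?(Indexes|All)([[:space:]]|$)' \
      | cut -d: -f1
}

# Write a copy of the config ($2) in which every enabling "Indexes" token
# becomes "-Indexes". "Options All" lines are left for manual rewriting,
# because Apache rejects mixing an absolute value like All with +/- values.
harden_conf() {
    sed -E 's/^([[:space:]]*Options.*[[:space:]])\+?Indexes([[:space:]]|$)/\1-Indexes\2/' "$1" > "$2"
}

HARDENED_CONF="$(mktemp)"
harden_conf "$SAMPLE_CONF" "$HARDENED_CONF"

echo "Listing still enabled on these lines of the hardened config:"
find_indexes_enabled "$HARDENED_CONF"
```

A directory with no Options directive of its own inherits the setting of the enclosing block, so the enclosing Directory sections and any .htaccess files must be checked as well.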

2.8 Spam Incidents

MyCERT observed that spam-related incidents increased by 63.43% in this quarter compared to the previous quarter. A total of 16542 reports were received compared to 10760 reports in the previous quarter. Spam remains the incident category with the highest number of reports received. Based on our observation of the monthly spam statistics, we noticed that spam emails were recorded at higher levels during the outbreak of a particular security threat. Based on our observation, the majority of spam emails are related to scams such as the Nigerian scam, lottery scams and get-rich-quick schemes, or carry trojan droppers, viruses and phishing content.

Promoting and selling products/services still remains one of the main contributors to spam.

There are no perfect techniques or tools to completely eradicate spam; however, there are techniques that end users and organizations can implement to minimize it, such as installing anti-spam filters at email gateways and applying appropriate email filters in end users' email clients. Users are also advised not to respond to spam or purchase products promoted via spam.

Attached is the graph showing the number of spam reports recorded by month in this quarter and the spam payloads detected by ClamAV.



3.0 Alerts & Advisories

In this quarter, MyCERT released 6 alerts related to critical vulnerabilities and mass SQL injection attacks.

The advisory and alerts are available at:

MyCERT has also forwarded three advisories and alerts from various other sources to our constituency, as listed below:

4.0 Activities from Research Network

The CyberSecurity Research Network monitoring objectives are:

To monitor the network for suspicious traffic as well as for the occurrence of known malicious attacks.
To observe attacker behaviour in order to learn new techniques being deployed, to determine the popular techniques currently in use, and to confirm the continued use of old and well-known attack techniques.
To compile and analyse sufficient relevant information so that the results can be used to alert the community at large to the possibility of imminent cyber attacks on local networks.

The following is a summary derived from MyCERT's research network for Quarter 2 2008.

Top Ten Alerts Generated by Our Sensor

Top Ten TCP Ports

5.0 Conclusion

Overall, the number of incidents reported to MyCERT increased by 63.88% compared to the previous quarter, with the increase mainly contributed by spam incidents. Other categories that contributed highly to the number of reports received are fraud incidents, malicious code (which consists of reports of botnets, command & control servers and drone activity hosted on local machines) and intrusions. MyCERT would like to advise system and security administrators to take precautions against these activities and prevent their machines from becoming targets. Neither a crisis nor an outbreak was observed in this quarter. Nevertheless, users and organizations are advised to always take measures to protect their systems and networks from threats. MyCERT strongly advises users/organizations to report and seek assistance from us in the event of any security incident.

MyCERT can be reached for assistance at:

Tel: 03-89926969
Fax: 03-89960827
Email:
mycert@mycert.org.my
Web:
http://www.mycert.org.my/report_incidents/online_form.html
Hp: 019-2665850
SMS: 019-2813801

Feedback can be directed to MyCERT.

Produced on 26 August 2008 by MyCERT, CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:

Initial Release: 26 August 2008

Please refer to MyCERT's website at http://www.mycert.org.my for the latest updates to this Quarterly Summary.

MyCERT
http://www.mycert.org.my