MS-141.102008: MyCERT Quarterly Summary (Q3) 2008
Original Issue Date: 14th October 2008

1.0 Introduction

The MyCERT Quarterly Summary includes brief descriptions and analysis of major incidents observed during the quarter. This report highlights statistics of attacks or incidents reported to MyCERT, as well as other noteworthy incidents and new vulnerability information. MyCERT believes these numbers are only the tip of the iceberg. Internet users are encouraged to report computer security incidents to MyCERT so that we can assist those affected and escalate the matter to our partners. Finally, this summary also points to resources for dealing with problems related to security incidents.

2.0 Incident Reports

In the third quarter of 2008 (Q3), a total of 21661 incidents, inclusive of spam incidents, were reported to MyCERT, representing a 26.73% increase compared to Q2 2008. The majority of the incidents reported this quarter were spam reports. There was a tremendous increase in intrusion incidents involving web defacements, which exploited various flaws in web applications. However, there were no critical outbreaks in terms of malware or exploitation that raised a red alert or crisis in our constituency. Most categories of incidents reported to us increased; on the other hand, malicious code and harassment incidents decreased. Denial of service incidents remained the same as in the previous quarter. Attached is the table of figures showing the comparison between the number of reports received in Q2 2008 and Q3 2008.
The following is the graph showing number of incidents handled according to the different categories in Q2 2008 and Q3 2008: 
2.1 Malicious Codes

A total of more than 1000 Malaysian IP addresses were handled in the 69 incidents reported to MyCERT. In this quarter, we received several reports from foreign Computer Emergency Response Teams (CERTs) and security organizations regarding bot-infected machines (drones), command-and-control servers of botnets and malicious files hosted on computers in Malaysia. Some of these reports contained IP addresses, most of which are on home user networks, that had been reported to us previously. In all instances, MyCERT notified and assisted the respective ISPs on bot removal and mitigation strategies. These bots or zombies are normally used to carry out malicious activities such as spamming, executing denial of service attacks, hosting phishing sites and spreading malware. In this quarter, MyCERT received reports of 1716 IP addresses that were believed to be infected with bots and being used as drones of one or more botnets. The following graph shows the number of IP addresses belonging to the Malaysian constituency that were infected with bots in Q3 2008.
MyCERT received 19 reports from a foreign CERT regarding details found on a server used by a trojan to log keystrokes. The keylogger trojan, named the Nethell Trojan, had successfully captured keystrokes of usernames and passwords belonging to various internet accounts in our constituency, including accounts for internet banking, webmail, entertainment, e-commerce and other online services. In this quarter we observed that 120 accounts in the above categories were compromised by keylogger activity, as shown in the graph below.
MyCERT notified the respective parties so that the compromised passwords could be changed immediately. The following graph shows the breakdown of malware incidents received in this quarter:
We advise users to safeguard their computers against being infected by malicious software. Please visit the following URL for some tips on this topic: http://www.esecurity.org.my/adult-malware.htm

2.2 Hack Threat

MyCERT received 24 reports in the hack threat category this quarter, which represents a 50% increase compared to the previous quarter. Most of the hack threat reports were received from foreign security organizations, where the sources of the attacks were Malaysian IP addresses. Some of the common attacks observed are SSH brute-force attacks, port scanning and other malicious or suspicious activities that triggered alerts. MyCERT's findings for this quarter, as in the previous quarter, showed that the top ports commonly targeted were SSH (TCP/22), FTP (TCP/21) and HTTP (TCP/80).

2.3 Denial of Service

In this quarter, MyCERT received 2 reports of denial of service, which is the same as in the previous quarter. A denial of service attack consists of continuously sending huge amounts of traffic to a system, causing the system to slow down or choke. In distributed denial of service attacks the traffic comes from multiple, often spoofed, IP addresses, whereas the majority of denial of service attacks reported to us originated from a single IP address. The majority of denial of service attacks were successfully handled or stopped by blocking the source of the attacks at the customers' upstream router.

2.4 Intrusion

MyCERT received 331 reports related to intrusion in this quarter, which represents a more than 100% increase compared to the previous quarter. The majority of the incidents in this category were web defacements (or re-defacements in some incidents) of .my websites hosted in Malaysia. Besides that, there were also reports of mass defacements of .MY websites hosted on virtual hosting servers. In this quarter a total of 322 .my sites belonging to various sectors and running on various platforms were defaced.
The majority of the web defacements in this quarter were due to the Joomla! reset password vulnerability. Joomla! is a popular content management system based on PHP and is widely used to deploy portals in the country. MyCERT released an alert on this vulnerability to all system and web administrators, advising them to patch or upgrade to the latest version of Joomla!. The alert is available at: MA-136.082008: MyCERT Special Alert - Critical Joomla! reset password vulnerability, http://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/595/index.html

Besides the above vulnerability, some of these defacements were also caused by other web application vulnerabilities such as remote file inclusion, SQL injection and unpatched third-party add-ons. MyCERT was able to contact the respective administrators of the websites and advised them on recovery and mitigation. In the previous quarterly report, MyCERT discussed possible workarounds to prevent these kinds of attacks; it can be viewed at: http://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/564/index.html

MyCERT has also produced a statistic on the breakdown of defaced .MY sites by domain, as attached below:
2.5 Harassment

MyCERT handled 12 incidents in the harassment category this quarter. The nature of the harassment cases ranged from email threats to defamatory messages, pictures or photos on internet forums and social networking websites. The majority of harassment cases were handled successfully.

2.6 Fraud

There was an increase in the number of fraud reports received by MyCERT this quarter, of about 26.21%, comprising 260 reports compared to 206 reports in the previous quarter. The majority of fraud incidents reported were phishing incidents involving local and foreign financial institutions or brands. In this quarter, we observed a surge in phishing reports, which included reports of phishing emails and phishing sites impersonating local and foreign financial institutions or brands.
A tremendous increase in phishing sites targeting local financial institutions was recorded in this quarter, with more than 50 phishing sites. We observed phishers actively using fast-flux techniques for more advanced and sophisticated phishing tactics. In a normal phishing attack, the domain in the phishing link, for example www.abc.com, resolves to a single IP address w.x.y.z, which is the address of the malicious server, and when users click the phishing link they are connected directly to it. In fast-flux, however, attackers abuse round-robin DNS, sending responses for www.abc.com that map the site to several IP addresses. Details on fast-flux are available at: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1288441,00.html

MyCERT handled the phishing reports by communicating with the respective parties, and in most instances the phishing sites were taken offline or removed within 24 - 48 hours. We also observed in this quarter that 35 IP addresses belonging to the local constituency were hosting phishing sites that imitated foreign financial institutions, and 85 IP addresses belonging to foreign constituencies were hosting phishing sites imitating local financial institutions, as shown in the graph below.
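The fast-flux behaviour described above can be spotted passively from the DNS answers a resolver or sensor records: a name that keeps returning many different addresses, scattered across unrelated networks, with a short TTL. The following is an added example (not MyCERT code) of that heuristic over a constructed set of lookups; the Observation layout and the three thresholds are assumptions chosen for illustration.

```python
# Fast-flux detection heuristic over constructed DNS observations.
# Added example; not MyCERT code. Thresholds and the Observation layout
# are assumptions for illustration, not values from the report.
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, NamedTuple


class Observation(NamedTuple):
    qname: str            # name in the phishing link, e.g. www.abc.com
    ttl: int              # TTL of the A records in the answer
    a_records: List[str]  # IPv4 addresses returned for that lookup


# Assumed thresholds: many addresses, spread over several /24 networks,
# advertised with a short TTL so victims keep being sent to new hosts.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3
MAX_TTL = 300


def summarise(observations: List[Observation]) -> Dict[str, dict]:
    """Group lookups by name and decide which names look fast-flux."""
    by_name: Dict[str, List[Observation]] = defaultdict(list)
    for o in observations:
        by_name[o.qname].append(o)

    result = {}
    for name, obs in by_name.items():
        ips = {ip for o in obs for ip in o.a_records}
        nets = {str(ip_network(ip + "/24", strict=False)) for ip in ips}
        max_ttl = max(o.ttl for o in obs)
        result[name] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "max_ttl": max_ttl,
            "fast_flux": (len(ips) >= MIN_DISTINCT_IPS
                          and len(nets) >= MIN_DISTINCT_NETS
                          and max_ttl <= MAX_TTL),
        }
    return result


# Constructed sample: a static site answers with one address and a long
# TTL; the flux name rotates through hosts in unrelated networks.
SAMPLE = [
    Observation("www.example.com", 3600, ["198.51.100.10"]),
    Observation("www.example.com", 3600, ["198.51.100.10"]),
    Observation("www.abc.com", 60, ["203.0.113.5", "192.0.2.77", "198.51.100.201"]),
    Observation("www.abc.com", 60, ["203.0.113.5", "192.0.2.140", "203.0.113.222"]),
    Observation("www.abc.com", 60, ["198.18.4.9", "192.0.2.77", "198.18.77.1"]),
]

if __name__ == "__main__":
    for name, info in summarise(SAMPLE).items():
        print(name, info)
```

Legitimate content delivery networks also return several addresses with low TTLs, so a flag from this heuristic is a prompt to investigate the hosts (which, as noted below, are usually compromised), not proof of phishing on its own.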
Based on our observations, we believe the majority of IP addresses hosting phishing sites belong to compromised hosts that may have been infected with bots. We advised the respective administrators to investigate and rectify the affected hosts before putting them back online.

Other types of fraud-related incidents reported to us were SMS scams, suspicious online investments, Ponzi or pyramid schemes, Nigerian scams, lottery scams, cheating and misuse of an organization's intellectual property such as its logo, URL or domain name to promote illegal activities on the net. In this quarter, we also received several reports of cheating involving online transactions. MyCERT would like to advise users to be extra careful when they plan to purchase items online to avoid being cheated by irresponsible parties. They must be extra careful about whom they are dealing with when purchasing the item. It is also advisable to purchase items from authorized or licensed online traders who can guarantee delivery of the items to buyers. Besides this, we also received several reports involving "Nigerian scams". MyCERT advises users to be extra cautious when dealing with people who request cash or deposits as prerequisites for a particular transaction. They must not bank in any money to unknown parties without proper verification. With the increase in scam activity on the net based on the reports received, MyCERT has released a guideline on scam prevention, which is available at: Tips and Guidelines on Scam Preventions, http://www.mycert.org.my/en/resources/fraud/main/main/detail/588/index.html

In this quarter, MyCERT handled 7 incidents involving issues or disputes related to domain names. The issues and disputes mainly involved suspicious activities. MyCERT advised the affected organizations to obtain legal advice from their legal departments, referring to the relevant domain dispute resolution policies, before taking any action.
Attached is the graph showing the breakdown of types of fraud incidents that we received in this quarter: 
2.7 Vulnerabilities Reported

In this quarter MyCERT also received 9 reports from various sources regarding web application vulnerabilities found on Malaysian websites. The vulnerabilities included SQL injection, directory listing and weak administrator passwords. MyCERT verified the reported vulnerabilities on the said websites and informed the respective owners to fix them to prevent untoward incidents. Steps that administrators can take to fix the above vulnerabilities are available in the MyCERT Q2 Summary Report: http://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/596/index.html

2.8 Spam Watch

MyCERT observed that spam-related incidents increased by 26.73% in this quarter compared to the previous quarter. A total of 20963 incidents were received compared to 16542 reports in the previous quarter. Spam remains the incident category with the highest number of reports received. Based on our observation of the monthly spam statistics, we noticed that spam emails were recorded at higher levels during the outbreak of a particular security threat. The top categories of spam emails detected this quarter were mass mailer worm emails, which recorded the highest count, followed by trojan emails and phishing emails. The majority of mass mailer worm emails were related to different variants of the Mytob worm, Mytob.KQ and Mytob.NK. Most trojan emails were related to Trojan.Fakealert and Trojan.Goldrun. Phishing emails mainly involved spoofed domains related to banks. Other categories of spam were related to scam emails such as the Nigerian scam, lottery scams and get-rich-quick schemes. Promotion or sale of products and services remains one of the main contributors to spam.
There are no perfect techniques or tools to completely eradicate spam; however, there are techniques that end users and organizations can implement to minimize it, such as installing anti-spam filters at email gateways and applying appropriate email filters in end users' email clients. Users are also advised not to respond to, nor purchase products promoted via, spam, as this serves only to further propagate spam activity. MyCERT encourages users to report spam so that proper action can be taken against the owner of the computer sending it out.

3.0 Alerts & Advisories

In this quarter, MyCERT released 6 alerts related to critical vulnerabilities and mass SQL injection attacks. The advisories and alerts are available at:

MyCERT has also forwarded three advisories and alerts from various other sources to our constituency, as below:

4.0 Activities from Research Network

The CyberSecurity Research Network monitoring objectives are:

4.1 To monitor the network for suspicious traffic as well as for the occurrence of known malicious attacks.

4.2 To observe attacker behaviour in order to learn new techniques being deployed, to determine the popular techniques currently in use, and to confirm the continued use of old and well-known attack techniques.

4.3 To compile and analyse sufficient relevant information, the results of which can be used to alert the community at large to the possibility of imminent cyber attacks on local networks.
The following is a summary derived from MyCERT's research network for Quarter 3 2008. The top alerts generated by our research network were FTP Login Attempt (non-anonymous), Attack Response Unusual FTP Server Banner (freeFTPd) and Attack Response Unusual FTP Server Banner (warFTPd). The Top Ten TCP Destination Ports Scanned graph shows that the FTP port was the most scanned port in the Research Network environment. Based on our observation, this is a common port that is constantly scanned by attackers, and it shows that the FTP port is the most common port targeted for malicious or hacking activities. The FTP port is targeted because FTP is one of the most popular file upload mechanisms, and a misconfigured FTP server can be turned into a global /tmp directory for people to share data with each other, for example "warez".

Top Ten Alerts Generated by Our Sensor
Top Ten TCP Destination Ports Scanned 
5.0 Conclusion

Overall, the number of incidents reported to MyCERT increased by 27.73% compared to the previous quarter, with the increase mainly contributed by spam incidents. Other reports that contributed highly to the number of incidents received this quarter were intrusion, fraud and malicious code, the last consisting of reports of botnets, command-and-control servers and drone activity hosted on local machines. MyCERT would like to advise system and security administrators to take precautions against these activities and prevent their machines from becoming targets. Neither a crisis nor an outbreak was observed in this quarter. Nevertheless, users and organizations are advised to always take measures to protect their systems and networks from threats. MyCERT strongly advises users and organizations to report and seek assistance from us in the event of any security incident.

MyCERT can be reached for assistance at:
Tel: +603 - 8992 6969
Fax: +603 - 8996 0827
Email: mycert@mycert.org.my
Web: http://www.mycert.org.my/report_incidents/online_form.html
Hp: +6019 - 266 5850
SMS: +6019 - 281 3801

Produced on 14 October 2008 by MyCERT, CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:
Initial Release: 14 October 2008

Please refer to MyCERT's website at http://www.mycert.org.my for the latest updates to this Quarterly Summary.

MyCERT http://www.mycert.org.my