MS-146.022009: MyCERT Quarterly Summary (Q4) 2008
Original Issue Date: 07th January 2009

1.0 Introduction

The MyCERT Quarterly Summary includes brief descriptions and analysis of major incidents observed during the quarter. This report highlights statistics of attacks or incidents reported to MyCERT, as well as other noteworthy incidents and new vulnerability information. MyCERT believes these numbers are only the tip of the iceberg. Internet users are encouraged to report computer security incidents to MyCERT so that we can assist those who are affected and escalate the matter to our partners. Finally, this summary also points to resources for dealing with problems related to security incidents.

2.0 Incident Reports

In the fourth quarter of 2008 (Q4), a total of 33036 incidents, inclusive of spam incidents, were reported to MyCERT, representing a 52.51% increase compared to Q3 2008. The majority of the incidents reported this quarter were spam reports. There was a tremendous increase in fraud incidents, mainly involving phishing, cheating and Nigerian scams. No critical malware outbreak or exploitation that raised a red alert or crisis in our constituency was reported in this quarter. Most categories of incidents reported to MyCERT increased; however, malicious code and intrusion incidents decreased in this quarter. Attached is the table of figures showing the comparison between the number of reports received in Q3 2008 and Q4 2008.
The following graph shows the number of incidents handled according to the different categories in Q3 2008 and Q4 2008:
2.1 Malicious Codes

A total of more than 1000 Malaysian IP addresses were handled in the 58 incidents reported to MyCERT. In this quarter, we received several reports from foreign Computer Emergency Response Teams (CERTs) and security organizations regarding bot-infected machines (drones), botnet command and control servers, and malicious files hosted on computers in Malaysia. Some of these reports contained IP addresses, most of them on home-user networks, that had been reported to us previously. In all instances, MyCERT notified and assisted the respective ISPs on bot removal and mitigation strategies. These bots or zombies are normally used to carry out malicious activities such as spamming, executing denial of service attacks, hosting phishing sites and spreading malware. In this quarter, MyCERT received several reports of IP addresses believed to be infected with malicious files and used as drones of one or more botnets. The following graph shows the number of IP addresses running drones belonging to the Malaysian constituency in Q4 2008.
MyCERT received 6 reports from a foreign CERT regarding details found on a server that was used by a trojan to log keystrokes. The keylogger trojan, named the Nethell Trojan, had successfully captured usernames and passwords for various internet accounts in our constituency, including internet banking, webmail, entertainment, e-commerce and other online services. MyCERT notified the respective parties so that the compromised passwords could be changed immediately. In this quarter we also received several reports of machines within our constituency hosting RFI (remote file inclusion) scripts. We advised the respective machines' administrators to clean up and rectify the affected machines. The following graph shows the breakdown of malware incidents received in this quarter:
2.2 Hack Threat

MyCERT received 34 reports in the hack threat category this quarter, a 41.67% increase compared to the previous quarter. Most of the hack threat reports were received from foreign security organizations, with the sources of the attacks being Malaysian IP addresses. The common attacks observed are similar to those reported in the previous quarter: ssh brute-force attacks, port scanning and other malicious or suspicious activities that triggered alerts. MyCERT's findings for this quarter, as in the previous quarter, showed that the top ports targeted were SSH (TCP/22), FTP (TCP/21) and HTTP (TCP/80).

2.3 Denial of Service

In this quarter, MyCERT received 3 reports on denial of service, slightly higher than in the previous quarter. A denial of service attack consists of continuously sending huge volumes of traffic to a system, causing the system to slow down or choke. In distributed denial of service attacks the sources are mostly multiple spoofed IPs, whereas the majority of denial of service attacks originate from a single IP address. The majority of denial of service attacks were successfully handled or stopped by blocking the source of the attacks at the customers' upstream router.

2.4 Intrusion

MyCERT received 295 reports related to intrusion in this quarter, a 10.88% decrease compared to the previous quarter. The majority of the incidents in this category were web defacements (or re-defacements in some incidents) of .my websites hosted in Malaysia, belonging to various sectors and running on various platforms. Based on our analysis, the majority of these defacements were caused by web application vulnerabilities such as remote file inclusion, SQL injection and unpatched third-party add-ons. MyCERT was able to contact the respective administrators of the websites and advised them on recovery and mitigation.
In the previous quarterly report, MyCERT discussed possible workarounds to prevent these kinds of attacks; it can be viewed at: http://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/564/index.html

MyCERT has also produced a statistic on the breakdown of defaced .MY sites by domain, as attached below:
2.5 Harassment

MyCERT handled 34 incidents under the category of harassment this quarter, an increase of more than 100%. The nature of the harassment cases ranges from email threats to defamatory messages, pictures and photos on internet forums and social networking websites. In this quarter, we observed a surge in harassment using stolen social networking IDs for malicious purposes, such as posting defamatory messages, threats and pictures on websites against a particular individual, group or religion. In the majority of cases, MyCERT managed to communicate with the respective social networking sites to get the defamatory messages, threats and pictures removed. In some cases, the matter was referred to the Law Enforcement Agencies.

2.6 Fraud

The number of fraud reports received by MyCERT increased by about 35.77% this quarter, comprising 353 reports compared to 260 reports in the previous quarter. The majority of fraud incidents reported were phishing incidents involving local and foreign financial institutions or brands. In this quarter, we observed a surge in phishing reports, with 242 reports, including reports on phishing emails and phishing sites impersonating local and foreign financial institutions or brands. As in the previous quarter, we observed phishers actively using fast-flux techniques for more advanced and sophisticated phishing tactics. MyCERT handled the phishing reports by communicating with the respective parties and, in most instances, the phishing sites were taken offline or removed within 24 - 48 hours of being reported to MyCERT. Other types of fraud worth highlighting in this quarter are Nigerian scams, cheating and stolen information, data and accounts. Nigerian scams increased in this quarter with 51 reports, mostly from home users.
In some cases, users had fallen victim to this scam, which led to huge monetary losses. MyCERT advises users to be extra cautious when dealing with people who request cash or deposits as a prerequisite for a particular transaction. They must not bank in any money to unknown parties without proper verification. We also observed an increase in cheating this quarter, with 15 reports. The majority of the cheating cases involve online purchases in which users paid for products they ordered online but never received them. Most of these cases were referred to the Law Enforcement Agencies as well as to the respective banks. MyCERT would like to advise users to be extra careful when they plan to purchase and pay for items online, to avoid being cheated by irresponsible parties. They must be extra careful about whom they are dealing with when purchasing an item. It is also advisable to purchase items from authorized or licensed online traders who can guarantee delivery of items to buyers; otherwise, they should deal offline. Attached is the graph showing the breakdown of types of fraud incidents that we received in this quarter:
2.7 Vulnerabilities Reported

In this quarter MyCERT also received 19 reports from various reliable sources regarding web application vulnerabilities found on Malaysian websites. The vulnerabilities include SQL injection, directory listing and weak administrator passwords. MyCERT verified the reported vulnerabilities on the said websites and informed the respective owners to fix them to prevent untoward incidents. Steps that administrators can take to fix the above vulnerabilities are available in the MyCERT Q2 Summary Report at: http://www.mycert.org.my/en/services/advisories/mycert/2008/main/detail/596/index.html

2.8 Spam Watch

MyCERT observed that spam-related incidents increased by 53.89% in this quarter compared to the previous quarter. A total of 32261 incidents were received, compared to 20963 reports in the previous quarter. Spam remains the incident category with the highest number of reports. Based on our observation of the monthly spam statistics, we noticed that spam emails were recorded in higher numbers during the outbreak of certain security threats. The top categories of spam emails detected for this quarter were phishing emails, which recorded the highest count, and trojan emails. Phishing emails mainly involved spoofed domains related to banks. The majority of the trojans were Trojan.Agent, Trojan.Dropper and Trojan.Goldrun.
Other categories of spam are related to scam emails such as the Nigerian scam, lottery scams and get-rich schemes. Promotion or sale of products and services remains one of the main contributors to spam. There are no perfect techniques or tools to completely eradicate spam; however, there are techniques that end users and organizations can implement to minimize it, such as installing anti-spam filters at email gateways and applying appropriate email filters in end users' email clients. Users are also advised not to respond to or purchase products promoted via spam, as this serves only to further propagate spam activities. MyCERT encourages users to report spam so that proper action can be taken against the owner of the computer sending out the spam.

3.0 Alerts & Advisories

In this quarter, MyCERT released 3 alerts related to critical vulnerabilities in Mozilla Firefox and Microsoft Internet Explorer. The alerts are available at:

MyCERT has also forwarded three advisories and alerts from various other sources to our constituency, as below:

4.0 Activities from Research Network

The CyberSecurity Research Network monitoring objectives are:

4.1 To monitor the network for suspicious traffic as well as for the occurrence of known malicious attacks.

4.2 To observe attacker behaviour in order to learn new techniques being deployed, to determine the popular techniques currently in use, and to confirm the continued use of old and well-known attack techniques.

4.3 To compile and analyse sufficient relevant information, the results of which can be used to alert the community at large to the possibility of imminent cyber attacks on local networks.

The following is a summary derived from MyCERT's research network for Quarter 3 2008.
5.0 Conclusion

Overall, the number of incidents reported to MyCERT increased by 52.51% compared to the previous quarter, with incidents mainly contributed by spam. Other categories that contributed highly to the number of incidents received this quarter are fraud, harassment and hack threats. MyCERT would like to advise Internet users and system administrators to take precautions against the above activities. Neither crisis nor outbreak was observed in this quarter. Nevertheless, users and organizations are advised to always take measures to protect their systems and networks from threats. MyCERT strongly advises users and organizations to report and seek assistance from MyCERT, CyberSecurity Malaysia, in the event of any security incident.

MyCERT can be reached for assistance at:
Tel: +603 - 8992 6969
Fax: +603 - 8996 0827
Email: mycert@mycert.org.my
Web: http://www.mycert.org.my/report_incidents/online_form.html
Hp: +6019 - 266 5850
SMS: +6019 - 281 3801

Produced on 06 January 2009 by MyCERT, CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:
Initial Release: 06 January 2009

Please refer to MyCERT's website at http://www.mycert.org.my for the latest updates of this Quarterly Summary.