MA-289.102011: MyCERT 2nd Quarter 2010 Summary Report
06 July 2010
Introduction
The MyCERT Quarterly summary provides an overview of activities carried out by Malaysia CERT (MyCERT), a department within Cybersecurity Malaysia. The activities are related to computer security issues and trends based on security incidents handled by MyCERT. The summary highlights statistics of incidents according to categories handled by MyCERT in Q2 2010, security advisories released by MyCERT, and other activities carried out by MyCERT staff. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussion of incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian domain or IP space. MyCERT works closely with other local and global entities to resolve computer security incidents.
Incidents Trends Q2 2010
From April to June 2010, MyCERT, via its Cyber999 service, handled a total of 1662 incidents representing a 21.31% increase compared to the previous quarter. Generally, all categories of incidents saw an increase in this quarter compared to the previous quarter. The incidents were reported to MyCERT by various parties within the constituency, which includes home users, private sectors, government sectors, security teams from abroad, foreign CERTs, and Special Interest Groups, in addition to MyCERT's proactive monitoring efforts.
Figure 1 illustrates the incidents received in Q2 2010, classified according to the type of incidents handled by MyCERT.

Figure 2 illustrates the incidents received in Q2 2010 classified according to the type of incidents handled by MyCERT and its comparison with the number of incidents received in the previous quarter.

Figure 3 shows the percentage of incidents handled according to categories in Q2 2010.

In Q2 2010, System Intrusion recorded the highest number of incidents with a total of 581 cases, recording a 15.28% increase compared to the previous quarter, with 1555 Malaysian websites defaced. The majority of System Intrusion incidents are web defacements followed by system compromise and account compromise. Web defacements refer to unauthorised modifications to a website due to certain vulnerable web applications or unpatched servers. This includes web servers running on various platforms such as IIS, Apache and others.
MyCERT observed that the majority of web defacements were done via the SQL injection attack technique. SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and thereby unexpectedly executed. More information on the SQL injection attack technique and fixes is available at:
http://www.mycert.org.my/en/resources/web_security/main/main/detail/573/index.html
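The two conditions described above (input placed unescaped inside a string literal, and input that is not strongly typed) are shown below beside the parameterized fix. This is an added example, not MyCERT's code; the `pages` table, the function names and the sample inputs are constructed for illustration using Python's built-in sqlite3 module.

```python
import sqlite3

def make_db():
    # Constructed sample data, for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [(1, "alice", "home"), (2, "bob", "news"), (3, "carol", "contact")])
    return db

# Condition 1: input concatenated into a string literal without escaping.
def pages_by_owner_vulnerable(db, owner):
    sql = "SELECT id FROM pages WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

# Condition 2: a "numeric" field that is never checked to be a number.
def page_by_id_vulnerable(db, page_id):
    sql = "SELECT id FROM pages WHERE id = " + page_id + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]

# Fix for condition 1: bind the value; it is never parsed as SQL text.
def pages_by_owner_safe(db, owner):
    sql = "SELECT id FROM pages WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner,))]

# Fix for condition 2: enforce the type first, then bind the value.
def page_by_id_safe(db, page_id):
    try:
        value = int(page_id)
    except (TypeError, ValueError):
        raise ValueError("page id must be an integer")
    sql = "SELECT id FROM pages WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (value,))]

# Constructed inputs that change the meaning of the concatenated query.
QUOTE_INPUT = "nobody' OR '1'='1"
UNTYPED_INPUT = "0 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, string :", pages_by_owner_vulnerable(db, QUOTE_INPUT))
    print("vulnerable, numeric:", page_by_id_vulnerable(db, UNTYPED_INPUT))
    print("safe, string       :", pages_by_owner_safe(db, QUOTE_INPUT))
    try:
        page_by_id_safe(db, UNTYPED_INPUT)
    except ValueError as exc:
        print("safe, numeric      : rejected -", exc)
```
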
There were several reports of mass defacements, as also occurred in the previous quarter, involving virtual hosting servers belonging to local web hosting companies. MyCERT has advised the System Administrators on steps for rectifying cases of mass defacement.
Figure 4 shows the breakdown of domains defaced in Q2 2010. Out of the total websites defaced in Q2 2010, 75% have .com and .com.my extensions.

Fraud incidents in this quarter decreased to about 4.9% compared to the previous quarter. Some of the fraud incidents MyCERT handled were Nigerian scams, lottery scams and cheating, mainly with phishing involving foreign and local brands. A total of 298 phishing websites were reported to us, mostly targeting local brands such as Maybank2U.com, Cimbclicks.com and Pbebank.com. In this quarter, we received significant reports of more than 50 phishing sites that targeted one particular local brand only, and we assisted in the removal of those phishing sites by communicating with the affected Internet Service Providers (ISPs).
Based on our analysis, the majority of phishing sites are hosted on compromised machines, while other phishers host them on purchased or rented domains. The machines could have been compromised and used to host phishing websites and other malicious programs.
Cheating activities are still prevalent on the net, just as in the previous quarter. Most involve online scams and fraudulent purchases. Cheating cases are usually escalated to Law Enforcement Agencies for further investigation. We advise Internet users to be very careful when they make purchases online and about whom they deal with.
Reports on harassment also increased this quarter, with a total of 62 reports representing an 8.77% increase. Harassment reports mainly involve cyberstalking, cyberbullying and threats. In this quarter, MyCERT received several reports of messages posted on social networking sites that may raise racial and religious tension in our society. The messages were removed after MyCERT communicated with the respective Internet Service Provider. We also continue to receive reports of identity theft on social networking sites. MyCERT advises Internet users to be more careful about what they release and expose about themselves on social networking sites, as all information can be manipulated for identity theft purposes.
Under the classification of malicious codes, in Q2 2010, MyCERT handled 277 reports representing 18.37% out of the total number of incidents. Some of the malicious code incidents we handled are active botnet controllers, hosting of malware or malware configuration files on compromised machines, and malware infections to computers.
Advisories and Alerts
In Q1 2010, MyCERT issued a total of 12 advisories and alerts for its constituency. Most of the advisories in Q1 involved popular end user applications such as Adobe PDF Reader, Adobe Shockwave player, Multiple Apple Product Vulnerabilities, Multiple Microsoft Vulnerabilities and Microsoft Internet Explorer. Attackers often compromise end users' computers by exploiting vulnerabilities in the users' applications. Generally, the attacker tricks the user into opening a specially crafted file (e.g. a PDF document) or web page. Readers can visit the following URL on advisories and alerts released by MyCERT in Q2 2010.
Other Activities
MyCERT staff were invited to conduct talks and training in various locations in Q2 2010, and a total of 17 talks and trainings were conducted by MyCERT staff at different locations locally as well as overseas. The majority of the talks and trainings were related to Incident Handling, Malicious Traffic Analysis, Analysis of Malicious Files, Hacking Anatomy, Internet Security, Log Analysis, Web Security, Open Source and MyCERT's Case Studies. Some of the prominent talks that MyCERT staff conducted were "Malaysia National Report and Case Study" at the Anti-Phishing Working Group in Brazil, "Pkaji: Analysing Malicious PDF Files" at The Honeynet Project 9th Annual Workshop in Mexico and "Interception and Analysis of Malicious Traffic based on NDIS Intermediate Driver" at SIGINT 2010, Chaos Computer Club in Germany.
MyCERT also conducted trainings on Incident Handling, Log Analysis and Web Security at the OIC-CERT Regional Workshops held in Tunisia and Morocco. Other significant talks and trainings conducted by MyCERT staff were held in various locations in Malaysia.
Conclusion
Overall in Q2 2010, the number of computer security incidents reported to us increased by 21.31% compared to the previous quarter, and most categories of incidents reported also increased. The increase is a reflection that more Internet users are reporting incidents to CyberSecurity Malaysia. However, no severe incidents were reported to us, and we did not observe any crisis or outbreak in our constituency. Nevertheless, users and organisations must be constantly vigilant of the latest computer security threats, and are advised to always take measures to protect their systems and networks from threats. Internet users and organisations may contact MyCERT for assistance at our contacts below:
Malaysia Computer Emergency Response Team (MyCERT)
E-mail: mycert@mycert.org.my
Cyber999 Hotline: 1 300 88 2999
Phone: (603) 8992 6969
Fax: (603) 8945 3442
Phone: 019-266 5850
SMS: Type CYBER999 report to 15888
http://www.mycert.org.my/
Please refer to MyCERT's website for latest updates of this Quarterly Summary.