MyCERT Advisories
MyCERT Advisories, Alerts and Summaries for the year 2012
Bookmark and Share
MA-333.092012: MyCERT 2nd Quarter 2012 Summary Report

10 July 2012

Introduction

The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysian Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT. The summary highlights statistics of incidents according to categories handled by MyCERT in Q2 2012, security advisories and other activities carried out by MyCERT personnel. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussions of the incidents. Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian constituency. MyCERT works closely with other local and global entities to resolve computer security incidents.

Incidents Trends Q2 2012

Incidents were reported to MyCERT by various parties within the constituency as well as from foreign, which include home users, private sectors, government sectors, security teams from abroad, foreign CERTs, Special Interest Groups including MyCERT’s proactive monitoring on several cyber incidents.

From April to June 2012, MyCERT, via its Cyber999 service, handled a total of 2441 incidents representing 22.33 percent decrease compared to Q1 2012. In Q2 2012, incidents such as Cyber Harrasment, Denial of Service and Vulnerabilities Report had increased while other incidents had decreased tremendously.

Figure 1 illustrates incidents received in Q2 2012 classified according to the type of incidents handled by MyCERT.




Figure 2 illustrates the incidents received in Q2 2012 classified according to the type of incidents handled by MyCERT and its comparison with the number of incidents received in the previous quarter.


Figure 3: Shows the percentage of incidents handled according to categories in Q2 2012.


In Q2 2012, a total of 1095 incidents were received on Intrusion representing a 1.17 percent decrease compared to previous quarter. The Intrusion incidents reported to us are mostly web defacements or known as web vandalism followed by account compromise. Based on our findings, majority of the web defacements were due to vulnerable web applications or unpatched servers involving web servers running on IIS and Apache.

In this quarter, we received a total of 844 .MY domains defaced belonging to various sectors such as private and government sectors compared 689 .MY defaced domains in Q1 2012. The increase in web defacements in this quarter maybe due to a recent issue presented in local media that caught attention to many Internet users. MyCERT had responded to web defacement incidents by notifying respective Web Administrators to rectify the defaced websites by following our recommendations.

Figure 4 shows the breakdown of domains defaced in Q2 2012.




Account compromise incidents still prevails in this quarter as was in previous quarter however the number had decreased to 44 incidents compared to 68 incidents in Q1 2012. The decrease may indicate a positive sign that Internet users are aware of the threat and taking preventive measures to safeguard their accounts.The trend we observed in Q1 2012 still prevails in Q2 2012 in which unscrupulous individuals are taking advantage of various techniques to compromise legitimate accounts belonging to other Internet users. Majority of account compromise incidents involved email and social networking accounts. Account compromise incidents could be prevented if users practice good password management such as using strong passwords and safeguard their passwords.

Users may refer to the below URL on good password management practise:

  • http://www.auscert.org.au/render.html?it=2260
  • http://www.us-cert.gov/cas/tips/ST04-002.html


    • Incidents involving fraud had decreased to about 36.42 percent in this quarter compared to previous quarter but continue to be a trend in this quarter and is one of the most frequently reported incidents to Cyber999.

    A total of 948 Fraud incidents were received in this quarter, from organizations and home users. Phishing incidents involving foreign and local brands continues in this quarter along with other types of frauds. Incidents on job scams had also increased targeting other industries such as hospitals and Specialist Centre.

    Cyber harassment incidents had increased in this quarter with a total of 93 incidents representing 16.25% increase. Harassment incidents generally involved cyberstalking, cyberbullying, threatening done via emails and social networking sites. We advise users to be very precautious with whom they communicate on the net especially with unknown people and be ethical on the net.

    In Q2 2012, MyCERT had handled 164 incidents on malicious codes, which represents 13.23 percent decrease compared to previous quarter. Some of the malicious code incidents we handled are active botnet controller, hosting of malware or malware configuration files on compromised machines and malware infections to computers.

    In this quarter, we had issued an Advisory on the DNSChanger malware affecting computers worldwide, which started propagation since November 2011. DNSChanger is a type of malware that infect computers with the purpose of diverting traffic to potentially illegal and malicious websites. The malware modifies the infected computer's DNS server setting replacing it with DNS server belonging to the attackers.

    MyCERT had come up with a tool that can detect computers infected with DNS changer malware and clean up the infected computer.

    More information on the DNSChanger malware is available at:

  • http://www.mycert.org.my/en/services/advisories/mycert/2012/main/detail/855/index.html

    •


    Advisories and Alerts

    In Q1 2012, MyCERT had issued a total of 16 advisories and alerts for its constituency which involved popular end user applications such as Adobe PDF Reader and Multiple Microsoft Vulnerabilities. Attacker often compromise end users computers by exploiting vulnerabilities in the users’ application. Generally, the attacker tricks the user in opening a specially crafted file (i.e. a PDF document) or web page.

    Readers can visit the following URL on advisories and alerts released by MyCERT


    Other Activities

    In May 2012, MyCERT staff had conducted training at Ministry of Higher Education, Putrajaya on Web Security. Similar training on DNS Security was conducted in June 2012 at Ministry of Domestic Trade, Co -operatives and Consumerism, Kuantan.

    MyCERT staff had also conducted a presentation on Reverse Engineering Encryption Routine Inside Android Malware and Training on Dissecting Malicious PDF in June 2012 in Taiwan.

    Conclusion

    In conclusion, the number of computer security incidents reported to us in this quarter had decreased slightly compared to the previous quarter. However, some categories of incidents reported to us continue to increase. The slight decrease could be a positive indication that more Internet users are aware of current threats and are taking proper measures against them. No severe incidents were reported to us in this quarter and we did not observe any crisis or outbreak in our constituencies. Nevertheless, users and organizations must be constantly vigilant of the latest computer security threats and are advised to always take measures to protect their systems and networks from these threats.

    Internet user and organizations may contact MyCERT for assistance at the below contact:

    Malaysia Computer Emergency Response Team (MyCERT)
    E-mail:     mycert@mycert.org.my
    Cyber999 Hotline: 1 300 88 2999
    Phone: (603) 8992 6969
    Fax: (603) 8945 3442
    Phone: 019-266 5850
    SMS: Type CYBER999 report to 15888
    http://www.mycert.org.my/


    Please refer to MyCERT's website for latest updates of this Quarterly Summary.