MS-095.102005: MyCERT Quarterly Summary (Q3) 2005
12th October 2005
The MyCERT Quarterly Summary is a report that includes brief descriptions and analysis of the major incidents observed during the period. It also features highlights of the statistics of attacks and incidents reported, as well as other noteworthy incidents and new vulnerability information.
Additionally, this summary points to resources for dealing with problems related to security incidents, including patches, service packs, upgrades and hardening.
The third quarter of 2005 was less hectic than the previous quarter. There were no significant incidents or surges this quarter, and we saw a drop in all incident categories. Overall, there was a 30.3% decrease in the number of incidents compared to the previous quarter: 1107 incidents were reported this quarter, compared to 1589 in the previous quarter.
Local Machines Compromised to Set Up Foreign Banking Phishing Sites
Forgery incidents continue, although this quarter shows a slight decrease in these activities, with a total of 35 incidents compared to 36 in the previous quarter, a 2.8% decrease. The majority of forgery incidents are phishing activities involving foreign financial institutions. In this quarter, MyCERT received a series of reports from foreign financial organizations and CERTs regarding phishing sites hosted on Malaysian servers. MyCERT responded to the reports by communicating with the server owners to remove the phishing sites, and within 6 hours the sites were successfully removed. Upon analysis, we found that the affected servers had been compromised and were then used to set up phishing sites. In fact, we found a single server hosting more than 2 phishing sites targeting foreign online banking customers.
MyCERT strongly urges users who receive emails purportedly from a bank requesting that they change their logon and password to ignore and delete such emails immediately. Users are also advised to verify any such emails with their ISPs, CERTs or with the particular financial institution mentioned.
In addition, MyCERT also advises organizations to secure and harden their servers to prevent them from being compromised and used for malicious purposes, such as running phishing sites.
Malicious Code Incidents Continue
This quarter indicates a slight decrease in virus or worm incidents, with a total of 16 incidents, which is about 15.8% lower than the previous quarter. This number is relatively low considering that new worms and Trojans were released to the net. Most of the worm incidents reported involved new variants of mass-mailing worms such as W32.Zotob, as well as Trojan activities. However, this quarter remained peaceful: no significant worm outbreak or severe damage due to worm activities was reported.
MyCERT advises users to always take precautions against worm incidents, even though no worm outbreaks were observed within our constituency. Some of the precautions that can be taken are:
Email Gateway Filtering
Sites are encouraged to apply filters at email gateways to block any attachments associated with the worm.
Users must make sure that their PCs have anti-virus software installed and that it is updated continuously with the latest signature files. Users who do not have an anti-virus installed on their PCs may download one from the following site:
Users need to make sure that their PCs or machines are always updated with the latest service packs and patches, as some worms propagate by exploiting unpatched programs present on PCs or machines.
Safe Email Practices
MyCERT strongly advises users not to open any unknown attachments received via email. Any suspicious emails should be deleted or forwarded to the respective ISPs or CERTs for verification. Users may refer to the following guidelines on safe email practices:
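The gateway filtering and safe-email precautions above describe what a worm-era mail filter looks for: attachments carrying executable extensions, double extensions that hide the real type, and executable content regardless of the file name. The following is an added example written for this page, not code from MyCERT or from any product it names; it uses Python's standard email library, a constructed sample message, and an extension list that is an assumption rather than something the report specifies.

```python
"""Mail-gateway attachment check (added example, not MyCERT's code).

Parses a raw RFC 822 message and reports attachments that a gateway filter
would block: executable extensions, executable extensions hidden inside a
longer name, and payloads that start with the 'MZ' PE header whatever name
they carry.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions commonly carried by mass-mailing worms. This list is an
# assumption for the example, not a list taken from the report.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def classify_attachment(filename, payload):
    """Return a reason string if the attachment should be blocked, else None."""
    name = (filename or "").lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension .{ext}"
    # Name spoofing such as 'invoice.exe.txt': an executable extension
    # anywhere between the base name and the final extension.
    if any(p in BLOCKED_EXTENSIONS for p in parts[1:-1]):
        return "executable extension hidden inside name"
    # The content is decisive: a Windows PE file starts with 'MZ'.
    if payload[:2] == b"MZ":
        return "PE executable content (MZ header)"
    return None


def scan_message(raw: bytes):
    """Return a list of (filename, reason) for every attachment to block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), payload)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def build_sample() -> bytes:
    """Construct a sample message with three attachments (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "your document"
    msg.set_content("see attached")
    # A PE header disguised under a harmless-looking name.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    # A screensaver executable with a double extension.
    msg.add_attachment(b"not a pe", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.scr")
    # A genuinely harmless text attachment.
    msg.add_attachment(b"hello", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```

The content check matters more than the name check: the first attachment in the sample would pass any extension-based rule, which is why a gateway should inspect decoded payloads and not only file names.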
More New .MY Sites Defaced
Intrusion incidents dropped to 86 this quarter from 103 in the previous quarter, a 16.5% decrease. Web defacements remain the top intrusion incident compared to other intrusions such as root compromise, with a total of 83 .my websites defaced this quarter. However, no mass defacements were observed in this quarter.
Our findings indicate that the majority of websites defaced this quarter are in .com.my domains rather than other domains. Whereas the previous quarter was marked by re-defacements, in this quarter we found more new .my sites being defaced. We therefore urge system administrators and web administrators to take serious action on securing and hardening their servers to prevent re-defacements.
MyCERT advises all system administrators and owners of systems and networks to upgrade and patch the software, services and applications they are currently running. It is also recommended to disable unnecessary or unneeded default services supplied by vendors. Our analysis shows that the majority of previous intrusions such as web defacements were due to vulnerable and unpatched services running on the server. Web defacements involving Linux machines are due to running older versions of the Apache server, PHP scripts and OpenSSL. As for IIS web servers, web defacements were commonly due to the Microsoft IIS extended Unicode directory traversal vulnerability, the Microsoft FrontPage Server Extensions vulnerability and the WebDAV vulnerability.
Details of the vulnerabilities and solutions are available at:
Apache Web Server Chunk Handling Vulnerability
Vulnerabilities in PHP File upload
Vulnerabilities in SSL/TLS Implementation
Microsoft IIS extended Unicode directory traversal vulnerability
Slight Drop in Hack Attempts
Hack attempt incidents show a decrease of 5.9% this quarter. A total of 16 reports were received on hack attempts this quarter compared to 17 in the previous quarter, targeting mainly organizations' systems and networks. Home users' PCs are also becoming targets of port scanning. Most reports on hack attempts were received from foreign complainants about hack attempts originating from Malaysia.
MyCERT's findings for this quarter show that the top targeted ports for scanning are SMB (TCP/445), SSH (TCP/22), HTTP (TCP/80), MS SQL (TCP/1433) and NetBIOS (TCP/137, TCP/138, TCP/139), possibly due to newly discovered vulnerabilities in those services. Port scanning is actively carried out, using automated or non-automated tools, once a new bug or exploit is released to the public. Besides scanning for open ports, scanning is also actively done to detect machines running vulnerable programs and scripts, such as scanning for the Unicode vulnerability on IIS web servers and scanning for machines running vulnerable PHP scripts.
MyCERT recommends the following preventive measures:
All unneeded ports and services should be closed; HTTP and the other required ports or services should be filtered and patched accordingly.
All machines and systems should be properly patched and upgraded with the latest patches, service packs and upgrades to fix any vulnerability that may be present.
Organizations can install network-based or host-based IDS to alert on scanning and other malicious attempts against their hosts.
Home users are recommended to install personal firewalls in order to be alerted to any unauthorized scanning of their machine, and to block any penetration into their system.
More information on home PC security is available at: http://www.mycert.org.my/en/resources/home_user/pc_security/main/detail/520/index.html
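The preventive measures above recommend an IDS or personal firewall that alerts on scanning, and the findings name the ports most often probed (SMB, SSH, HTTP, MS SQL and NetBIOS). The following is an added example written for this page, not MyCERT's code or any named product's: it runs over constructed firewall log lines in a netfilter-like format (the format and all addresses are assumptions) and reports both a horizontal sweep of one port across many hosts and a vertical scan of many ports on one host, with a tally of the ports seen.

```python
"""Port-scan detector over constructed firewall log lines (added example,
not MyCERT's code).

Two patterns are reported: a horizontal sweep (one source probing the same
port on many hosts) and a vertical scan (one source probing many ports on
one host). A hit count per destination port is also returned so the most
targeted services can be compared with the quarter's findings.
"""
import re
from collections import Counter, defaultdict

# Service names for the ports the report lists as most scanned.
SERVICE = {445: "SMB", 22: "SSH", 80: "HTTP", 1433: "MS SQL",
           137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS"}

# Netfilter-style key=value fields; the log format is an assumption.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) "
    r"(?:SPT=\d+ )?DPT=(?P<dpt>\d+)")


def parse(lines):
    """Yield (src, dst, proto, dport) for each line that matches the format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def detect_scans(lines, host_threshold=5, port_threshold=5):
    """Return sweeps, vertical scans and the most-hit ports for TCP traffic."""
    hosts_by_src_port = defaultdict(set)   # (src, dport) -> {dst}
    ports_by_src_host = defaultdict(set)   # (src, dst) -> {dport}
    hits = Counter()
    for src, dst, proto, dpt in parse(lines):
        if proto != "TCP":
            continue
        hosts_by_src_port[(src, dpt)].add(dst)
        ports_by_src_host[(src, dst)].add(dpt)
        hits[dpt] += 1
    sweeps = sorted((src, dpt, len(hosts))
                    for (src, dpt), hosts in hosts_by_src_port.items()
                    if len(hosts) >= host_threshold)
    vertical = sorted((src, dst, len(ports))
                      for (src, dst), ports in ports_by_src_host.items()
                      if len(ports) >= port_threshold)
    return {"sweeps": sweeps, "vertical": vertical,
            "top_ports": hits.most_common(3)}


def build_sample_log():
    """Constructed log lines using documentation address ranges."""
    fmt = "Jul 12 03:{m:02d}:{s:02d} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO={proto} SPT={spt} DPT={dpt}"
    lines = []
    # One source sweeps SMB across six hosts.
    for i in range(1, 7):
        lines.append(fmt.format(m=14, s=i, src="203.0.113.7", dst=f"192.0.2.{i}",
                                proto="TCP", spt=4123, dpt=445))
    # Another source walks several service ports on a single host.
    for p in (22, 80, 139, 445, 1433):
        lines.append(fmt.format(m=20, s=0, src="198.51.100.9", dst="192.0.2.20",
                                proto="TCP", spt=5000, dpt=p))
    # Ordinary web traffic and UDP NetBIOS noise that should not alert.
    lines.append(fmt.format(m=21, s=0, src="192.0.2.50", dst="192.0.2.20",
                            proto="TCP", spt=51000, dpt=80))
    lines.append(fmt.format(m=22, s=0, src="192.0.2.51", dst="192.0.2.20",
                            proto="UDP", spt=137, dpt=137))
    return lines


if __name__ == "__main__":
    result = detect_scans(build_sample_log())
    for src, dpt, n in result["sweeps"]:
        print(f"horizontal sweep: {src} probed {SERVICE.get(dpt, 'port')} TCP/{dpt} on {n} hosts")
    for src, dst, n in result["vertical"]:
        print(f"vertical scan: {src} probed {n} ports on {dst}")
    print("most targeted ports:", result["top_ports"])
```

The thresholds are deliberately low so the small sample triggers; on a real gateway they should be tuned to the site's normal traffic, and the distinct-host and distinct-port sets should be bounded by a time window rather than accumulated indefinitely.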
Drop in Harassment Incidents
Harassment incidents decreased by 30%, with 7 reports received this quarter compared to 10 reports in the previous quarter.
The majority of harassment incidents received involved harassment committed via email, chat forums and web forums, and most of them were referred to the law enforcement agencies for further investigation. MyCERT has also assisted the law enforcement agencies, such as the police, in investigating some harassment incidents.
We are not sure of the reason for this significant drop, but we advise users who are harassed via the Internet, or anyone who observes any kind of harassment via web forums that has religious, social, political or economic implications, to report it to MyCERT for further analysis.
Spam incidents still remain on top with a total of 952 incidents this quarter, despite a drop in the number of spam reports we received, a 32% drop from the previous quarter. The main reason for this significant decrease is that more and more local ISPs are applying anti-spam filters at their gateways to prevent spam emails from reaching end users' mailboxes. We see this as a positive measure in minimizing and eradicating spam activities in the country.
In addition, end users are also taking measures at their site by applying appropriate filters on their PCs to minimize spam emails.
Denial of Service
In this quarter, we did not receive any reports on Denial of Service compared to 4 reports in the previous quarter.
Overall, the number of incidents reported to us has dropped by more than a quarter compared to the previous quarter, and we observed a drop in all security incident categories. We hope the drop is due to proper security measures being implemented to prevent incidents, rather than to less hacking activity in this quarter. Spam incidents have dropped by more than 30% as a result of preventive measures taken by most ISPs, through the application of spam filters at their gateways, as well as other measures by end users. Generally, no crisis or significant attack or incident that caused severe impact to the constituency was observed this quarter, as there had been in the previous quarter. This indicates a less hectic quarter compared to the previous one.
Complete figures and statistical graphs from the Abuse Statistics released monthly by MyCERT are available at: