MS-093.072005: MyCERT Quarterly Summary (Q2) 2005
The MyCERT Quarterly Summary is a report that includes brief descriptions and analysis of the major incidents observed during the period. It also highlights the statistics of attacks/incidents reported, as well as other noteworthy incidents and new vulnerability information.
Additionally, this summary points to resources for dealing with problems related to security incidents, including patches, service packs, upgrades and hardening guidance.
The Second Quarter of 2005 was less hectic than the previous quarter. There were no significant incidents or surges this quarter. Overall, the number of incidents fell by 60.7% compared with the previous quarter: 1589 incidents were reported this quarter against 4042 in the previous quarter. Only two categories, Malicious Code and Forgery, increased this quarter; every other category dropped compared with the previous quarter.
The Increase in Forgery Incident
This quarter shows a slight increase in Forgery, with a total of 36 incidents compared with 30 in the previous quarter, a 20% increase. The majority of Forgery incidents are phishing activities involving local and foreign financial institutions. A serious, well-organized phishing attack occurred in May 2005 involving four well-known local internet banking sites. The phishing email asked recipients to log in through the links in the email, one for each of the four targeted banks. Clicking a link in the email led first to a Google search string URL, which then redirected to the phishing site. The site displayed a pop-up window asking users to enter the username and password of their internet banking account and to "verify" the bank's website. Our analysis indicates that the phishing sites for all four banks were hosted on a single machine with the IP address 126.96.36.199, located in Russia.
For comparison, the mass defacement of the previous quarter, in which 216 Malaysian websites were defaced between 6 and 21 March 2005, most of them left with messages of hatred or dissatisfaction directed at the Government of Malaysia and its Ministers/Ministries, was not repeated this quarter.
MyCERT responded successfully to the phishing incident by communicating it to our Russian counterpart; CERT Russia managed to shut down the site within 2 days. The alert on the phishing attack is available at:
http://www.mycert.org.my/en/services/advisories/mycert/2005/main/detail/53/index.html (Released on 11th March 2005)
MyCERT strongly urges users who receive emails purportedly from a bank asking them to change their login and password to ignore and delete such emails immediately. Users are also advised to verify any such email with their ISP, CERT or the financial institution named in the email.
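The link trick described above (a mail link that points at a Google redirect URL, which then forwards the victim to the phishing host) can be caught mechanically at the mail gateway. The following is an added example written for this summary, not code from MyCERT or from the report: it extracts the links from an HTML mail body, follows redirector-style URLs (a URL carried inside another URL's query string) to the host the user would actually land on, and flags links whose landing host differs from the visible one, whose anchor text names a different host, or whose landing host is not a known bank domain. The redirector form http://www.google.com/url?q=<target>, the allow-list KNOWN_BANK_DOMAINS and the sample mail are assumptions constructed for the example.

```python
"""
Added example (not from the MyCERT report): flag mail links that bounce
through a redirector to a host other than the one the user sees.
Assumptions: redirect links of the form http://www.google.com/url?q=<target>;
KNOWN_BANK_DOMAINS is a hypothetical allow-list; SAMPLE_MAIL is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hypothetical allow-list of legitimate banking domains for this example.
KNOWN_BANK_DOMAINS = {"examplebank.com.my"}

URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def nested_urls(url):
    """URLs carried as query-string values of `url` (the redirector pattern)."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        found.extend(v for v in values if URL_RE.match(v))
    return found


def landing_host(url, max_hops=5):
    """Host the user ends up on after following nested redirect targets."""
    for _ in range(max_hops):
        inner = nested_urls(url)
        if not inner:
            break
        url = inner[0]
    return (urlparse(url).hostname or "").lower()


def is_known_bank(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_BANK_DOMAINS)


def suspicious_links(html_body):
    """Return (href, reason) pairs for links a phishing filter should flag."""
    ex = LinkExtractor()
    ex.feed(html_body)
    ex.close()
    findings = []
    for href, text in ex.links:
        visible_host = (urlparse(href).hostname or "").lower()
        landing = landing_host(href)
        if landing != visible_host:
            findings.append((href, f"redirects from {visible_host} to {landing}"))
        m = URL_RE.search(text)  # anchor text that shows a URL pointing elsewhere
        if m and m.group(1).lower() != landing:
            findings.append((href, f"link text shows {m.group(1)} but lands on {landing}"))
        if not is_known_bank(landing):
            findings.append((href, f"landing host {landing or '?'} is not a known bank domain"))
    return findings


# Constructed sample in the style of the attack described above (not a real mail).
SAMPLE_MAIL = """<p>Dear customer, please verify your internet banking account:</p>
<a href="http://www.google.com/url?q=http://203.0.113.7/ebank/login.php">https://www.examplebank.com.my/login</a>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MAIL):
        print(reason)
```

The check deliberately resolves the landing host from the link itself rather than fetching it, so it runs offline at the gateway; a real deployment would also look inside shortener and tracking services and treat an IP-address landing host as suspicious on its own.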
Increase on Malicious Code Incidents
The second quarter of 2005 shows a slight increase in virus/worm incidents, with a total of 19 incidents, about 11.8% higher than the previous quarter. Most of the worm incidents reported involved new variants of mass-mailing worms such as W32.Mytob, W32.Sober and W32.Sasser, as well as Backdoor.Berbew.N, W32.Ifbo and PWSteal.Banker.B Trojan activity. However, no significant worm outbreak or severe damage from worm activity was reported this quarter.
MyCERT advises users to always take precautions against worms, even though no worm outbreak was observed within our constituency. Some of the precautions that users can take are:
Email Gateway Filtering
Sites are encouraged to apply filters at their email gateways to block any attachments associated with the worm.
Users must make sure that their PCs have anti-virus software installed and that it is updated continuously with the latest signature files. Users who do not have anti-virus software installed on their PCs may download one from the following site:
Users must also keep their PCs/machines updated with the latest service packs and patches, as some worms propagate by exploiting unpatched programs present on PCs/machines.
Users are also advised to install a personal firewall, such as Zone Alarm, on their PCs/machines.
Organizations are also advised to close unnecessary services and ports, except the HTTP port. If other services/ports need to be used, they should be filtered to allow authorized users only.
Safe Email Practices
MyCERT strongly advises users not to open any unknown attachments received via email. Any suspicious email should be deleted or forwarded to the respective ISP or CERT for verification. Users may refer to the following guidelines on safe email practices:
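The gateway filtering and safe email practices above can be made concrete with a small attachment check. The following is an added example written for this summary, not code from MyCERT or from any of the products mentioned: it parses a raw message and flags attachments that carry an executable extension, a double extension such as invoice.txt.exe (a common mass-mailing worm disguise), or Windows PE content (the "MZ" header) whatever the declared name; ZIP attachments are opened and their members checked the same way. The extension lists, the size limit and the sample message are assumptions constructed for the example.

```python
"""
Added example (not from the MyCERT report): reject mail attachments that look
like worm droppers. EXEC_EXTENSIONS, DOC_EXTENSIONS, MAX_MEMBER_SIZE and the
sample message are constructed for this example.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions Windows runs on double-click (example list, not exhaustive).
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "cpl"}
# Harmless-looking extensions worms put in front of the real one.
DOC_EXTENSIONS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html"}
MAX_ZIP_DEPTH = 2            # do not recurse into zips inside zips forever
MAX_MEMBER_SIZE = 10_000_000 # refuse to expand oversized members (zip bombs)


def classify_name(filename):
    """'executable extension', 'double extension' or None for a declared filename."""
    parts = [p.strip() for p in filename.lower().split(".")]  # strip() defeats "name.txt    .exe"
    if len(parts) < 2 or parts[-1] not in EXEC_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in DOC_EXTENSIONS:
        return "double extension"
    return "executable extension"


def check_file(name, data, depth=0):
    """Findings for one attachment: list of (name, reason)."""
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append((name, reason))
    if data[:2] == b"MZ":  # PE/DOS executable header, regardless of name
        findings.append((name, "PE header"))
    if data[:2] == b"PK" and depth < MAX_ZIP_DEPTH:  # ZIP archive: inspect members
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_SIZE:
                        findings.append((f"{name}:{info.filename}", "oversized member"))
                        continue
                    for inner_name, inner_reason in check_file(info.filename, zf.read(info), depth + 1):
                        findings.append((f"{name}:{inner_name}", inner_reason))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt ZIP"))
    return findings


def attachment_findings(raw_message):
    """Parse a raw RFC 822 message and check every named attachment."""
    msg = message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        findings.extend(check_file(name, payload))
    return findings


def should_block(raw_message):
    return bool(attachment_findings(raw_message))


def build_sample_message():
    """Constructed worm-style mail: a ZIP holding 'invoice.txt.exe' that starts with MZ."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    print("block:", should_block(raw))
    for name, reason in attachment_findings(raw):
        print(f"  {name}: {reason}")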
Significant Drop on Intrusion Incidents
Intrusion incidents dropped to 103 this quarter from 256 in the previous quarter, a 59.8% decrease. Web defacements still remain the top Intrusion incident compared with other Intrusions such as root compromise. However, no mass defacements were observed this quarter.
Our findings indicate that the majority of websites defaced this quarter were in .com.my domains. A significant finding is that about 75% of the web defacements this quarter were re-defacements of websites that had previously been defaced. Some websites were defaced more than twice within this year, in spite of our notification and guidance to the System Administrators after their first defacement. We therefore urge System Administrators/Web Administrators to take serious action in securing and hardening their servers to prevent re-defacements.
MyCERT advises all System Administrators and owners of systems/networks to upgrade and patch the software/services/applications they are currently running. It is also recommended to disable unnecessary default services supplied by vendors. Our analysis showed that the majority of previous Intrusions such as web defacements were due to vulnerable and unpatched services running on the server. Web defacements of Linux machines were due to running older versions of the Apache server, PHP scripts and OpenSSL. For IIS web servers, web defacements were commonly due to the Microsoft IIS extended Unicode directory traversal vulnerability, the Microsoft FrontPage Server Extensions vulnerability and the WebDAV vulnerability.
Details of the vulnerabilities and solutions are available at:
Apache Web Server Chunk Handling Vulnerability
Vulnerabilities in PHP File upload
Vulnerabilities in SSL/TLS Implementation
Microsoft IIS extended Unicode directory traversal vulnerability
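The IIS extended Unicode directory traversal vulnerability listed above is worth a closer look, because the same trick still shows up in web logs as a scanning signature: IIS checked the request path for ".." before decoding UTF-8, so an overlong encoding of "/" (%c0%af) or "\" (%c1%9c) passed the check and was only turned into a separator afterwards. The following is an added example written for this summary, not code from MyCERT or Microsoft: it decodes a request path the way the vulnerable server effectively did, accepting overlong sequences and repeated percent-encoding, and then reports requests whose decoded path climbs out of the web root. The log layout (a W3C-style "date time client method uri query status") and the records are constructed for the example.

```python
"""
Added example (not from the MyCERT report): detect IIS-style Unicode/overlong
directory traversal attempts in web server logs. The log lines are constructed.
"""
import re
from urllib.parse import unquote_to_bytes


def _cont(b):
    """True for a UTF-8 continuation byte (10xxxxxx)."""
    return 0x80 <= b <= 0xBF


def decode_overlong_utf8(data):
    """Decode UTF-8 but also accept overlong 2- and 3-byte forms (which a
    strict decoder rejects). Returns (text, overlong_seen)."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and _cont(data[i + 1]):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80            # two bytes spent on an ASCII code point
            out.append(chr(cp)); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data) and _cont(data[i + 1]) and _cont(data[i + 2]):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800
            if 0xD800 <= cp <= 0xDFFF:      # lone surrogate: not a valid character
                cp = 0xFFFD
            out.append(chr(cp)); i += 3
        else:
            out.append("\ufffd"); i += 1    # invalid byte
    return "".join(out), overlong


# ".." bounded by the start of the path or a slash/backslash on either side
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def normalise_path(path, rounds=3):
    """Percent-decode repeatedly (attackers also double-encode, e.g. %255c -> %5c -> \\)
    and decode overlong UTF-8. Returns (decoded_path, overlong_seen)."""
    overlong, current = False, path
    for _ in range(rounds):
        text, seen = decode_overlong_utf8(unquote_to_bytes(current))
        overlong |= seen
        if text == current:
            break
        current = text
    return current, overlong


def is_traversal(path):
    decoded, _ = normalise_path(path)
    return TRAVERSAL.search(decoded) is not None


def scan_log(lines):
    """One record per request whose decoded path climbs directories."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):   # W3C header lines
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        client, method, uri = fields[2], fields[3], fields[4]
        decoded, overlong = normalise_path(uri)
        if TRAVERSAL.search(decoded):
            hits.append({"client": client, "method": method, "raw": uri,
                         "decoded": decoded, "overlong": overlong})
    return hits


# Constructed sample log in an IIS W3C-like layout (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-05-10 03:14:22 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2005-05-10 03:14:23 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2005-05-10 03:15:01 198.51.100.4 GET /index.htm - 200
2005-05-10 03:15:07 198.51.100.4 GET /images/logo.gif - 200
2005-05-10 03:16:44 203.0.113.9 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 404
""".splitlines()

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = " (overlong UTF-8)" if h["overlong"] else ""
        print(f'{h["client"]} {h["raw"]} -> {h["decoded"]}{flag}')
```

The lesson for server hardening is the one the vulnerability taught: canonicalise (decode fully, including overlong and double encodings) before applying any path check, never after.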
Administrators of Windows IIS web servers may use the IIS Lockdown tool to harden their servers.
IIS Lockdown Wizard version 2.1 works by turning off unnecessary features, thus reducing attack surface available to attackers.
The IIS Lockdown tool can be downloaded at:
Web servers running on Linux may use a TCP filtering mechanism such as TCP Wrappers at the server or gateway level. TCP Wrappers is a tool commonly used on UNIX systems to monitor and filter connections to network services.
TCP Wrappers can be downloaded free at:
Drop in Hack Attempts
Hack attempt incidents decreased by 58.5% this quarter. A total of 17 reports on hack attempts were received this quarter compared with 41 in the previous quarter; these mainly targeted organizations' systems and networks. Home users' PCs are also becoming targets of port scanning.
MyCERT's findings for this quarter show that the top ports targeted by scanning were SMB (TCP/445), SSH (TCP/22), HTTP (TCP/80), MS SQL (TCP/1433) and NetBIOS (TCP/137, TCP/138, TCP/139), possibly due to newly discovered vulnerabilities in those services. Port scanning is carried out actively, with automated or manual tools, once a new bug or exploit is released to the public. Besides scanning for open ports, scans are also run to detect machines running vulnerable programs and scripts, such as scanning for the Unicode vulnerability on IIS web servers and for machines running vulnerable PHP scripts.
MyCERT recommends the following preventive measures:
Close all unneeded ports and services except the HTTP service; other required ports/services should be filtered and patched accordingly.
Keep all machines/systems properly patched and upgraded with the latest patches, service packs and upgrades to fix any vulnerability that may be present on the machines/systems.
Organizations can install network-based or host-based IDS to alert on scans and other malicious attempts against their hosts.
Home users should install a personal firewall to alert them to any unauthorized scanning of their machine and to block any penetration of their system.
More information on home PC security is available at:
High Surge in TCP/445 Port Scannings
This quarter also saw a significant increase in TCP/445 port scanning. TCP/445 is associated with Microsoft Windows' Server Message Block (SMB) protocol and could potentially be used to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability (MS05-027), a critical flaw for which Microsoft released a patch on June 14, 2005. Our research network recorded a sharp increase in TCP/445 scanning this quarter, as shown in the graph below:
The surge in TCP/445 scanning this quarter has also been observed globally. Research firm Gartner published a report warning that a vulnerability in Microsoft's SMB (Server Message Block) file-sharing protocol could be used in a new attack. Because of the rise in activity on TCP port 445 observed by security vendors, Gartner concluded that a "mass attack" could be imminent. Ports are numbers used by the Internet protocols to route messages to different applications. Gartner recommended that users apply the Microsoft patches as soon as possible and ensure that port 445 is blocked by a firewall.
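The two things the preceding sections ask defenders to watch for, scanning sources (the IDS recommendation above) and a surge on one port such as TCP/445, can both be derived from ordinary firewall drop records. The following is an added example written for this summary, not code from MyCERT or from the research network mentioned: it flags sources that hit many distinct host:port targets within a short window, and compares the latest day's hit count on a port with the mean of the earlier days to detect a surge. The log layout ("date time src dst dport action"), the records and the thresholds are assumptions constructed for the example.

```python
"""
Added example (not from the MyCERT report): scan and port-surge detection
over firewall drop records. Log layout, records and thresholds are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_log(lines):
    """Parse 'YYYY-MM-DD HH:MM:SS src dst dport action' into (ts, src, dst, dport)."""
    events = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue
        ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, fields[2], fields[3], int(fields[4])))
    return events


def scanning_sources(events, min_targets=10, window=timedelta(minutes=5)):
    """Sources that touch >= min_targets distinct (dst, dport) pairs inside `window`.
    Returns {src: largest number of distinct targets seen in any window}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, (dst, dport)))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        in_window = Counter()   # target -> hits currently inside the sliding window
        j = 0
        for i, (ts_i, target) in enumerate(evs):
            while j < len(evs) and evs[j][0] <= ts_i + window:
                in_window[evs[j][1]] += 1   # grow the window forward in time
                j += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
            in_window[target] -= 1          # slide: event i leaves the window
            if in_window[target] == 0:
                del in_window[target]
    return flagged


def port_surge(events, dport, ratio=3.0):
    """Compare the latest day's hits on `dport` with the mean of the earlier days.
    Returns None when fewer than two days of data exist for that port."""
    per_day = Counter(ts.date() for ts, _, _, p in events if p == dport)
    if len(per_day) < 2:
        return None
    days = sorted(per_day)
    latest = days[-1]
    baseline = sum(per_day[d] for d in days[:-1]) / (len(days) - 1)
    return {"day": latest.isoformat(), "count": per_day[latest],
            "baseline": baseline, "surge": per_day[latest] >= ratio * baseline}


def build_sample_log():
    """Constructed firewall drop records (not real traffic): two quiet days,
    then one source sweeping TCP/445 across 40 hosts in 40 seconds."""
    lines = []
    for day in ("2005-06-12", "2005-06-13"):
        for i, port in enumerate((445, 22, 80, 445, 1433)):
            lines.append(f"{day} 10:0{i}:00 198.51.100.{i + 1} 192.0.2.10 {port} DROP")
    for i in range(40):
        lines.append(f"2005-06-14 02:00:{i:02d} 203.0.113.77 192.0.2.{i + 1} 445 DROP")
    lines.append("2005-06-14 11:00:00 198.51.100.9 192.0.2.10 22 DROP")
    return lines


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("scanners:", scanning_sources(ev))
    print("TCP/445:", port_surge(ev, 445))
```

A per-port baseline of a few days is enough to make the kind of jump described above stand out; the scanner check, by contrast, works within minutes of the first sweep and does not need history.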
The Drop in Harassment
Harassment incidents decreased by 16.7%. The majority of harassment incidents received involved harassment via email, chat forums and web forums, and most of them were referred to law enforcement agencies for further investigation. MyCERT has also assisted law enforcement agencies, such as the police, in investigating some harassment incidents.
An interesting finding is that the majority of email harassment victims were single, unmarried or divorced females who had been harassed for some time before reporting to us. We advise users who are harassed via the Internet, and anyone who observes harassment via web forums with religious, social, political or economic implications, to report it to MyCERT for further analysis.
Drop in Spam Incidents
Spam incidents still remain on top, with a total of 1400 incidents this quarter. However, this is a 62% drop from the previous quarter. The main reason for this significant decrease is that more and more local ISPs are applying anti-spam filters at their gateways to prevent spam from reaching end-users' mailboxes. We see this as a positive measure in minimizing and eradicating spam activity in the country.
Denial of Service
We received 4 reports of Denial of Service compared with 3 in the previous quarter, a 33.3% increase. The majority of Denial of Service attacks reported to us were due to heavy port scanning of the organizations' networks, which consumed bandwidth and disrupted their service/performance. Some of the port scanning detected was associated with worm activity; the rest was plain port scanning looking for open ports and vulnerable services/programs.
Overall, the number of incidents reported to us dropped by more than half compared with the previous quarter. Spam incidents dropped by more than 50% as a result of preventive measures taken by most ISPs, namely spam filters at their gateways. No crisis or significant attack/incident causing severe impact to the constituency was observed this quarter, unlike the previous quarter, which makes this a less hectic quarter.
Complete figures and statistics graphs on the Abuse Statistics released monthly by MyCERT are available at:
Reference to past years' Abuse Statistics is also available at the above URL.