MyCERT Advisories, Alerts and Summaries for the year 2005

MS-086.012005: MyCERT Quarterly Summary (Q4) 2004

Original Issue Date: 17th January 2005

The MyCERT Quarterly Summary is a quarterly report that wraps up the incidents reported to us, with brief descriptions and analysis of the major incidents observed during that period. It includes highlights on the statistics of attacks/incidents reported, as well as other noteworthy incidents and new vulnerability information.

Additionally, this summary points to resources for dealing with security incidents, including patches, service packs, upgrades and hardening guidance.

Recent Activities

The 4th Quarter of 2004 was less hectic for MyCERT than the previous quarters. During this period there were no major outbreaks with any severe impact on the network infrastructure of the country. The majority of security incident categories dropped or remained the same compared to the previous quarter, except for Forgery, Harassment and Spam incidents.

Forgery and Harassment Incidents on the Rise

This quarter also saw a significant increase in Harassment, with a total of 26 incidents compared to 12 incidents in the previous quarter, which represents more than a 100% increase. The majority of Harassment incidents received involved harassment committed via email and web forums, and most of them were referred to the law enforcement agencies for further investigation.

MyCERT was also involved in assisting Law Enforcement Agencies, such as the police, the Attorney General and the Malaysian Communications and Multimedia Commission (MCMC), in investigating some harassment incidents, including the country's high-profile incidents.

It is worth highlighting here that harassment incidents are on the rise, with more and more irresponsible Internet users abusing web forums, Internet Relay Chat (IRC) and email for malicious purposes to harass other users.

We advise users who are harassed via email, or any individuals who observe any kind of harassment via web forums that has implications for the religion, society, politics or economy of the country, to report it to MyCERT for further analysis.

This quarter also witnessed an increase of 51.9% in Forgery incidents compared to the previous quarter. We received 41 reports on Forgery for this quarter, which include phishing scams and email forgery, with the majority coming from the former, with a total of 35 reports. MyCERT observed an increase in phishing activities for this quarter, involving local and foreign banks. The phishing activities reported to us include local and foreign banks becoming victims of phishing scams and users who received phishing emails purportedly from trusted banks.

MyCERT strongly urges users who receive emails purportedly from a bank requesting them to change their logon and password to ignore/delete such emails immediately. Users are also advised to refer and verify any such emails with their ISPs, CERTs or with the particular financial institution mentioned.

Incidents involving Intrusion dropped by about 57.6% compared to the previous quarter, with a total of 42 reports. However, this does not mean our systems/networks are safe from any threats. Though Intrusion incidents dropped for this quarter, we predict there may be more Intrusion incidents occurring in early 2005. We also advise System Administrators to take note of the hackers' global game of Capture the Flag in February 2005. The news was released by CNET News on 2nd August 2004 as follows:

Hackers plan global game of 'capture the flag'
http://news.com.com/Hackers+plan+global+game+of+%27capture+the+flag%27/2100-7349_3-5291107.html?tag=sas.email

MyCERT would like to advise all System Administrators and owners of systems/networks to upgrade and patch the software/services/applications they are currently running. In addition, it is also recommended to disable unnecessary or unneeded default services supplied by vendors. Our analysis showed that the majority of previous Intrusions, such as web defacements, were due to vulnerable and unpatched services running on the server. Web defacements involving Linux machines were due to running older versions of the Apache server, PHP scripts and OpenSSL. As for IIS web servers, web defacements were commonly due to the Microsoft IIS extended Unicode directory traversal vulnerability, the Microsoft FrontPage Server Extensions vulnerability and the WEBDAV vulnerability.

Details of the vulnerabilities and solutions are available at:

  1. Apache Web Server Chunk Handling Vulnerability
    http://www.cert.org/advisories/CA-2002-17.html

  2. Vulnerabilities in PHP File upload
    http://www.cert.org/advisories/CA-2002-05.html

  3. Vulnerabilities in SSL/TLS Implementation
    http://www.cert.org/advisories/CA-2003-26.html

  4. WEBDAV Vulnerability
    http://www.cert.org/advisories/CA-2003-09.html

  5. Microsoft IIS extended Unicode directory traversal vulnerability
    http://www.mycert.org.my/en/services/advisories/mycert/2001/main/detail/127/index.html

Administrators of web servers running Windows IIS may use the IIS Lockdown tool to harden their server.

IIS Lockdown Wizard version 2.1 works by turning off unnecessary features, thus reducing the attack surface available to attackers.

The IIS Lockdown tool can be downloaded at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en

Web servers running on Linux may use a TCP filtering mechanism such as TCP Wrappers at the server or gateway level. TCP Wrappers is a tool commonly used on UNIX systems to monitor and filter connections to network services.

TCP Wrappers can be downloaded free of charge at:

http://www.cert.org/security-improvement/implementations/i041.07.html

The fourth quarter of 2004 saw a decrease in virus/worm incidents, with a total of 32 incidents, which is about a 41.8% decrease compared to the previous quarter. No significant worm outbreak was reported in this quarter. Though we received information on worm outbreaks overseas, we were not affected by them.

MyCERT advises users to always take precautions against worm incidents, even though no worm outbreaks were observed within our constituency. Some of the precautions that users can take are:

a) Email Gateway Filtering
Sites are encouraged to apply filters at email gateways to block any attachments associated with a worm.

b) System/Host
i) Users must make sure that their PCs are installed with anti-virus software and are updated continuously with the latest signature files. Users who do not have an anti-virus installed on their PCs may download an anti-virus from the following site:
http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html

ii) Users need to make sure that their PCs/machines are always updated with the latest service packs and patches as some worms propagate by exploiting unpatched programs present in PCs/machines.

iii) Users are also advised to install personal firewalls, such as Zone Alarm on their PCs/machines.

iv) Organizations are also advised to close unnecessary services and ports except for the HTTP port. If other services/ports need to be utilized, then they should be filtered to allow authorized users only.

c) Safe Email Practices

MyCERT strongly advises users not to open any unknown attachments that they receive via email. They should delete any suspicious emails, or they may forward them to their respective ISPs or CERTs for verification. Users may refer to the following guidelines on safe email practices:

http://www.mycert.org.my/en/resources/email/email_practices/main/detail/512/index.html

Other Activities

Spam incidents still remain on top, with a total of 3623 incidents for this quarter, representing an 8% decrease compared to the previous quarter.

It is almost impossible to completely eradicate spamming activities; however, they can be minimized to a certain extent by following the tips, spam filters for end users and guidelines for reducing the daily annoyance of spam emails that are freely available on the Internet.

We received only 1 report on Denial of Service and no reports on mailbomb or destruction. Denial of service, mailbomb and destruction attacks have become less popular nowadays compared to years ago, which results in fewer incidents in these categories.

MyCERT continues to receive reports on port scanning and related attempts (under the Hack Threat category). Port scanning is a method of reconnaissance that looks for open ports in order to identify vulnerable services, enabling remote exploitation of the vulnerability. Some of the exploits can cause complete machine compromise.

However, for this quarter we observed a significant decrease of about 16% in hack threat incidents compared to the previous quarter. We received a total of 21 reports on port scanning, targeting mainly organizations' systems/networks. Home users' PCs are also becoming a target for port scanning among attackers.

MyCERT's findings show that the top targeted ports for scanning are NetBIOS (Ports 137, 138, 139), HTTP (Port 80) and SSH (Port 22). Port scanning is actively carried out once a new bug or exploit is released to the public. Besides scanning for open ports, scanning is also actively done to detect any machines running vulnerable programs and scripts, such as scanning for the Unicode vulnerability on IIS web servers and scanning for machines running vulnerable PHP scripts.

MyCERT recommends the following preventive measures:

  • Close all unneeded ports and services except the HTTP service; other required ports/services should be filtered and patched accordingly.

  • Ensure all machines/systems are properly patched and upgraded with the latest patches, service packs and upgrades to fix any vulnerability that may be present in the machines/systems.

  • Organizations can install network-based or host-based IDS to alert on scanning and other malicious attempts against their hosts.

  • It is recommended that home users install personal firewalls in order to alert the owner of any unauthorized scanning of their machine, and to block any penetration into their system.
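As an added illustration of the host- or network-based scan alerting recommended above (example code written for this summary, not a MyCERT tool), the following Python script parses constructed firewall log lines and flags a source that touches several distinct host/port pairs within a short time window, reporting which of the quarter's top-scanned ports (NetBIOS 137-139, HTTP 80, SSH 22) it probed. The log layout, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the MyCERT report): one source
# probes NetBIOS, SSH and HTTP across several hosts; one normal web client.
SAMPLE_LOG = """\
2004-11-03 02:14:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=137 proto=udp
2004-11-03 02:14:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=139 proto=tcp
2004-11-03 02:14:02 DROP src=203.0.113.7 dst=192.0.2.11 dport=22 proto=tcp
2004-11-03 02:14:03 DROP src=203.0.113.7 dst=192.0.2.12 dport=80 proto=tcp
2004-11-03 02:20:00 ACCEPT src=198.51.100.4 dst=192.0.2.12 dport=80 proto=tcp
2004-11-03 02:21:00 ACCEPT src=198.51.100.4 dst=192.0.2.12 dport=80 proto=tcp
"""

# Assumed log layout: "<date> <time> <action> src=.. dst=.. dport=.. proto=.."
LINE_RE = re.compile(r"^(\S+ \S+) \w+ src=(\S+) dst=(\S+) dport=(\d+) proto=\w+$")

# Ports the summary names as the most scanned in Q4 2004.
WATCHED_PORTS = {137, 138, 139, 80, 22}


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def find_scanners(log_text, window_seconds=60, min_targets=4):
    """Flag sources hitting >= min_targets distinct (dst, port) pairs inside
    one sliding time window. Returns {src: sorted watched ports it probed}."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        events[src].append((ts, dst, dport))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = sorted({p for _, p in targets} & WATCHED_PORTS)
                break
    return flagged
```

Running `find_scanners(SAMPLE_LOG)` flags 203.0.113.7 with ports [22, 80, 137, 139]; the repeat web client is never reported because it touches a single host/port pair.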

More information on home PC security is available at:
http://www.mycert.org.my/en/resources/home_user/pc_security/main/detail/520/index.html

The complete figures from the monthly Abuse Statistics released by MyCERT are available as follows:

Category            Jan   Feb   Mar   Apr   May   Jun   Jul   Aug   Sep   Oct   Nov   Dec
Mailbomb              0     1     0     1     0     0     0     0     0     0     0     0
Spam                640   784   822  1261  1127  1540  1118  1240  1265  1554  1672  1348
Harassment            2     1     1     2     1     2     2     4     6     9     8     9
Forgery               9    12     1     8     5     3     7     7    13    10    21    10
Hack Threat          15    28    17     9    17    13    14     8     3     2     9    10
Virus                26    23    42    20    26    21    27    14    11    10    10    12
Denial of Service     0     0     1     1     1     0     0     1     0     0     1     0
Destruction           0     0     0     0     0     0     0     0     0     0     0     0
Intrusion           164     8    18    21     9     7     4    55    40    35     3     4
TOTAL               856   857   902  1323  1186  1586  1172  1329  1338  1620  1724  1393