MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2007

MS-113.012007: MyCERT Quarterly Summary (Q4) 2006

Original Issue Date: 17th Jan 2007

The MyCERT Quarterly Summary includes some brief descriptions and analysis of major incidents observed during that quarter. This report highlights statistics of attacks or incidents reported to MyCERT, as well as other noteworthy incidents and new vulnerability information. MyCERT believes these statistics are only the tip of the iceberg. Internet users are encouraged to report computer security incidents to MyCERT in order to enable us to assist those affected.

In addition, this summary also directs to resources in dealing with problems related to security incidents, including patches, service packs, upgrades and hardenings.

Recent Activities

In this quarter, a total of 11008 incidents were received, a 96.96% increase compared to Q3. About 95% of these were spam reports. No major outbreak was observed this quarter, although most incident categories increased. The most notable change was a tremendous increase in intrusion incidents, mainly mass web defacements on virtual hosts running the Cpanel application. Spam, harassment and denial of service incidents also increased, while malicious code, hack threat and fraud incidents decreased.

Category            Q3 2006   Q4 2006   Change
Intrusion                99       424   +328.29%
Denial of Service         2         4   +100%
Malicious Code           13        11   -15.38%
Hack Threat              20        14   -30%
Fraud                    86        58   -32.55%
Harassment               13        25   +92.31%
Spam                   5356     10472   +95.52%
TOTAL                  5589     11008   +96.96%

Mass Defacements of Websites Hosted on Virtual Hosting Server

As in the previous quarter, the fourth quarter of 2006 saw an increased number of mass defacements of websites hosted on virtual hosting servers. In one case this quarter, a single compromised host resulted in about 203 websites being defaced. Overall, intrusion incidents rose to 424 compared to 99 in the previous quarter, more than four times the previous figure. The intrusions reported mainly involved web defacements of various domains belonging to our constituency and mass defacements of websites hosted on virtual hosting servers running the Cpanel application. Most of these hosts are located at data centres operated by Internet service providers.

With this tremendous increase in intrusions, MyCERT urges all system administrators and virtual host administrators to upgrade and patch the systems, services and applications they run as and when new security updates are made available. On a shared host, one compromise exposes every site it serves, as the 203 defacements from a single host above show. It is also recommended to disable unnecessary or unneeded default services on the systems. More detailed steps for securing UNIX and Windows servers are available at http://www.mycert.org.my/en/resources/links/main/main/detail/554/index.html

Increase in Harassment Incidents

The number of harassment incidents received increased to 25 from 13, a rise of 92.31%. The majority of incidents involved email harassment from disgruntled employees or former employees expressing their dissatisfaction towards their employer. Most of the harassment cases were referred to the law enforcement agencies.

Other harassment cases involved the sending of constant threatening or defamatory emails to victims with malicious intent.

Slight Decrease in Malicious Code Incidents

Malicious code incidents decreased slightly compared to the previous quarter: 11 incidents were reported compared to 13, a 15.38% decrease. In this quarter we received two separate reports from foreign organizations concerning the keylogger Trojans Goldun and Haxdoor. These Trojans capture details from end users' computers and send them to a remote server controlled by the attacker.

The Haxdoor Trojan captures keystrokes from infected machines, including usernames and passwords, and sends them to the remote attacker's server.

The Goldun Trojan specifically steals usernames, passwords and bank details from infected computers and sends the information to a remote malicious server.

Based on the reports received, more than 50 sets of online account credentials (usernames and passwords) belonging to local customers were captured by these Trojans.

We advise users to safeguard their PCs against Trojan, backdoor and worm infections. Users may refer to the guidelines below:

  1. Ensure computers are installed with anti-virus software and are frequently updated with the latest virus signatures. Users without anti-virus installed on their PCs may download an anti-virus from the following site:

    http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html

  2. Ensure computers are always updated with the latest service packs and patches, as some worms propagate by exploiting unpatched programs present in computers.

  3. Enable personal/host-based firewalls on PCs.

Slight Decrease in Fraud Incidents

This quarter saw a drop of 32.55% in fraud incidents, with 58 reports compared to 86 in the previous quarter. About 25.71% of the fraud incidents reported were phishing incidents impersonating local financial institutions.

The respective ISPs, data centres and organizations were alerted to remove the phishing websites, investigate the affected machines and rectify them accordingly. In some cases these hosts had been infected with bots and required a thorough clean-up, since removing the phishing page alone leaves the attacker's foothold in place.

As in the previous quarter, MyCERT continues to receive reports from local users regarding Internet scams, including the Nigerian scam, cheating and get-rich-quick scams. The scams typically use spam to lure Internet users to specific websites and eventually request the deposit of a certain amount of money into the fraudsters' accounts. Users are advised not to deposit or make payments into unknown third parties' accounts.

Users may refer to the following guide on safeguarding against fraudulent emails and phishing attempts:

http://www.mycert.org.my/en/resources/email/email_tips/main/detail/513/index.html

Other Activities

Spam

Spam incidents nearly doubled to a total of 10472 in this quarter compared to 5356 in the previous quarter. Spam has developed from a mere nuisance into an epidemic that threatens end users and organizations. There is no perfect technique or tool to eradicate spam completely, but there are measures end users and organizations can take to minimize it, such as installing anti-spam filters at email gateways and applying appropriate filters in end users' email clients. Users are also advised not to respond to spam or purchase products promoted through it.

Denial of Service

During this quarter, four reports were received involving denial of service incidents compared to two in the previous quarter. The reports involved mail bombs and the inaccessibility of certain sites due to traffic congestion; the main cause of the surge in traffic was identified as unstable systems.

Hack Threat

Hack threat incidents decreased by about 30% in this quarter: 14 reports were received compared to 20 in the previous quarter. The threats involved unauthorized scanning of networks and systems.

MyCERT's findings for this quarter showed that the ports most commonly targeted were SSH (TCP/22), FTP (TCP/21), HTTP (TCP/80) and MS SQL (TCP/1433). Port scanning, using both automated and manual tools, intensifies as soon as a new bug or exploit is released publicly, so a burst of scans against a service is often the first sign that an exploit for it is in circulation. Residual worm traffic from infected hosts is still prevalent on the network.
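The following is an added example for this section, not MyCERT's own tooling: a small Python script that parses firewall log lines and flags sources probing the four ports listed above, distinguishing a horizontal sweep (one port across many hosts) from a vertical probe (many ports on one host), and tallying hits per service the way a "top ports" figure is produced. The log lines are constructed for the demo in the SRC=/DST=/PROTO=/DPT= format written by the iptables LOG target; the five-minute window and the thresholds of four hosts or three ports are assumptions to tune for your own network.

```python
"""Flag sources scanning the services MyCERT lists as most targeted.

Added example, not MyCERT's code. The log lines below are constructed
for the demo in the format written by the iptables LOG target.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The four services MyCERT observed as most commonly probed in Q4 2006.
WATCHED_PORTS = {22: "SSH", 21: "FTP", 80: "HTTP", 1433: "MS SQL"}

# Constructed sample data (documentation address ranges, not real traffic):
#   203.0.113.5  sweeps SSH across five hosts in a few seconds -> horizontal scan
#   198.51.100.7 probes four services on one host in a second  -> vertical scan
#   192.0.2.50   fetches a web page twice, 15 minutes apart     -> benign
SAMPLE_LOG = """\
Dec  3 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Dec  3 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=40002 DPT=22 SYN
Dec  3 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP SPT=40003 DPT=22 SYN
Dec  3 10:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP SPT=40004 DPT=22 SYN
Dec  3 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.14 PROTO=TCP SPT=40005 DPT=22 SYN
Dec  3 10:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=21 SYN
Dec  3 10:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Dec  3 10:02:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80 SYN
Dec  3 10:02:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=1433 SYN
Dec  3 10:30:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=80 SYN
Dec  3 10:45:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=80 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2006):
    """Return (timestamp, src, dst, dport) for every TCP line that parses.

    Syslog timestamps carry no year, so the caller supplies one. Lines in
    another format or for other protocols are skipped, not guessed at.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("proto") != "TCP":
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events


def port_hit_counts(events):
    """Count probes per watched service: the figure behind a 'top ports' list."""
    counts = Counter()
    for _, _, _, dpt in events:
        if dpt in WATCHED_PORTS:
            counts[WATCHED_PORTS[dpt]] += 1
    return counts


def detect_scans(events, window=timedelta(minutes=5), min_hosts=4, min_ports=3):
    """Return sorted (src, kind, target, count) alerts.

    horizontal: one source hits the same watched port on >= min_hosts hosts
                inside `window`; vertical: one source hits >= min_ports
                watched ports on one host inside `window`. A sliding window
                runs over each source's events and only the largest count per
                (src, kind, target) is kept, so one sweep yields one alert.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev[3] in WATCHED_PORTS:
            by_src[ev[1]].append(ev)

    best = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological, so the window below can stop early
        for i, (t0, _, _, _) in enumerate(evs):
            hosts_per_port = defaultdict(set)
            ports_per_host = defaultdict(set)
            for ts, _, dst, dpt in evs[i:]:
                if ts - t0 > window:
                    break
                hosts_per_port[dpt].add(dst)
                ports_per_host[dst].add(dpt)
            for dpt, hosts in hosts_per_port.items():
                if len(hosts) >= min_hosts:
                    key = (src, "horizontal", f"TCP/{dpt}")
                    best[key] = max(best.get(key, 0), len(hosts))
            for dst, ports in ports_per_host.items():
                if len(ports) >= min_ports:
                    key = (src, "vertical", dst)
                    best[key] = max(best.get(key, 0), len(ports))
    return sorted((src, kind, target, n) for (src, kind, target), n in best.items())


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("probes per service:", dict(port_hit_counts(evs)))
    for src, kind, target, n in detect_scans(evs):
        unit = "hosts" if kind == "horizontal" else "ports"
        print(f"{src}: {kind} scan, {target}, {n} {unit}")
```

The benign source in the sample (two HTTP requests 15 minutes apart) produces no alert because the window is five minutes, which is the kind of check worth keeping when the thresholds are lowered after a new exploit is published; dropping the window entirely would turn every busy legitimate client into a "scanner".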