MS-118.102007: MyCERT Quarterly Summary (Q2) 2007
Original Issue Date: 10th July 2007

The MyCERT Quarterly Summary includes brief descriptions and analysis of major incidents observed during the quarter. This report highlights statistics of attacks or incidents reported to MyCERT, as well as other noteworthy incidents and new vulnerability information. MyCERT believes these statistics are only the tip of the iceberg. Internet users are encouraged to report computer security incidents to MyCERT so that we can assist those affected. In addition, this summary also points to resources for dealing with security incidents, including patches, service packs, upgrades and hardening guides.

Recent Activities

In this quarter, a total of 9862 incidents were received, a 7.66% decrease compared to Q1 2007. Spam reports account for about 97.33% of the total incidents reported this quarter. No major outbreak was observed this quarter. Most incident categories increased this quarter: hack threat, harassment, fraud and malicious code. Spam was the only category that decreased. Intrusion and denial of service remained unchanged. The figures for Q1 2007 and Q2 2007 are tabulated below:

| Type | Q1 2007 | Q2 2007 | Change |
| --- | --- | --- | --- |
| Intrusion | 74 | 74 | 0% |
| Denial of Service | 0 | 0 | 0% |
| Malicious Code | 13 | 39 | +200% |
| Hack Threat | 1 | 7 | +600% |
| Fraud | 70 | 121 | +72.86% |
| Harassment | 19 | 22 | +15.79% |
| Spam | 10503 | 9599 | -8.6% |
| TOTAL | 10680 | 9862 | -7.66% |
Tremendous Increase in Fraud Incidents

This quarter saw a tremendous increase of 72.86% in fraud incidents: 121 reports compared to 70 in the previous quarter. About 39.67% of the fraud incidents reported (48 of 121) were phishing incidents impersonating local and foreign financial institutions, with the majority of the phishing sites impersonating foreign banks.

In this quarter, we also received a number of reports on suspicious online investment schemes. This is probably because illegal online investment schemes had been widely covered by the local media, which raised public concern about and awareness of such schemes. About 57 reports regarding online investment schemes were received from the public this quarter, and all were forwarded to the respective Law Enforcement Agencies for further investigation.

As in the previous quarter, besides phishing and online investment schemes, MyCERT continued to receive reports from local users regarding Internet scams, including the Nigerian scam, cheating and illegal online job offer schemes. The scammers' mode of operation is to use spam to lure Internet users to specific websites and eventually request that money be deposited into the fraudsters' accounts.

As a precaution, computer users should be careful about disclosing confidential, personal or financial information online unless they know that the request is legitimate, and users are also advised not to deposit or make payments to an unknown third party's account. Users may refer to the following guide on safeguarding against fraudulent emails and phishing attempts: http://www.mycert.org.my/en/resources/email/email_tips/main/detail/513/index.html

Alarming Increase in Malicious Code Incidents

Malicious code incidents increased alarmingly compared to the previous quarter. A total of 39 incidents were reported compared to 13 in the previous quarter, tripling the number of reports received.
In this quarter, we received many reports from foreign CERTs regarding botnet command and control (C&C) servers running on local machines. Some of these reports contained IPs that had previously been reported to us repeatedly for botnet activity. The administrators of the respective machines were notified and advised to clean up the affected machines. Besides the reports on botnet activity, we also received a report from a foreign CERT of keylogger Trojan activity, classified as BZub by some anti-virus vendors, which had captured username/password information belonging to a customer of a telecommunications company in our constituency. We also received reports from home users regarding PCs infected with malware such as the W32.Brontok mass-mailing worm, Backdoor.Win32.mIRC and a VBS script worm. The complainants were advised on removal procedures accordingly.

We advise users to safeguard their PCs against Trojan, backdoor and worm infections. Users may refer to the guidelines below:

- Ensure computers have anti-virus software installed and are frequently updated with the latest virus signatures. Users without anti-virus on their PCs may download commercial or free anti-virus from the following site: http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html
- Ensure computers are always updated with the latest service packs and patches, as some worms propagate by exploiting unpatched programs on the computer.
- Enable personal/host-based firewalls on PCs.
- Do not view, open or execute any e-mail attachment unless it is expected or its purpose is known to the recipient.
Tremendous Increase in Hack Threat Activities

Incidents involving hack threats increased tremendously this quarter, by 600%: 7 reports of hack attempts were received compared to 1 in the previous quarter. Hack threats mainly targeted organizations' systems and networks and involved network and host scanning activities. Besides organizations' systems and networks, home PCs are also becoming popular targets of hack threat activity. MyCERT's findings for this quarter showed that the top ports targeted were SSH (TCP/22), FTP (TCP/21) and HTTP (TCP/80). Port scanning is actively carried out as soon as a new bug or exploit is released publicly, using either automated or manual tools. Port scans are also carried out to look for machines running vulnerable programs or scripts, such as the IIS Unicode vulnerability or vulnerable PHP scripts.

Increase in Harassment Incidents

The number of harassment incidents received increased by 15.79%, to 22 compared to 19 in the previous quarter. The majority of incidents involved harassment via emails and web forums, in which false or misleading information was circulated by email with malicious intent against the victim. Defamatory pictures and messages were also posted on web forums against victims with malicious purpose. The false or misleading information was removed within 1 to 3 days after MyCERT notified the respective ISPs hosting the forums; harassment via email was referred to the Law Enforcement Agency for further investigation.

Other Activities

Spam

Spam incidents decreased slightly, by 8.6%, compared to the previous quarter. A total of 9599 reports were received compared to 10503 in the previous quarter. Though spam incidents dropped slightly this quarter, spam remains the incident type with the highest number of reports received.
Spam has developed from a mere nuisance into an epidemic that threatens end users and organizations. There are no perfect techniques or tools to completely eradicate spam, but there are techniques that end users and organizations can implement to minimize it, such as installing anti-spam filters at email gateways and applying appropriate email filters in end users' email clients. Users are also advised not to respond to spam nor purchase products promoted through it.

Denial of Service

During this quarter, no reports of denial of service were received, as in the previous quarter.

Intrusion

The number of intrusion reports remained the same as in the previous quarter, with a total of 74 reports. The majority of the intrusions were web defacements of .my websites across various sectors. Though the number of intrusion reports this quarter remained the same as in the previous quarter, MyCERT urges all system administrators and virtual host administrators to upgrade and patch the systems, services and applications they use as soon as new security patches or upgrades are made available. It is also recommended to disable unnecessary or unneeded default services on the systems. More detailed steps on securing UNIX and Windows servers are available at http://www.mycert.org.my/en/resources/links/main/main/detail/554/index.html

Conclusion

Overall, the number of incidents reported to us decreased by 7.66% compared to the previous quarter, with incidents mainly contributed by spam. Fraud also contributed highly to the number of incidents received, mainly through phishing and online investment schemes. In this quarter we also received an alarming number of reports of botnet activity hosted on local machines; we advise system administrators to take precautions against botnet activity and prevent their machines from being used for it. Neither crisis nor outbreak was observed this quarter.
Nevertheless, users and organizations are advised to always take measures to protect their systems and networks from threats. We strongly advise users and organizations to report and seek assistance from MyCERT in the event of any security incident. MyCERT can be reached at:

E-mail :
Phone : +603 89926969 (monitored during business hours)
Fax : +603 89453442 (monitored during business hours)
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my
Postal : Malaysian Computer Emergency Response Team (MyCERT)
CyberSecurity Malaysia
Level 7, SAPURA@MINES
7, Jalan Tasik, The Mines Resort City
43300 Seri Kembangan
Selangor Darul Ehsan
MALAYSIA
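The Hack Threat section above reports the top targeted ports (SSH TCP/22, FTP TCP/21, HTTP TCP/80) and notes that scanning picks up whenever a new exploit is published. As an added worked example that is not part of the original MyCERT report, the Python below produces the same two views from iptables-style firewall log lines: which sources are scanning (many ports probed on one host, or one port swept across many hosts) and which destination ports are most targeted. The log lines, IP addresses and detection thresholds are constructed for illustration and are not data from the report.

```python
"""Tally port-scan activity and most-targeted ports from firewall log lines.

Added example, not part of the MyCERT report. The log format is iptables-style
kernel logging; the addresses, timestamps and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one vertical scan (203.0.113.7 probes six ports on one
# host), one horizontal SSH sweep (198.51.100.77 hits TCP/22 on three hosts),
# one ordinary web client (198.51.100.23), one DNS query, plus an unrelated line.
SAMPLE_LOG = """\
Jun 12 03:00:00 gw sshd[1234]: Accepted publickey for ops from 192.0.2.200 port 50022
Jun 12 03:14:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4111 DPT=22 SYN
Jun 12 03:14:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4112 DPT=21 SYN
Jun 12 03:14:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4113 DPT=80 SYN
Jun 12 03:14:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4114 DPT=443 SYN
Jun 12 03:14:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4115 DPT=3306 SYN
Jun 12 03:14:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4116 DPT=8080 SYN
Jun 12 03:20:15 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 SYN
Jun 12 03:20:16 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=80 SYN
Jun 12 03:25:40 gw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.11 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 12 03:25:41 gw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.12 PROTO=TCP SPT=40002 DPT=22 SYN
Jun 12 03:25:41 gw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.13 PROTO=TCP SPT=40003 DPT=22 SYN
Jun 12 03:30:00 gw kernel: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53
"""

# Fields needed from an iptables log line; lines without them are ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Return one record per firewall line: src, dst, proto and destination port."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            records.append(rec)
    return records


def detect_scanners(records, port_threshold=5, host_threshold=3):
    """Flag sources that probe many ports on one host (vertical scan) or one
    port across many hosts (horizontal sweep). Thresholds are illustrative."""
    ports_per_host = defaultdict(set)   # (src, dst) -> {dpt, ...}
    hosts_per_port = defaultdict(set)   # (src, proto, dpt) -> {dst, ...}
    for r in records:
        ports_per_host[(r["src"], r["dst"])].add(r["dpt"])
        hosts_per_port[(r["src"], r["proto"], r["dpt"])].add(r["dst"])

    findings = {}
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            findings[src] = f"vertical scan: {len(ports)} ports on {dst}"
    for (src, proto, dpt), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.setdefault(src, f"horizontal sweep: {proto}/{dpt} across {len(hosts)} hosts")
    return findings


def top_ports(records, n=3):
    """Most-targeted destination ports, counted by connection attempt."""
    return Counter(f'{r["proto"]}/{r["dpt"]}' for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, why in detect_scanners(recs).items():
        print(f"{src}: {why}")
    print("top ports:", top_ports(recs))
```

Counting by attempt, as above, lets a single noisy source dominate the top-ports view; counting distinct sources per port (how many independent parties are probing a service) is often the more useful figure when deciding which services to prioritise for patching, and the thresholds should be tuned to the size of the monitored network.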