Original Issue Date: 10th October 2007 The MyCERT Quarterly Summary includes brief descriptions and analysis of the major incidents observed during the quarter. This report highlights statistics of attacks and incidents reported to MyCERT, as well as other noteworthy incidents and new vulnerability information. MyCERT believes these statistics are only the tip of the iceberg. Internet users are encouraged to report computer security incidents to MyCERT so that we can assist those affected.
In addition, this summary points to resources for dealing with security incidents, including patches, service packs, upgrades and hardening techniques.
Recent Activities
In this quarter, a total of 9486 incidents were received, a 3.81% decrease compared to Q2 2007. About 95.92% of the incidents reported this quarter were spam reports. No major outbreak was observed this quarter. Most incident categories increased this quarter, namely intrusion, denial of service, malicious code and hack threat. The categories that decreased were spam, fraud and harassment.
Attached is the table of figures:

| Incident          | Q2 2007 | Q3 2007 | Change   |
| Intrusion         |      74 |     216 | +191.90% |
| Denial of Service |       0 |       7 | NIL      |
| Malicious Code    |      39 |      58 | +48.72%  |
| Hack Threat       |       7 |      12 | +71.43%  |
| Fraud             |     121 |      79 | -34.71%  |
| Harassment        |      22 |      15 | -31.82%  |
| Spam              |    9599 |    9099 | -5.21%   |
| TOTAL             |    9862 |    9486 | -3.81%   |

Table of figures for Q2 2007 and Q3 2007

Graph on Harassment, Fraud, Hack Threat, Malicious Code, Denial of Service, Intrusion for Q2 and Q3
Dramatic Increase in Intrusion Incidents
This quarter saw a tremendous increase of 191.90% in intrusion incidents, comprising 216 reports compared to 74 reports in the previous quarter. The majority of the intrusions reported to us were web defacements of various domains in our constituency. The defacements generally resulted from vulnerabilities in web-based applications that allow remote code execution, local or remote file inclusion and SQL injection.
Mass defacements were typical on virtual hosting services, where attackers were able to exploit vulnerable user management tools such as cPanel, or host misconfigurations. Most of the intrusions took place at co-location facilities of our local ISPs.
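Two of the web-application flaw classes named above, local file inclusion and SQL injection, are shown below in a vulnerable form beside a hardened one. This is an added illustration, not MyCERT code and not taken from any defaced site; the templates directory layout, the users table and the credentials in it are constructed for the example, and the secret file stands in for whatever sits one directory above the web root on a real host.

```python
"""Local file inclusion and SQL injection: vulnerable code beside a fix.
Added example for illustration only; all paths and data are constructed."""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# ---- Local file inclusion ------------------------------------------------
# Assumed pattern: a site renders a page fragment chosen by a URL parameter
# such as ?page=about.html from a templates directory.

def include_vulnerable(template_dir, page):
    """Concatenates the parameter into the path. "../secret.txt" escapes the
    directory, and an absolute path makes os.path.join drop template_dir."""
    with open(os.path.join(template_dir, page), encoding="utf-8") as fh:
        return fh.read()

# Only plain page names are acceptable; no slashes, dots or NUL bytes.
PAGE_NAME = re.compile(r"[a-z0-9_-]+\.html")

def include_hardened(template_dir, page):
    """Accepts only plain page names, then confirms the resolved path is still
    directly inside the templates directory (defence in depth against symlinks)."""
    if not PAGE_NAME.fullmatch(page):
        raise PermissionError(f"refused page name {page!r}")
    base = Path(template_dir).resolve()
    target = (base / page).resolve()
    if target.parent != base:
        raise PermissionError(f"{page!r} resolves outside {base}")
    return target.read_text(encoding="utf-8")

def build_demo_site():
    """Constructed layout: templates/about.html inside the web root,
    secret.txt one level above it. Returns the templates directory."""
    root = Path(tempfile.mkdtemp())
    (root / "templates").mkdir()
    (root / "templates" / "about.html").write_text("<h1>About us</h1>", encoding="utf-8")
    (root / "secret.txt").write_text("db_password=changeme", encoding="utf-8")
    return str(root / "templates")

# ---- SQL injection -------------------------------------------------------

def setup_db():
    """In-memory database with constructed users. Plaintext passwords are used
    only to keep the demo short; real systems store salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so a quote in either field changes
    the SQL. The payload "' OR 1=1 --" comments out the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn, username, password):
    """Bound parameters: the driver passes the values separately from the
    statement text, so they are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    tdir = build_demo_site()
    print(include_vulnerable(tdir, "../secret.txt"))   # leaks the secret file
    try:
        include_hardened(tdir, "../secret.txt")
    except PermissionError as exc:
        print("hardened include:", exc)
    conn = setup_db()
    print(login_vulnerable(conn, "' OR 1=1 --", "x"))  # True: login bypassed
    print(login_hardened(conn, "' OR 1=1 --", "x"))    # False: payload is just a string
```

The same two fixes, an allowlist on the untrusted value and a query API that keeps data out of the statement, remove the entry points behind most of the defacements described above; patching the hosting software closes the rest.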
With the increase in intrusions, MyCERT urges all system and web administrators to be vigilant in monitoring security alerts and proactive in applying application and system level patches. In addition, administrators should verify that only required services are running and that hardening steps have been completed before placing servers on a production network. Resources on securing UNIX and Windows servers are available at
http://www.mycert.org.my/en/resources/links/main/main/detail/554/index.html.
Increase in Malicious Code Incidents
Malicious code incidents continued to increase this quarter compared to the previous quarter. A total of 58 incidents were reported compared to 39 in the previous quarter. In this quarter we received many reports from foreign CERTs regarding drones/bots, botnet command and control (C&C) servers and malicious files hosted on machines in Malaysia. Some of these reports contained IPs that had been repeatedly reported to us previously. In all of these instances, MyCERT notified the respective machines' administrators.
As for botnet activity, there were only a handful of cases involving botnet C&C servers hosted in Malaysia. The majority of the reports involved bot-infected computers, most of which were home user machines. These bots are normally used to carry out malicious activities such as spamming, DDoS attacks, phishing and spreading malware, so infected machines that go unreported continue to harm other users.
We also received several reports of spyware causing pop-up windows to appear on affected PCs. We provided the appropriate steps to users and the affected machines were rectified. Lastly, there were reports related to the 'Skype' worm that started spreading in early September. Based on our observation, however, there was neither serious nor widespread infection in our constituency.
Besides the above reports, we also received reports from home users whose PCs were infected with mass-mailing worms, namely the W32.Brontok worm, Backdoor.Win32.mIRC and a VBS script worm. The complainants were advised on removal procedures accordingly.
We advise users to safeguard their PCs against Trojan, backdoor and worm infections. Users may refer to the following guidelines:
Ensure computers have anti-virus software installed and are frequently updated with the latest virus signatures. Users without anti-virus installed on their PCs may download commercial or free anti-virus software from the following site:
http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html
Ensure computers are always updated with the latest service packs and patches, as some worms propagate by exploiting unpatched programs present in computers.
Enable personal/host-based firewalls on PCs.
PC users are also advised not to view, open or execute any e-mail attachment unless it is expected or its purpose known to the recipient.
In this quarter we also released an advisory and an alert related to malware activities. The advisory concerns MS32DLL.dll.vbs, which displays "Hacked by Pokemon", "Hacked by Godzilla" or "Hacked by Zodgilla" in the IE/Firefox title bar once an infected PC is switched on. The advisory is available at:
MS32DLL.dll.vbs Malicious Code
http://www.mycert.org.my/en/services/advisories/mycert/2007/main/detail/431/index.html
The alert concerns the malicious E-card Trojan, malware that spreads via email. The alert is available at:
Malicious E-card Trojan
http://www.mycert.org.my/en/services/advisories/mycert/2007/main/detail/469/index.html
Increase in Hack Threat Activities
Incidents involving hack threats increased by 71.43% this quarter. A total of 12 reports of hack attempts were received this quarter compared to 7 in the previous quarter. The majority of hack threat reports were received from foreign organizations, with the hack threats originating from IPs belonging to our constituency. Hack threats mainly targeted organizations' systems and networks and involved network and host scanning activities. Besides organizations' systems and networks, home PCs are also becoming popular targets of hack threat activities.
MyCERT's findings for this quarter, as in the previous quarter, showed that the top ports commonly targeted were SSH (TCP/22), FTP (TCP/21) and HTTP (TCP/80). Port scans are actively carried out as soon as a new bug or exploit is released publicly, using either automated or manual tools. Attackers also scan for programs and applications that are vulnerable or exploitable.
Increase in Denial of Service Incidents
In this quarter, MyCERT received several reports of denial of service (DoS) and distributed denial of service (DDoS) attacks. The number increased from zero incidents in the previous quarter to 7 incidents this quarter. The majority of the DoS and DDoS attacks consisted of sending a huge volume of traffic continuously to a system, causing the system to slow down or become unresponsive. In the DDoS attacks the traffic came from many different IPs, while the majority of the DoS attacks originated from a single IP address.
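The two activity patterns described in the hack threat and denial of service sections above, port scanning against the commonly targeted services and floods from one or many sources, can both be picked out of firewall logs with simple counting. The following is an added example, not MyCERT tooling: it assumes an iptables-style key=value log format, and the log lines it analyses are constructed (TEST-NET addresses, private targets) rather than real traffic. The thresholds (5 distinct ports for a scan, 50 connection attempts per minute for a flood, 3 or more sources to call a flood distributed) are illustrative and would be tuned per site.

```python
"""Port scan and DoS/DDoS detection over constructed firewall log lines.
Added example, not MyCERT code; log format and thresholds are assumptions."""
import re
from collections import Counter, defaultdict

# Assumed iptables-like line, e.g.
# 2007-09-12T10:00:00 kernel: IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=21 SYN
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse(lines):
    """Returns (minute, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((m["ts"], m["src"], m["dst"], int(m["dpt"])))
    return events

def top_ports(events, n=3):
    """Most frequently targeted destination ports, as (port, count) pairs."""
    return Counter(e[3] for e in events).most_common(n)

def detect_port_scans(events, min_ports=5):
    """A source that touches at least min_ports distinct ports on one host."""
    ports = defaultdict(set)
    for _, src, dst, dpt in events:
        ports[(src, dst)].add(dpt)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}

def detect_floods(events, threshold=50, distributed_from=3):
    """Per (destination, minute): flag buckets with >= threshold attempts and
    label them 'ddos' when the sources are spread out, else 'dos'."""
    hits, sources = Counter(), defaultdict(set)
    for minute, src, dst, _ in events:
        hits[(dst, minute)] += 1
        sources[(dst, minute)].add(src)
    flagged = {}
    for key, n in hits.items():
        if n >= threshold:
            kind = "ddos" if len(sources[key]) >= distributed_from else "dos"
            flagged[key] = (kind, n, len(sources[key]))
    return flagged

def constructed_log():
    """Constructed sample, not real traffic."""
    fmt = "{ts} kernel: IN=eth0 SRC={src} DST={dst} PROTO=TCP DPT={dpt} SYN"
    lines = []
    # 1. One host probing seven ports on a single target: a port scan.
    for i, dpt in enumerate([21, 22, 23, 25, 80, 443, 3389]):
        lines.append(fmt.format(ts=f"2007-09-12T10:00:{i:02d}", src="203.0.113.7",
                                dst="10.0.0.5", dpt=dpt))
    # 2. Background: scattered single probes to SSH and FTP from unrelated hosts.
    for i in range(4):
        lines.append(fmt.format(ts=f"2007-09-12T10:01:{i:02d}", src=f"192.0.2.{i + 1}",
                                dst="10.0.0.5", dpt=22))
    for i in range(3):
        lines.append(fmt.format(ts=f"2007-09-12T10:02:{i:02d}", src=f"192.0.2.{i + 10}",
                                dst="10.0.0.6", dpt=21))
    # 3. Sixty SYNs in one minute from a single source: DoS.
    for i in range(60):
        lines.append(fmt.format(ts=f"2007-09-12T10:05:{i:02d}", src="198.51.100.9",
                                dst="10.0.0.8", dpt=80))
    # 4. Sixty SYNs in one minute spread over five sources: DDoS.
    for i in range(60):
        lines.append(fmt.format(ts=f"2007-09-12T10:07:{i:02d}", src=f"203.0.113.{11 + i % 5}",
                                dst="10.0.0.9", dpt=80))
    return lines

if __name__ == "__main__":
    ev = parse(constructed_log())
    print("top ports:", top_ports(ev))
    print("scans:", detect_port_scans(ev))
    print("floods:", detect_floods(ev))
```

On the constructed log the scan detector isolates the single source that walked seven ports on one host, the flood detector labels the single-source minute as DoS and the five-source minute as DDoS, and the port ranking comes out as HTTP, SSH and FTP, the same services named above. Real logs need the counts kept over a sliding window rather than a whole file, and the SYN-only filter shown in the sample lines matters: counting established connections from a busy legitimate client would otherwise look like a flood.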
Decrease in Harassment Incidents
The number of harassment incidents received decreased to 15 from 22 in the previous quarter, a 31.82% decrease. Harassment incidents reported to us this quarter involved harassment via email and web forums: the sending of constant threatening or defamatory emails to victims, and the posting of defamatory pictures and messages about victims on web forums with malicious intent. In most incidents the defamatory pictures and messages were removed after MyCERT notified the respective ISPs, and the source of most harassing emails was traced by the ISP. The majority of harassment incidents were also referred to the Law Enforcement Agencies for further investigation.
Other Activities
Spam
Spam incidents decreased slightly, by 5.21%, this quarter compared to the previous quarter. A total of 9099 reports were received compared to 9599 reports in the previous quarter. Although spam incidents dropped slightly, spam remains the incident category with the highest number of reports received. Spam has developed from a mere nuisance into an epidemic that threatens end users and organizations, and spam techniques and tools are becoming more sophisticated. There are no perfect techniques or tools to completely eradicate spam, but there are measures that end users and organizations can implement to minimize it, such as installing anti-spam filters at email gateways and applying appropriate filters in end users' email clients. Users are also advised not to respond to spam nor purchase products promoted through it.

Graph on Spam
Conclusion
Overall, the number of incidents reported to us decreased by 3.81% compared to the previous quarter, with spam contributing the majority of incidents. The other category contributing heavily to the number of reports was intrusion, the majority of which were web defacements. In this quarter we also received an alarming number of reports of botnet command and control servers and drone activity hosted on local machines. We advise system administrators to watch for these activities and to prevent their machines from being used for them. Neither a crisis nor an outbreak was observed this quarter. Nevertheless, users and organizations are advised to always take measures to protect their systems and networks from threats. We strongly advise users and organizations to report any security incident to MyCERT and to seek our assistance.
MyCERT can be reached at:
E-mail : mycert@mycert.org.my
Phone : +603 89926969 (monitored during business hours)
Fax : +603 89453442 (monitored during business hours)
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my
Postal : Malaysian Computer Emergency Response Team (MyCERT)
CyberSecurity Malaysia
Level 7, SAPURA@MINES
7, Jalan Tasik, The Mines Resort City
43300 Seri Kembangan
Selangor Darul Ehsan
MALAYSIA