CERT-In Monthly Security Bulletin June 2007
Cyber Intrusion Trends
During this month 25 security incidents were reported to CERT-In by various national and international agencies. As shown in the figure, 60% of these were phishing incidents and 40% were unauthorized scanning incidents. Compared to the previous month, the number of both phishing and scanning incidents has increased. CERT-In also tracked 4 C&C (Command & Control) servers and 760 bot-infected computers located in India. The concerned ISPs were notified to disinfect the bot-infected systems and take down the C&C servers in order to mitigate the botnets.

Cyber Intrusion during June 2007

Indian Websites Defacement

In total 33 Indian websites were defaced during June 2007. A chart depicting Country Code Top Level Domain (ccTLD) wise defacements is shown in the figure.

The vulnerabilities which might have been exploited for the defacements are:

1. Microsoft Internet Information Server (IIS) Hit Highlighting Authentication Bypass Vulnerability CIVN-2007-68

2. PHP "php_chunk_split()" Long Arguments Processing Integer Overflow Vulnerability CVE-2007-2872


Statistics of Defaced Indian Websites in June 2007

Open proxy servers

Any proxy server that does not restrict its client base to its own set of clients, but allows any other client to connect to it, is known as an open proxy server. An open proxy server accepts client connections from any IP address and makes connections to any Internet resource on the client's behalf, so anyone on the Internet can use it to relay traffic (including attacks and spam) while hiding its true source.
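The definition above names two properties, accepting any client and reaching any resource, and those are exactly what a practitioner tests for from the outside and what the ISP has to close on the proxy itself. The Python below is an added example written for this bulletin, not CERT-In code: it builds the absolute-URI request that only a forward proxy honours, classifies the answer using a marker string that the tester has placed on a web page under their own control, and shows the proxy-side fix, an allowlist of client networks. The host names, marker and sample responses are constructed for illustration.

```python
"""Open-proxy probe and the proxy-side access check.

Added example for this bulletin (not CERT-In code). The definition above
gives two properties: the proxy accepts connections from any client, and it
relays to any Internet resource. This script tests both from the outside and
shows the configuration-side fix. All host names, the marker string and the
sample responses are constructed for illustration.
"""
import ipaddress
import socket
from typing import Iterable


def build_probe_request(target_url: str) -> bytes:
    """Build the absolute-URI request form that only a forward proxy honours.

    An origin server expects 'GET /path HTTP/1.1'. A forward proxy expects the
    full URL in the request line plus a Host header; a host that returns the
    target's content for this request is relaying on our behalf.
    """
    host = target_url.split("/", 3)[2]          # scheme://host/... -> host
    return (
        f"GET {target_url} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify_response(raw: bytes, marker: bytes) -> str:
    """Classify the answer to the probe.

    The tester points the probe at a page under their own control whose body
    contains `marker`, so a 2xx carrying the marker proves that the proxy
    fetched the remote resource and relayed it back.

      'open'        2xx and the marker is present in the body
      'restricted'  403 or 407: a proxy is listening but refuses this client
      'not-a-proxy' anything else, including a 2xx without the marker (an
                    origin server answering its own page to an absolute URI)
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return "not-a-proxy"                     # not an HTTP status line
    try:
        code = int(parts[1])
    except ValueError:
        return "not-a-proxy"
    if code in (403, 407):
        return "restricted"
    if 200 <= code < 300 and marker in body:
        return "open"
    return "not-a-proxy"


def probe_proxy(host: str, port: int, target_url: str, marker: bytes,
                timeout: float = 5.0) -> str:
    """Send the probe from *this* machine to host:port and classify the reply.

    Run it from an address the proxy should not trust (outside the operator's
    own networks). Needs network access, so it is not exercised offline.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe_request(target_url))
        chunks, total = [], 0
        while total < 65536:                     # cap what we read back
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return classify_response(b"".join(chunks), marker)


def client_allowed(client_ip: str, allowed_nets: Iterable[str]) -> bool:
    """Proxy-side fix: accept only clients from the operator's own networks.

    This is the check an open proxy is missing; the allowlist is an assumed
    configuration value, not something from the bulletin.
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_nets)


# Constructed sample replies to the probe (no real hosts involved).
SAMPLE_OPEN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><title>marker-page</title></html>")
SAMPLE_RESTRICTED = b"HTTP/1.1 403 Forbidden\r\n\r\nAccess denied"
SAMPLE_ORIGIN = b"HTTP/1.1 200 OK\r\n\r\n<html>intranet front page</html>"
SAMPLE_GARBAGE = b"SSH-2.0-OpenSSH\r\n"

if __name__ == "__main__":
    for name, reply in [("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED),
                        ("origin", SAMPLE_ORIGIN), ("garbage", SAMPLE_GARBAGE)]:
        print(f"{name:10s} -> {classify_response(reply, b'marker-page')}")
    print("10.1.2.3 allowed:", client_allowed("10.1.2.3", ["10.0.0.0/8"]))
    print("203.0.113.9 allowed:", client_allowed("203.0.113.9", ["10.0.0.0/8"]))
```

A result of "open" from a host outside the operator's networks means anyone on the Internet can relay through that server; "restricted" means a proxy exists but the access control is doing its job. The allowlist check is the configuration change an ISP asks the operator to make: tie the accepted client addresses to the operator's own ranges rather than to 0.0.0.0/0.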

CERT-In tracked 82 open proxy servers functioning in India during June 2007. All the concerned ISPs were alerted immediately to shut down the open proxy servers. A bar chart of open proxy servers tracked during this year is shown in the figure.

Statistics of Open Proxy Servers tracked during Jan - Jun 2007

Security Alerts

The critical and medium vulnerabilities in various operating systems, application software and network devices discovered during June 2007, their countermeasures, and the widespread malicious code (viruses, worms and Trojans) seen during the month are given below:

High Vulnerabilities

Microsoft
Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Microsoft Internet Information Server (IIS) | Microsoft Internet Information Server (IIS) Hit Highlighting Authentication Bypass Vulnerability | June 05, 2007 | CIVN-2007-68
Microsoft Visio | Microsoft Visio Version Number Memory Corruption and Document Packaging Vulnerabilities | June 13, 2007 | CIVN-2007-70
Microsoft Windows | Microsoft Windows Schannel Security Package Vulnerability | June 13, 2007 | CIVN-2007-71
Microsoft Windows | Windows Vista Permissive User Information Store ACLs Information Disclosure Vulnerability | June 13, 2007 | CIVN-2007-72
Microsoft Outlook and Windows Mail | Multiple Vulnerabilities in Microsoft Outlook and Windows Mail | June 13, 2007 | CIVN-2007-74
Microsoft Windows | Microsoft Win32 API Parameter Validation Remote Code Execution Vulnerability | June 13, 2007 | CIVN-2007-75
Microsoft | Multiple Vulnerabilities in various components of Microsoft Windows, Microsoft Internet Explorer, Microsoft Outlook Express, Windows Mail and Microsoft Visio | June 13, 2007 | CIAD-2007-33

Unix
Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Sun Java | Sun Java System Web Proxy Server SOCKS Module Buffer Overflow Vulnerabilities | June 01, 2007 | CIVN-2007-67
PHP | PHP "php_chunk_split()" Long Arguments Processing Integer Overflow Vulnerability | June 04, 2007 | CVE-2007-2872
Solaris | Vulnerability in the Authentication Mechanism for Solaris Management Console (SMC) | June 08, 2007 | CIVN-2007-69
Sun Java | Sun Java System Directory Server Authentication Bypass Vulnerability | June 26, 2007 | CIVN-2007-78
GNOME | GNOME Evolution-Data-Server imap_rescan() Function Vulnerability | June 27, 2007 | CIVN-2007-79
MIT Kerberos | MIT Kerberos Multiple Vulnerabilities | June 28, 2007 | CIAD-2007-34

Miscellaneous
Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Mozilla Firefox | Mozilla Firefox About:Blank IFrame Vulnerability | June 6, 2007 | CVE-2007-3089
Mozilla Firefox | Mozilla Firefox Action Prompt Delay Security Mechanism Bypass Vulnerability | June 6, 2007 | CVE-2007-3090
Trend Micro | Trend Micro OfficeScan Server CGI Module Buffer Overflow Vulnerabilities | June 27, 2007 | CIVN-2007-80
Medium Vulnerabilities

Microsoft
Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Microsoft Internet Explorer | Microsoft Internet Explorer COM Object Instantiation, CSS Tag, Uninitialized, Speech Control Memory Corruption and Language Pack Installation, Navigation Cancel Page Spoofing Vulnerabilities | June 13, 2007 | CIVN-2007-73
Microsoft Windows | Microsoft Windows GDI+ Library ICO Header Handling Vulnerability | June 18, 2007 | CIVN-2007-77

Unix
Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Linux Kernel | Multiple Vulnerabilities in Linux Kernel | June 11, 2007 | CIAD-2007-32
libexif and openoffice.org | libexif and openoffice.org Buffer Overflow Vulnerabilities | June 18, 2007 | CIVN-2007-76
Wireshark | Wireshark (Ethereal) Multiple Protocol Vulnerabilities | June 29, 2007 | CIAD-2007-35
Malicious Code Threats

Title of Malicious Code | Type | Overview | Aliases | Discovery Date | References
W32.Antixbot.A | Worm | A worm that propagates through Windows Live Messenger. It opens a back door on the compromised computer, can change Internet Explorer settings and can download additional malicious programs. | W32/Chode-AC [Sophos] | June 13, 2007 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-061313-5853-99
W32.Pusia.A@mm | Worm | A mass-mailing worm that gathers email addresses from the compromised computer and may include links to download other threats within the body of the email. | No alias | June 15, 2007 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-061513-0100-99
Trojan.Srizbi | Trojan | A Trojan horse that sends spam and uses a rootkit to hide itself. | No alias | June 20, 2007 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-062007-0946-99&tabid=1
Trojan.Mpkit!html | Trojan | A malware distribution and attack kit. | No alias | June 22, 2007 | http://www.cert-in.org.in/currentacts/currentact07.htm#MPack
Security News

Cyber crooks hijack 10,000 websites
[Source: www.theregister.co.uk]

More than 10,000 websites have been infected by a sophisticated and fast-acting Trojan downloader that attempts to install malware on visiting PCs. At least one security firm, Trend Micro, is working with the FBI to contain the damage and track down the perpetrators. The attack is noteworthy for the number of sites it has managed to infect in a relatively short period of time. Between Friday and Sunday night, the number jumped from 1,100 to about 2,500. By Monday afternoon, California time, there were more than 10,000 infected sites, according to Paul Ferguson, a network architect for Trend Micro.

Hacker breaks into Pentagon email system
[Source: www.theregister.co.uk]

The Pentagon took as many as 1,500 computers offline yesterday to stamp out a security breach in the Office of the Secretary of Defense. US Secretary of Defense Robert Gates told reporters in a news briefing today that a hacker had penetrated an unclassified OSD email system, prompting the shutdown. The system reportedly does not contain information related to military operations.
"A variety of precautionary measures are being taken. We expect the systems to be online again very soon."


Chinese user sues Symantec over dodgy updates
[Source: www.theregister.co.uk]

A Chinese user's attempt to sue Symantec for damage caused as a result of dodgy anti-virus signature update files is unlikely to succeed, according to security experts. Liu Shihui, a solicitor based in southern Guangdong Province, is suing Symantec for 1,644 Yuan ($215) for damage caused by a signature update of Norton Anti-Virus which identified two core Windows XP files as potentially malicious.

Estonia asks Russia to help hunt for Web criminals
[Source: www.news.com.com]

Estonia is seeking help from Russia to find the culprits behind a massive wave of attacks on the country's Internet infrastructure, Prime Minister Andrus Ansip said Wednesday. The cyberattacks coincided with a sharp deterioration in relations between Moscow and the small Baltic state over Estonia's decision to relocate a Soviet-era war memorial from the center of the capital Tallinn.


Botnet assault: Spammers launch DDoS offensive
[Source: www.blogs.zdnet.com]

The spammers behind last year's destruction of Blue Security are back with a vengeance, using a variant of the 'Storm Worm' malware to launch a sustained distributed denial-of-service attack against three anti-spam services. The ongoing attacks, which use botnets of hijacked Windows computers, successfully shut down the Web servers that power the Spamhaus Project, URIBL (Realtime URI Blacklists) and SURBL (Spam URI Realtime Blocklists).

E-mail scammers hiding malware in fake IRS notices
[Source: www.networkworld.com]

If you get an e-mail telling you that you're under investigation by the U.S. Internal Revenue Service, take a breath before calling your lawyer. It's a scam. The IRS warned Thursday of two fraudulent schemes that use the IRS's name in an attempt to get victims to install malicious Trojan horse software on their computers.

eBay targets Romanian fraudsters
[Source: www.news.com.com]

Online auction site eBay has made public the details of a months-long campaign to curb online fraud arising in Romania--an effort that has resulted in several hundred arrests. Matt Henley, a member of eBay's Fraud Investigations Team, spoke about the campaign while taking part in a two-day workshop in Sydney, Australia, with representatives of local law enforcement agencies.

E-Mail Attacks Target Business Executives
[Source: www.informationweek.com]

Cyberattackers know how to follow the money, which is why they often set their sights on companies that are rich with customer data that can be sold online to other attackers and to fraudsters. Now it's getting personal, with top-level business executives, including CEOs, presidents, CIOs, and CFOs, finding themselves being directly targeted by e-mails containing malicious Trojans.

Malware targets computer forensics tool
[Source: www.theregister.com]

Virus writers have created a proof-of-concept virus that targets a widely-used computer forensics tool.
Vred-A infects WinHex scripts, preventing these additions to forensics and data recovery tools from doing anything except infecting other scripts. The virus has not been seen in the wild, and probably never will be.

Don't touch that Microsoft Security Bulletin email
[Source: www.windowsitpro.com]

Do not be tempted into opening an email with the subject line "Microsoft Security Bulletin MS07-0065" because it is no such thing. The email is not from Microsoft and contains a link to a webpage containing a trojan (disguised malware). The emails contain real people's names and the company they work for, and look like a genuine Microsoft email.

Zlob Malware Hijacks YouTube
[Source: www.pcworld.com]

YouTube is again being used to distribute malware, this time a variant of the nuisance Zlob adware. According to Secure Computing, attackers are using a fake video link on the site to initiate infection with the Trojan, which bombards its victims with porn adware before installing data-stealing code.

OpenOffice worm Badbunny hops across operating systems
[Source: www.news.zdnet.com]

Malicious software targeting OpenOffice.org documents is spreading through multiple operating systems, according to Symantec.
"A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems," according to a Symantec Security Response advisory. "Be cautious when handling OpenOffice files from unknown sources."

Don't be evil
[Source: www.theregister.co.uk]

A series of developments raise the specter that remotely stored or created documents may be subject to subpoena or discovery all without the knowledge or consent of the document's creators (pdf).
I have been playing around recently with Google's Documents and Spreadsheets. What Google documents and spreadsheets allows you to do is to create documents or spreadsheets (and soon probably presentations) completely online using no software other than a browser and an internet connection.


Hydra-headed 'Storm' attack starts
[Source: www.computerworld.com]

A new round of greeting-card spam that draws users to visit attack sites relies on a sophisticated multipronged, multiexploit strike force to infect machines, security professionals said late today.
Captured samples of the unsolicited e-mail have all borne the same subject line -- "You've received a postcard from a family member!" -- and contain links to a malicious Web site, where JavaScript determines whether the victim's browser has scripting enabled or turned off.
