CERT-In Monthly Security Bulletin January 2007
Cyber Intrusion Trends
In this month, 61 security incidents were reported to CERT-In by various national and international agencies. As shown in the figure, 77% of the incidents reported this month were phishing incidents, including one involving an Indian bank; 16% were virus/worm incidents under the malicious code category and 7% were unauthorized scanning incidents. Compared to the previous month, the number of scanning incidents has decreased while virus/worm and phishing incidents have increased.

[Figure: Cyber Intrusion during January 2007]

Indian Websites Defacement

In total, 332 Indian websites were defaced during January 2007. Most of the defaced websites were under the .com domain. A chart of defacements by Top Level Domain (TLD) is shown in the figure.

The vulnerabilities which might have been exploited for the defacements are:

  1. PHP-Nuke "cat" Old Articles Block SQL Injection
     CVE ID: CVE-2007-0309
     Rated as: Medium Risk
     Release Date: 17-01-2007
  2. PHP "sscanf()" Format Specifier Handling Security Bypass and Code Execution Vulnerability
     CERT-In Reference: CIAD-2006-35
     Release Date: September 26, 2006

[Figure: Statistics of Defaced Indian Websites in January 2007]

Open proxy servers

Any proxy server that does not restrict its client base to its own set of clients, and allows any other client to connect to it, is known as an open proxy server. An open proxy server accepts client connections from any IP address and makes connections to any Internet resource on the client's behalf.

CERT-In tracked 75 open proxy servers functioning in India during January 2007. All the ISPs concerned were alerted immediately to shut down the open proxy servers. A bar chart of open proxy servers tracked from January 2006 to January 2007 is shown in the figure.

[Figure: Statistics of Open Proxy Servers tracked during Jan 2006 - Jan 2007]
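As an added example (not part of this bulletin and not Squid's own code), the following Python checker evaluates a Squid-style access list the way Squid does and reports whether a client from an arbitrary outside address would be admitted, which is exactly the "does not restrict its client base" condition defined above. Squid's acl/http_access syntax is assumed only as a familiar rule format; the sample configurations are constructed and use RFC 5737 documentation addresses.

```python
# Added example (not from the CERT-In bulletin or the Squid project): evaluate
# a Squid-style access list the way Squid does (first matching http_access
# rule wins; none matching -> opposite of the last rule; no rules -> deny)
# and report whether an outside client would be admitted.  Configs are constructed.
import ipaddress

def parse_squid_access(text):
    """acls: name -> [ip_network]; rules: ordered (action, [(acl, negated)])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            for tok in parts[3:]:
                # `all` and the old 0.0.0.0/0.0.0.0 spelling both mean any IPv4 source
                tok = "0.0.0.0/0" if tok in ("all", "0.0.0.0/0.0.0.0") else tok
                acls.setdefault(parts[1], []).append(ipaddress.ip_network(tok, strict=False))
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], [(t.lstrip("!"), t.startswith("!")) for t in parts[2:]]))
    return acls, rules

def client_allowed(config, client_ip):
    """Decide whether client_ip may use the proxy under this config."""
    acls, rules = parse_squid_access(config)
    ip = ipaddress.ip_address(client_ip)
    for action, terms in rules:
        hit = True
        for name, negated in terms:  # every ACL on one line must match (AND)
            if name == "all" and name not in acls:
                matched = True       # Squid's built-in `all` ACL
            else:
                matched = any(ip in net for net in acls.get(name, []))
            if matched == negated:
                hit = False
                break
        if hit:
            return action == "allow"
    return bool(rules) and rules[-1][0] != "allow"

def is_open_proxy(config, outside_ip="203.0.113.7"):
    """True if a client from an arbitrary outside address (TEST-NET-3) is admitted."""
    return client_allowed(config, outside_ip)

# Constructed configs: an open proxy, and the restricted form an ISP expects.
OPEN_PROXY = "acl all src 0.0.0.0/0.0.0.0\nhttp_access allow all\n"
RESTRICTED = ("acl all src 0.0.0.0/0.0.0.0\n"
              "acl localnet src 192.0.2.0/24 198.51.100.0/24\n"
              "http_access allow localnet\n"
              "http_access deny all\n")
if __name__ == "__main__":
    print("open:", is_open_proxy(OPEN_PROXY), "restricted:", is_open_proxy(RESTRICTED))
```

Rule order matters: an `allow all` placed before the `deny` lines makes the proxy open regardless of what follows, which is the misconfiguration the checker flags.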

Security Alerts

The critical and medium vulnerabilities in various operating systems, application software and network devices discovered during January 2007, together with their countermeasures and widespread malicious code such as viruses, worms and Trojans, are given below:

High Vulnerabilities

Microsoft

| Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| OpenOffice | OpenOffice Integer and Buffer Overflow Vulnerabilities | January 05, 2007 | CIVN-2007-01 |
| Microsoft Windows | Multiple Vulnerabilities in Microsoft Windows, Internet Explorer, Outlook Express and Microsoft Office | January 11, 2007 | CIAD-2007-04 |
| Microsoft Excel | Microsoft Excel Malformed Column Record, Palette Record, IMDATA Record and String Vulnerabilities | January 11, 2007 | CIVN-2007-02 |
| Microsoft Outlook | Remote Code Execution and Denial of Service Vulnerabilities in Microsoft Outlook | January 11, 2007 | CIVN-2007-03 |
| Microsoft Windows | Microsoft Windows Vector Markup Language Code Execution Vulnerability | January 11, 2007 | CIVN-2007-04 |
| Microsoft Word | Microsoft Word Unspecified String Handling Memory Corruption Vulnerability | January 31, 2007 | CIVN-2007-07 |

Unix

| Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| OpenOffice | OpenOffice Integer and Buffer Overflow Vulnerabilities | January 05, 2007 | CIVN-2007-01 |
| Fetchmail | Fetchmail Multiple Password Information Disclosure and Denial of Service Vulnerabilities | January 09, 2007 | CIAD-2007-02 |
| Opera | Opera JPEG Image and JavaScript Handling Remote Code Execution Vulnerabilities | January 16, 2007 | CIAD-2007-03 |
| Linux | Linux-PAM Login Bypass Security Vulnerability | January 29, 2007 | CIVN-2007-06 |

Miscellaneous

| Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Adobe | Multiple XSS Vulnerabilities in Adobe Acrobat Plug-In | January 08, 2007 | CIAD-2007-01 |
| Cisco | Multiple Vulnerabilities in Cisco IOS and IOS-XR | January 31, 2007 | CIVN-2007-08 |

Medium Vulnerabilities

Unix

| Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Acroread | Multiple XSS Vulnerabilities in Adobe Acrobat Plug-In | January 08, 2007 | CIAD-2007-01 |
| Xpdf | Xpdf "Catalog::readPageTree()" Catalog Dictionary Handling Denial of Service Issue | January 15, 2007 | CVE-2007-0104 |
| Xorg, XFree86 and Kerberos | Multiple Vulnerabilities in Xorg, XFree86 and Kerberos | January 16, 2007 | CIAD-2007-05 |
| Squid | Squid Denial of Service Vulnerabilities | January 16, 2007 | CVE-2007-0248, CVE-2007-0247 |
| xine-ui | xine-ui "errors_create_window()" Format String Vulnerability | January 17, 2007 | CVE-2007-0254 |
| PHP-Nuke | PHP-Nuke "cat" Old Articles Block SQL Injection | January 17, 2007 | CVE-2007-0309 |
| Sun Java JRE | Sun Java JRE GIF Image Processing Buffer Overflow Vulnerability | January 18, 2007 | CIVN-2007-05 |
| ISC BIND | ISC BIND Denial of Service Vulnerabilities | January 25, 2007 | CVE-2007-0493 |
| GTK+ | GTK+ "GdkPixbufLoader()" Image Handling Client-Side Denial of Service Vulnerability | January 25, 2007 | CVE-2007-0010 |

Database

| Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Oracle | Multiple Vulnerabilities in Oracle Products | January 18, 2007 | CIAD-2007-06 |
Malicious Code Threats

| Title of Malicious Code | Type | Overview | Aliases | Discovery Date | References |
|---|---|---|---|---|---|
| W32.Fujacks.AJ@mm | Worm | A mass-mailing worm that opens a back door on the compromised computer and also infects .exe files found on local and mapped drives. | No aliases | January 22, 2007 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-012310-1934-99&tabid=1 |
| W32.Gangbot | Worm | Opens a back door and connects to an IRC server. It spreads by searching for vulnerable SQL servers, and also by exploiting the Microsoft Internet Explorer Vector Markup Language Code Execution Vulnerability (CIVN-2006-92) and the RealVNC Remote Authentication Bypass Vulnerability (CVE-2006-2369) on TCP port 5900. | No aliases | January 22, 2007 | http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-012210-3042-99&tabid=1 |
| Storm Worm [CME-711] | Trojan | Arrives as an e-mail attachment with an empty message body and varying subject lines related to specific events. It tries to establish peer-to-peer communication on UDP ports 4000 or 7871 with other infected machines in order to download and execute additional malware on the infected system and form a botnet. | TROJ_SMALL.EDW (Trend Micro), Trojan.Peacomm (Symantec), Troj/DwnLdr-FYD, Troj/Small-DOR, W32/Stormy.AB, Trojan-Downloader.Win32.Agent.bet, Downloader-BAI!M711, Downloader-BAI, Trojan-Downloader.Win32.Small.dam, Small.DAM (F-Secure) | January 23, 2007 | http://www.cert-in.org.in/virus/Trojan_strom_worm.htm |
| Trojan MSWord-Exploit | Trojan | Exploits the Microsoft Word Unspecified String Handling Memory Corruption Vulnerability described in CIVN-2007-07. The Trojan arrives as an attachment in e-mail messages or may be dropped by other malware on the affected system. | Trojan.Mdropper.W (Symantec), Trojan-Dropper.MSWord.1Table.cq (Kaspersky), Exploit-MSWord.d (McAfee), TrojanDropper:Win32/Controlwod.E (Microsoft), TROJ_MDROPPER.EQ (Trend Micro) | January 31, 2007 | http://www.cert-in.org.in/virus/Trojan_MSWord_Exploit.htm |
Security News

Botnet 'pandemic' threatens to strangle the net
[Source: www.theregister.com]

Networks of compromised PCs are threatening the smooth operation of the internet, the World Economic Forum was told this week.

Up to a quarter of online computers are virus-infected components in botnet networks of PCs under the control of hackers, according to net luminary Vint Cerf. Cerf, who co-developed the TCP/IP protocol, compared the spread of botnets to a disease that has reached "pandemic" proportions.

US tops for hosting virus websites and sending spam
[Source: www.siliconrepublic.com]

It will surprise nobody to discover that the US was the leading source of malicious code and spam during 2006. The IT security firm Sophos made the scarcely shocking revelation in its annual Security Threat Report 2007. According to the report, more than a third of all websites containing viruses that were identified last year were hosted in the US. The same country – which is home to the so-called 'spam king' Scott Richter – was also responsible for relaying more unwanted junk email than any other nation.

Storm Worm Hits Computers Around the World
[Source: www.eweek.com]

HELSINKI (Reuters)—Computer virus writers started to use raging European storms on Friday to attack thousands of computers in an unusual real-time assault, the head of research at Finnish data security firm F-Secure told Reuters.

The virus, which the company named "Storm Worm," is sent to hundreds of thousands of e-mail addresses globally, with the e-mail's subject line saying "230 dead as storm batters Europe."

RSA Catches Financial Phishing Kit
[Source: www.eweek.com]

RSA, The Security Division of EMC, announced Jan. 10 that it has identified a new phishing kit that was being sold and used online by hackers to target users' personal information in real time.

The phishing kit, known as a Universal Man-in-the-Middle Phishing Kit, is meant to help online hackers create attacks involving financial organizations by enabling the hacker to create a fake URL through a user-friendly online interface. The fraudulent URL communicates with the legitimate Web site of the targeted organization in real time.

Trojans fuel ID theft boom
[Source: www.theregister.com]

Identity theft, both offline and online, is on the rise with keylogging Trojan software often forming the weapon of choice for would-be fraudsters, according to a new study by net security firm McAfee.

McAfee reckons the number of key logging malware packages increased 250 per cent between January 2004 and May 2006. The number of phishing attacks tracked by the Anti-Phishing Working Group has multiplied 100-fold over the same period of time, it notes.

Spammers' Fake Newsletters Slip by E-Mail Filters
[Source: www.eweek.com]

A new technique being employed by malicious spammers is testing the ability of e-mail filtering technologies to tell the difference between legitimate newsletter content and messages bearing unwanted advertisements and hidden links to malware sites.

According to researchers at security software market leader Symantec, a new trend is rapidly emerging among bulk spammers where the creators of the annoying and often dangerous messages are disguising their work using real content distributed in genuine electronic newsletters.

Phishing up 180% in 2006
[Source: economictimes.indiatimes.com]

NEW DELHI: Internet surfers had better watch out! The number of fake website links that could extract your bank account details seems to be on the rise. Going by government data, Indians were confronted with 215 more cases of phishing in 2006 than in the previous year, marking an increase of 180% in such incidents in the country.

Spam on IP telephony
[Source: www.theregister.co.uk]

One more for the list - Spit. Spam over IP telephony is one which so far, thankfully, is pretty rare, and is low on many suppliers' radars. The problem is that it is completely different to the others.

Swedish bank falls foul of advanced online scam
[Source: www.siliconrepublic.com]

Since September nearly £600,000 sterling has been stolen from Sweden's largest bank Nordea as a result of internet fraud, the bank has revealed.

Security firm McAfee has said it is the biggest case of internet fraud reported so far.

Some 250 customers of the bank were affected by the scam, which involved tailor-made Trojan horses being unwittingly downloaded onto the victims' PCs.