CERT-In Monthly Security Bulletin May 2007
Cyber Intrusion Trends
In this month 46 security incidents were reported to CERT-In by various national and international agencies. As shown in the figure, 57% of the incidents reported this month were phishing, 30% were unauthorized scanning, 11% were virus/worm incidents under the malicious code category and 2% were requests for technical help under the others category. Compared to the previous month, the number of scanning incidents has increased while phishing incidents have decreased. This month CERT-In started tracking botnets: CERT-In tracked 4 C&C (Command & Control) servers and 357 bot-infected computers located in India. The concerned ISPs were intimated to disinfect the bot-infected systems and C&C servers in order to mitigate the botnets.

Cyber Intrusion during May 2007

Indian Websites Defacement

In total 110 Indian websites were defaced during May 2007. Mostly websites under the .com domain were defaced by hacker groups. A chart depicting defacements by Top Level Domain (TLD) is shown in the figure.

The vulnerabilities which might have been exploited for the defacements are:

1. PHP "libxmlrpc library()", "make_http_soap_request()", "user_filter_factory_create()" Buffer Overflow and "ftp_putcmd()" CRLF Injection Vulnerabilities (CIAD-2007-26)

2. Opera Torrent File Processing Remote Buffer Overflow and Code Execution Vulnerability (CVE-2007-2809)

3. Apache Tomcat JK Web Server Connector Double Encoded ".." Security Bypass (CVE-2007-1860)

Statistics of Defaced Indian Websites during 01-15 May 2007

Open proxy servers

Any proxy server that does not restrict its client base to its own set of clients, and allows any other client to connect to it, is known as an open proxy server. An open proxy server will accept client connections from any IP address and make connections to any Internet resource on their behalf.

CERT-In tracked 74 open proxy servers functioning in India during May 2007. All the concerned ISPs were alerted immediately to shut down the open proxy servers. A bar chart of open proxy servers tracked during this year is shown in the figure.

Statistics of Open Proxy Servers tracked during Jan 2007-May 2007
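As an added illustration that is not part of the bulletin, the following Python script applies the definition above to a proxy's own access log: if the proxy has actually served requests for clients outside its permitted networks, it is open by that definition, while refused requests from outside show the access control working. The log lines, the Squid-style column layout and the permitted networks are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in a Squid-style access.log layout (assumed columns:
# timestamp, elapsed ms, client IP, result/status, bytes, method, URL, ...).
SAMPLE_LOG = """\
1180000001.123    245 192.168.10.14 TCP_MISS/200 5120 GET http://example.net/ - DIRECT/203.0.113.5 text/html
1180000002.456    310 10.0.0.77 TCP_HIT/200 2048 GET http://example.org/a.gif - NONE/- image/gif
1180000003.789    987 198.51.100.23 TCP_MISS/200 8192 CONNECT mail.example.com:443 - DIRECT/203.0.113.9 -
1180000004.012    120 203.0.113.200 TCP_DENIED/403 0 GET http://example.net/ - NONE/- text/html
1180000005.345    600 198.51.100.23 TCP_MISS/200 4096 GET http://example.com/ - DIRECT/203.0.113.7 text/html
"""

# The proxy's own client base (assumed): only these networks should be served.
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.0.0/16"),
                   ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def parse_line(line):
    """Extract client address, HTTP status code, method and URL from one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code = int(m.group("status").rsplit("/", 1)[-1])  # "TCP_MISS/200" -> 200
    return {"client": ipaddress.ip_address(m.group("client")), "code": code,
            "method": m.group("method"), "url": m.group("url")}


def is_permitted_client(addr, allowed=ALLOWED_CLIENTS):
    return any(addr in net for net in allowed)


def audit_open_proxy(log_text, allowed=ALLOWED_CLIENTS):
    """Return (is_open, served): served maps each outside client that was actually
    served (2xx/3xx) to its requests. An outside request that was refused (e.g. 403)
    shows the ACL working; a served one means the proxy is open."""
    served = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_permitted_client(rec["client"], allowed):
            continue
        if 200 <= rec["code"] < 400:
            served.setdefault(str(rec["client"]), []).append(
                f"{rec['method']} {rec['url']}")
    return bool(served), served
```

Run against a real access log, the same check reports which outside addresses were served and what they fetched, which is the evidence an ISP needs when it is asked to shut an open proxy down.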

Security Alerts

The critical and medium vulnerabilities in various operating systems, application software and network devices discovered during May 2007, their countermeasures, and the widely spreading malicious code (viruses, worms and Trojans) are given below:

High Vulnerabilities

Microsoft

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Microsoft Excel | Microsoft Excel BIFF Record, Set Font and Auto Filter Record Remote Code Execution Vulnerabilities | May 09, 2007 | CIVN-2007-59
Microsoft Word | Microsoft Word Array Overflow, Document Stream and RTF Parsing Vulnerabilities | May 09, 2007 | CIVN-2007-60
Microsoft Office | Microsoft Office Drawing Object Remote Code Execution Vulnerability | May 09, 2007 | CIVN-2007-61
Microsoft Exchange | Multiple Vulnerabilities in Microsoft Exchange | May 09, 2007 | CIVN-2007-62
Microsoft Internet Explorer | Microsoft Internet Explorer COM Object Instantiation, Uninitialized Memory, Property, HTML Objects Memory Corruption and Arbitrary File Rewrite Vulnerabilities | May 09, 2007 | CIVN-2007-63
Microsoft | Microsoft CAPICOM.Certificates ActiveX Control Remote Code Execution Vulnerability | May 09, 2007 | CIVN-2007-64
Microsoft Windows | Multiple Vulnerabilities in Microsoft Windows, Microsoft Windows Server, Microsoft Internet Explorer, Microsoft Office, Microsoft Exchange, Microsoft CAPICOM and Microsoft BizTalk | May 09, 2007 | CIAD-2007-22
Unix

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Sun Java | Sun Java Web Start System Classes Security Bypass and Code Execution Vulnerability | May 08, 2007 | CIVN-2007-58
Apache | Apache Tomcat Multiple Cross Site Scripting and Security Bypass Vulnerabilities | May 09, 2007 | CVE-2006-7196
Sun Solaris | Sun Solaris 9 Auditing BSM Unspecified Local Denial of Service Vulnerability | May 10, 2007 | CIVN-2007-66
Samba | Multiple Vulnerabilities in Samba | May 16, 2007 | CIAD-2007-25
PHP | PHP MCrypt_Create_IV Insecure Encryption Weakness | May 16, 2007 | CVE-2007-2727
PHP | PHP "libxmlrpc library()", "make_http_soap_request()", "user_filter_factory_create()" Buffer Overflow and "ftp_putcmd()" CRLF Injection Vulnerabilities | May 18, 2007 | CIAD-2007-26
Sun Java | Sun Java Development Kit ICC and BMP Parsing Buffer Overflow and DoS Vulnerabilities | May 21, 2007 | CVE-2007-2788
Opera Web Browser | Opera Torrent File Processing Remote Buffer Overflow and Code Execution Vulnerability | May 22, 2007 | CVE-2007-2809
Apache Tomcat | Apache Tomcat JK Web Server Connector Double Encoded ".." Security Bypass | May 25, 2007 | CVE-2007-1860
Network Devices

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Cisco | Cisco Network Services NetFlow Collection Engine Default User Account Vulnerability | May 04, 2007 | CIVN-2007-55
Cisco | Multiple Vulnerabilities in Cisco Adaptive Security Appliance (ASA) and PIX Security Appliances | May 10, 2007 | CIAD-2007-23
Cisco | Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets | May 28, 2007 | CIAD-2007-28
Miscellaneous

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Adobe | Adobe Photoshop Bitmap File Handling Buffer Overflow Vulnerabilities | May 01, 2007 | CIVN-2007-54
Winamp | Winamp MP4 File Handling Memory Corruption Vulnerability | May 04, 2007 | CIVN-2007-56
Apple | Apple QuickTime Java Extension "toQTPointer()" Code Execution Vulnerability | May 07, 2007 | CIVN-2007-57
LiveData | LiveData Protocol Server Heap Overflow Vulnerability | May 08, 2007 | CIAD-2007-21
Trend Micro | Trend Micro ServerProtect SpntSvc.exe and EarthAgent.exe Buffer Overflow Vulnerabilities | May 09, 2007 | CIVN-2007-65
HTTP Content Scanning | Full-Width/Half-Width Unicode Bypasses HTTP Content Scanning | May 16, 2007 | CIAD-2007-24
Backdoor Trojan | Zapchast Backdoor Trojan Propagating through Email Greetings | May 24, 2007 | CIAD-2007-27
Crypto Library | Vulnerability in Crypto Library | May 28, 2007 | CIAD-2007-29
Apple | Multiple Vulnerabilities in Apple QuickTime Java Extension | May 31, 2007 | CIAD-2007-30
Mozilla | Multiple Vulnerabilities in Mozilla Products | May 31, 2007 | CIAD-2007-31
Malicious Code Threats

Title of Malicious Code: Circulation of malware through MSIE7 Spam
Type: Trojan
Overview: It has been observed that a large number of spam mails pretending to be from Microsoft are being sent to users, persuading them to download malware embedded in a file that claims to be an update to Internet Explorer.
Aliases: Win32/Grum.b [McAfee], Trojan-Downloader.Win32.Agent.bjo [Kaspersky], W32/Grum-B [Sophos], TR/Proxy.Agent.CL [AntiVir], Win32:Agent-GJR, Trojan.Downloader-4640, Trojan.Downloader.18993
Discovery Date: May 07, 2007
References: http://www.cert-in.org.in/currentacts/currentact07.htm#ie7

Title of Malicious Code: Trojan.Mailbot
Type: Trojan
Overview: It is a Trojan horse that can be used to send unsolicited email through the compromised computer.
Aliases: No Alias
Discovery Date: May 07, 2007
References: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-050720-0155-99&tabid=1

Title of Malicious Code: W32.Kenety
Type: Worm
Overview: It is a worm that opens a back door on the compromised computer and spreads by exploiting the vulnerability described in CVE-2006-2369.
Aliases: No Alias
Discovery Date: May 10, 2007
References: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-051102-0553-99

Title of Malicious Code: SymbOS.Viver
Type: Trojan
Overview: It is a Trojan horse that sends SMS messages to a premium-rate number.
Aliases: Trojan-SMS.SymbOS.Viver.a [Kaspersky]
Discovery Date: May 25, 2007
References: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-052422-4040-99

Title of Malicious Code: Badbunny Macro Virus
Type: Virus
Overview: A multi-platform macro virus named Badbunny is affecting various OS platforms, namely Windows, Linux and MacOS. It propagates through the OpenOffice Draw file badbunny.odg.
Aliases: IRC-Worm.StarOffice.Badbunny.a, SB.Badbunny (Symantec), SB/BadBunny-A (Sophos), StarBasic/Bunbad.A (Computer Associates)
Discovery Date: May 25, 2007
References: http://www.cert-in.org.in/virus/badbunny.htm

Title of Malicious Code: Banker Infostealer Trojan
Type: Trojan
Overview: Banker Infostealer is a Trojan horse programme which steals targeted banking information from the infected system.
Aliases: No Alias
Discovery Date: May 30, 2007
References: http://www.cert-in.org.in/virus/Bankerinfostealer.htm
Security News

Newsmaker: Cyberattack in Estonia--what it really means
[Source: www.news.com.com]

When it comes to denial-of-service attacks, Jose Nazario has seen just about everything. As senior security researcher at Arbor Networks, Nazario closely monitors network attacks. A denial-of-service, or DoS, attack occurs when someone directs a large number of requests to a target URL so quickly that the Web server can't respond, and the site becomes inaccessible.

Estonian/Russian statue riots spill online
[Source: www.theregister.co.uk]

Civil unrest in Estonia over the removal of Soviet era memorials has been accompanied by attacks against the Baltic nation’s internet infrastructure.
Several Estonian government websites remain unavailable whilst others, such as that of the Estonian Police, remain available only in text-only forms as a result of sustained denial of service attacks.

How quickly are phishing websites taken down?
[Source: www.lightbluetouchpaper.org]

Tyler Moore and myself have a paper (An Empirical Analysis of the Current State of Phishing Attack and Defence) accepted at this year’s Workshop on the Economics of Information Security (WEIS 2007) in which we examine how long phishing websites remain available before the impersonated bank gets them “taken-down”.

Two-Factor Security Threats Still Exist
[Source: www.securitypronews.com]

Two factors of security are better than one, but the extra factor does not guarantee complete safety from potential threats. By all means, let's get a two factor authentication security plan in place for financial institutions. The age of the username/password as being enough security for people has been in the rear view mirror for a long time.

Online Criminal Gangs Battle With Botnets
[Source: www.informationweek.com]

Two or three online criminal gangs are waging an all-out battle for control of the largest botnets, sending out waves of malware aimed at stealing zombie computers from rival gangs to build up their own army. Each online gang is trying to build up the biggest botnet because the bigger the army of infected computers they control, the more money spammers and hackers will pay to use them, explains Shane Coursen, a senior technical consultant for Kaspersky Lab.

White Papers: Ten Ways Hackers Breach Security
[Source: www.first.org]

Hacking, cracking, and cyber crimes are hot topics these days and will continue to be for the foreseeable future. However, there are steps you can take to reduce your organization's threat level. The first step is to understand what risks, threats, and vulnerabilities currently exist in your environment.

Peer-to-peer networks co-opted for DOS attacks
[Source: www.theregister.com]

A flaw in the design of a popular peer-to-peer network software has given attackers the ability to create massive denial-of-service attacks that can easily overwhelm corporate websites, a security firm warned last week. Over the past three months, more than 40 companies have endured attacks emanating from hundreds of thousands of Internet Protocol addresses (IPs), with many of the attacks producing more than a gigabit of junk data every second, according to security solutions provider Prolexic Technologies.

Gozi hybrid Trojan menaces the net
[Source: www.theregister.com]

VXers have developed a strain of malware capable of logging keystrokes as well as snooping on encrypted SSL streams originating from compromised PCs. The hybrid variant of the Gozi Trojan was discovered by Don Jackson, a researcher with SecureWorks who discovered the original Gozi malware earlier this year. In its original form, Gozi spread using IE exploits. It used advanced Winsock2 functionality to snoop on traffic.

Malware targets OpenOffice users
[Source: www.theregister.com]

Malware miscreants have crafted a cross-platform worm targeted at OpenOffice users that's capable of infecting Windows, Mac, and Linux computers. The OpenOffice/StarBasic macro worm, dubbed BadBunny, is a proof-of-concept worm that's not been seen outside the lab. Most anti-virus firms describe it as a low-risk threat.

New Microsoft Tool Strips Exploits Out of Office Documents (Registration Required)
[Source: www.windowsitpro.com]

Microsoft released its new Microsoft Office Isolated Conversion Environment (MOICE), which converts Office 2003's binary format files into the more secure Office Open XML format used by Office 2007.

Promising antispam technique gets nod
[Source: www.news.com.com]

A key Internet standards body gave preliminary approval on Tuesday to a powerful technology designed to detect and block fake e-mail messages. It's called DomainKeys Identified Mail, and it promises to give Internet users the best chance so far of stanching the seemingly endless flow of fraudulent junk e-mail.

Strange spoofing technique evades anti-phishing filters
[Source: www.theregister.com]

A Reg reader has produced screen shots that demonstrate a powerful phishing technique that's able to spoof eBay, PayPal and other top web destinations without triggering antiphishing filters in IE 7 or Norton 360. Plenty of other PayPal users are experiencing the same ruse, according to search engine results.

Spam Attack Steals High-Level Execs' Data
[Source: www.news.yahoo.com]

The Better Business Bureau has issued a fraud alert regarding the resurgence of a spam attack that targets high-level executives in various industries.
The spam e-mails purport to be sent by the BBB in an effort to entice users to click on a malicious link. The SANS Institute reported a similar wave of targeted spam attacks using the BBB name in March.

Six in California indicted for online bank fraud
[Source: www.theregister.com]

Six California men accused of breaking in to online bank accounts and funneling out the proceeds have been indicted for bank and wire fraud and money laundering. The 53-count indictment could carry a sentence of as much as 30 years in prison and a fine of $1m.

Phishing Activity Trends - Report for the Month of April, 2007
[Source: www.antiphishing.org]

The number of unique phishing websites detected by APWG rose to 55,643 in April 2007, a massive jump of nearly 35,000 from March resulting from aggressive sub-domain phishing tactics, by which phishers started putting a large number of phish URLs on the same domain.