Malicious websites Summary of BruCERT Honey Pot Project

• The third most common threat family infecting computers in Brunei in 4Q13 was Win32/Gamarue, which was detected and removed from 2.2 of every 1,000 unique computers scanned by the MSRT. Win32/Gamarue is a worm that is commonly distributed via exploit kits and social engineering. Variants have been observed stealing information from the local computer and communicating with command-and-control (C&C) servers managed by attackers.

• The fourth most common threat family infecting computers in Brunei in 4Q13 was Win32/Dorkbot, which was detected and removed from 1.4 of every 1,000 unique computers scanned by the MSRT. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access to and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

2.3. Malicious websites

Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected.
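The browser and search-engine filters described above work by checking each requested URL against a list of known phishing and malware-hosting sites before the page loads. The following is an added example, not code from Microsoft, Bing or BruCERT, of the core of such a check: URL normalization so that case, trailing-dot and punycode variants of a host resolve to one form, subdomain matching, and path-prefix entries so that a single compromised page on an otherwise legitimate site can be blocked without blocking the whole site. The blocklist entries and hostnames are constructed sample data.

```python
"""URL-reputation check of the kind browser phishing/malware filters perform.

Added example; not code from the Microsoft Security Intelligence Report or
from BruCERT. The blocklist below is constructed sample data; a real filter
pulls entries from a continuously updated reputation service.
"""
from urllib.parse import urlsplit

# (kind, host, path_prefix). A prefix of "/" blocks the whole host; a longer
# prefix blocks only that part of a site (e.g. one compromised directory).
BLOCKLIST = [
    ("malware", "bad-downloads.example", "/"),
    ("phishing", "login-verify.example", "/account"),
    ("malware", "cdn.example", "/pkg/evil-installer.exe"),
]


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and IDNA-encode, so that mixed case,
    'host.' and Unicode/punycode spellings of one name compare equal."""
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def classify(url: str):
    """Return (kind, matched_entry_host) if the URL is on the blocklist,
    otherwise None. A host matches an entry when it is equal to it or is a
    subdomain of it, and the request path starts with the entry's prefix."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = normalize_host(parts.hostname)
    path = parts.path or "/"
    for kind, bad_host, prefix in BLOCKLIST:
        bad_host = normalize_host(bad_host)
        same_or_sub = host == bad_host or host.endswith("." + bad_host)
        if same_or_sub and path.startswith(prefix):
            return kind, bad_host
    return None


def warning_for(url: str) -> str:
    """Text a browser might show in its prominent interstitial warning."""
    hit = classify(url)
    if hit is None:
        return ""
    kind, host = hit
    return f"Warning: {host} is a reported {kind} site. Navigation blocked."


if __name__ == "__main__":
    for u in ("http://BAD-DOWNLOADS.example./setup.exe",
              "https://login-verify.example/account/signin",
              "https://login-verify.example/help",
              "https://www.cdn.example/pkg/evil-installer.exe"):
        print(u, "->", classify(u))
```

The path-prefix entries matter for the compromised-legitimate-site case the text describes: blocking only the injected path keeps the rest of the site reachable while the owner cleans it up. Normalizing the host before comparison closes the trivial evasion of changing case or adding a trailing dot.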

2.4. Summary of BruCERT Honey Pot Project

In this section, BruCERT summarises the Honey Pot project, an initiative deployed together with TelBru. With this honeypot, BruCERT gains a better understanding of the current security landscape of Brunei's cyberspace.

Summary of honeypot activities

This data shows the overall activity recorded by the honeypot from January 2014 until November 2014.

[Figure: Total malicious attacks. Daily data on malicious attacks against the honeypot, by attacker origin.]

[Figure: Exploits targeted by malware. Exploits used by the malware and the total number of times each was used.]

[Figure: Most attacked ports. Most attacked ports and total number of hits.]

Destination port | Description | Vulnerabilities
3306 | MySQL database system | MySQL authentication bypass
1433 | MSSQL (Microsoft SQL Server database management system) | Monitor, exploit buffer overflows, hijack existing sessions and misuse privileges once authenticated
135 | MSRPC | CVE-2003-352, CVE-2003-528, CVE-2003-533, CVE-2003-717, CVE-2003-813: buffer overflow in certain DCOM interfaces allows remote attackers to execute arbitrary code via a malformed message
3389 | Microsoft Terminal Server (RDP) | CVE-2012-0173: vulnerability provides attackers with remote access via Remote Desktop Protocol (RDP)
5000 | Universal Plug and Play (UPnP), a technology pioneered and developed by Microsoft | CVE-2013-6987, CVE-2013-6955

[Figure: Top 10 malware offered.]

3. BruCERT Activities in 2014

3.1. Seminars / Conferences / Meetings / Visits
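The honeypot summary in section 2.4 above presents two aggregates: hits per destination port (matched against the port table) and daily attacks broken down by attacker origin. The following is an added example, not BruCERT's or TelBru's code, of how such a summary is produced from raw honeypot connection records. The log format (date, source IP, source country, destination port) is an assumption, and the log lines are constructed sample data; the port descriptions are taken from the report's table.

```python
"""Aggregate honeypot connection records into the report's two summaries:
most attacked ports (with hit counts) and daily attacks by source country.

Added example; not BruCERT's or TelBru's code. The log format below is an
assumption and the lines are constructed sample data.
"""
from collections import Counter, defaultdict

# Port labels taken from the report's destination-port table.
PORT_DESCRIPTIONS = {
    3306: "MySQL database system",
    1433: "MSSQL (Microsoft SQL Server)",
    135: "MSRPC",
    3389: "Microsoft Terminal Server (RDP)",
    5000: "Universal Plug and Play (UPnP)",
}

# Constructed sample log: "<date> <source IP> <source country> <dest port>".
# Documentation-range IPs (198.51.100.x, 203.0.113.x, 192.0.2.x) are used.
SAMPLE_LOG = """\
2014-01-05 198.51.100.7 CN 3306
2014-01-05 198.51.100.7 CN 3306
2014-01-05 203.0.113.9 US 1433
2014-01-06 192.0.2.44 RU 135
2014-01-06 198.51.100.7 CN 3306
2014-01-06 203.0.113.9 US 3389
2014-01-06 192.0.2.45 RU 3389
this line is malformed and must be skipped
2014-01-07 203.0.113.10 US 5000
"""


def parse_records(text):
    """Yield (date, src_ip, country, port) tuples, skipping malformed lines
    rather than aborting the whole summary on one bad record."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        date, src_ip, country, port = fields
        yield date, src_ip, country, int(port)


def most_attacked_ports(records, top=10):
    """Return [(port, hits, description)] sorted by hits, highest first."""
    counts = Counter(port for _, _, _, port in records)
    return [(port, hits, PORT_DESCRIPTIONS.get(port, "unknown service"))
            for port, hits in counts.most_common(top)]


def daily_attacks_by_origin(records):
    """Return {date: {country: hits}}, the data behind the daily
    attacks-by-origin chart, with dates in ascending order."""
    daily = defaultdict(Counter)
    for date, _, country, _ in records:
        daily[date][country] += 1
    return {date: dict(counts) for date, counts in sorted(daily.items())}


if __name__ == "__main__":
    recs = list(parse_records(SAMPLE_LOG))
    print("Most attacked ports")
    for port, hits, desc in most_attacked_ports(recs):
        print(f"{port:>5}  {hits:>3}  {desc}")
    print("Daily attacks by origin")
    for day, origins in daily_attacks_by_origin(recs).items():
        print(day, origins)
```

Records are materialised into a list once and passed to both aggregators, since each consumes the iterator; the malformed-line check keeps a single corrupt record from dropping a whole day of data from the chart.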