• The third most common threat family infecting computers in Brunei in 4Q13 was Win32/Gamarue, which was detected and removed from 2.2 of every 1,000 unique computers scanned by the MSRT. Win32/Gamarue is a worm that is commonly distributed via exploit kits and social engineering. Variants have been observed stealing information from the local computer and communicating with command-and-control (C&C) servers managed by attackers.
• The fourth most common threat family infecting computers in Brunei in 4Q13 was Win32/Dorkbot, which was detected and removed from 1.4 of every 1,000 unique computers scanned by the MSRT. Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Win32/Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.
2.3. Malicious websites
Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. See the Microsoft Security Intelligence Report website for more information about these protections and how the data is collected.
2.4. Summary of BruCERT Honey Pot Project
This section summarises the Honey Pot project initiative that BruCERT deployed together with TelBru. With this Honey Pot, BruCERT can gain a better understanding of the current security landscape of Brunei's cyber space.
Figure: Summary of honeypot activities. This data shows the overall activities from the honeypot from January 2014 until November 2014.
Figure: Total malicious attacks. Daily data on malicious attacks against the honeypot, by attacker origin.
Figure: Exploits targeted by malware. Exploits used by the malware and the total number of times each has been used.
Figure: Most attacked port. Most attacked port and total number of hits.
Destination port | Description | Vulnerabilities
3306 | MySQL database system | MySQL authentication bypass
1433 | MSSQL (Microsoft SQL Server database management system) Monitor | Exploit buffer overflows, hijack existing sessions and misuse privileges once authenticated
135 | MSRPC | CVE-2003-352, CVE-2003-528, CVE-2003-533, CVE-2003-717, CVE-2003-813: buffer overflow in certain DCOM interfaces allows remote attackers to execute arbitrary code via a malformed message
3389 | Microsoft Terminal Server (RDP) | CVE-2012-0173: vulnerability provides attackers with remote access via Remote Desktop Protocol (RDP)
5000 | Universal Plug and Play (UPnP), a technology pioneered and developed by Microsoft | CVE-2013-6987, CVE-2013-6955
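The per-port and per-origin figures in this section are aggregations over the honeypot's raw connection records. The following added example (not BruCERT's or TelBru's own tooling) shows how such summaries are derived: it parses constructed sample lines in a simplified "date time src_ip dst_port" format, counts hits per destination port labelled with the services from the table above, and tallies daily hits per attacker origin, skipping malformed records instead of aborting.

```python
"""Added example: turn raw honeypot connection logs into the per-port and
per-day summaries this section reports. Not BruCERT/TelBru tooling; the log
format "YYYY-MM-DD HH:MM:SS src_ip dst_port" is a constructed simplification."""
from collections import Counter, defaultdict

# Destination ports from the report's table, mapped to the service exposed.
PORT_SERVICES = {3306: "MySQL", 1433: "MSSQL", 135: "MSRPC",
                 3389: "RDP", 5000: "UPnP"}

# Constructed sample log lines (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """\
2014-01-05 02:14:07 203.0.113.10 3389
2014-01-05 02:14:09 203.0.113.10 3389
2014-01-05 03:40:51 198.51.100.7 1433
2014-01-06 11:02:33 203.0.113.10 135
2014-01-06 11:05:12 192.0.2.44 3306
2014-01-06 23:59:59 192.0.2.44 3389
2014-01-07 00:00:01 198.51.100.7 5000
2014-01-07 08:30:00 198.51.100.7 8080
not a log line
"""

def parse_log(text):
    """Yield (date, src_ip, dst_port) per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip rather than abort on a corrupt record
        date, _time, src_ip, dst_port = parts
        yield date, src_ip, int(dst_port)

def hits_per_port(text):
    """'Most attacked port': (port, service, hits), most-hit first."""
    counts = Counter(port for _, _, port in parse_log(text))
    return [(port, PORT_SERVICES.get(port, "unknown"), n)
            for port, n in counts.most_common()]

def daily_attacks_by_origin(text):
    """'Total malicious attack': per day, hits broken down by attacker origin."""
    daily = defaultdict(Counter)
    for date, src_ip, _ in parse_log(text):
        daily[date][src_ip] += 1
    return {day: dict(c) for day, c in sorted(daily.items())}

if __name__ == "__main__":
    for port, service, n in hits_per_port(SAMPLE_LOG):
        print(f"{port:>5} {service:<8} {n}")
    for day, origins in daily_attacks_by_origin(SAMPLE_LOG).items():
        print(day, origins)
```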
Figure: Top 10 malware offered.
3. BruCERT Activities in 2014
3.1. Seminars/Conferences/Meetings/Visits