INDENTIFIKASI DAN INVESTIVIGASI

KASUS-KASUS KEAMANAN SISTEM INFORMASI

Disusun untuk memenuhi tugas matakuliah Keamanan Sistem Komputer

yang dibina oleh Bapak Muladi

Oleh :

Ahmad Sehtahabi (107533411084)

UNIVERSITAS NEGERI MALANG

FAKULTAS TEKNIK

JURUSAN TEKNIK ELEKTRO

S1 PENDIDIKAN TEKNIK INFORMATIKA

AGUSTUS 2010
1. Identifikasi kasus-kasus keamanan system informasi

Ø Avira warns of Windows vulnerability

Wed, 21 July 2010

Cyber criminals abuse an open security vulnerability in all Windows versions to

inject malware into PCs

Tettnang, 21 July 2010 – In Windows operating systems there is currently a

vulnerability which attackers can abuse to smuggle in viruses. It suffices to open a
specially prepared USB stick or a folder containing a manipulated link with Windows
Explorer, warns IT security expert Avira, whose security software protects from this
threat.

ü Investigasi

For the security vulnerability in the processing of file links (.lnk files)
within all supported Windows operating systems, Microsoft released a security
advisory; an update to eliminate this vulnerability is not yet available, though.
The company currently merely provides a guide to deactivate a Windows
service as well as the defective processing routines for the .lnk files, which
seems to be too complicated for the most users and poses the risk to render the
system unusable by a small error. Additionally, the start and quick start menu
show a standard icon for all programs after the procedure, which decreases
usability significantly.

The security vulnerability was abused by a Trojan at first which Avira

detects as RKit/Stuxnet.A. It can, for instance, spread via USB sticks. The
malware becomes active just by opening the USB stick with Windows Explorer.
Meanwhile, there is Proof-of-Concept code available on the Internet which
cyber criminals can put into their malware to abuse the vulnerability. It is very
likely that more malware will show up in the next days abusing this security
hole.

Ø Spam mails lure with domain password reset warning

Thu, 01 July 2010

A wave of spam mails lures recipients with fake warning of domain

password reset; links lead to a fake Canadian Online Pharmacy
 Tettnang, 1 July 2010 – IT security expert Avira warns of a current wave of
spam mails that attempt to trick recipients by warning that their domain password will
be reset unless they click through on an embedded link – which then leads to a fake
online pharmacy.

ü Investigasi

With subject lines like “Reset your <domain name> password”, the emails
pressurize users, advising that their domain password will be reset – unless they
click on a link to stop this from happening. And in an effort to trick even more
people, recipients who agree to a password reset are lured by the spammers to
click through on a link in the message to proceed.

What users do not see is that the link in the mail leads to a domain other
than the one shown in the message. Furthermore, while this web site is
apparently loading, users are automatically redirected to yet another site after
four seconds. During this time, a hidden so-called ‘iframe’ is shown, which is
often used to exploit security vulnerabilities in browser plug-ins and outdated
software by injecting malware.

Hapless users are then redirected to a fake Canadian Online Pharmacy.

This fraudulent site is designed to capture credit and debit card information.
Anyone making an order also runs the risk of receiving fake medications instead
of the real thing, which may even pose a health risk.

Ø Botnet Toolkit for Twitter

Thu, 20 May 2010

The IT security experts at Avira have analyzed a toolkit for a Twitter-based

botnet and ensure protection against it

Tettnang, 20 May 2010 – Currently, a malware toolkit is causing concern, as

even inexperienced cybercriminals can use it to produce malware, which they can
distribute and control via Twitter channels. Avira security solutions ensure protection
against this menace.

ü Investigasi

Avira’s antivirus experts have examined both

the toolkit and the malware files created with it:
With just a few clicks, even without advanced
computer skills, cybercriminals can create malware
 using the KIT/MSIL.Agent.A.1 toolkit, which allows them to build and control
a botnet via Twitter channels.

Avira has immediately classified the botnet drone as TR/Dropper.Gen

with heuristic detection and now identifies it as BDS/Twitbot.E. The malware
can start a Distributed-Denial-of-Service attack or download further malware
from the Internet.

The malware toolkit is basic and it creates quite static botnet drones.
Consequently, its detection and removal from infected computers proved to be
easy, since no advanced functions like rootkits or process self-protection are
used.

However, users should not underestimate the danger that comes with
BDS/Twitbot.E drones. If unsuspecting users infect their computers with it, the
criminal botnet operators can install any kind of malware and cause a lot more
damage.

Ø Ransomware threatens with official complaint of piracy

Wed, 14 April 2010

Avira informs about ransomware, which threatens to inform the public prosecution
department about pirated content on the PC, but in fact steals credit card data

Tettnang, 14. April 2010 – Currently active blackmail Trojans are using a new scam,
as the IT security specialist Avira informs. In order to avoid a complaint because of
downloading illegal copies of copyrighted files, the victims of the ransomware should
pay about 400 USD to an alleged copyright organization.
ü Investigasi

The cyber criminals try to put pressure upon the victims whose
computers they infected, to make them pay in haste, without taking time to think
about it.

The anti-malware solutions from Avira detect the malware with the virus
definition file 7.10.06.65 as TR/Ransom.CardPay.A and
DR/Ransom.CardPay.A, which first search for eventual Torrent files on the
computer which indicate the usage of peer-to-peer networks. Even if none are
found, warnings of pirated content found on the PC are displayed.

The ransomware pretends to be software of the ICPP Foundation, which

allegedly represents copyright owners worldwide. The cyber gangsters show
professionalism: the malware displays translated texts in various languages,
including English and German.

If the victims really want to pay the ransom, they are redirected to a
professionally designed website, where they have to provide their credit card
data. The site is forged and it clearly serves only to collect credit card data,
 which is meant to be profitably sold to the criminal underground. Avira's
security experts strongly advise against giving such data to this site.

Ø Cybercriminals phishing for Skype logins

Tue, 02 February 2010

Avira is issuing a warning against phishing mails that are being used by
criminals in an attempt to access Skype logins

Tettnang, 02 February 2010 – IT Security Specialist Avira has issued a warning

against phishing emails currently circulating that aim to access the login data for
Skype accounts. However, the threat is not currently recognized by the filters of
current web browsers. Users of Avira AntiVir Premium and Suite are protected by
MailGuard and WebGuard.

ü Investigasi

The phishing mails sent contain a link to a remarkably convincing looking

fake Skype login site. The correct address, www.skype.com, actually appears in
the address line, but only as a sub-domain of an entirely different network, for
example www.skype.com.attacker-domain.cc/. This URL takes the user to the
cybercriminals’ phishing site.

Users who enter their Skype login data on this website will then be
diverted to the genuine download site to avoid arousing suspicion. However, the
attempted login by the user reveals his access data to the attackers. The threat is
mainly to the user’s credit on his Skype account, which can be deducted. In
addition, the cybercriminals can also send other phishing links or Spam to the
contacts of the specific user.

At present, the integrated phishing filters of the most commonly used web
browsers, such as Internet Explorer, Opera, Google Chrome or Firefox, do not
yet recognize the risky site and therefore do not issue an appropriate warning.

Anyone receiving a phishing email of this kind should avoid clicking on

the links it contains at all costs. The email should also be deleted from your
mailbox immediately. Thanks to Avira MailGuard and Avira WebGuard
features, users of the Avira AntiVir Premium Security Solution or Avira
Premium Security Suite are protected against these phishing attempts.
MailGuard detects and marks these emails as attempts at phishing and
WebGuard blocks access to the phishing sites.
Ø Spam in July: Facebook coming under increasing attack from phishers

Kaspersky Lab, a leading developer of secure content management solutions,

announces the publication of its monthly report on spammer activity for July 2010.

Throughout the month, the share of spam messages in mail traffic averaged
82.9%. Links to phishing sites were found in 0.03% of all email traffic. The most
popular social network Facebook usurped eBay’s 2nd place ranking in the list of
organizations most often attacked by phishers. Facebook accounted for 12.81% of
phishing messages, more than three times as much as in the previous month. The e-
commerce business PayPal remained in first place after being targeted by over half
(53.48%) of all phishing attacks.

ü Investigasi

The USA and India maintained their leading positions as the most popular
sources of spam: they distributed 1.5 times as much spam compared to June
(17.2% and 9% respectively). Europe caused the most noticeable change in
July’s rating with the UK, Germany and Italy all making it into the Top 10. The
total volume of spam originating from their combined territories increased by 50
percentage points compared with the previous month. Two newcomers to the
top twenty were high-tech Hong Kong (17th place with 1.8%) and Taiwan (19th
place with 1.3% of spam).

Organizations targeted by phishing attacks in July 2010

2. Imvestigasi “Phishing, Spam and Malware Statistics for July 2010”

August 19, 2010, 9:39 am

Most phished brands statistics

Paypal continues to be the most phished brand around, followed now with a long
distance by Facebook which continues to be quite a lot under attack.

Because of the holiday season, many people started to buy games and spend more
time in the social media websites, so the increase in attacking such web sites comes quite
naturally.

Note that the top 10 names have remained almost the same compared to June but
the amount of phishing has grown.
Most abused TLDs

Not much changed from last month, despite the fact that there were some
fluctuations in the top 5. Of some concern is the fact that the “.de” domain has reached
place 6 this month, stepping up 5 positions from June. The amount of 2.62% in total is so
little though that this might be usual fluctuation.
Extension statistics for malware URLs

The distribution didn’t change so much from last month, most important variation
being registered in the scripts ending in JSP, CSS, ASP and in the JPG extension.
Spam categories statistics

The spam mails sent in July where mostly Online Pharmacy related, followed by
Casino spam. Interesting enough is the fact that the Casino spams increasingly are sent in
the German language and less are English. This is probably related to the fact that some
of our spamtraps are hosted on German servers; but this also means that spam got
adopted better to the “target audience mother tongue” in July 2010.
URL Shorteners used in malicious activities in July 2010

Since our statistics about URL shortener services abused in malicious activities
are new, there isn’t much that can be told about this category yet. It can be observed that
the url shorteners are almost always the same for Phishing and Malware. There are little
variations, but there are always the same websites in the top 5. Probably the reason for
this is that the distribution is being made by an organized group of people, almost always
the same. The future statistics will show if this is the case.
Catatan :

v Penulis mengidentifikasi dan investigasi kasus-kasus keamanan system informasi

ini bersumber dari 2 perusahaan asing antivrus yang cukup ternama yaitu Avira
dan Kaspersky sehingga informasi yang disajikan dapat dipertanggungjawabkan,
alamat yang penulis akses :

http://www.avira.com/en/press_releases/index.html
http://www.securelist.com/en/analysis/204792134/Spam_report_July_2010

v Informasi yang disajikan penulis modifikasi sedikit dengan menghilangkan

pernyataan yang berbau komersil atau promosi.

v Informasi yang penulis sajikan apa adanya dalam bahasa inggris sesuai dengan
informasi dari sumber yang penulis ambil, hal ini dimaksudkan agar tidak terjadi
kesalahpahaman karena keterbatasan bahasa yang dimiliki penulis