TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 INTERNET THREAT UPDATE for 12-28-2001 ISS X-Force Special Operations Group www.iss.net - Click on 'Current Internet Threat' for more information. ****************************************************** ALERTCON 2 Projected: AlertCon 2 ****************************************************** - - We will close 2001 at AlertCon 2. We are there due to a host of vulnerabilities recently found in Internet Explorer; the Login Buffer overflow vulnerability and the vulnerability relating to Universal Plug and Play (UPnP) in Windows XP, ME, as well as Win 98 and 98 SE running XP Internet Connection Sharing client; and lastly, Microsoft has released a Security Bulletin with a patch for a vulnerability found in the SQL Server 7.0 and 2000. If unpatched it could lead to buffer overflows and be subject to denial of service attacks. - - We see no diminution in the exploitation of software by the criminal element to deface web sites, steal credit card and proprietary data, and to cause businesses to react to crisis situations due to attacks from without and within. - - 2001 was an incredible year. We have seen the widespread distribution of malicious programs exploiting breaches and holes in software safety systems. E-mail and the Internet solidified their positions as the most dangerous sources for malicious programs. With the creation of alternative means (Gnutella, ICQ, MSN Messenger and IRC), new avenues for the spreading of malicious programs were exploited. We also saw an increase in malicious programs targeting the Linux O/S. - - The main virus event of 2001 was the widespread distribution of malicious programs exploiting breaches and holes in an operating system's safety measures and applications for the purpose of penetrating computers (examples of such viruses are CodeRed, Nimda, Badtrans etc.). One of 2001's most unpleasant surprises came in the form of detecting a new type of malicious code (CodeRed and CodeBlue) which was able to actively spread and function on an infected computer without the use of a file. The global epidemic caused by CodeRed (which according to some estimates has infected well over 300,000 computers) confirmed the effectiveness of the fileless technology. It is important to note that even now, most computers have inadequate defense measures against this type of malicious code - - Today's trend allows for the assessment that e-mail and the Internet will remain the most popular means for virus spreading. We must once again emphasize the importance of installing a reliable anti-virus defense for thwarting virus attacks via these sources and to keep those solutions up-to-date. - - Let us not forget the events of 9/11. The event emphasized the need for businesses to have business continuity and disaster recovery plans in place. - - Lastly, Internet security is the Homeland Defense for a digital economy. See you next year. - ------------------------------------------------------ RECOMMENDATIONS - ------------------------------------------------------ - -Regarding the Microsoft UPnP vulnerability - review the X-Force alert at: (http://xforce.iss.net/alerts/advise106.php). X-Force also recommends that Internet Firewalls should be configured to block ports 1900 and 5000. - - See the Microsoft patch for the unchecked buffer in UPnP found at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/sec urity/bulletin/MS01-059.asp - - Regarding the three vulnerabilities in the IE versions 5.5 and 6.0, review MS Security advisory MS01-058 and apply the appropriate patch: (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/se curity/bulletin/MS01-058.asp) - - Regarding the multi-vendor Login buffer overflow, in addition to loading the vendor patches below, customers can take several precautions to minimize their risk. Disable default terminal communications services, including Telnet and Rlogin. Install and use Secure Shell (SSH) as a secure alternative. SSH implements encrypted terminal connections, and is designed to replace insecure protocols such as Telnet and Rlogin. - - See the X-Force advisory for details, solutions to the SysV derived login vulnerability. http://xforce.iss.net/alerts/advise105.php - - Additional information is available in CERT-CC advisory CA 2001-34 http://www.cert.org/advisories/CA-2001-34.html - - For the Microsoft SQL Server patch see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/sec urity/bulletin/MS01-060.asp - ------------------------------------------------------ ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous Day, % of total - ------------------------------------------------------ Unauthorized Access Attempt 51.55% Protocol Decode 28.82% Suspicious Activity 08.71% Denial Of Service 07.78% Pre-Attack Probe 03.12% Back Door 00.03% - ------------------------------------------------------ TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight, previous day, % of top ten (ports found at) http://www.networkice.com/Advice/Exploits/Ports/default.htm - ------------------------------------------------------ 80 (http) 90.09% 21 (ftp) 03.10% 22 (ssh) 01.60% 25 (smtp) 01.22% 515 (lp,lpr,line prnt) 00.99% 69 (tftp) 00.81% 443 (ssl) 00.73% 23 (Telnet) 00.69% 15104 (unassigned) 00.49% 12754 (unassigned) 00.29% 15104 (unassigned) 00.27% - ------------------------------------------------------ BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER - ------------------------------------------------------ Background. We provide this information in the spirit of PDD 63 to help security professionals wage the war against Internet threats more effectively. Information in this update derived primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted. AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks. AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern. AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high, action required. AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action. All summaries cover 24 hours the previous workday, GMT. Monday summaries may cover some weekend activity. Copyright 2001 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED] Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4. Patrick Gray Manager, Internet Threat Intelligence Center X-Force, MSS Special Operations Group Internet Security Systems 6303 Barfield Road Atlanta, GA 30328 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPCzL7pG41ROSQPncEQI8/wCgog7ImI0uU1zaMzfzQSkovPmoULUAoIWt v4pDm/IkKaisL2zJkirbGD8z =3vF+ -----END PGP SIGNATURE-----
