-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Copyright 2001 Internet Security Systems (trademark)
THE POWER TO PROTECT

INTERNET THREAT & SOLUTIONS UPDATE for Nov 1st - Nov 5th, 2001
ISS X-Force Special Operations Group

- ----------------------------------------
CURRENT THREAT ASSESSMENT & THREAT FORECAST
- ----------------------------------------

AlertCon 2  Today, Nov 1st, 2001
AlertCon 1  For Nov 2nd-5th, 2001
*************

- - We remain at AlertCon 2 (increased vigilance) today because of the combination of problems noted below. We are projecting AlertCon 1 from tomorrow through mid-day on Monday, Nov 5th.

- - Significant SSH vulnerabilities and associated exploits are highlighted in the following X-Force alert. The use of these exploits will grow over time as the information spreads among the hacker community, and the threat will increase accordingly. We strongly urge you to implement the defensive solutions noted here.

- - We continue to observe the new Nimda-E variant on our monitored networks in numbers large enough to get our attention. There is clearly a lot of patching that needs to be done. If the growing movement by commercial ISPs takes hold and becomes the norm, we will see a lot of the noise from these worms go away as home users either take care of the problem or lose their Internet access.

- -------------------------------------
SOLUTIONS
- -------------------------------------

- - SSH vulnerabilities and exploitation.
- -- Review the ISS X-Force advisory <http://xforce.iss.net/alerts/advise100.php> for information regarding the exploitation of the SSH CRC32 vulnerability, and the Cisco write-up on the original vulnerability <http://www.cisco.com/warp/public/707/SSH-multiple-pub.html>.
- -- Verify that the patches have been applied to your implementation of SSH, and consider limiting access to the SSH port to just those IP addresses that need SSH to support your business requirements.
- -- Here are some additional advisories posted for the SSH vulnerabilities:
- --- Remote vulnerabilities in OpenSSH <http://linuxtoday.com/news_story.php3?ltsn=2001-10-25-001-20-SC>
- --- SSH Secure Shell Authentication Bypass Vulnerability <http://xforce.iss.net/alerts/advise88.php>
- --- OpenSSH - Possible to determine password length <http://www.trustix.org/pipermail/tsl-announce/2001-March/000002.html>

- - Nimda-E Worm. This worm exploits the same vulnerabilities as earlier versions of the Nimda worm, so devices with the IIS patch installed will not be affected. The number of alarms we see daily on this worm makes it clear there is still a lot of patching to do.
- -- Those relying on anti-virus solutions to defend against Nimda will need to pay attention: the strings have changed, and until your vendor catches up you may be vulnerable to successful exploitation.
- -- It is far better to install the IIS and other relevant Microsoft patches.
- -- Patch your Win 2K and NT machines from these links:
- --- Win 2K <http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30800%26redirect%3Dno>
- --- Win NT <http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30833%26redirect%3Dno>
- --- Make sure Outlook is patched (MS01-020) and that your IE browser has been updated to IE 5.01 SP2, IE 5.5 SP2, or IE 6.0, or apply the MS01-027 patch (which supersedes MS01-020).
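The SSH item above asks you to verify patch status and narrow who can reach port 22. A first triage step is to read the identification string each server sends on connect: the CRC32 compensation attack detector is part of the SSH protocol 1 code path, so any server still advertising protocol 1 (a "SSH-1.5-" banner, or "SSH-1.99-", the conventional way of saying "both 1 and 2 accepted") belongs on the list to check against the advisories. The script below is an added example, not code from ISS or from any SSH vendor; the hostnames and banners in SAMPLE_BANNERS are constructed, and the verdict names are this example's own. A banner alone never proves a host is vulnerable or patched (vendors backport fixes without changing version strings), so treat the output as a worklist, not a finding.

```python
"""Triage SSH servers by the protocol versions their identification banner offers."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Dict, Optional

# Identification string format: SSH-<protoversion>-<softwareversion>[ SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")

# Constructed sample data for this example; not real hosts.
SAMPLE_BANNERS = {
    "build1.example":  "SSH-1.5-1.2.27",
    "bastion.example": "SSH-1.99-OpenSSH_2.9p2",
    "www.example":     "SSH-2.0-OpenSSH_3.0p1",
}


@dataclass(frozen=True)
class SshBanner:
    protocol: str
    software: str
    comment: Optional[str]

    @property
    def offers_protocol1(self) -> bool:
        # "1.99" means the server will speak protocol 1 as well as 2.
        return self.protocol.startswith("1.")

    @property
    def offers_protocol2(self) -> bool:
        return self.protocol == "1.99" or self.protocol.startswith("2.")


def parse_banner(line: str) -> SshBanner:
    """Parse one SSH identification string; raise on anything that is not one."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m["proto"], m["software"], m["comment"])


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and return the first line starting with 'SSH-' (servers may send other lines first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for raw in s.makefile("rb"):
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise ConnectionError(f"{host}:{port} sent no SSH identification string")


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict: 'protocol-1-offered' (check against the advisories) or 'protocol-2-only'."""
    verdicts = {}
    for host, banner in banners.items():
        b = parse_banner(banner)
        verdicts[host] = "protocol-1-offered" if b.offers_protocol1 else "protocol-2-only"
    return verdicts


if __name__ == "__main__":
    # With hostnames on the command line, grab live banners; otherwise use the constructed sample.
    hosts = sys.argv[1:]
    banners = {h: fetch_banner(h) for h in hosts} if hosts else SAMPLE_BANNERS
    for host, verdict in triage(banners).items():
        print(f"{host:20s} {banners[host]:35s} {verdict}")
```

Hosts reported as protocol-1-offered are the ones to check against the X-Force and vendor advisories above; once they are patched, the same banner check run from outside your allowed source addresses is a quick way to confirm the port restriction is in place (the connection should fail rather than return a banner).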
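The Nimda-E item above says the worm probes for the same IIS holes as earlier variants, and the port statistics below show port 80 carrying most of the noise. If you want to see which of your own web servers are being hit, the request paths are what to look for, not the anti-virus strings that changed with this variant. The detector below is an added example and is not code from ISS or Microsoft; the log lines are constructed in common log format, and the request patterns in them are the publicly documented Nimda probes (root.exe and cmd.exe reached through IIS directory traversal, often double- or overlong-encoded). It generalizes slightly beyond Nimda: any request that percent-decodes to a cmd.exe/root.exe reference or to a ".." traversal is flagged, which is why the decoding is done twice rather than matching the raw "../" text.

```python
"""Flag Nimda-style IIS probes and decoded directory traversal in web server log lines."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Common log format: client IP first, request in quotes ("METHOD target HTTP/x.y").
CLIENT_RE = re.compile(r"^(?P<ip>\S+)")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)')

# Executables the Nimda IIS probes try to reach.
SUSPECT_BINARIES = (b"cmd.exe", b"root.exe")

# Constructed sample log for this example; the IPs and timestamps are made up.
SAMPLE_LOG_LINES = [
    '10.9.8.7 - - [01/Nov/2001:09:15:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299',
    '10.9.8.7 - - [01/Nov/2001:09:15:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299',
    '10.9.8.7 - - [01/Nov/2001:09:15:03 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299',
    '192.0.2.44 - - [01/Nov/2001:09:16:10 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Nov/2001:09:16:11 +0000] "GET /docs/..%2f..%2fetc/passwd HTTP/1.1" 404 210',
]


def decode_target(target: str, rounds: int = 2) -> bytes:
    """Percent-decode up to `rounds` times, so double-encoded %255c ends up as a backslash.

    Working in bytes keeps overlong UTF-8 sequences such as %c0%af intact instead of
    turning them into replacement characters.
    """
    data = target.encode("ascii", errors="replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def classify_request(target: str) -> Optional[str]:
    """Return a verdict for one request target, or None if it looks benign."""
    path = decode_target(target).lower().split(b"?", 1)[0]
    if any(binary in path for binary in SUSPECT_BINARIES):
        return "iis-command-probe"
    if b".." in path and (b"/" in path or b"\\" in path):
        return "directory-traversal"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, verdict, raw_target) for every flagged line, in log order."""
    hits = []
    for line in lines:
        ip_m, req_m = CLIENT_RE.match(line), REQUEST_RE.search(line)
        if not ip_m or not req_m:
            continue  # not a parseable request line; skip rather than guess
        verdict = classify_request(req_m["target"])
        if verdict:
            hits.append((ip_m["ip"], verdict, req_m["target"]))
    return hits


def probes_by_source(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count flagged requests per client IP; infected hosts show up as bursts."""
    return dict(Counter(ip for ip, _, _ in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG_LINES)
    for ip, verdict, target in found:
        print(f"{ip:15s} {verdict:20s} {target}")
    print(probes_by_source(found))
```

A burst of iis-command-probe hits from one source is the Nimda signature; the same source address list is what you hand to the ISP notification process the forecast section is hoping for. Servers that answer these requests with anything other than 404 deserve immediate attention.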
- -------------------------------------
Attack Signature Ranking
- global IDS, midnight - midnight, previous day, % of total
- -------------------------------------

Protocol Decode          47.40%
Unauth Access Attempt    38.10%
Denial Of Service        07.08%
Suspicious Activity      04.44%
Pre-Attack Probe         02.98%
Back Door                00.01%

- -------------------------------------
Top Ten Attack Destination Ports
- global IDS, midnight - midnight, previous day, % of top ten
(port assignments at <http://www.iana.org/assignments/port-numbers>)
- -------------------------------------

80 (http)                79.49%
22 (ssh)                 12.84%
25 (smtp)                03.41%
21 (ftp)                 02.94%
113 (ident-auth)         00.31%
443 (https)              00.30%
15104 (unassigned)       00.19%
123 (ntp)                00.19%
12754 (unassigned)       00.18%
143 (imap)               00.15%

- ---------------------------------------
VIRUS, TOP 10 and NEW VULNERABILITIES, NEWS UPDATES
- ---------------------------------------

- - Visit <http://www.iss.net> under 'Global Internet Threat Intelligence Service'.

- - According to Sophos <http://www.sophos.com/virusinfo/topten/>, the top ten viruses in October 2001 were:

 1. W32/Sircam-A      21.7%
 2. W32/Nimda-A       17.8%
 3. W32/Magistr-B     16.1%
 4. W32/Magistr-A     09.2%
 5. W32/Hybris-B      06.6%
 6. VBS/Kakworm       02.5%
 7. UNIX/Sadmind      01.9%
 8. W32/Apology-B     01.3%
 9. W32/Verona-B      01.2%
10. VBS/Haptime-A     01.0%

- ---------------------------------------
Defacement Watch based on www.alldas.de <http://www.alldas.de>
- ---------------------------------------

- - Their stats show that since April 2000 the most defaced OS is Windows, with a total of 15,630 defacements reported to Alldas.de, or 63% of the total. Although growing in popularity as a target, Linux is a distant second with 4,404 defacements reported, or 17% of the total.
- ---------------------------------------
NOTES, COPYRIGHT NOTICE, and DISCLAIMER
- ---------------------------------------

NOTE 1: Our web site has this information in a more attractive format, with graphics, available to the public at no cost at www.iss.net <http://www.iss.net> under 'Global Internet Threat Intelligence Service' <https://gtoc.iss.net/secure/whatshot.php>. Screen captures (Control/PrtSc) of the site's pages dropped into PowerPoint can be an effective way to communicate various aspects of the Internet threat, e.g. the graph depicting 'AlertCon Trends' <https://gtoc.iss.net/secure/graph.html>.

NOTE 2: We provide this information on Internet threat metrics, viruses, vulnerabilities, patches, and breaking news, in the spirit of PDD 63, to help security professionals wage the war against Internet threats more effectively. Information in this update is derived primarily from global, real-time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted.

AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks.
AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern.
AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high; action required.
AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action.

All summaries cover 24 hours of the previous workday, GMT. Monday summaries may cover some weekend activity.

Copyright 2001 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

Disclaimer: This information is subject to change without notice.
Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4.

Dennis

Dennis Treece
Director, Global MSS Special Operations Group
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328
404-236-4065

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQA/AwUBO+F8g+OOe/7N9KJeEQLvPwCgkJWs8604IEPMZFHfPg7soBOa7ycAn2mZ
JT6DCacJ/SUz6w6TGaVObTwV
=Tebi
-----END PGP SIGNATURE-----
