-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

INTERNET THREAT UPDATE for 12-12-2001
ISS X-Force Special Operations Group
www.iss.net <http://www.iss.net> - Click on "Current Internet Threat" for more information.

******************************************************
ALERTCON 1
******************************************************

- - We remain at AlertCon 1 - normal chaos on the Internet.

- - We continue to detect worm activity from the 'leper colony' of patch-resistant systems infected with Nimda, its variants, and even older versions of the Code Red Worm.

- - This worm activity serves as a constant reminder of the permanence of this threat and the consequent need to keep after patching vulnerable devices as a part of your IT maintenance routine. See below for patches and additional information.

- - Outbound Nimda.E propagation threads continue to alert us when an infestation has taken place. This happens after some infected device has found a chink in the armor. People relying on a strong perimeter defense are ignoring the many ways an unpatched box on a well protected network can be infected. Examples: a machine from inside the network goes to an infected web site; an employee brings an infected laptop into the building and connects it to the network.

- - The only safe course of action is to assume every client running MS OS is vulnerable to Nimda.E and other malicious code that exploits MS vulnerabilities until you prove otherwise.

- ------------------------------------------------------
RECOMMENDATIONS
- ------------------------------------------------------

- - IT staffs will never be big enough to make rapid changes on desktops and laptops throughout the company. Users must be enlisted to perform these tasks whenever possible. Direct them to the appropriate sites and to download the relevant patches.
Technical details, links to vendor patches and other preventive solutions are contained in the X-Force alerts on Nimda <http://xforce.iss.net/alerts/advise97.php> and the Code Red Worm <http://xforce.iss.net/alerts/advise90.php>.

- ------------------------------------------------------
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous day, % of total
- ------------------------------------------------------

Unauthorized Access Attempt   65.55%
Protocol Decode               21.83%
Denial Of Service             06.62%
Pre-Attack Probe              03.88%
Suspicious Activity           02.08%
Back Door                     00.04%

- ------------------------------------------------------
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight, previous day, % of top ten
(ports found at) <http://www.networkice.com/Advice/Exploits/Ports/default.htm>
- ------------------------------------------------------

80 (http)             91.03%
21 (ftp)              01.62%
69 (tftp)             01.45%
25 (smtp)             01.35%
23 (telnet)           01.18%
6346 (unassigned)     01.10%
53 (dns)              00.60%
15104 (unassigned)    00.59%
22 (ssh)              00.54%
137 (netbios-ns)      00.54%

- ------------------------------------------------------
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER
- ------------------------------------------------------

Background. We provide this information in the spirit of PDD 63 to help security professionals wage the war against Internet threats more effectively. Information in this update derived primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted.

AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks.
AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern.
AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high, action required.
AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action.

All summaries cover 24 hours the previous workday, GMT. Monday summaries may cover some weekend activity.

Copyright 2001 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> or [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4.

Dennis

Dennis Treece
Director, X-Force Special Operations Group
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQA/AwUBPBeJXeOOe/7N9KJeEQKAQQCgwJWXUCFeAgLLfQRRuKCt1k3DFpgAoIwy
fD5oJhk9ysutlUgYTnE38lpO
=Wm9e
-----END PGP SIGNATURE-----
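
Added example, not part of the ISS update: one way to act on the observation that outbound propagation threads reveal an infestation is to search egress logs for internal hosts sending the IIS probe requests publicly documented for Nimda and Code Red. The log format, the internal address ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: these ranges are "inside" the perimeter; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Publicly documented request shapes of the worms' IIS probes: cmd.exe/root.exe
# fetches (Nimda) and the default.ida overflow padding (Code Red).
WORM_URI = re.compile(
    r"/(?:cmd|root)\.exe(?:\?|$)|/default\.ida\?[NX]{20,}", re.IGNORECASE)

# Constructed sample egress log. Assumed format: time src dst dport method uri
SAMPLE_LOG = "\n".join([
    "2001-12-12T00:01:07Z 10.1.4.23 198.51.100.7 80 GET /scripts/root.exe?/c+dir",
    "2001-12-12T00:01:08Z 10.1.4.23 198.51.100.8 80 GET /MSADC/root.exe?/c+dir",
    "2001-12-12T00:01:09Z 10.1.4.23 203.0.113.40 80 GET "
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "2001-12-12T00:03:00Z 10.1.7.9 192.0.2.15 80 GET /index.html",
    "2001-12-12T00:05:41Z 203.0.113.99 10.1.0.5 80 GET /scripts/root.exe?/c+dir",
    "2001-12-12T00:09:30Z 192.168.20.14 198.51.100.200 80 GET /default.ida?"
    + "N" * 24 + "%u9090",
])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed field
    return any(addr in net for net in INTERNAL_NETS)


def infected_hosts(log_text):
    """Map each internal source to the external hosts it sent worm probes to."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) != 6:
            continue  # skip lines that do not fit the assumed format
        _, src, dst, dport, _method, uri = parts
        try:
            outbound = is_internal(src) and not is_internal(dst)
        except ValueError:
            continue
        if outbound and dport == "80" and WORM_URI.search(uri):
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    for host, dsts in infected_hosts(SAMPLE_LOG).items():
        print(f"{host}: outbound worm probes to {len(dsts)} external host(s)")
```

The inbound probe from 203.0.113.99 and the ordinary page fetch from 10.1.7.9 are deliberately not reported; only internal sources probing external hosts count as evidence of an infected machine behind the perimeter.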
