TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
INTERNET RISK UPDATE for 05-15-2002 ISS X-Force Internet Threat Intelligence Center www.iss.net <http://www.iss.net> - Click on the AlertCon logo for more information. ******************************************** ALERTCON 1 Projected: AlertCon 1 (next 48 hours) ******************************************** ALERTCON 1 - We have assessed Internet Risk to be AlertCon 1, the usual unregulated chaos on the Internet. Internet risk at AlertCon 1 means that an unprotected computer will be compromised within 24 hours of connecting it to the Internet. Vulnerabilities: Multiple personal firewalls for Microsoft Windows platforms, including Tiny Personal Firewall and AtGuard Personal Firewall, could allow a remote attacker to bypass the firewall using port 53. If a DNS server has not been defined in configuration, an attacker could create a Trojan that uses port 53 to bypass the firewall. An attacker can use this vulnerability to send/receive messages, including sensitive information without the user knowing it. VIRUSES/WORMS: BKDR_EMULBOX.A - This is a non-destructive backdoor Trojan posing as a Microsoft Xbox emulator. Once installed, it accesses commercial and pornographic Web sites. It is typically downloaded as EMU_xbox.exe, which is the installation program. ******************************************** RECOMMENDATIONS ******************************************** For the firewall vulnerability, as a workaround, change the default DNS to a fixed host and refer to: <http://www.iss.net/security_center/static/9063.php> For a list of current vulnerabilities, please see: <https://gtoc.iss.net/vulnerabilities.php> For information on the BKDR_EMULBOX.A, please refer to: <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=BKDR_EMULBOX .A> Information regarding viruses and worms please see: <https://gtoc.iss.net/viruses.php> ******************************************** ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous Day, % of total ******************************************** Unauthorized Access Attempt 50.92% Protocol Decode 20.72% Suspicious Activity 14.79% Denial Of Service 08.94% Pre-Attack Probe 04.59% Back Door 00.03% ******************************************** TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight, previous day, % of top ten (ports found at) <http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html> ******************************************** 80 (http) 72.91% 161 (SNMP) 12.01% 25 (smtp) 06.06% 69 (tftp) 02.50% 23 (telnet) 02.38% 1500 (ADSM/TSM) 01.45% 162 (SNMPTrap) 01.16% 21 (ftp) 00.57% 6346 (gnutella) 00.51% 139 (NetBIOS) 00.45% ******************************************** BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER ******************************************** Background. We provide this information in the spirit of PDD 63 to help security professionals wage the war against Internet threats more effectively. Information in this update derived primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted. AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks. AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern. AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high, action required. AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action. All summaries cover 24 hours the previous workday, GMT. Monday summaries may cover some weekend activity. Copyright 2002 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED] Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4. Dennis Dennis Treece Director, X-Force Special Operations Group Internet Security Systems (ISS) 6303 Barfield Road Atlanta, Georgia 30328 404-236-4065 Cell 404-667-9345 Fax 404-236-3255 Internet Security Systems -- The Power to Protect Confidentiality Notice: This message is being sent by a network security professional. It is intended exclusively for the individual to whom it is addressed. This communication may contain information that is proprietary, privileged or confidential.
