Date: Tue, 28 Aug 2001 11:10:06 -0400 (EDT)
From: CERT Advisory <[email protected]>
To: [email protected]
Subject: CERT Summary CS-2001-03
-----BEGIN PGP SIGNED MESSAGE-----
CERT Summary CS-2001-03
August 28, 2001
Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in May 2001
(CS-2001-02), we have seen several self-propagating worms, as well as
active exploitation of vulnerabilities in Solaris in.lpd, BSD telnet
daemon and Microsoft IIS by intruders. In addition, we have seen an
increase in intruder activity directed at home users.
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. "Code Red" / "Code Red II" worms
On June 19, 2001, the CERT/CC published CERT Advisory CA-2001-13,
describing a vulnerability in Indexing Services used by Microsoft
IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta
versions of Windows XP. This vulnerability allows a remote
intruder to run arbitrary code on the victim machine.
On July 19, 2001, the CERT/CC began receiving a large number of
reports of a worm commonly referred to as "Code Red". The
widespread, automated attack and propagation characteristics of
this worm, and its variants, have caused bandwidth
denial-of-service conditions in isolated portions of the Internet,
particularly near groups of compromised hosts. Since that time, we
have received reports of variants, as well as reports of another
worm with similar characteristics (Code Red II). These worms have
affected at least 300,000 hosts. The CERT/CC highly encourages
administrators of IIS servers to review the following documents
and take appropriate action.
CERT Advisory CA-2001-13:
Buffer Overflow In IIS Indexing Service DLL
http://www.cert.org/advisories/CA-2001-13.html
CERT Advisory CA-2001-19:
"Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
http://www.cert.org/advisories/CA-2001-19.html
CERT Advisory CA-2001-23:
Continuing Threat of the "Code Red" Worm
http://www.cert.org/advisories/CA-2001-23.html
CERT Incident Note IN-2001-08:
"Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
http://www.cert.org/incident_notes/IN-2001-08.html
CERT Incident Note IN-2001-09:
"Code Red II:" Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL
http://www.cert.org/incident_notes/IN-2001-09.html
2. "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled
Along with the large number of "Code Red" and "Code Red II"
reports indicating that systems are compromised, the CERT/CC has
received a smaller yet still significant number of reports where
Windows NT 4.0 IIS 4.0 systems have been adversely affected by the
high volume of "Code Red" scanning activity. A recently discovered
vulnerability can cause an IIS 4.0 server (patched against "Code
Red" according to Microsoft Security Bulletin MS01-033) with URL
redirection enabled to crash when scanned by the "Code Red" worm.
CERT Incident Note IN-2001-10:
"Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled
http://www.cert.org/incident_notes/IN-2001-10.html
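The scanning volume described in items 1 and 2 is what an IIS administrator sees first in the web server logs. The following is an added example, not part of this CERT summary and not CERT's own code: it parses constructed IIS W3C extended log lines and counts, per client address, the requests shaped like the worm's probe (a GET for a `.ida` resource whose query string is a long run of one filler character; the `/default.ida` path and the filler shape come from the referenced advisories rather than from this summary, and the `%u` escapes in the sample are placeholders, not the worm's payload). The field layout, sample addresses and function names are assumptions.

```python
import re
from collections import Counter

# Constructed IIS W3C extended log excerpt (not real traffic). The #Fields
# line declares the layout that parse_w3c() relies on. The .ida requests
# mimic the worm's probe shape: a long run of one filler character followed
# by %u escapes; the escapes here are placeholders, not the worm's payload.
_PROBE_TAIL = "%u4141%u4242"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 14:02:15 198.51.100.7 GET /default.ida " + "N" * 224 + _PROBE_TAIL + " 200",
    "2001-07-19 14:02:16 192.0.2.10 GET /images/logo.gif - 200",
    "2001-08-04 09:30:01 203.0.113.42 GET /default.ida " + "X" * 224 + _PROBE_TAIL + " 200",
    "2001-08-04 09:30:05 198.51.100.7 GET /default.ida " + "N" * 224 + _PROBE_TAIL + " 200",
    "2001-08-04 09:31:00 192.0.2.77 GET /default.ida - 404",
]) + "\n"

# 100 or more consecutive copies of the same character: the filler run that
# pads the probe out to overflow length ("N" for Code Red, "X" for Code Red II).
FILLER_RUN = re.compile(r"(.)\1{99,}")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    Directive lines (#Software, #Date, ...) are skipped; data lines whose
    field count does not match the declared layout are skipped too rather
    than being mis-attributed to the wrong columns.
    """
    fields = None
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        entries.append(dict(zip(fields, values)))
    return entries


def is_code_red_probe(entry):
    """True when a request is shaped like the worm's probe.

    Both conditions must hold: the resource is one mapped to the Indexing
    Service DLL (a .ida path) and the query string carries the long filler
    run. A bare .ida request with no query is not counted as a probe.
    """
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "")
    return stem.endswith(".ida") and FILLER_RUN.search(query) is not None


def probe_sources(text):
    """Count probe-shaped requests per client address.

    The result measures scanning pressure on the server; it says nothing
    about whether any request succeeded, because the worm sends the same
    request to patched and unpatched servers alike.
    """
    return Counter(e["c-ip"] for e in parse_w3c(text) if is_code_red_probe(e))


if __name__ == "__main__":
    for ip, n in probe_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} probe(s)")
```

A match shows that the server was probed, which is exactly the traffic item 2 says can crash a patched IIS 4.0 server with URL redirection enabled; it does not by itself show compromise. The status code on the probe line is not evidence either way, so the count is best read as a measure of scanning volume over time.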
3. W32/Sircam Malicious Code
"W32/Sircam" is malicious code that spreads through email and
potentially through unprotected Windows network shares. Once the
malicious code has been executed on a system, it may reveal or
delete sensitive information.
Detailed information about W32/Sircam can be found in CERT
Advisory CA-2001-22. Users are strongly encouraged to visit their
anti-virus vendor's website for information on how to properly
remove W32/Sircam from an infected computer.
CERT Advisory CA-2001-22:
W32/Sircam Malicious Code
http://www.cert.org/advisories/CA-2001-22.html
4. Buffer Overflow in telnetd
The telnetd program is a server for the Telnet remote virtual
terminal protocol. There is a remotely exploitable buffer overflow
in Telnet daemons derived from BSD source code. This vulnerability
can crash the server or be leveraged to gain root access.
CERT Advisory CA-2001-21:
Buffer Overflow in telnetd
http://www.cert.org/advisories/CA-2001-21.html
5. Buffer Overflow in Sun Solaris in.lpd Print Daemon
A buffer overflow exists in the Solaris BSD-style line printer
daemon, in.lpd, that may allow a remote intruder to execute
arbitrary code with the privileges of the running daemon.
CERT Advisory CA-2001-15:
Buffer Overflow in Sun Solaris in.lpd Print Daemon
http://www.cert.org/advisories/CA-2001-15.html
6. Continuing Threats to Home Users
The CERT/CC has observed a significant increase in activity
resulting in compromises of home user machines. Many home users do
not keep their machines up to date with security patches and
workarounds, do not run current anti-virus software, and do not
exercise caution when handling email attachments. Intruders know
this, and we have seen a marked increase in intruders specifically
targeting home users who have cable modem and DSL connections.
The CERT/CC strongly encourages home users to review the documents
referenced below. These documents illustrate the threats to home
users, and outline countermeasures that can be used to mitigate
against them.
CERT Advisory CA-2001-20:
Continuing Threats to Home Users
http://www.cert.org/advisories/CA-2001-20.html
CERT Tech Tip: Home Network Security
http://www.cert.org/tech_tips/home_networks.html
7. W32/Leaves
The CERT/CC has received a number of reports regarding the
compromise of home user machines running Microsoft Windows. Most
of these reports surround the intruder tool SubSeven. SubSeven is
often used as a Trojan horse, which allows an intruder to deliver
and execute any custom payload and run arbitrary commands on the
affected machine.
CERT Incident Note IN-2001-07:
W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses
http://www.cert.org/incident_notes/IN-2001-07.html
_________________________________________________________________
What's New and Updated
Since the last CERT Summary, we have published new and updated:
* Advisories
http://www.cert.org/advisories/
* Congressional Testimony
http://www.cert.org/congressional_testimony/
* Incident Notes
http://www.cert.org/incident_notes/
* CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
* Tech Tips
http://www.cert.org/tech_tips/
* Training Schedule
http://www.cert.org/training/
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2001-03.html
______________________________________________________________________
CERT/CC Contact Information
Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected]. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQCVAwUBO4uyaQYcfu8gsZJZAQFJEgP6A0+vfi/vkpl5YeneQPhyfllaFEtKwQSD
xuGWHF6YUQGEHiQZYnwAFV2gWEkY5OGLWGBSsRESr3kHSpcMPfsOkGvty+lyi5aM
kfRaZkkdlZdNmMYlxwQxq9IrEaWX4rJzrzcdfq9U3TTB4oBJnP4dDRyUIdW3Oe3E
R8vDJQar7EM=
=DR64
-----END PGP SIGNATURE-----