-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Thursday, August 23, 2001 9:05 AM
To: daily@private
Subject: NIPC Daily Report 23 August

NIPC Daily Report 23 August

Significant Changes and Assessment - No significant changes

Private Sector - A new variant of the Code Red II worm is on the loose, but security experts believe its impact will be minimal, although the appearance of the new worm could be trouble. According to Roger Thompson, head of malicious code research at TruSecure Corp., the new variant, which has initially been named CodeRed.d, is nearly identical to its predecessor except for two minor pieces of code. The new worm has replaced a fragment of code known as an "atom" that was unique to the earlier version, the string "CodeRedII," with a series of underscore characters. In addition, the byte at offset 07C5 is changed from a 0 to an FF. According to Thompson, the new variant cannot easily be differentiated from Code Red II in Web server log files, since it leaves the same initial "GET" command and a long string of "X" characters, just like the earlier version. (Source: Newsbytes, 22 August)

(NIPC Comment: A new version of the Code Red Worm has been discovered which appears to be similar to Code Red II. The new worm replaces the "Code Red II" string in the code with a series of underscores or "___________". Additionally, the new worm appears to have changed the way it chooses targets, making target selection more random. It is believed that this was done to increase the scanning activity to other vulnerable machines not on the local subnet. It is also believed that this new version may have removed the reference to Code Red II to hinder intrusion detection systems looking for that string in the code. The new version of the worm does not pose an immediate threat; however, system administrators are encouraged to check their systems and install the patch.)
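The two points above (a content signature keyed on the "CodeRedII" atom no longer fires on the variant, while the Web server log entry looks the same for both) can be demonstrated with a small detection exercise. The following is an added example, not code from the NIPC report or from TruSecure. The byte fragments are constructed stand-ins that model only the two differences the report names (the atom replaced by underscores and one byte changed); they are not worm code. The log lines are constructed in Apache combined format with the payload shortened, and the minimum "X" run length used by the log rule is an assumption chosen for the example, not a documented threshold.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# ---- Constructed payload fragments (stand-ins, NOT real worm code) --------
# The report states that the variant replaced the unique "CodeRedII" atom with
# underscores and changed one byte from 0 to FF. Only those facts are modelled.
ATOM = b"CodeRedII"
ORIGINAL_FRAGMENT = b"\x90\x90" + ATOM + b"\x00\x00"
VARIANT_FRAGMENT = b"\x90\x90" + b"_" * len(ATOM) + b"\x00\xff"


def atom_rule(fragment: bytes) -> bool:
    """IDS-style content rule keyed on the literal atom string.

    Fires on the original, misses the variant: this is the weakness the report
    suggests the underscore substitution was meant to exploit.
    """
    return ATOM in fragment


def differing_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length fragments differ (for triage notes)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# ---- Log-based rule ------------------------------------------------------
# Both versions leave the same initial GET and a long run of "X" characters in
# the Web server log, so a rule on that request shape flags both. The run
# length of 40 is an assumption for this example.
REQUEST_RE = re.compile(r"GET\s+(\S+)")
X_RUN_RE = re.compile(r"X{40,}")


def request_target(line: str) -> Optional[str]:
    """Extract the request target from a GET line, or None for other lines."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def log_rule(line: str) -> bool:
    """True when the line is a GET whose target carries a long run of X's."""
    target = request_target(line)
    return target is not None and X_RUN_RE.search(target) is not None


def scan_log(lines: Iterable[str]) -> Counter:
    """Count flagged requests per client address (first field of each line)."""
    hits: Counter = Counter()
    for line in lines:
        if log_rule(line):
            hits[line.split()[0]] += 1
    return hits


# Constructed log lines (Apache combined format, payload shortened). Client
# addresses are documentation ranges. The first two lines stand for the
# original worm and the variant: they are identical at the log level.
X_RUN = "X" * 60
SAMPLE_LOG = [
    f'192.0.2.10 - - [23/Aug/2001:09:05:01 -0400] "GET /{X_RUN}=a HTTP/1.0" 200 512 "-" "-"',
    f'198.51.100.7 - - [23/Aug/2001:09:05:03 -0400] "GET /{X_RUN}=a HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.5 - - [23/Aug/2001:09:06:00 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [23/Aug/2001:09:06:02 -0400] "POST /cgi-bin/form HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print("atom rule, original:", atom_rule(ORIGINAL_FRAGMENT))   # True
    print("atom rule, variant: ", atom_rule(VARIANT_FRAGMENT))    # False
    print("fragment offsets that differ:", differing_offsets(ORIGINAL_FRAGMENT, VARIANT_FRAGMENT))
    print("log hits per client:", dict(scan_log(SAMPLE_LOG)))
```

Running the block shows the atom rule splitting the two fragments while the log rule counts one hit from each of the two scanning addresses and ignores the ordinary traffic. The practical lesson is the one the report draws: a log-based rule tells an administrator that a host is being scanned, but not which of the two versions is doing it, so triage has to rely on patch status rather than on the string the worm carries.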
A worm which poses as a virus clean-up utility has appeared, called All3gro. Fortunately All3gro is neither spreading rapidly nor doing much harm; however, it is a sign that virus writers are coming up with fresh social engineering techniques through which they hope to snare the unwary. Perhaps the technique was conceived because of the recent hype about the Code Red worm and the continuing spread of the SirCam virus. All3gro comes in the form of an e-mail with a subject line "New antivirus tool" and attached file "Antivirus.exe," which contains the worm. If you open the attachment you get infected, providing of course you've got a Windows machine. Mac and Linux users are immune from infection. (Source: InfoSec News, 22 August)

(NIPC Comment: The Malicious Code Team of NIPC has been in contact with the anti-virus industry to determine the validity of this virus. W32.All3gro@mm is being reported as a low threat at this time due to low victim reporting and the lack of samples being received by the anti-virus community; however, this virus contains a mass-mailing capability that uses MAPI commands to send e-mail to the addresses that are found in e-mail messages stored on the infected systems. This could escalate the outbreak of the virus and move it to medium or high threat in a very short time period. This virus does carry a destructive payload depending on the day of the week. Each day activates a different scenario, which causes deletions and modifications to victim systems. Users are urged to check anti-virus web pages to update their anti-virus software. Due to All3gro's unique social engineering technique, which could cause confusion for misinformed system users, the NIPC Malicious Code Team will closely follow its activity.)

International - A group of Japanese researchers have designed an e-mail system that is capable of detecting previously unknown viruses lurking in attached files.
Conventional anti-virus software searches for infections by using a database of known viruses, but the new system performs a simulated run of software on a virtual computer in order to discover viruses. The group, which includes developers from Tokyo Institute of Technology, the University of Tokyo and the University of Tsukuba, plans to provide software based on the technology free of charge as early as this fiscal year. The system searches attached files for programs that threaten to erase files or connect to communications lines. It also wards off junk mail by not accepting e-mail from unidentified senders, which makes for a more secure environment. (Source: Tokyo Nikkei Telecom, 21 August)

Excite@Home Australia has been randomly searching its users' broadband accounts looking for pirate activity. Many of the users are saying that it's an invasion of their privacy. The ISP informed users of its Optus@Home broadband service that it would investigate claims of activities such as downloading protected movies and "immediately terminate" a subscriber's account without any prior warning. It is not clear whether the policy extends to the company's other international operations. A spokesperson from Excite@Home said, "We are not watching every bit and byte, but we would randomly check from time to time." This hard-hitting policy is raising questions about the extent of monitoring Optus performs on individual accounts and whether Optus has the authority to control illegal activity on the Internet. Excite@Home, however, said that users are made aware through the terms and conditions set out in its Acceptable Use Policy, which says that it will monitor the network from time to time. (Source: ZDNet UK, 22 August)

A man in the UK has been convicted of blackmail after he threatened to hack into the computers of Barclays Bank unless he was paid 200,000 British Pounds.
Stuart Kearns, 24, faces three years in prison after threatening the collapse of the computer system in the Barclays branch in Beckenham High Street and others in Barclays' network unless the bank complied with his extortion demands. Kearns made his threat via a typed note he gave to bank staff. They called the police and the would-be hacker was captured at his proposed cash drop-off point. (Source: The Register, 23 August)

Government - Bruce Brody, the new associate deputy assistant secretary for cybersecurity at the Department of Veterans Affairs, says program managers will be asked to sign a contract certifying that they have installed security with every project they build, and that this new policy is necessary because security is one issue that tends to "slip." Brody also said new rules for telecommuting would be published for VA employees, requiring them to use a computer strictly dedicated to VA work. Brody writes in the June/July 2001 issue of the VA newsletter, VAnguard, that the VA has a long way to go to tighten security. (Source: Federal Computer Week, 22 August)

Military - Northrop Grumman Corporation's Information Technology sector has been selected by the US Air Force Research Laboratory (AFRL) to develop real-time information and systems recovery for distributed command and control systems such as airspace management, air defense, and air traffic control systems. Data Resiliency in Information Warfare 2.0 is the successor program to several recovery efforts sponsored by AFRL. (Source: PRNewswire, 22 August)

Defacements: According to Safemode.org, the following U.S. Federal and State government sites were defaced on 22 August by "Tedi": U.S. Courts - Southern District of Alabama (http://www.als.uscourts.gov); and USDA AFM Prototype Web site (http://www.afmtestlab.ars.usda.gov).

U.S. SECTOR INFORMATION:

Electrical Power - Early this month, the Washington, D.C., area and the rest of the mid-Atlantic region reportedly came uncomfortably close to a California-style power shortage. On 9 August, Potomac Electric Power Co. cut power levels by 5 percent across its D.C. and Maryland territories. Customers didn't notice, but the voltage-reduction decision was a warning that power reserves were near bottom. The order came from the PJM Interconnection in Norristown, PA, west of Philadelphia. Formed by utilities in 1927 to swap power, PJM is the region's electric-power overseer, directing generation and transmission decisions in the District, Delaware, New Jersey, most of Maryland and parts of Virginia and Pennsylvania. It approves the transmission of power from other states into, out of, and through the region, and it is responsible for steering the region through power emergencies. (Source: Washington Post, 22 August)

Telecommunications - NTR
Water Supply - NTR
Gas and Oil Storage Distribution - NTR
Government Services - NTR
Emergency Services - NTR
Banking and Finance - NTR
Transportation - NTR

NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report, nor does this constitute endorsement by the NIPC or the FBI.
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:20 PDT