FW: NIPC Daily Report 23 August

From: George Heuston (georgeh@private)
Date: Thu Aug 23 2001 - 09:54:40 PDT


     
    -----Original Message-----
    From: NIPC Watch [mailto:nipc.watch@private] 
    Sent: Thursday, August 23, 2001 9:05 AM
    To: daily@private
    Subject: NIPC Daily Report 23 August
    
    
    
    NIPC Daily Report 23 August 
    
    
    Significant Changes and Assessment - No significant changes 
    
    
    Private Sector - A new variant of the Code Red II worm is on the loose, but
    security experts believe its impact will be minimal, although the appearance
    of the new worm could be trouble.  According to Roger Thompson, head of
    malicious code research at TruSecure Corp., the new variant, which has
    initially been named CodeRed.d, is nearly identical to its predecessor
    except for two minor pieces of code.  The new worm has replaced a fragment
    of code known as an "atom" that was unique to the earlier version, the
    string "CodeRedII," with a series of underscore characters.  In addition,
    the byte at offset 07C5 is changed from a 0 to an FF.  According to
    Thompson, the new variant cannot easily be differentiated from Code Red II
    in Web server log files, since it leaves the same initial "GET" command and
    a long string of "X" characters, just like the earlier version.  (Source:
    Newsbytes, 22 August) (NIPC Comment:  A new version of the Code Red Worm has
    been discovered which appears to be similar to Code Red II.  The new worm
    replaces the "Code Red II" string in the code with a series of underscores
    or "___________".  Additionally, the new worm appears to have changed the
    way it chooses targets making target selection more random.  It is believed
    that this was done to increase the scanning activity to other vulnerable
    machines not on the local subnet. It is also believed that this new version
    may have removed the reference to Code Red II to hinder intrusion detection
    systems looking for that string in the code.  The new version of the worm
    does not pose an immediate threat; however, system administrators are
    encouraged to check their systems and install the patch.) 
    
    
    A worm which poses as a virus clean-up utility has appeared called All3gro.
    Fortunately, All3gro is neither spreading rapidly nor doing much harm;
    however, it is a sign that virus writers are coming up with fresh social
    engineering techniques through which they hope to snare the unwary.  Perhaps
    the technique was conceived because of the recent hype about the Code Red
    worm and the continuing spread of the SirCam virus.  All3gro comes in the
    form of an e-mail with a subject line "New antivirus tool" and attached file
    "Antivirus.exe," which contains the worm.  If you open the attachment you
    get infected, providing of course you've got a Windows machine.  Mac and
    Linux users are immune from infection. (Source:  InfoSec News, 22 August)
    (NIPC Comment: The Malicious Code Team of NIPC has been in contact with the
    anti-virus industry to determine the validity of this virus.  W32.All3gro@mm
    is being reported as a low threat at this time due to low victim reporting
    and the lack of samples being received by the anti-virus community; however,
    this virus contains a mass-mailing capability that uses MAPI commands to
    send e-mail to the addresses that are found in e-mail messages stored on the
    infected systems.  This could escalate the outbreak of the virus and move it
    to medium or high threat in a very short time period.   This virus does
    carry a destructive payload depending on day of the week.  Each day
    activates a different scenario, which causes deletions and modifications to
    victim systems. Users are urged to check anti-virus web pages to update
    their anti-virus software.  Due to All3gro's unique social engineering
    technique that could cause confusion for misinformed system users, the NIPC
    Malicious Code Team will closely follow its activity.) 
    
    
    International - A group of Japanese researchers have designed an e-mail
    system that is capable of detecting previously unknown viruses lurking in
    attached files.  Conventional anti-virus software searches for infections by
    using a database of known viruses, but the new system performs a simulated
    run of software on a virtual computer in order to discover viruses. The
    group, which includes developers from Tokyo Institute of Technology, the
    University of Tokyo and the University of Tsukuba, plans to provide software
    based on the technology free of charge as early as this fiscal year. The
    system searches attached files for programs that threaten to erase files or
    connect to communications lines.  It also wards off junk mail by not
    accepting e-mail from unidentified senders, which makes for a more secure
    environment. (Source: Tokyo Nikkei Telecom, 21 August) 
    
    
    Excite@Home Australia has been randomly searching its users' broadband
    accounts looking for pirate activity.  Many of the users are saying that
    it's an invasion of their privacy.  The ISP informed users of its Optus@Home
    broadband service that it would investigate claims into activities such as
    downloading protected movies and "immediately terminate" a subscriber's
    account without any prior warning.  It is not clear whether the policy
    extends to the company's other international operations.  A spokesperson
    from Excite@Home said, "We are not watching every bit and byte, but we would
    randomly check from time to time."  This hard-hitting policy is raising
    questions about the extent of monitoring Optus performs on individual
    accounts and whether Optus has the authority to control illegal activity on
    the Internet.  Excite@Home, however, said that users are made aware through
    the terms and conditions set out in its Acceptable Use Policy, which says
    that it will monitor the network from time to time.  (Source: ZDNet UK, 22
    August) 
    
    
    A man in the UK has been convicted of blackmail after he threatened to hack
    into the computers of Barclays Bank unless he was paid 200,000 British
    Pounds.  Stuart Kearns, 24, faces three years in prison after threatening
    the collapse of the computer system in the Barclays branch in Beckenham High
    Street and others in Barclays' network, unless the bank complied with his
    extortion demands.  Kearns made his threat via a typed note he gave to bank
    staff.  They called the police and the would-be hacker was captured at his
    proposed cash drop off point.  (Source: The Register, 23 August) 
    
    
    Government - Bruce Brody, the new associate deputy assistant secretary for
    cybersecurity at the Department of Veterans Affairs, says program managers
    will be asked to sign a contract certifying that they have installed
    security with every project they build and that this new policy is necessary
    because security is one issue that tends to "slip."  Brody also said new
    rules for telecommuting would be published for VA employees, requiring them
    to use a computer strictly dedicated to VA work.  Brody writes in
    the June/July 2001 issue of the VA newsletter, VAnguard, that the VA has a
    long way to go to tighten security.  (Source: Federal Computer Week, 22
    August) 
    
    
    Military - Northrop Grumman Corporation's Information Technology sector has
    been selected by the US Air Force Research Laboratory (AFRL), to develop
    real-time information and systems recovery for distributed command and
    control systems such as airspace management, air defense, and air traffic
    control systems.  Data Resiliency in Information Warfare 2.0 is the
    successor program to several recovery efforts sponsored by AFRL. (Source:
    PRNewswire, 22 August) 
    
    
    Defacements: According to Safemode.org, the following U.S. Federal and State
    government sites were defaced on 22 August by "Tedi": U.S. Courts - Southern
    District of Alabama (http://www.als.uscourts.gov); and USDA AFM Proto-type Web
    site (http://www.afmtestlab.ars.usda.gov). 
    
    
    U.S. SECTOR INFORMATION: 
    
    
    Electrical Power - Early this month, the Washington, D.C., area and the rest
    of the mid-Atlantic region reportedly came uncomfortably close to a
    California-style power shortage. On 9 August, Potomac Electric Power Co. cut
    power levels by 5 percent across its D.C. and Maryland territories.
    Customers didn't notice, but the voltage-reduction decision was a warning
    that power reserves were near bottom.  The order came from the PJM
    Interconnection in Norristown, PA., west of Philadelphia.  Formed by
    utilities in 1927 to swap power, PJM is the region's electric-power
    overseer, directing generation and transmission decisions in the District,
    Delaware, New Jersey, most of Maryland and parts of Virginia and
    Pennsylvania.  It approves the transmission of power from other states into,
    out of, and through the region, and it is responsible for steering the
    region through power emergencies.  (Source: Washington Post, 22 August) 
    
    
    Telecommunications  - NTR 
    Water Supply - NTR 
    Gas and Oil Storage Distribution - NTR 
    Government Services - NTR 
    Emergency Services - NTR 
    Banking and Finance - NTR 
    Transportation - NTR  
    
    NOTE:  Please understand that this is for informational purposes only and
    does not constitute any verification of the information contained in the
    report nor does this constitute endorsement by the NIPC or the FBI.  
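The Code Red II item in the report above notes that the CodeRed.d variant cannot be told from Code Red II in Web server logs, because both leave the same GET request carrying a long run of "X" characters. The following Python is an added example, not part of the report or any NIPC tooling: it scans common-log-format lines for that request pattern and counts probe attempts per source address, so the check does not depend on the "CodeRedII" string that the variant replaced with underscores. The log lines are constructed, and the /default.ida request path and the 32-character run threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Common log format: client IP, ident, user, [timestamp], "request line", status ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def parse_clf(line):
    """Return (client_ip, request_line, status) or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("request"), int(m.group("status"))


def is_code_red_style_probe(request_line, min_run=32):
    """True for a GET whose target contains at least min_run consecutive X's.

    Both Code Red II and the CodeRed.d variant leave this same trace, so the
    run length is the key; the "CodeRedII" atom never appears in the log at all.
    """
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "GET":
        return False
    return re.search(r"X{%d,}" % min_run, parts[1]) is not None


def scan_log(text, min_run=32):
    """Return {source_ip: number_of_probe_requests} for the given log text."""
    hits = Counter()
    for line in text.splitlines():
        parsed = parse_clf(line)
        if parsed is None:
            continue  # unparseable line, skipped rather than flagged
        ip, request, _status = parsed
        if is_code_red_style_probe(request, min_run):
            hits[ip] += 1
    return dict(hits)


# Constructed sample log (assumed /default.ida path; 64 X's stands in for the real run).
PROBE = "GET /default.ida?" + "X" * 64 + " HTTP/1.0"
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [22/Aug/2001:09:05:01 -0700] "' + PROBE + '" 404 218',
    '198.51.100.7 - - [22/Aug/2001:09:05:02 -0700] "GET /index.html HTTP/1.0" 200 4096',
    '203.0.113.5 - - [22/Aug/2001:09:07:44 -0700] "' + PROBE + '" 404 218',
    '192.0.2.9 - - [22/Aug/2001:09:08:10 -0700] "GET /docs/XXX-report.html HTTP/1.0" 200 1200',
    'a log line that does not parse',
])

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```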
      
      
      
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:20 PDT