-----Original Message-----
From: NIPC Watch
To: daily
Sent: 10/31/01 7:45 AM
Subject: NIPC Watch Daily Report 31 October 01

NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report nor does this constitute endorsement by the NIPC of the FBI.

Significant Changes and Assessment - There is a new exploit called "Klez" that affects users who have Microsoft Internet Explorer versions 5.01 and 5.5 on their systems. Klez is a self-replicating mass mailer that uses the Outlook or Outlook Express address book, but may also have the virus ElKern attached to it. Even if the message is only viewed in the preview pane, Klez may execute and infect the system by modifying the registry so that it runs every time the system boots. Klez copies itself to the root directories of the local drives and to all network drives to which the user has write permission. These files have double extensions, such as .txt.exe. The payload for Klez executes on the 13th of every month, causing all files on the local and mapped drives to become zero-length files. The fact that Klez can carry another payload in addition to its own makes it a double threat. This may be a proof-of-concept exploit, or another malicious coder could take this one step further and attach a more destructive payload later.

Private Sector - A new variant of the Nimda worm has started spreading slowly throughout the Asia-Pacific region. The variant, called Nimda.E, spreads using the same methods as the original worm, but its files have been renamed to mimic existing Windows files. The first reports received came from Korea at about 9 a.m. EST on 29 October. Shortly thereafter similar reports were received in the US and Australia. The only PCs that can be infected by Nimda.E are those that have not been secured in the aftermath of the original worm.
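The Klez item above names two traces a defender can look for on disk: copies dropped into drive roots with double extensions such as .txt.exe, and files truncated to zero length after the 13th-of-month payload runs. The Python sweep below is an added example written for this archive, not code from the NIPC report or any vendor; the executable extensions beyond .exe, the sample file names and the helper names (has_double_extension, scan_roots, count_zero_length, demo_sweep) are this example's own assumptions and constructions. On a live host you would point scan_roots at the drive roots and mapped shares rather than at the constructed sample directory.

```python
"""Triage sweep for the Klez file indicators described in the report.

Added example, not NIPC code. It flags files whose name carries a double
extension ending in an executable extension (the report gives ".txt.exe")
and counts zero-length files, the two on-disk traces the report describes.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Final extensions to treat as executable. The report names only ".exe";
# the additional entries are an assumption of this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}


def has_double_extension(name: str) -> bool:
    """True for names such as 'readme.txt.exe': an executable final
    extension preceded by a second, short extension."""
    p = Path(name)
    if p.suffix.lower() not in EXECUTABLE_EXTS:
        return False
    inner = Path(p.stem).suffix  # '.txt' for 'readme.txt.exe'
    return 1 < len(inner) <= 5


def scan_roots(roots: Iterable[str], recursive: bool = False) -> List[Dict[str, str]]:
    """Return one finding per double-extension executable found in each root.

    The report says Klez drops copies into the root directory of every local
    and writable network drive, so the default looks only at the root level.
    """
    findings = []
    for root in roots:
        if recursive:
            walker = os.walk(root)
        else:
            try:
                walker = [(root, [], os.listdir(root))]
            except OSError:
                continue  # unreadable or unmapped drive: skip, do not abort the sweep
        for dirpath, _dirs, files in walker:
            for fname in files:
                full = os.path.join(dirpath, fname)
                if os.path.isfile(full) and has_double_extension(fname):
                    findings.append({"path": full, "indicator": "double extension"})
    return findings


def count_zero_length(root: str) -> int:
    """Count zero-length files under root. The report's 13th-of-month payload
    truncates files to zero length, so a sudden jump in this count is a cue
    to isolate the host and restore from backup."""
    count = 0
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            try:
                if os.path.getsize(os.path.join(dirpath, fname)) == 0:
                    count += 1
            except OSError:
                pass  # file vanished or unreadable mid-walk
    return count


def demo_sweep() -> Dict[str, object]:
    """Build a constructed sample drive root and sweep it.

    Returns the flagged file names and the zero-length count so the result
    can be checked without a real infected host.
    """
    root = tempfile.mkdtemp(prefix="klez-demo-")
    sample = {                       # constructed sample files, not real artefacts
        "notes.txt.exe": b"MZ...",   # double extension: should be flagged
        "budget.xls.scr": b"MZ...",  # double extension with another executable suffix
        "setup.exe": b"MZ...",       # single extension: not flagged
        "report.doc": b"text",       # ordinary document
        "wiped.dat": b"",            # zero-length, as after the 13th payload
    }
    for name, data in sample.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    flagged = sorted(os.path.basename(f["path"]) for f in scan_roots([root]))
    return {"flagged": flagged, "zero_length": count_zero_length(root)}


if __name__ == "__main__":
    print(demo_sweep())
```

The root-level default mirrors where the report says the copies land; pass recursive=True to sweep a whole share. The double-extension test is a heuristic (archive names such as .tar.gz are not flagged because .gz is not executable), so each hit is a triage lead to be confirmed by hash or vendor signature, not a verdict on its own.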
Like its parent, Nimda.E can infect PCs and servers in any of four ways: through an e-mail attachment, by scanning for vulnerable servers running Microsoft IIS software and then exploiting a flaw in the software, through shared hard drives, and by fooling browsers into downloading the worm from infected Web servers. Nimda and Nimda.E gather e-mail addresses from any e-mail client supporting the Messaging Application Programming Interface (MAPI), including Microsoft Outlook and Outlook Express. The worm uses these e-mail addresses to fill in the "sender" and "recipient" fields for the messages it sends. Addresses from Web pages stored in a browser's cache will also be used. (Source: ZDNet News, 30 October)

(NIPC Comment: US anti-virus vendors are rating the threat from this worm as low with high distribution. NIPC will continue to monitor and advise as appropriate.)

International - In China, the Urumqi City Public Security Bureau recently cracked a case of a hacker's intrusion into and attack on a government Web site in violation of law. The case was the first case of Internet crime cracked by the Xinjiang police. Since May this year, the homepage of the center's website was intruded into and attacked on many occasions. The homepage was changed, documents were deleted, and the hard disk of the website's server was formatted. A large quantity of data was lost. Some documents and much valuable information on human resources could not be retrieved. The Web site stopped operation for as long as five days and the center suffered an economic loss of 220,000 yuan. (Source: Beijing Xinhua, 27 October)

Foreign hackers have attacked the sites of India's Atomic Energy Regulatory Board (AERB), the All India Institute of Medical Sciences (AIIMS) and the Jawaharlal Nehru University (JNU) in Delhi. However, the organizations mentioned that not much damage took place and the sites would be restored. The AERB's site has already been repaired.
"We don't keep sensitive information on public sites and therefore there is no question of a security breach," said AERB secretary Dr K S Parthasarathy. Pakistani Hackers Club and Anti India Crew, two well-known hacking groups, have staked the defacement claims for the AERB and AIIMS sites. One of the hackers, Dr Nuker, claims to have laid his hands on sensitive atomic energy documents, which has been denied by the AERB secretary. Both the JNU and the AIIMS sites are under repair and cannot be accessed. (Source: Bangalore Deccan Herald, 27 October)

A computer hacker who caused thousands of liters of raw sewage to flow into creeks and parks on the lower Queensland coast has been jailed for two years. A Maroochydore District Court jury found Vitek Boden guilty of hacking into the sewerage computer system of Maroochy Shire Council in March last year and purposely releasing sewage. He was jailed for 12 months for willfully causing serious environmental harm. He also received a two-year sentence for numerous computer hacking and stealing charges. The sentences will be served concurrently. (Source: Australian Broadcast Network, 31 October)

U.S. SECTOR INFORMATION:

Water Supply - New York City's Daily News reported that city officials want a system so sophisticated for its water supplies that it can be triggered by any strange biochemical agents that are introduced into the water supply, said Charles Sturcken, chief of staff for the city's Environmental Protection Department. The 2,000-square-mile, 19-reservoir system, already on heightened alert since the terrorist attacks, will add the high-tech equipment under a $30 million security boost, the Daily News said. The department, which oversees the watershed and reservoirs, has signed a deal with the Army Corps of Engineers, which will design much of the security system and contract with federally licensed firms for implementation.
In addition to the high-tech improvements, the $30 million will allow for hiring more security officers and improving fencing and lighting around the reservoirs. (Source: Water Technology Online, 30 October)

Gas and Oil Storage Distribution - US natural gas pipelines could add capacity of as much as 32 billion cubic feet per day by the end of 2003 to meet the growing needs of electricity plants, especially in California and the Northeast, the Energy Information Administration (EIA) said on 30 October. The steep rise reflects new pipelines planned to move gas from production fields in the Rocky Mountains to markets in the West, and more capacity to feed the New York and Boston markets. The planned increase would dwarf the average 5 billion cubic feet per day of nationwide capacity added annually during the past three years, the EIA said in a report on natural gas pipeline trends. (Source: Reuters, 30 October)

Transportation - President Bush urged lawmakers to support his version of an aviation security bill that would give the federal government control of airport screening without hiring thousands of new federal workers. The House votes on 1 November on legislation that both sides agree is badly needed to fill dangerous holes in airport security but that has created a deep ideological split over the role of government. Bush met separately with 13 Republicans and 13 Democrats at the White House to press his argument that the best way to improve security was to follow the model of some European countries and Israel, where governments retain tight control of training and supervision but the work forces remain private. Currently, airlines are responsible for contracting out security functions at airports, often resulting in the hiring of poorly trained, poorly paid workers who have high turnover rates and aren't properly checked before they are hired.
(Source: Associated Press, 31 October)

The Federal Aviation Administration temporarily banned private planes from flying near nuclear power plants after Attorney General John Ashcroft warned of possible new terrorist attacks. The FAA imposed the restrictions "for reasons of national security" on 30 October. The ban on flying within 11 miles of 86 nuclear plants and other nuclear sites, such as the Sandia National Laboratory in New Mexico, expires 7 November. Also in response to Ashcroft's warning, Transportation Secretary Norman Y. Mineta told his department's administrators to make sure that the trucking, aviation, railroad, shipping and other industries maintained high levels of security. The ban on private flights near nuclear power plants will force nearby small airports to close, said Warren Morningstar, a spokesman for the Aircraft Owners and Pilots Association. (Source: Associated Press, 31 October)

Telecommunications - NTR

Emergency Services - NTR

Electrical Power - NTR

Banking and Finance - NTR

Continuity of Government - In the wake of the terrorist attacks, DoD is developing plans for a "virtual Pentagon" that would enable DoD officials to continue to work even in the event of a large-scale attack on the Pentagon, senior military information technology officials said. The plans, which are referred to either as the "virtual Pentagon" or the "distributed Pentagon," are a significant redesign of DoD's IT contingency plans, which were found to be inadequate as a result of the crash. The attacks showed that there were some vulnerabilities. There were some single points of failure where systems were not sufficiently distributed. The plans focus on creating redundancies and locating those backup sites away from the Pentagon so operations can continue even if there is an attack similar to 11 September. (Source: Federal Computer Weekly, 30 October)
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:29:12 PDT