-----Original Message-----
From: InfraGard [mailto:infragard@private]
Sent: Tuesday, August 12, 2003 6:20 AM
To: Information Technology
Subject: [Information_technology] Daily News 8/12/03

August 12, U.S. Department of Homeland Security - Potential for Significant Impact on Internet Operations Due to Vulnerability in Microsoft Operating Systems (2nd UPDATE: Worm Spreading on the Internet).

The Department of Homeland Security (DHS) has issued a second update to the July 24, 2003 advisory on Microsoft operating systems. Today's update warns that malicious code dubbed "MSBlast," "Lovesan," or "Blaster" began circulating on the Internet on August 11th. This worm takes advantage of the vulnerability discussed in the July 24th advisory and contains code that will target Microsoft's update servers on August 16th. This additional attack could cause significant Internet-wide disruptions. It is possible that other worms based on this vulnerability will be released over the next few days as "copy cat" attacks. In this 2nd update, DHS recommends that the Microsoft update (available at http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp) be applied as soon as possible to the systems affected. In addition to blocking the TCP and UDP ports listed in the July 24th advisory, DHS further recommends that ports 69 (TFTP) and 4444 be blocked when possible. Both of these ports are used to spread the worm.
Source: http://www.nipc.gov/warnings/advisories/2003/2ndUpdate8122003.htm

August 11, CERT/CC - CERT Advisory CA-2003-20: W32/Blaster worm.

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in Microsoft Security Bulletin MS03-026. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner.

In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors. The worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. Unusual or unexpected traffic to windowsupdate.com may indicate a network infection, so system administrators may wish to monitor network traffic. Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. Users are encouraged to apply the patches available on the Microsoft Website: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp.
Source: http://www.cert.org/advisories/CA-2003-20.html

August 08, SecurityFocus - NSA proposes backdoor detection center.

The information assurance director for the National Security Agency (NSA) is calling on Congress to fund a new National Software Assurance Center dedicated to developing advanced techniques for detecting backdoors and logic bombs in large software applications. In testimony before the House Select Committee on Homeland Security's cybersecurity subcommittee last month, Daniel Wolf bemoaned an absence of tools capable of scouring program source code and executables for evidence of tampering. The proposed solution: a federally funded think-tank that would include representatives from academia, industry, government, national laboratories and "the national security community," said Wolf, "all working together and sharing techniques."
Source: http://securityfocus.com/news/6671

Internet Security Systems - AlertCon: 3 out of 4 (https://gtoc.iss.net/), Last Changed 12 August 2003
Security Focus ThreatCon: 3 out of 4 (www.securityfocus.com), Last Changed 12 August 2003

Current Virus and Port Attacks

Virus: #1 Virus in USA: WORM_LOVGATE.F
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]

Top 10 Target Ports: 135 (epmap), 137 (netbios-ns), 445 (microsoft-ds), 113 (ident), 27015 (halflife), 139 (netbios-ssn), 1434 (ms-sql-m), 27374 (SubSeven), 80 (www), 0 (---)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

_______________________________________________
Information_technology mailing list
Information_technology@listserv
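The DHS and CERT items above describe the worm's network footprint: an exploit over TCP/135, a payload fetch that uses ports 69 (TFTP) and 4444, and unexpected traffic toward windowsupdate.com. The following script is an added example written for this digest, not code from DHS, CERT/CC or the mailing list. It runs two detection checks over a constructed connection log whose five-column format (timestamp, source, destination, protocol, destination port) is hypothetical: it flags host pairs where a TCP/135 connection is followed within a few minutes by traffic on a spread port between the same two hosts, and it lists hosts making repeated connections to windowsupdate.com, which the CERT advisory suggests administrators monitor.

```python
"""Detection checks for Blaster-style propagation in a connection log.

Added example for the advisories quoted above; the log format, window
length and threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the advisories: 135 carries the DCOM RPC exploit,
# 69/udp (TFTP) and 4444/tcp are used to spread the payload.
EXPLOIT_PORT = 135
SPREAD_PORTS = {("udp", 69), ("tcp", 4444)}
CHAIN_WINDOW = timedelta(minutes=5)      # assumed follow-up window
DOS_TARGET = "windowsupdate.com"         # SYN-flood target per CERT
DOS_THRESHOLD = 3                        # assumed "repeated contact" count

# Constructed sample log (not real traffic). Hypothetical format:
# "<ISO timestamp> <src> <dst> <proto> <dport>"
SAMPLE_LOG = """\
2003-08-12T06:20:01 10.0.0.5 10.0.0.9 tcp 135
2003-08-12T06:20:02 10.0.0.5 10.0.0.9 tcp 4444
2003-08-12T06:20:03 10.0.0.9 10.0.0.5 udp 69
2003-08-12T06:21:00 10.0.0.7 10.0.0.9 tcp 135
2003-08-12T06:30:00 10.0.0.9 windowsupdate.com tcp 80
2003-08-12T06:30:01 10.0.0.9 windowsupdate.com tcp 80
2003-08-12T06:30:02 10.0.0.9 windowsupdate.com tcp 80
2003-08-12T06:45:00 10.0.0.3 wsus.internal.example tcp 80
"""


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "proto": proto.lower(), "dport": int(dport)})
    return events


def find_propagation_chains(events):
    """Return (scanner, target) pairs where a TCP/135 connection is followed,
    within CHAIN_WINDOW, by traffic on a spread port (69/udp or 4444/tcp)
    between the same two hosts in either direction.

    A lone TCP/135 connection is not reported: the chain is what
    distinguishes the worm's fetch-and-run step from ordinary RPC traffic.
    """
    exploit_hits = [(e["ts"], e["src"], e["dst"]) for e in events
                    if e["proto"] == "tcp" and e["dport"] == EXPLOIT_PORT]
    chains = set()
    for ts0, src, dst in exploit_hits:
        for e in events:
            if (e["proto"], e["dport"]) not in SPREAD_PORTS:
                continue
            if {e["src"], e["dst"]} != {src, dst}:
                continue
            if ts0 <= e["ts"] <= ts0 + CHAIN_WINDOW:
                chains.add((src, dst))
                break
    return sorted(chains)


def hosts_contacting(events, target=DOS_TARGET, threshold=DOS_THRESHOLD):
    """Return hosts with at least `threshold` connections to `target`,
    the 'unusual or unexpected traffic to windowsupdate.com' CERT mentions."""
    counts = defaultdict(int)
    for e in events:
        if e["dst"] == target:
            counts[e["src"]] += 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("propagation chains (scanner -> target):", find_propagation_chains(evs))
    print("hosts repeatedly contacting windowsupdate.com:", hosts_contacting(evs))
```

On the constructed log the chain check reports only the 10.0.0.5 to 10.0.0.9 pair: 10.0.0.7 also touched TCP/135 on 10.0.0.9 but no spread-port traffic followed, so it is left out, which keeps the check from firing on every RPC endpoint-mapper connection. A site that uses windowsupdate.com for patching would raise the threshold or exempt its known update hosts before acting on the second check.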
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 10:33:04 PDT