CRIME FW: [C.r.i.m.e.-announce] Potential Internet Attack Targeting Microsoft Beginning August 16, 2003

From: George Heuston (GeorgeH@private)
Date: Thu Aug 14 2003 - 15:15:54 PDT

  • Next message: Rob Jacobsen: "CRIME How-to question"

     
    
     
    
    -----Original Message-----
    From: Goerling, Richard J. LT (TAD to CGIC Portland)
    [mailto:RIGoerling@private] 
    Sent: Thursday, August 14, 2003 3:00 PM
    To: 'FW List'
    Subject: [C.r.i.m.e.-announce] Potential Internet Attack Targeting
    Microsoft Beginning August 16, 2003
    
     
    
     
    
    -----Original Message-----
    From: stephfa [mailto:stephfa@private]
    Sent: Thursday, August 14, 2003 12:02 PM
    Subject: Potential Internet Attack Targeting Microsoft Beginning August
    16, 2003
    
    DHS Advisory 
    
     Potential Internet Attack Targeting Microsoft Beginning August 16, 2003
    
    
    OVERVIEW
    
    The National Cyber Security Division (NCD) of the DHS / Information
    Analysis and Infrastructure Protection Directorate is issuing this
    advisory to heighten awareness of potential Internet disruptions
    beginning August 16, 2003.  An Internet worm dubbed "msblast",
    "lovesan", or "blaster" began spreading on August 11th that takes
    advantage of a recently announced vulnerability in computers running
    some versions of the Microsoft Windows operating system.  DHS addressed
    this issue in an advisory available at
    http://www.dhs.gov/interweb/assetlibrary/Advisory_Internet_Impact_MS2.PD
    F. NCD would like to highlight that this worm contains additional code
    which may cause infected computers to attempt repetitive connections to
    a popular Microsoft web site, www.windowsupdate.com beginning just after
    midnight on the morning of August 16th. 
    
    IMPACT
    
    Because of the significant percentage of infected computers using high
    speed connections to the Internet (DSL or cable for example) the
    conditions exist for a phenomena known as a distributed denial of
    service (DDoS) attack against the Microsoft web site beginning on August
    16th.  Steps are being taken by Microsoft and by Internet Service
    Providers to mitigate the impact of the DDoS.  Owners of computers
    infected by the worm may experience a general slowness of their computer
    along with difficulty in connecting to Internet sites or local network
    resources.  Systems that are still infected on August 16th may stop
    spreading the worm and may begin flooding the Microsoft Update site with
    repeated connection requests.  Other customers who attempt to use the
    site to update their Microsoft Windows operating systems on or after
    August 16th might experience slowness in response or inability to
    connect to the update site. 
    
    DETAILS
    
    Windowsupdate.com is used as a starting point for users of Microsoft
    Windows operating systems for software updates.  The code in the worm
    instructs infected computers to repeatedly connect to that site
    beginning on the 16th of August.  Starting on January 1, 2004, the worm
    will switch to cyclic behavior in which it attacks the Microsoft web
    site from the 16th of each month to the end of the month.  Between the
    1st and 15th of the month, infected computers may attempt to scan for
    other vulnerable systems in order to spread the worm.  The worm uses the
    clock in the infected computer to determine when to start and stop;
    therefore Microsoft may begin seeing attacks on the morning of the 15th
    due to time zone differences around the world.  This pattern of
    spreading from the 1st to the 15th and flooding Microsoft between the
    16th and the end of the month may continue indefinitely. 
    
    RECOMMENDATIONS
    
    The worm takes advantage of a serious vulnerability in several versions
    of the Microsoft Windows operating system.  DHS encourages system
    administrators and computer owners to update vulnerable versions of
    Microsoft Windows operating systems as soon as possible before August
    15th. 
    
    Details on which computers are vulnerable and instructions for cleaning
    infected computers are available at
    http://www.microsoft.com/security/incident/blast.asp. 
    
    DHS also encourages system administrators and computer owners to update
    antivirus software with the latest signatures available from their
    respective software vendor. 
    
    In order to limit the spreading of the worm, DHS further suggests that
    Internet Service Providers and network administrators consider blocking
    TCP 
    and UDP ports 69, 135, 139, 445, and 4444 for inbound connections unless
    absolutely needed for business or operational purposes. 
    
    DHS encourages recipients of this Advisory to report information
    concerning suspicious or criminal activity to local law enforcement,
    local FBI's Joint 
    Terrorism Task Force (in Washington, DC/Northern Virginia; (202)
    278-2000) or the Homeland Security Operations Center (HSOC).  The HSOC
    may be contacted at:   Phone: (202) 282-8101. 
    
    DHS intends to update this advisory should it receive additional
    relevant information, including information provided to it by the user
    community. 
    Based on this notification, no change to the Homeland Security
    AdvisorySystem (HSAS) level is anticipated; the current HSAS level is
    YELLOW. 
      
      
      
      
      
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 15:46:58 PDT