Archive of CERT general posting, CERT Summary CS-2000-04

21/11/00, CERT Summary CS-2000-04
From: CERT Advisory <cert-advisory@cert.org>



To: cert-advisory@cert.org
Subject: CERT Summary CS-2000-04
From: CERT Advisory <cert-advisory@cert.org>
Date: Mon, 20 Nov 2000 14:49:40 -0500 (EST)
Mail-from: From nobody@cert.org Tue Nov 21 05:58:11 2000
Organization: CERT(R) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org


-----BEGIN PGP SIGNED MESSAGE-----

CERT(R) Summary CS-2000-04

   November 20, 2000
   
   Each quarter, the CERT(R) Coordination Center (CERT/CC) issues the CERT
   Summary to draw attention to the types of attacks reported to our
   incident response team, as well as other noteworthy incident and
   vulnerability information. The summary includes pointers to sources of
   information for dealing with the problems.
   
   Past CERT summaries are available from:
   
     CERT Summaries
     http://www.cert.org/summaries/
   ______________________________________________________________________
   
Recent Activity

   Since the last regularly scheduled CERT summary, issued in August
   (CS-2000-03), we have seen continued compromises via rpc.statd and
   FTPd. We have also seen a number of sites compromised by exploiting a
   vulnerability in the IRIX telnet daemon. Notable virus activity
   includes the Loveletter.as worm and the QAZ worm.
   
   For more current information on activity being reported to the
   CERT/CC, please visit the CERT/CC Current Activity page. The Current
   Activity page is a regularly updated summary of the most frequent,
   high-impact types of security incidents and vulnerabilities being
   reported to the CERT/CC. The information on the Current Activity page
   is reviewed and updated as reporting trends change.
   
     CERT/CC Current Activity
     http://www.cert.org/current/current_activity.html
          
   
    1. Compromises Via an Input Validation Vulnerability in rpc.statd
     
       Over the past several months we have received multiple daily
       reports of sites being root compromised via a vulnerability in
       rpc.statd. We have also received a number of reports indicating
       that intruders are performing widespread scanning for this
       vulnerability and using toolkits to automate the compromise of
       vulnerable machines. Sites, especially those running Linux, are
       encouraged to review the documents below.
       
         CERT Advisory CA-2000-17, 
         Input Validation Problem in rpc.statd
         http://www.cert.org/advisories/CA-2000-17.html
       
         CERT Incident Note IN-2000-10, 
         Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
         http://www.cert.org/incident_notes/IN-2000-10.html
                
   
    2. Compromises Via the 'SITE EXEC' Vulnerability in FTPd
     
       The CERT/CC continues to receive regular reports of intruders
       probing large network blocks for vulnerable FTP servers, and
       compromising machines found to be vulnerable to the 'SITE EXEC'
       vulnerability exploit. Sites are strongly encouraged to follow the
       advice contained in CA-2000-13 and IN-2000-10 to protect systems
       running FTP servers.
       
         CERT Advisory CA-2000-13, 
         Two Input Validation Problems In FTPD
         http://www.cert.org/advisories/CA-2000-13.html
       
         CERT Incident Note IN-2000-10, 
         Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
         http://www.cert.org/incident_notes/IN-2000-10.html
                
   
    3. Compromises Via a Vulnerability in the IRIX Telnet Daemon
     
       We have received reports of intruder activity involving the telnet
       daemon on SGI machines running the IRIX operating system.
       Intruders are actively exploiting a vulnerability in telnetd that
       is resulting in a remote root compromise of victim machines. Sites
       running IRIX are encouraged to review IN-2000-09.
       
         CERT Incident Note IN-2000-09, 
         Systems Compromised Through a Vulnerability in the IRIX telnet daemon
         http://www.cert.org/incident_notes/IN-2000-09.html
                
    4. VBS/Loveletter.AS Worm
     
       The CERT/CC has been receiving reports from users infected by the
       VBS/Loveletter.AS worm for several weeks. VBS/LoveLetter.AS is
       known to spread in email messages with the following
       characteristics:
       
         Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
         Body: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
         Attachment: (random_name.ext).vbs
       
       Copies of the virus that have been reported to us contain the
       following comment:
       
         rem  "Plan Colombia" virus v1.0
       
       When the worm is executed, it makes several registry
       modifications, attempts to download additional files, and replaces
       files of certain types similar to the behavior of the
       VBS/Loveletter.A virus. For information on how to prevent or
       recover from a Loveletter infection, please see CA-2000-04.
       
         CERT Advisory CA-2000-04, 
         Love Letter Worm
         http://www.cert.org/advisories/CA-2000-04.html
                
       Additional information about this virus can be found by visiting
       the sites listed on our Computer Virus Resources page.
       
         Computer Virus Resources
         http://www.cert.org/other_sources/viruses.html
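An added example, not from the CERT summary or any CERT tool, that screens one raw message for the Loveletter.AS characteristics listed above (subject, body text, the double-extension .vbs attachment, and the quoted comment line); the sample message, function name and regular expression are this example's own constructions:

```python
import email
import re
from email import policy

# Indicator strings taken from the characteristics the summary lists.
SUBJECT_MARKER = "US PRESIDENT AND FBI SECRETS"
BODY_MARKER = "SEE PRESIDENT AND FBI TOP SECRET PICTURES"
VIRUS_COMMENT = b'rem  "Plan Colombia" virus v1.0'
# "(random_name.ext).vbs": a name, an inner extension, then a trailing .vbs.
DOUBLE_EXT_VBS = re.compile(r"^[^.]+\.[A-Za-z0-9]{1,4}\.vbs$", re.IGNORECASE)


def loveletter_indicators(raw: bytes) -> list:
    """Return the Loveletter.AS indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_MARKER in str(msg["Subject"] or "").upper():
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            if DOUBLE_EXT_VBS.match(filename):
                hits.append("vbs-attachment")
            if VIRUS_COMMENT in (part.get_payload(decode=True) or b""):
                hits.append("plan-colombia-comment")
        elif part.get_content_type() == "text/plain":
            if BODY_MARKER in part.get_content().upper():
                hits.append("body")
    return hits


# Constructed sample message (not a real capture); the attachment holds only
# the comment line the summary quotes, with no script body.
SAMPLE = b"""\
From: sender@example.invalid
Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
--bnd
Content-Type: application/octet-stream; name="pictures.jpg.vbs"
Content-Disposition: attachment; filename="pictures.jpg.vbs"

rem  "Plan Colombia" virus v1.0
--bnd--
"""
```

A message matching several indicators at once is a far stronger signal than any single one; the subject line alone could be a legitimate reply quoting the original.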
                
   
    5. QAZ Worm
    
       For several weeks, the CERT/CC saw an increase in the number of
       NETBIOS Session (139/tcp) probes and a corresponding increase in
       reports of QAZ infected machines. The QAZ worm scans networks for
       unprotected Windows Networking Shares similar to the behavior of
       the network.vbs worm discussed in IN-2000-02. When launched, the
       QAZ worm replaces the Notepad.exe file and modifies the registry
       to ensure that it is run when Windows restarts. This trojan also
       allows an intruder to upload files to the system, or execute any
       file on the system. Sites are encouraged to follow the advice in
       IN-2000-02 to secure Windows Networking Shares, and update
       anti-virus software definitions to prevent infection.
       
         CERT Incident Note IN-2000-02,
         Exploitation of Unprotected Windows Networking Shares
         http://www.cert.org/incident_notes/IN-2000-02.html
                
       Additional information about this virus can be found by visiting
       the sites listed on our Computer Virus Resources page.
       
         Computer Virus Resources
         http://www.cert.org/other_sources/viruses.html
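An added example, not part of the summary, that counts 139/tcp connection attempts per source over constructed firewall-style log lines and reports sources touching several distinct hosts, the probe pattern the summary associates with QAZ; the log format, addresses and function names are assumptions of this example:

```python
import re
from collections import defaultdict

# Constructed log format for this example (not any real product's):
# "<timestamp> <src> -> <dst>:<port>/<proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>tcp|udp)$"
)


def netbios_sweeps(lines, min_hosts=3):
    """Map each source that reached >= min_hosts distinct hosts on 139/tcp
    to the sorted list of hosts it touched; other traffic is ignored."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # tolerate lines that do not fit the format
        if m["proto"] == "tcp" and int(m["port"]) == 139:
            targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_hosts}


# Constructed sample (RFC 5737 documentation addresses), not a real capture:
# one source sweeps four hosts, one host repeatedly uses a single share,
# and unrelated traffic plus a malformed line are present.
SAMPLE_LOG = """\
2000-11-01T10:00:01 198.51.100.7 -> 192.0.2.10:139/tcp
2000-11-01T10:00:01 198.51.100.7 -> 192.0.2.11:139/tcp
2000-11-01T10:00:02 198.51.100.7 -> 192.0.2.12:139/tcp
2000-11-01T10:00:02 198.51.100.7 -> 192.0.2.13:139/tcp
2000-11-01T10:00:03 192.0.2.20 -> 192.0.2.10:139/tcp
2000-11-01T10:00:03 192.0.2.20 -> 192.0.2.10:139/tcp
2000-11-01T10:00:04 198.51.100.9 -> 192.0.2.10:80/tcp
2000-11-01T10:00:04 198.51.100.9 -> 192.0.2.11:137/udp
this line is malformed and is skipped
"""


def sample_sweeps():
    return netbios_sweeps(SAMPLE_LOG.splitlines())
```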
                
   
    6. Multiple Denial of Service Problems in ISC BIND
   
       The CERT/CC has recently learned of two serious denial of service
       vulnerabilities in the Internet Software Consortium's (ISC) BIND
       software. The first vulnerability is referred to by the ISC as the
       "zxfr bug" and the second is the "srv bug." We have not yet
       received reports of these vulnerabilities being exploited, but we
       believe the potential is there. Sites are encouraged to follow the
       advice in CA-2000-20 to protect systems running BIND.
       
         CERT Advisory CA-2000-20,
         Multiple Denial of Service Problems in ISC BIND
         http://www.cert.org/advisories/CA-2000-20.html
   ______________________________________________________________________
   
New CERT PGP key

   The CERT/CC PGP key for 2000-2001 is now operational. The new key is
   an RSA key; it is constructed so as to provide maximum
   interoperability with as many versions of PGP as possible as well as
   with GPG. Information about the new PGP Key can be found at:
   
     Sending Sensitive Information to the CERT/CC
     http://www.cert.org/contact_cert/encryptmail.html
   ______________________________________________________________________
   
New Vulnerability Disclosure Policy

   On October 9, 2000, the CERT Coordination Center began following a new
   policy regarding the disclosure of vulnerability information.
   Information about the new policy can be found at:
   
     The CERT Coordination Center Vulnerability Disclosure Policy
     http://www.cert.org/faq/vuldisclosurepolicy.html
   ______________________________________________________________________
   
What's New and Updated

   Since the last CERT summary, we have published new and updated
     * Advisories
     * Incident notes
     * CERT/CC statistics
     * Security improvement modules
     * Infosec Outlook newsletter
     * Frequently Asked Questions
       
   Descriptions of these documents and links to them can be found on our
   "What's New" page:
   
     What's New
     http://www.cert.org/nav/whatsnew.html
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/summaries/CS-2000-04.html
   ______________________________________________________________________
  
CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
     CERT Coordination Center
     Software Engineering Institute
     Carnegie Mellon University
     Pittsburgh PA 15213-3890
     U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2000 Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

-----END PGP SIGNATURE-----

