OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[ISN] A glitch in the Matrix, or a hungry exploit?

From: InfoSec News (alertsinfosecnews.org)
Date: Mon Jul 02 2007 - 00:27:33 CDT

http://www.theregister.co.uk/2007/06/30/weird_internet_behaviour/

By Sunnet Beskerming
30th June 2007

Sunnet Beskerming researchers observed an interesting deviation in
global network traffic over the last 24 hours, particularly for South
American, Asian, and Australian networks. Normally, global Internet
traffic (as observed by the Internet Traffic Report) oscillates around
nine per cent packet loss, with global response times of 138 ms, and the
internally derived traffic index at around 79.

Sustained over the last 24 hours, the traffic index has dipped almost
five per cent, packet loss has climbed to 11 per cent, and the global
response time to almost 150 ms.

Normal spikes and dips as observed on the Internet Traffic Report show
up as no more than three- or four-hour blocks of odd results before
settling back into normalcy. This latest spike and dip has been
sustained for at least 18 hours, with a rapid ramp up in the six hours
prior to the peaks (and lows) being reached.

When the figures are considered against the seven-day average, and the
30-day average, the deviation appears to be quite significant and seems
to mark a distinct event or set of events. When the reports for Asia,
South America, and Australia are looked at in isolation, the three
regions appear to be suffering from a related event, with similar
patterns being observed in the data being put forward for those regions.
Data for Europe and North America indicates that whatever is affecting
the other regions, it isn't affecting Europe or North America.
Independently sourced data at Keynote (using their Internet Health
Report) indicates that there is nothing adversely impacting the US at
this time.

Either these regions are experiencing the first stages of a global
event, or they contain networks that are under a sustained attack for
some specific reason.

So, what can be causing this problem? There appears to be nothing that
is being reported by any of the usual agencies or news feeds, with SANS
indicating a GREEN Threat level, and Symantec, McAfee, and the other
major security software providers not indicating any new malicious
software emergence.

Looking at the current Top 10 report from SANS, it appears that Port
5901 (used for VNC) is leading the charge for the top rating across all
metrics (including a 20 per cent lead on the next port on the rising
Trends chart). At the time of writing, the raw data for Port 5901 was
showing disturbing results.

While there is spam, drive-by phishing attacks, and persistent worms
attacking global networks, these have been ongoing attacks and should
not be responsible for such a large change in such a short period of
time by themselves.

If we consider port 5901 to be relevant to the reason behind the
attacks, then we might have found a potential cause, and a potential
target.

An exploit was added a couple of days ago to a number of security
mailing lists, distribution sites, and other sources, which targets a
remote code execution vulnerability in the AMX VNC ActiveX control.
Since appearing on these sources it has spread to thousands of sites,
and is guaranteed to have been seen by many, many people - some with
malicious intent.

Although a remote code execution exploit is nothing special nowadays,
this particular piece of code claims to achieve its goals without
alerting the victim to the fact that they have just been successfully
hacked.

Whether or not it is relevant to the real reason behind the observed
response time and packet loss deviation will be seen over time. At the
least, administrators and end users should keep a closer eye on their
systems and networks over the next few days to see if this unknown
problem is going to spread.

(c) Sunnet Beskerming Pty. Ltd - http://www.beskerming.com/company

5B
_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com