From: Treece, Dennis (ISS Atlanta) (DTreece@iss.net)
Date: Wed Sep 19 2001 - 14:38:41 CDT



    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Copyright 2001 Internet Security Systems (trademark) THE POWER TO
    PROTECT

    INTERNET THREAT & SOLUTIONS UPDATE for September 19th - 21st, 2001
    ISS X-Force Special Operations Group

    - --------------------------------------
    CURRENT THREAT ASSESSMENT & THREAT FORECAST
    - --------------------------------------

    AlertCon 3 Today, September 19th, 2001
    AlertCon 3 Projected for September 20th - 21st, 2001

    *************

    - - We are holding at AlertCon 3 and projecting this out an additional
    two days. AlertCon 3 means there is a focused or specific threat and
    some action is required.

    - - The NIMDA worm continues to plague the Internet. The port stats
    below show how NIMDA's propagation via port 80 dominated our alarms
    yesterday.

    - - NIMDA affects Windows 95, 98, ME, 2000, and NT 4.0. It spreads
    itself via Outlook, using the addresses of the people in your inbox.
    It also spreads itself via file shares and if it finds none it will
    create them. It spreads itself via the web, scanning for such things
    as the back door deposited in infected machines by Code Red II.

    - - NIMDA deposits itself in a multitude of files with a variety of
    extensions (e.g. .exe, .htm, .doc). The executable is in a README.EXE
    file.

    - - The X-Force <http://xforce.iss.net/> R&D team has published a
    technical advisory that you should consult for the detailed write-up.
    Keep checking their site for updated security solutions relative to
    this worm.
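The port-80 scanning described above leaves a distinctive trail in ordinary web-server access logs. The script below is an added example, not part of the ISS update: it parses Common Log Format lines and flags requests for the Code Red II root.exe back door, for cmd.exe, and for percent-encoded directory traversal, then reports probes per source and any probe the server answered with a 2xx. The log lines are constructed for the example (addresses, timestamps and sizes are made up), and the request strings and the list of encoded path separators come from public Nimda analyses rather than from this update, so treat them as an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format. Addresses, timestamps and
# byte counts are made up; the request strings are the probe patterns reported
# in public Nimda write-ups (assumption: the update above does not list them).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2001:10:14:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3131
10.0.0.5 - - [19/Sep/2001:10:14:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3131
10.0.0.5 - - [19/Sep/2001:10:14:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3131
10.0.0.5 - - [19/Sep/2001:10:14:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3131
10.0.0.5 - - [19/Sep/2001:10:14:04 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3131
192.168.1.20 - - [19/Sep/2001:10:15:11 -0500] "GET /index.html HTTP/1.1" 200 5120
192.168.1.20 - - [19/Sep/2001:10:15:12 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048
172.16.4.9 - - [19/Sep/2001:10:16:40 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Encodings of '\' and '/' that slip past a naive path check: double encoding
# (%255c -> %5c -> '\') and overlong UTF-8 (%c0%af, %c1%9c, ...).
# Assumption: taken from public write-ups, not from this update.
ENCODED_SEPARATORS = (
    "%255c", "%252f", "%%35%63", "%%35c", "%25%35%63",
    "%c0%af", "%c0%2f", "%c1%1c", "%c1%9c",
)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def classify(path):
    """Return the set of Nimda-style indicators present in one request path."""
    lower = path.lower()
    tags = set()
    # root.exe is the cmd.exe copy Code Red II left in /scripts and /MSADC;
    # asking for it is a probe for that back door.
    if "/root.exe" in lower:
        tags.add("codered2_backdoor")
    if "cmd.exe" in lower:
        tags.add("cmd_exe")
    # Decode twice so a double-encoded '\' (%255c) is caught as well as %5c;
    # overlong UTF-8 does not decode cleanly, so match it before decoding.
    decoded = unquote(unquote(lower))
    if TRAVERSAL_RE.search(decoded) or any(s in lower for s in ENCODED_SEPARATORS):
        tags.add("traversal")
    return tags


def scan(log_text):
    """Return one hit per log line that carries at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        tags = classify(m.group("path"))
        if tags:
            hits.append({
                "src": m.group("src"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "tags": sorted(tags),
            })
    return hits


def summarize(hits):
    """Probe counts per source, plus sources whose probe the server answered 2xx."""
    by_source = Counter(h["src"] for h in hits)
    # A 2xx to a cmd.exe or root.exe request means the server ran it: the
    # probed host is not merely being scanned, it is exploitable or already hit.
    answered_2xx = sorted({h["src"] for h in hits if 200 <= h["status"] < 300})
    return {"by_source": dict(by_source), "answered_2xx": answered_2xx}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["src"]:<14} {h["status"]} {",".join(h["tags"]):<28} {h["path"]}')
    print(summarize(found))
```

The 404 responses from 10.0.0.5 show a host scanning you and failing; the single 200 for 172.16.4.9's traversal request is the line that matters, because it means the IIS server executed cmd.exe and should be treated as compromised rather than merely probed.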

    - ---------------------------------------
    SOLUTIONS
    - ---------------------------------------

    - - NIMDA is pervasive and destructive. Today, make sure key data is
    identified and then backed up in a separate place.

    - - Patch your Win 2K and NT machines from these links:
    - -- Win 2K
    <http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30800%26redirect%3Dno>
    - -- Win NT
    <http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30833%26redirect%3Dno>

    - - Visit the Microsoft site
    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp>
    and follow their suggestions regarding NIMDA. Advise your users to
    avoid opening any e-mail attachment they are unsure of with a .exe,
    .txt, or .vbs extension.

    - - Anti-virus solutions are available. Visit your vendor's site and
    update immediately.

    - - Block tftp (udp/69) outbound at the perimeter. A web server hit
    through the IIS vulnerabilities pulls the worm body across from the
    attacking host with tftp, so this stops that vector from other
    networks; it does nothing for the e-mail vector.

    - - Set your browser to prompt before running JavaScript. Unless you
    are sure of the integrity of the site you are visiting, avoid running
    scripts unless absolutely necessary. A page that tries to open a .eml
    file is what you want to watch for in these situations.

    - - Check your firewalls to ensure NetBIOS traffic is not passing
    through them. This prevents shares from being accessed from outside
    your local network. Any networks using file sharing between
    geographical areas should be doing it via VPN.

    - - NIMDA Removal, Protection. Bugtraq has some suggestions, as do
    others in this business. The safest way to do this may be to minimize
    risk by taking the above steps and wait for your anti-virus vendor to
    field a removal solution. Because this worm insinuates itself into so
    many different files its safe removal is a tricky proposition.
    Suggested Reading:

    http://it.is.rice.edu/~rickr/safe/
    http://www.slipstick.com/outlook/antivirus.htm

    - -------------------------------------
    Attack Signatures - global IDS, midnight - midnight, previous day, %
    of total
    - -------------------------------------

    Suspicious Activity 44.70%
    Protocol Decode 27.14%
    Unauth Access Attempts 14.43%
    Denial Of Service 12.61%
    Pre-Attack Probe 01.13%
    Back Doors 00.00%

    - -------------------------------------
    Top Ten Destination Ports - global IDS, midnight - midnight, previous
    day, % of top ten (port assignments found at
    <http://www.iana.org/assignments/port-numbers>)
    - -------------------------------------

    80 (http) 97.52%
    25 (smtp) 01.28%
    21 (ftp) 00.62%
    443 (https) 00.17%
    139 (netbios) 00.16%
    53 (dns) 00.08%
    143 (imap) 00.06%
    2560 (labrat) 00.05%
    2065 (data link switch read) 00.04%
    12754 (unassigned) 00.04%

    - ---------------------------------------
    NOTE, DISCLAIMER AND COPYRIGHT NOTICE
    - ---------------------------------------

    NOTE: Our web site with this information in more attractive format and
    graphics is available to the public at no cost at
    <http://www.iss.net/> under "Global Internet Threat Intelligence
    Service". Screen captures (Control/PrtSc) of the site's pages dropped
    into PowerPoint can be an effective way to communicate various aspects
    of the Internet threat, e.g. the graph depicting "AlertCon Trends".

    We provide this information on Internet threat metrics, viruses,
    vulnerabilities, patches, and breaking news, in the spirit of PDD 63,
    to help security professionals wage the war against Internet threats
    more effectively. Information in this update derived primarily from
    global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
    and professional liaison. Other sources as noted. AlertCon 1 reflects
    the global, malicious, determined, 24 x 7 attacks experienced by all
    networks. AlertCon 2 means increased vigilance/action recommended due
    to a specific threat or concern. AlertCon 3 means increased attacks
    against specific targets or vulnerabilities on a scale that is
    unusually high, action required. AlertCon 4 reflects an Internet
    emergency for a target or group of targets whose business continuity
    may depend on some sort of immediate, decisive action. All summaries
    cover 24 hours the previous workday, GMT. Monday summaries may cover
    some weekend activity.

    Copyright 2001 Internet Security Systems, Inc. Permission is granted
    for the redistribution of the Internet Threat Update electronically.
    It is not to be sold or edited in any way without express consent of
    ISS. Refer comments or questions to dtreece@iss.net
    <mailto:dtreece@iss.net>. Disclaimer: This information is subject to
    change without notice. Use of this information constitutes acceptance
    for use in an "as is" condition. There are no warranties with regard
    to this information. In no event shall the author be liable for any
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the
    user's own risk. No other use authorized. FOIA Exemption 4.

    Dennis
    Dennis Treece
    Director,
    Global MSS Special Operations Group
    Internet Security Systems (ISS)
    6303 Barfield Road
    Atlanta, Georgia 30328
    404-236-4065
    Cell 404-667-9345
    Fax 404-236-2626

    Internet Security Systems -- The Power to Protect

    Confidentiality Notice: This message is being sent by or on behalf of
    a network security professional. It is intended exclusively for the
    individual to whom it is addressed. This communication may contain
    information that is proprietary, privileged or confidential.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5

    iQA/AwUBO6j0aOOOe/7N9KJeEQJ5OgCcDp4TaTgReJA+12pO+1nP0sbSdHwAn3F6
    KOvwsCCXXmBwThCo2FvZ+wKg
    =Oe9+
    -----END PGP SIGNATURE-----