From: Treece, Dennis (ISS Atlanta) (DTreece@iss.net)
Date: Tue Sep 25 2001 - 14:44:16 CDT




    Copyright 2001 Internet Security Systems (trademark) THE POWER TO
    PROTECT

    INTERNET THREAT & SOLUTIONS UPDATE for September 25th - 27th, 2001
    ISS X-Force Special Operations Group

    --------------------------------------
    CURRENT THREAT ASSESSMENT & THREAT FORECAST
    --------------------------------------

    AlertCon 2 Today, September 25th, 2001
    AlertCon 2 Projected for September 26th - 27th, 2001

    Today's Focus: Antivirus updates, advisories

    *************

    - We remain at AlertCon 2 (increased vigilance) for today and are
    projecting AlertCon 2 for the next two days.

    - The discovery yesterday of a destructive virus has replaced the
    Nimda Worm as the "cause du jour".

    - The virus W32.Vote.A@mm, also known as TROJ_VOTE.A, is currently
    spreading in the wild.

    -- This destructive, mass-mailing Trojan was created using Visual
    Basic 5.

    -- It propagates via Microsoft Outlook by sending emails to all
    addresses listed in an infected user's address book.

    -- It arrives in an email with the subject line "Fwd: Peace BeTween
    AmeriCa And IsLam!"

    -- The message body reads: "Hi! iS iT A waR Against AmeriCa Or IsLam!
    Let's Vote To Live in Peace!"

    -- The attachment to look for is WTC.EXE.

    -- TROJ_VOTE.A deletes certain antivirus products installed on the
    system and drops the files WTC.exe, MixDaLaL.vbs, and Zacker.vbs.

    - Nimda is still out there and needs to be addressed by aggressive
    patching of systems.

    --------------------------------------
    Recommended Security Focus
    --------------------------------------

    - Implement your antivirus action plan. If you don't have one, we
    recommend you develop one. Key elements of any such plan must include
    learning about new viruses, getting the word out to your users and
    various system and network administrators, limiting both damage and
    inconvenience, and expediting antivirus updates. One indispensable
    feature of any such plan is empowering someone to take decisive action
    to disconnect any or all of the network from the Internet or Extranets
    in order to stop the spread of hostile code - should that be the only
    available solution. The identity of this person should be well known
    and they should be easy to reach. This is the kind of decision that
    needs to be made in minutes and executed immediately.

    ---------------------------------------
    SOLUTIONS
    ---------------------------------------

    Antivirus Activity:

    - Notify all users on your networks not to open e-mail attachments
    with a subject line resembling "Fwd:Peace BeTween AmeriCa And
    IsLam !", as this is the W32.Vote worm. Alert all users not to open
    any attachment resembling WTC.exe.

    - Force anti-virus updates and direct all users, particularly those
    with laptops, to power up and update their anti-virus before
    conducting any business with the computer. For updated anti-virus
    software, see the following sites:
    <http://www.symantec.com/avcenter/defs.download.html>
    <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VOTE.A>
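The two indicators the update gives for W32.Vote (the lure subject line and the WTC.EXE attachment, plus the files it drops) can be turned into a mail-gateway check. This is an added example, not ISS code; the message builder and its attachment bytes are constructed for the demonstration.

```python
"""Mail-gateway check for the W32.Vote / TROJ_VOTE.A indicators listed in the
update (subject line and attachment names). Sample messages are constructed."""
import email
import re
from email.message import EmailMessage

# Case-insensitive subject match that tolerates the spacing variations the
# update itself shows: "Fwd: Peace ... IsLam!" and "Fwd:Peace ... IsLam !".
VOTE_SUBJECT = re.compile(
    r"^\s*fwd\s*:\s*peace\s+between\s+america\s+and\s+islam\s*!?\s*$", re.I)
# Files named in the update as carried or dropped by the Trojan.
VOTE_FILES = {"wtc.exe", "mixdalal.vbs", "zacker.vbs"}


def attachment_names(msg):
    """Lower-cased filenames of every attachment part in a parsed message."""
    return [part.get_filename().strip().lower()
            for part in msg.walk() if part.get_filename()]


def classify(raw):
    """Return the list of W32.Vote indicators found in a raw RFC 822 message.
    An empty list means nothing matched and the message may pass."""
    msg = email.message_from_string(raw)
    reasons = []
    if VOTE_SUBJECT.match(msg.get("Subject", "")):
        reasons.append("subject matches W32.Vote lure")
    for name in sorted(n for n in attachment_names(msg) if n in VOTE_FILES):
        reasons.append(f"attachment {name} is a W32.Vote file")
    return reasons


def build_sample(subject, filename=None):
    """Constructed test message; the attachment bytes are a harmless stand-in."""
    m = EmailMessage()
    m["From"] = "user@example.com"
    m["To"] = "friend@example.com"
    m["Subject"] = subject
    m.set_content("Hi! iS iT A waR Against AmeriCa Or IsLam! Let's Vote To Live in Peace!")
    if filename:
        m.add_attachment(b"not a real binary", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(classify(build_sample("Fwd:Peace BeTween AmeriCa And IsLam !", "WTC.exe")))
    print(classify(build_sample("Quarterly report", "report.pdf")))
```

A real gateway would quarantine on any non-empty result rather than only printing it; matching on the attachment name alone also catches copies whose subject has been altered.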

    Nimda Activity:

    - Re-install the patches previously advised by ISS and software
    vendors for IIS vulnerabilities, etc.

    - Get management involved to help you marshal the resources you need
    to patch everything and keep it patched. Remember that whenever an OS
    is installed or reinstalled without the patches also being applied,
    you have left gaping holes in your network. The same is true for
    anti-virus updates. All patches issued since the release date of the
    OS you are installing must be manually researched and installed. The
    Microsoft "mega patch" at the link below is a big help in this effort.

    - Users everywhere are reminded that one of Nimda's features is to
    randomly booby-trap web sites throughout the Web. Opening an infected
    site invites Nimda infection via JavaScript. Networks with strong,
    updated gateway protection notify the user and strip the malicious
    logic from the packet stream. Small office and home networks may have
    less protection but should be moving rapidly towards commercial
    anti-virus solutions.

    - Microsoft's web site has the full solution set for its products at
    this site:
    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp>

    - All the major anti-virus vendors now have Nimda solutions. Aris has
    an excellent write-up on the Worm and some further links to security
    solutions:
    <http://aris.securityfocus.com/alerts/nimda/010919-Analysis-Nimda.pdf>

    -------------------------------------
    Attack Signatures - global IDS, midnight - midnight, previous day, %
    of total
    -------------------------------------

    Unauth Access Attempts 55.36%
    Protocol Decode 36.16%
    Suspicious Activity 05.32%
    Denial of Service 01.81%
    Pre-Attack Probe 01.18%
    Back Doors 00.17%

    -------------------------------------
    Top Ten Destination Ports - global IDS, midnight - midnight, previous
    day, % of top ten (ports found at
    <http://www.iana.org/assignments/port-numbers>)
    -------------------------------------

    80 (http) 98.03%
    25 (smtp) 00.66%
    69 (tftp) 00.42%
    21 (ftp) 00.40%
    24452 (unassigned) 00.14%
    31337 (unassigned) 00.13%
    443 (https) 00.09%
    123 (ntp) 00.05%
    15104 (unassigned) 00.04%
    12754 (unassigned) 00.04%

    ---------------------------------------
    VIRUS, VULNERABILITY, NEWS UPDATES
    ---------------------------------------

    <http://www.iss.net/> under "Global Internet Threat Intelligence
    Service"

    ---------------------------------------
    NOTE, DISCLAIMER AND COPYRIGHT NOTICE
    ---------------------------------------

    NOTE: Our web site with this information in a more attractive format
    with graphics is available to the public at no cost at
    <http://www.iss.net/> under "Global Internet Threat Intelligence
    Service". Screen captures (Control/PrtSc) of the site's pages dropped
    into PowerPoint can be an effective way to communicate various aspects
    of the Internet threat, e.g. the graph depicting "AlertCon Trends".

    We provide this information on Internet threat metrics, viruses,
    vulnerabilities, patches, and breaking news, in the spirit of PDD 63,
    to help security professionals wage the war against Internet threats
    more effectively. Information in this update is derived primarily from
    global, real-time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
    and professional liaison. Other sources are as noted. AlertCon 1
    reflects the global, malicious, determined, 24 x 7 attacks experienced
    by all networks. AlertCon 2 means increased vigilance/action is
    recommended due to a specific threat or concern. AlertCon 3 means
    increased attacks against specific targets or vulnerabilities on a
    scale that is unusually high; action required. AlertCon 4 reflects an
    Internet emergency for a target or group of targets whose business
    continuity may depend on some sort of immediate, decisive action. All
    summaries cover the 24 hours of the previous workday, GMT. Monday
    summaries may cover some weekend activity.

    Copyright 2001 Internet Security Systems, Inc. Permission is granted
    for the redistribution of the Internet Threat Update electronically.
    It is not to be sold or edited in any way without express consent of
    ISS. Refer comments or questions to dtreece@iss.net
    <mailto:dtreece@iss.net>. Disclaimer: This information is subject to
    change without notice. Use of this information constitutes acceptance
    for use in an "as is" condition. There are no warranties with regard
    to this information. In no event shall the author be liable for any
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the
    user's own risk. No other use authorized. FOIA Exemption 4.

    Dennis
    Dennis Treece
    Director,
    Global MSS Special Operations Group
    Internet Security Systems (ISS)
    6303 Barfield Road
    Atlanta, Georgia 30328
    404-236-4065
    Cell 404-667-9345
    Fax 404-236-2626

    Internet Security Systems -- The Power to Protect
