From: Treece, Dennis (ISS Atlanta) (DTreece@iss.net)
Date: Wed Sep 26 2001 - 10:36:40 CDT



    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Copyright 2001 Internet Security Systems (trademark) THE POWER TO
    PROTECT

    INTERNET THREAT & SOLUTIONS UPDATE for September 26th - 28th, 2001
    ISS X-Force Special Operations Group

    --------------------------------------
    CURRENT THREAT ASSESSMENT & THREAT FORECAST
    --------------------------------------

    AlertCon 1 Today, September 26th, 2001
    AlertCon 1 Projected for September 27th - 28th, 2001

    Today's Focus: Home Office/Small Office Security

    *************

    - We have reduced to AlertCon 1 for today and we're projecting
    AlertCon 1 for the next two days. AlertCon 1 means normal warfare on
    the Internet: it takes as given the usual malicious code,
    vulnerabilities, unpatched and misconfigured devices, script-kiddie
    attacks, hard-core hacker attacks, insider mischief, lack of training,
    and lack of staff in network and network security jobs.

    - The destructive virus W32.Vote.A@mm, also known as TROJ_VOTE.A,
    remains a concern, particularly for the home user but also for the
    corporate networks that have yet to get all users updated with the
    latest antivirus signatures.

    - Nimda, Code Blue and Code Red are also still out there and remain a
    strong reminder to continue aggressive patching and cleanup.

    --------------------------------------
    Recommended Security Focus
    --------------------------------------

    - Home and Home/Small Office Security. The so-called 'vote' virus is
    of course a real concern, and antivirus protection is one of the
    cornerstones of user protection, but it is not the end of the story.
    Nimda, Code Blue and Code Red are also still out there banging on our
    gates as many as seven thousand times an hour. It's impossible to tell
    for sure, but we suspect most of these infected machines are in small
    businesses and home offices that have trusted access to our large,
    monitored corporate networks. IT staffs are urged to take a hard look
    at their supply chains and sales staffs for unpatched desktops and
    laptops. All external devices must be considered hostile until you can
    be sure they are not.

    ---------------------------------------
    SOLUTIONS
    ---------------------------------------

    Home and Small Office Solutions:

    - The SANS Institute's Reading Room has some excellent recommendations
    for security basics in this area.
    <http://www.sans.org/infosecFAQ/homeoffice/homeoffice_list.htm>

    Antivirus Solutions:

    - Notify all users on your networks not to open e-mail attachments
    from any message with a subject line resembling 'Fwd:Peace BeTween
    AmeriCa And IsLam !', as this is the W32.Vote worm. Alert all users
    not to open any attachment resembling WTC.exe.

    - Force anti-virus updates and direct all users, particularly those
    with laptops, to power up and update their anti-virus before
    conducting any business with the computer. For updated anti-virus
    software, see the following sites:
    <http://www.symantec.com/avcenter/defs.download.html>

    <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VOTE.A>
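The two user-facing indicators above (the lure subject line and the WTC.exe attachment) can also be screened at the mail gateway so the attachment never reaches the user. The script below is an added example and not ISS code or part of the original update; it assumes messages arrive as raw RFC 822 bytes, that the subject can vary only in case, spacing and 'Fwd:' prefix, and that "resembling WTC.exe" covers double extensions such as wtc.txt.exe. The sample messages are constructed for the example.

```python
"""Mail-gateway screen for the W32.Vote indicators given in the ISS update.

Added example, not ISS code. The two indicators come from the update text:
  - a subject line resembling 'Fwd:Peace BeTween AmeriCa And IsLam !'
  - an attachment resembling WTC.exe
The sample messages built by build_sample() are constructed for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# The worm's subject uses odd casing and spacing, so compare case-insensitively
# on the words rather than on the exact string (assumption: variants differ
# only in case, spacing and prefix).
SUBJECT_PATTERN = re.compile(r"peace\s+between\s+america\s+and\s+islam",
                             re.IGNORECASE)

# "Resembling WTC.exe": a file named wtc... that ends in .exe, including
# double extensions such as wtc.txt.exe (assumption on what "resembling" means).
ATTACHMENT_PATTERN = re.compile(r"(?:^|[\\/])wtc[^\\/]*\.exe$", re.IGNORECASE)


def check_message(raw: bytes) -> List[str]:
    """Parse one RFC 822 message and return the indicators it matches.

    An empty list means neither indicator was found.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []

    subject = str(msg.get("Subject", ""))
    # Collapse runs of whitespace before matching so padded variants still hit.
    if SUBJECT_PATTERN.search(" ".join(subject.split())):
        hits.append(f"subject matches W32.Vote lure: {subject!r}")

    # iter_attachments() walks the MIME parts marked as attachments; a plain
    # single-part text message yields nothing here.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_PATTERN.search(name):
            hits.append(f"attachment matches WTC.exe indicator: {name!r}")
    return hits


def build_sample(subject: str, attachment_name: Optional[str]) -> bytes:
    """Construct a sample message (example data only, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if attachment_name:
        # Placeholder bytes stand in for the attachment body.
        msg.add_attachment(b"MZ placeholder, not a real executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "worm lure": build_sample("Fwd:Peace BeTween AmeriCa And IsLam !", "WTC.exe"),
        "double extension": build_sample("Photos", "wtc.txt.EXE"),
        "benign": build_sample("Quarterly report", "report.pdf"),
    }
    for label, raw in samples.items():
        print(label, "->", check_message(raw) or "clean")
```

Matching on the attachment name alone is deliberately narrow: it catches the indicator the update names without quarantining every executable, and the subject check gives a second, independent hit so a renamed attachment with the original lure subject is still flagged.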

    Nimda Solutions:

    - Re-install patches previously instructed by ISS and software vendors
    for IIS vulnerabilities, etc.

    - Get management involved to help you marshal the resources you need
    to patch everything and keep it patched. Remember that whenever an OS
    is installed or reinstalled without the patches also being applied,
    you have left gaping holes in your network. The same is true for
    anti-virus updates. All patches issued since the date of the OS you
    are installing must be manually researched and installed. The
    Microsoft 'mega patch' at the link below is a big help in this effort.

    - Users everywhere are reminded that one of the features of Nimda is
    that it booby-traps web sites at random throughout the Web. Opening an
    infected site invites Nimda infection via JavaScript. Networks with
    strong, updated gateway protection notify the user and strip the
    malicious logic from the packet stream. Small office and home networks
    may have less protection but should be moving rapidly towards
    commercial anti-virus solutions.

    - Microsoft's web site has the full solution set for its products at
    this site:
    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp>

    - All the major anti-virus vendors now have Nimda solutions. Aris has
    an excellent write-up on the worm and some further links to security
    solutions:
    <http://aris.securityfocus.com/alerts/nimda/010919-Analysis-Nimda.pdf>

    -------------------------------------
    Attack Signatures - global IDS, midnight - midnight, previous day, %
    of total
    -------------------------------------

    Unauth Access Attempts 55.36%
    Protocol Decode 36.16%
    Suspicious Activity 05.32%
    Denial of Service 01.81%
    Pre-Attack Probe 01.18%
    Back Doors 00.17%

    -------------------------------------
    Top Ten Destination Ports - global IDS, midnight - midnight, previous
    day, % of top ten (ports found at
    <http://www.iana.org/assignments/port-numbers>)
    -------------------------------------

    80 (http) 91.20%
    21 (ftp) 01.19%
    25 (smtp) 00.95%
    69 (tftp) 00.42%
    143 (imap) 00.13%
    123 (ntp) 00.11%
    32782 (unassigned) 00.10%
    443 (https) 00.10%
    12754 (unassigned) 00.07%
    15104 (unassigned) 00.04%
    139 (netbios-ss) 00.04%

    ---------------------------------------
    VIRUS, VULNERABILITY, NEWS UPDATES
    ---------------------------------------

    <http://www.iss.net/> under 'Global Internet Threat Intelligence
    Service'

    ---------------------------------------
    Web Defacements
    ---------------------------------------

    - Alldas.de is back on the net, reporting defacements from 9:26 PM EDT
    last night. Couldn't get in to their site so shot them a quick e-mail
    and they let me in.
    - Their stats show that since April 2000, the most defaced OS is
    Windows, with a total of 14,909 defacements reported, for 66% of the
    total. Linux is a distant second with 3,697 defacements for 16% of the
    total.

    ---------------------------------------
    NOTE, DISCLAIMER AND COPYRIGHT NOTICE
    ---------------------------------------

    NOTE: Our web site with this information in a more attractive format,
    with graphics, is available to the public at no cost at
    <http://www.iss.net/> under 'Global Internet Threat Intelligence
    Service'. Screen captures (Control/PrtSc) of the site's pages dropped
    into PowerPoint can be an effective way to communicate various aspects
    of the Internet threat, e.g. the graph depicting 'AlertCon Trends'.

    We provide this information on Internet threat metrics, viruses,
    vulnerabilities, patches, and breaking news, in the spirit of PDD 63,
    to help security professionals wage the war against Internet threats
    more effectively. Information in this update is derived primarily from
    global, real-time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
    and professional liaison. Other sources are as noted. AlertCon 1
    reflects the global, malicious, determined, 24 x 7 attacks experienced
    by all networks. AlertCon 2 means increased vigilance/action is
    recommended due to a specific threat or concern. AlertCon 3 means
    increased attacks against specific targets or vulnerabilities on a
    scale that is unusually high; action is required. AlertCon 4 reflects
    an Internet emergency for a target or group of targets whose business
    continuity may depend on some sort of immediate, decisive action. All
    summaries cover the 24 hours of the previous workday, GMT. Monday
    summaries may cover some weekend activity.

    Copyright 2001 Internet Security Systems, Inc. Permission is granted
    for the redistribution of the Internet Threat Update electronically.
    It is not to be sold or edited in any way without express consent of
    ISS. Refer comments or questions to dtreece@iss.net
    <mailto:dtreece@iss.net>. Disclaimer: This information is subject to
    change without notice. Use of this information constitutes acceptance
    for use in an 'as is' condition. There are no warranties with regard
    to this information. In no event shall the author be liable for any
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the
    user's own risk. No other use authorized. FOIA Exemption 4.

    Dennis
    Dennis Treece
    Director,
    Global MSS Special Operations Group
    Internet Security Systems (ISS)
    6303 Barfield Road
    Atlanta, Georgia 30328
    404-236-4065
    Cell 404-667-9345
    Fax 404-236-2626

    Internet Security Systems -- The Power to Protect

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5

    iQA/AwUBO7H2OeOOe/7N9KJeEQLlmgCg3jN92gU/O6fTSXdygrd5dveZVrsAniPl
    VaA2aRB9tGYsZJTM7gKaYYNi
    =X4B1
    -----END PGP SIGNATURE-----