From: Treece, Dennis (ISS Atlanta) (DTreeceiss.net)
Date: Wed Apr 10 2002 - 12:08:05 CDT



    INTERNET THREAT UPDATE for 04-10-2002
    ISS X-Force Internet Threat Intelligence Center

    www.iss.net - Click on AlertCon logo for more information.

    ********************************************
    ALERTCON 1
    Projected: AlertCon 1
    ********************************************

    ALERTCON 1 - AlertCon 1 reflects the malicious, determined, global,
    24 x 7 attacks experienced by all networks. At AlertCon 1 risk level an
    unprotected device running common commercial software will be compromised
    within a day of connecting it to the Internet.

    Vulnerabilities:

    Microsoft has released a cumulative patch which, in addition to fixing
    previous issues relating to Active Server Pages (ASP) and buffer overruns in
    ISAPI, addresses new vulnerabilities found in IIS 4.0, 5.0 and/or 5.1.

    Still existing vulnerabilities not covered in the above-mentioned advisory:

        1. Opening group policy files for exclusive read blocks policy
           application. Affected software: Windows 2000 Server, Windows 2000
           Advanced Server, and Windows 2000 Datacenter Server.
        2. Unchecked buffer in the Multiple UNC Provider could enable code
           execution. Affected software: NT 4.0 Workstation, NT 4.0 Server,
           NT 4.0 Server, Enterprise Edition, NT 4.0 Terminal Server Edition,
           Windows 2000 Professional, Windows 2000 Server, Windows 2000
           Advanced Server, and Windows XP Professional.

    VIRUSES/WORMS: MYLIFE.G is another variant of the MYLIFE worm released in
    March. This UPX-compressed worm, upon execution, copies itself to the
    Windows System Directory and deletes files.

    ********************************************
    RECOMMENDATIONS
    ********************************************

    For the Microsoft Security Bulletins:

    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-018.asp>

    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-016.asp>

    <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-017.asp>

    For information on the MYLIFE.G worm, please see:
    <http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYLIFE.G&VSect=T>

    Information regarding viruses and worms please see:
    <https://gtoc.iss.net/viruses.php>

    ********************************************

    FACTOID: Internet-based threats rose significantly in 2001 and continued to
    climb through the early months of 2002, according to a new report.
    Traditional incidents such as virus and Denial of Service attacks remained
    at or above previous levels, but automated scripts against common
    vulnerabilities are now the most significant online risk, said Internet
    Security Systems (ISS). See the full report at
    <https://gtoc.iss.net>

    Financial losses from cyber crimes shot up for the third year in a row.
    Ninety percent of respondents detected computer security breaches within the
    past 12 months. See the full report at
    <http://www.gocsi.com/press/20020407.html>

    ********************************************
    ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous
    day, % of total
    ********************************************

    Suspicious Activity 50.68%
    Protocol Decode 30.40%
    Unauthorized Access Attempt 10.91%
    Denial Of Service 04.98%
    Pre-Attack Probe 03.01%
    Back Door 00.01%

    ********************************************
    TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight,
    previous day, % of top ten (ports found at)
    <http://www.networkice.com/Advice/Exploits/Ports/default.htm>
    ********************************************

    80 (http) 73.28%
    161 (SNMP) 12.48%
    21 (ftp) 06.31%
    23 (telnet) 01.90%
    69 (tftp) 01.51%
    25 (smtp) 01.21%
    162 (SNMPTrap) 00.98%
    139 (NetBIOS) 00.87%
    1500 (VLSI) 00.73%
    22 (ssh) 00.72%

    Once again we see the majority of malicious activity using port 80. There is
    a definite lesson there for anyone trying to mitigate Internet risk.
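    The two tables above use different denominators: the signature ranking is a
    share of all events in the previous day's GMT window, while the port table is
    a share of the top ten ports only. The following script, an added example
    that is not part of the ISS bulletin, reproduces both calculations from a
    constructed set of IDS alert lines (the line format and the sample events are
    assumptions for the example, not the ISS feed format).

```python
from collections import Counter

# Constructed sample of IDS alert records for this example (not real ISS feed
# data). One event per line: UTC timestamp, signature category, destination port.
SAMPLE_ALERTS = """\
2002-04-09T00:12:03Z Suspicious_Activity 80
2002-04-09T01:47:19Z Protocol_Decode 80
2002-04-09T03:21:08Z Suspicious_Activity 161
2002-04-09T05:09:42Z Unauthorized_Access_Attempt 21
2002-04-09T06:58:11Z Protocol_Decode 80
2002-04-09T08:14:37Z Suspicious_Activity 161
2002-04-09T12:45:50Z Suspicious_Activity 80
2002-04-09T15:02:16Z Pre-Attack_Probe 21
2002-04-09T18:36:04Z Protocol_Decode 161
2002-04-09T22:59:48Z Suspicious_Activity 80
2002-04-10T00:00:30Z Back_Door 1500
"""

def parse_alerts(text):
    """Parse the constructed line format into (timestamp, category, port) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, category, port = parts
        events.append((ts, category, int(port)))
    return events

def events_for_day(events, day):
    """Keep the midnight-to-midnight GMT window for one day (YYYY-MM-DD)."""
    return [e for e in events if e[0].startswith(day)]

def signature_ranking(events):
    """Per-category share of ALL events: the bulletin's '% of total' column."""
    counts = Counter(cat for _, cat, _ in events)
    total = sum(counts.values())
    return [(cat, round(100.0 * n / total, 2)) for cat, n in counts.most_common()]

def top_ports(events, n=10):
    """Top-n ports as a share of the top-n total only (the bulletin's '% of top
    ten'), so these shares say nothing about ports outside the top n."""
    counts = Counter(port for _, _, port in events)
    top = counts.most_common(n)
    top_total = sum(c for _, c in top)
    return [(port, round(100.0 * c / top_total, 2)) for port, c in top]

if __name__ == "__main__":
    day = events_for_day(parse_alerts(SAMPLE_ALERTS), "2002-04-09")
    print(signature_ranking(day), top_ports(day, n=2))
```

    With n=2 port 80 shows as 62.5% of the top two but only 50% of all events, which is the difference a reader of the port table has to keep in mind.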

    ********************************************
    BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER
    ********************************************

    Background. We provide this information in the spirit of PDD 63 to
    help security professionals wage the war against Internet threats
    more effectively. Information in this update derived primarily from
    global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
    and professional liaison. Other sources as noted. AlertCon 1 reflects
    the global, malicious, determined, 24 x 7 attacks experienced by all
    networks. AlertCon 2 means increased vigilance/action recommended due
    to a specific threat or concern. AlertCon 3 means increased attacks
    against specific targets or vulnerabilities on a scale that is
    unusually high, action required. AlertCon 4 reflects an Internet
    emergency for a target or group of targets whose business continuity
    may depend on some sort of immediate, decisive action. All summaries
    cover 24 hours the previous workday, GMT. Monday summaries may cover
    some weekend activity.

    Copyright 2002 Internet Security Systems, Inc. Permission is granted
    for the redistribution of the Internet Threat Update electronically.
    It is not to be sold or edited in any way without express consent of
    ISS. Refer comments or questions to: pgrayiss.net or dtreeceiss.net

    Disclaimer: This information is subject to change without notice. Use
    of this information constitutes acceptance for use in an 'as is'
    condition. There are no warranties with regard to this information.
    In no event shall the author be liable for any damages whatsoever
    arising out of or in connection with the use or spread of this
    information. Any use of this information is at the user's own risk.
    No other use authorized. FOIA Exemption 4.

                                    Dennis
                                    Dennis Treece
                                    Director,
                                    X-Force Special Operations Group
                                    Internet Security Systems (ISS)
                                    6303 Barfield Road
                                    Atlanta, Georgia 30328
                                    404-236-4065
                                    Cell 404-667-9345
                                    Fax 404-236-3255

                                    Internet Security Systems -- The Power to Protect

    Confidentiality Notice: This message is being sent by a network security
    professional. It is intended exclusively for the individual to whom it is
    addressed. This communication may contain information that is proprietary,
    privileged or confidential.