Alert: Global Threat Monitoring effort
Subject: Alert: Global Threat Monitoring effort
From: Russ (Russ.Cooper@RC.ON.CA)
Date: Thu Dec 23 1999 - 08:53:46 CST
- Next message: C. R. Messina: "MS Access commanline stack overflow"
- Previous message: Ussr Labs: "Remote D.o.S Attack in DNS PRO v5.7 WinNT From FBLI Software Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----BEGIN PGP SIGNED MESSAGE-----
The Christmas/New Year's holiday period represents the time when more
machines are left unattended for longer than any other time of the
year.
I've been asked by Steve Northcutt to participate in a SANS effort to
monitor and analyze suspicious activity from now until Jan. 5, 2000.
See http://www.sans.org/newlook/resources/flashadv.htm for Steve's
original note about this effort, and http://www.sans.org/y2k.htm for
the on-going analysis reports of activity.
*My* concern is that there may be a distributed attack leveraging
idle systems in a coordinated fashion. It could manifest itself in a
Denial of Service attack which I term a "panic attack", tickling
systems in critical infrastructure in the hope that the media takes
reports from various sites and ERRONEOUSLY concludes some concerted
effort is underway. The resulting media report could cause a frenzy
of unnecessary panic, boosting that media outlet's distribution at
the expense of public confidence.
Ok, there, I've said it...;-]
Given the number of cable modem sites which are largely undefended
and not monitored, combined with idle corporate machines behind
flimsy router ACLs...you can see the potential.
If you're with the media, please try and convey points 1 & 2 below to
your audiences.
If you're with an AV vendor, please contact me and ensure I have a
rapid response address to submit virus/trojan/worm samples to.
If you're part of a monitoring team and working over the period,
please let me know if you see any suspicious activity (or contact the
SANS address intrusion@sans.org).
What to do?
----------
While it's possible that some new exploit method may be used to load
trojans onto boxes like these, it's far more likely that any attack is
going to come in the form of an executable attachment in email. It
could use scripting in HTML-based mail, but given how willing people
are to double-click on an attachment, there's little need to make it
that complex.
So here's what you can do for me, from now until Jan. 5, 2000, to
help minimize the potential for harm.
1. Tell everyone you know to avoid opening any attachments they
receive in email. Don't get into trying to explain how to determine
the risk of opening attachments, just tell them not to for this
period. My concern is not viruses, but trojan installation over the
period allowing the attacked machine to be used as part of a
distributed attack.
2. Turn off your computers as much as possible over the period. If
the machine isn't on, it won't be contributing to any malicious
efforts, be it responding to incoming mail with an infected email, or
used as a node in a distributed attack.
3. If you're a Network Administrator, enable logging as much as
possible. If your site becomes part of some identified attack, your
logs are going to be crucial to the investigative effort. Be it NT
Event Logging, Router logging, or Netmon traces, any and all logs
will be helpful. All logs will be treated with the highest
confidentiality.
Some of you might remember the Teardrop2 attack last year. That
attack targeted 50 or so domains simultaneously and used a spoofed
source address. If it were not for the logs of targeted sites, it
would have been impossible to determine the actual source. As it was,
it still took nearly 2 days to identify the source machine and shut
it down. We want to avoid something like this happening again, and at
the very least, be able to get it stopped in a much shorter period of
time.
This effort is not intended to replace any existing efforts by other
Response Teams. We hope that we'll be able to provide more people
with more information faster, and help spread the load that groups
may face over this period.
I will be trying to keep NTBugtraq traffic to a minimum over this
period, focusing on the most important issues to avoid cluttering
your inboxes. However, should we see attacks arise that appear to be
distributed, I will likely provide blow-by-blow coverage to give you
as much information as possible. If there is anything else that
NTBugtraq can do to help you over this period, drop me a note.
Cheers,
Russ - NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBOGI4iRBh2Kw/l7p5AQGoNwP+OdGPsX0pKmUOu4AM8V1F6mzzE2Cjwhne
O5pAuSF0rq2DxQbBTFeS/jucN7oN/8vF6yJtu6AnF9Gf5ElfFvC/wjnjeo2GRKmt
t1MZFR/TBvRG5El+l72ePqH0Qkpvfn4/yZthJHVpt2DV5Tfrm/iezFqETQRmswdb
ZENGHWoDeQs=
=aPLF
-----END PGP SIGNATURE-----
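The third recommendation in the message, logging at every site so that a distributed attack can be reconstructed from the pooled logs, is easier to act on with a concrete correlation step in hand. The following is an added example and is not code from the original message, from SANS or from NTBugtraq: it reads constructed log lines from several hypothetical monitored sites and flags any event type that several sites report within the same short time window, listing the source address each site saw. The one-line-per-event format, the site names, the addresses and the event names are assumptions made for illustration only.

```python
"""Correlate logs pooled from several monitored sites and flag activity
that hits many sites in the same short window.

Added example for this page; not the message author's, SANS's or
NTBugtraq's code.  Log format, site names, addresses and event names are
constructed for illustration and do not describe any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified line format forwarded by each contributing site:
#   <site> <ISO-8601 timestamp> <source ip> <destination ip> <event>
# Real NT Event Log, router syslog or Netmon output would need its own
# parser that normalises to the same fields.
SAMPLE_LOGS = """\
siteA 1999-12-24T03:00:01 10.9.9.9 192.0.2.10 frag-overlap
siteB 1999-12-24T03:00:02 10.9.9.9 198.51.100.7 frag-overlap
siteC 1999-12-24T03:00:05 10.9.9.9 203.0.113.44 frag-overlap
siteA 1999-12-24T03:00:07 10.9.9.9 192.0.2.10 frag-overlap
siteD 1999-12-24T03:00:09 10.9.9.9 192.0.2.99 frag-overlap
siteA 1999-12-24T09:15:30 172.16.5.2 192.0.2.10 smtp-attachment
siteB 1999-12-24T11:42:00 172.16.7.9 198.51.100.7 failed-logon
"""

# Fixed reference point so bucket boundaries do not depend on local timezone.
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Split one constructed log line into a record dict."""
    site, stamp, src, dst, event = line.split()
    return {
        "site": site,
        "time": datetime.fromisoformat(stamp),
        "src": src,
        "dst": dst,
        "event": event,
    }


def parse_logs(text):
    """Parse all non-empty lines of pooled log text."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_coordinated(records, window=timedelta(seconds=30), min_sites=3):
    """Return event/window buckets reported by at least `min_sites` sites.

    Records are grouped by (event name, fixed time bucket of `window`
    length).  A bucket counts as coordinated when distinct sites, not
    merely distinct lines, reach `min_sites`.  Fixed buckets can split a
    burst straddling a boundary; widen `window` if that matters.
    """
    width = window.total_seconds()
    buckets = defaultdict(list)
    for rec in records:
        bucket = int((rec["time"] - EPOCH).total_seconds() // width)
        buckets[(rec["event"], bucket)].append(rec)

    hits = []
    for (event, bucket), recs in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        sites = sorted({r["site"] for r in recs})
        if len(sites) >= min_sites:
            hits.append({
                "event": event,
                "start": EPOCH + timedelta(seconds=bucket * width),
                "sites": sites,
                # Source addresses as the victims logged them; in a flood
                # these may be spoofed, so they are a lead, not attribution.
                "claimed_sources": sorted({r["src"] for r in recs}),
                "count": len(recs),
            })
    return hits


def format_hits(hits):
    """Render hits as one summary line each for an incident note."""
    return [
        "%s %s at %d site(s) %s, %d events, claimed source(s) %s"
        % (h["start"].isoformat(), h["event"], len(h["sites"]),
           ",".join(h["sites"]), h["count"], ",".join(h["claimed_sources"]))
        for h in hits
    ]


if __name__ == "__main__":
    for line in format_hits(find_coordinated(parse_logs(SAMPLE_LOGS))):
        print(line)
```

The single flagged bucket in the constructed sample is the kind of signal the message asks for: the same fragmentation event at four sites inside ten seconds, all logging the same claimed source. As the Teardrop2 account above points out, that claimed address may be spoofed, so the output is a cue to pull router logs upstream of the victims and to hand the pooled evidence to the response team, not a conclusion about who sent the traffic.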
This archive was generated by hypermail 2b27 : Thu Dec 23 1999 - 08:56:05 CST