Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Possible new wave of worms, TCP reset tool for Windows released, New IIS 5 SSL Remote Root Exploit - patch now.

Published: 2004-04-21
Last Updated: 2004-04-22 02:59:01 UTC
by Davis Sickmon (Version: 1)
0 comment(s)
Today 3 new versions of NetSky, and one new version of MyDoom was released into the wild. Over the past week, that makes a total of 5 new Netsky (.V - .Z) versions, two new MyDooms (.I & .J), and a Blaster (.T) (along with all the other new stuff like W32.Opasa and other updated worms) This could be an indication of another increase in activity among these worms that already have a history of high activity.

http://securityresponse.symantec.com/avcenter/vinfodb.html

While anti-virus software is important, because of the frequency of and the game of oneupmanship that's occurring, it's just as important to make sure users understand safe practices while dealing with these, and that OS and application level patches are kept up to date, along with the obvious anti-virus updates.

A new TCP Reset vulnerability toy was released for Windows today. Existing snort signatures based on previous tools may not pick this one up, so keep an eye out for new signatures based on this one. While tools to exploit the TCP Reset situation have been released, the Infocon is remaining at Green for the moment. The Windows release of a tool does indicate that a broader range of less-skilled attackers can now make use of it, but use of these tools has not become widespread enough to necessitate change in the Infocon status. We'll be keeping an eye on the situation, and change the Infocon status if the situation necessitates it.

A new IIS 5 SSL Remote Root exploit tool has been released - this has elevated the situation from a DoS situation to root access. Be sure to install the MS04-011 Security Update or be prepared to rebuild the IIS server later. The tool is new so full impact of this one may not be felt for a couple of days. The MS04-011 Update is also important because this particular exploit, now that it's moved to root access, has a very high likelihood of someone writing a new worm (or as the current trend is, patch one of the current worms or bots) to take advantage of this one.

There have also been a mention of probes and scans to ports 1024 - 1029. However, this does not appear to be widespread based on the current port trends, except for port 1024, which is probably unrelated traffic:

http://isc.sans.org/port_details.php?port=1024&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=

But if you happen to be seeing a new trend for 1024 - 1029, it may be worth mentioning. Same goes for increased activity for the TCP Reset vulnerability and IIS 5 SSL DoS and exploit situations.

----
Handler on Duty, Davis Ray Sickmon, Jr ( http://www.midnightryder.com )
Keywords:
0 comment(s)
Diary Archives