
SANS ISC InfoSec Handlers Diary Blog


Move to Yellow, Potential PCT worm, No Osama has NOT been captured, New Virus, Symantec Firewall Vulnerability

Published: 2004-04-23
Last Updated: 2004-04-24 03:18:00 UTC
by Deborah Hale (Version: 1)

Potential Microsoft PCT worm (MS04-011)

In response to observed active exploitation [1] of the PCT vulnerability [2] announced in Microsoft Bulletin MS04-011 [3], some AV vendors have raised their alert status. The IT-ISAC reports that some IDS are "detecting and blocking attacks against many institutions. The attacks are attempting to steal data and/or break into payment systems."

US-CERT has reported that it is "aware of network activity that is consistent with scanning and/or exploit attempts against this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp."

REN-ISAC monitoring of port 443 traffic [4] on the Internet2 Abilene network does indicate elevated levels of activity.

According to the US-CERT overview of the vulnerability: "A vulnerability exists in the Private Communications Transport (PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Exploitation of this vulnerability may permit a remote attacker to compromise the system.

An exploit for this issue is currently being used to compromise vulnerable systems running SSL-enabled IIS 5.0. Note the vulnerability exists in any SSL-enabled program which is running on vulnerable Windows systems. Windows 2003 Server is not affected if PCT is disabled."

Applying MS04-011 closes the vulnerability this exploit targets. Where the patch cannot be applied immediately, PCT can be disabled on the server side by setting the Enabled DWORD to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server and rebooting; this removes the attack surface but is a workaround, not a substitute for the patch. [1] [2] [3] [4]
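To make the indicators US-CERT describes (443/tcp sweeps followed by a command shell on 31337/tcp) checkable against your own logs, here is an added example; it is not code from the diary, from US-CERT, or from any vendor. It reads connection-log lines in an assumed, constructed format of "timestamp src dst dport proto", flags sources that touch many distinct hosts on 443/tcp, and flags every connection to 31337/tcp, pairing it with a 443/tcp hit on the same target in the preceding five minutes as a probable exploit-then-shell chain. The sample log, the scan threshold and the time window are all constructed assumptions.

```python
"""Flag the MS04-011 PCT exploit pattern in simple connection logs.

Added example, not from the ISC diary or from US-CERT. Assumed log format
(constructed for this example): "<UTC timestamp> <src> <dst> <dport> <proto>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

PCT_PORT = 443      # PCT is negotiated over the SSL port
SHELL_PORT = 31337  # the known exploit binds a command shell here

# Constructed sample: 10.9.8.7 sweeps six hosts on 443 and then reaches a
# shell on one of them; 198.51.100.4 is ordinary traffic; 203.0.113.9 hits
# 31337 with no preceding 443 contact (still worth a look, but not a chain).
SAMPLE_LOG = """\
2004-04-23T14:02:01Z 10.9.8.7 192.0.2.10 443 tcp
2004-04-23T14:02:02Z 10.9.8.7 192.0.2.11 443 tcp
2004-04-23T14:02:03Z 10.9.8.7 192.0.2.12 443 tcp
2004-04-23T14:02:04Z 10.9.8.7 192.0.2.13 443 tcp
2004-04-23T14:02:05Z 10.9.8.7 192.0.2.14 443 tcp
2004-04-23T14:02:06Z 10.9.8.7 192.0.2.15 443 tcp
2004-04-23T14:02:40Z 10.9.8.7 192.0.2.12 31337 tcp
2004-04-23T14:05:00Z 198.51.100.4 192.0.2.20 443 tcp
2004-04-23T14:05:01Z 198.51.100.4 192.0.2.20 80 tcp
2004-04-23T14:30:00Z 203.0.113.9 192.0.2.30 31337 tcp
"""


def parse_line(line):
    """Split one assumed-format log line into a dict with a parsed timestamp."""
    ts, src, dst, dport, proto = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "proto": proto.lower(),
    }


def analyze(log_text, scan_threshold=5, shell_window=timedelta(minutes=5)):
    """Return scanners, raw 31337 contacts, and 443->31337 chains.

    scan_threshold: distinct hosts a source must touch on 443/tcp to count
    as a sweep. shell_window: how long after a 443 contact a 31337 contact
    to the same target is still treated as the exploit's bind shell.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    targets_on_443 = defaultdict(set)  # src -> hosts it touched on 443
    last_443 = {}                      # (src, dst) -> latest 443 contact
    scanners, shells, chains = set(), [], []

    for e in events:
        if e["proto"] != "tcp":
            continue
        key = (e["src"], e["dst"])
        if e["dport"] == PCT_PORT:
            targets_on_443[e["src"]].add(e["dst"])
            last_443[key] = e["ts"]
            if len(targets_on_443[e["src"]]) >= scan_threshold:
                scanners.add(e["src"])
        elif e["dport"] == SHELL_PORT:
            shells.append((e["src"], e["dst"], e["ts"]))
            prior = last_443.get(key)
            if prior is not None and e["ts"] - prior <= shell_window:
                chains.append((e["src"], e["dst"]))

    return {"scanners": scanners, "shells": shells, "exploit_chains": chains}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src in sorted(report["scanners"]):
        print(f"443/tcp sweep from {src}")
    for src, dst, ts in report["shells"]:
        print(f"31337/tcp contact {src} -> {dst} at {ts:%H:%M:%S}")
    for src, dst in report["exploit_chains"]:
        print(f"probable PCT exploit + shell: {src} -> {dst}")
```

The 31337/tcp check is tied to the one exploit in circulation; a variant can bind its shell anywhere, so the 443/tcp sweep detection is the more durable of the two signals, and a 443-then-high-port pattern to the same target is the thing to generalise if you adapt this to flow data.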

Possible New Virus

We have received several reports today of a possible new virus. Reporters describe it as first noticeable by a slowdown of the server and ending in database corruption. We are also receiving reports of network scans on port 443. This is likely to be an interesting weekend as all of these surface. Stay tuned for more information.

Osama Bin Laden Captured (hoax)

An email is circulating on the internet today that claims to be from CNN or the BBC and reports that Osama bin Laden has been captured. He has not; the message is a lure. The email uses an MHTML redirection exploit to download a file, pics.chm, which in turn contains and executes a Trojan. McAfee identifies this as Exploit-MhtRedir.gen and Norton identifies it as Backdoor.Nibu.D. Once executed, the Trojan attempts to steal passwords and bank account information.

Symantec Firewall Vulnerability

eEye Digital Security has discovered a severe denial of service vulnerability in the Symantec Client Firewall products for Windows. The vulnerability allows a remote attacker to reliably render a system inoperative with one single packet. Physical access is required in order to bring an affected system out of this "frozen" state. This specific flaw exists within the component that performs low-level processing of TCP packets.

Possible move to Yellow

We are closely monitoring the IIS exploit and may move to Yellow this evening.

Thanks to all for their contributions.

Deb Hale

Handler on Duty