
SANS ISC InfoSec Handlers Diary Blog



Milw0rm offline

Published: 2009-07-08
Last Updated: 2009-07-09 19:11:23 UTC
by Marcus Sachs (Version: 3)
2 comment(s)

We've received multiple emails today from readers who cannot reach Milw0rm.  The site's owner, str0ke, left this message on the site yesterday:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting people's work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

Update: Well, it wasn't gone for too long.  str0ke brought the site back up with this message:

"milw0rm's back up & posting will start once again, I can't let all of the emails in my submit box to just sit there"

--Joel

Update 2:  Many people have written in, continuing to say that they can't get to milw0rm right now.  According to str0ke, the box that is hosting the page is being hit so hard, they can't keep it running.

--Joel


Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: milw0rm

RFI: DDoS Against Government and Civilian Web Sites

Published: 2009-07-08
Last Updated: 2009-07-09 02:34:21 UTC
by Marcus Sachs (Version: 5)
9 comment(s)

We are aware of an ongoing DDoS against several high-profile web sites.  Public details are in these online stories:

http://blogs.csoonline.com/online_attack_hits_us_government_web_sites

http://hosted.ap.org/dynamic/stories/U/US_CYBER_ATTACK

There have also been sketchy reports that South Korean websites are experiencing outages.  We are looking for any additional information, especially technical reports or packet captures.  Please use our contact page.

UPDATE 1:  Several news agencies are reporting that attacks in South Korea are ongoing.  There are some allegations that North Korea is involved but we have not seen any technical attribution.  Shadowserver's DDoS charts clearly show the increases in DDoS traffic.  (see update 3 below)

UPDATE 2: Speculation on who is behind this series of attacks based on the evidence we have seen is just that, speculation. Given the mountain of evidence we have to review, judgements on attribution or motivations would be inaccurate at best and irresponsible at worst. As we analyze all the data we will hopefully be able to provide more clarity into these attacks. There appear to be many malicious binaries responsible for this activity; some of these binary files appear to have different target lists. - AndreL

UPDATE 3:  The good people over at Shadowserver wrote to tell us that the spike in their DDoS graph is not related to the US/KR attacks.  They said that the timing is just coincidental and that they have no specific statistics on the US/KR event.

UPDATE 4:  Trend Micro and PandaLabs have posted lists of sites that are being attacked, as well as some other information.  You can get this information at the links below. - AndreL

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.EA&VSect=T

http://pandalabs.pandasecurity.com/archive/DDoS-attacking-US-and-South-Korea-government-sites-.aspx


Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: DDoS

Safari 4.0.2 update published

Published: 2009-07-08
Last Updated: 2009-07-08 23:28:10 UTC
by Andre Ludwig (Version: 1)
0 comment(s)

It looks like Apple released Safari 4.0.2 for OS X and Windows platforms.

It would appear that this new version addresses the following security related issues in WebKit (as well as some performance increases in the Nitro JS engine).

Detailed information can be found at Apple's KB article: http://support.apple.com/kb/HT3666


CVE-ID: CVE-2009-1724
Impact:  Visiting a maliciously crafted website may lead to a cross-site scripting attack.
Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.

CVE-ID: CVE-2009-1725
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.
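Apple's note says only that WebKit's handling of numeric character references could lead to memory corruption; it gives no detail of the defect. The code below is an added example, not WebKit's code and not a reproduction of CVE-2009-1725: it shows what a bounds-checked decoder for `&#NNNN;` and `&#xHHHH;` references looks like in C. The accumulator stops growing once the value is already out of the Unicode range (so a long digit run cannot wrap a 32-bit counter back into range), surrogates, NUL and code points above U+10FFFF are rejected, and nothing is ever written past the caller's output buffer. The function names and the sample input in `main` are the example's own, not taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_CODEPOINT 0x10FFFFu

/* Encode cp as UTF-8 into out (capacity out_len). Returns the number of
 * bytes written, or 0 if cp is not a valid scalar value or out is too small. */
static size_t utf8_encode(uint32_t cp, unsigned char *out, size_t out_len)
{
    size_t need;
    if (cp > MAX_CODEPOINT || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (need > out_len) return 0;            /* caller's buffer is too small */
    switch (need) {
    case 1: out[0] = (unsigned char)cp; break;
    case 2: out[0] = (unsigned char)(0xC0 | (cp >> 6));
            out[1] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    case 3: out[0] = (unsigned char)(0xE0 | (cp >> 12));
            out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            out[2] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    default: out[0] = (unsigned char)(0xF0 | (cp >> 18));
            out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
            out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            out[3] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    }
    return need;
}

/* Parse one numeric character reference at s[0..s_len). On success stores
 * the code point in *cp and returns the number of input bytes consumed
 * (including the terminating ';'). Returns 0 if the reference is malformed,
 * unterminated, or names NUL, a surrogate, or a value above U+10FFFF. */
size_t parse_ncr(const char *s, size_t s_len, uint32_t *cp)
{
    size_t i = 2;
    uint32_t v = 0;
    int hex = 0, ndigits = 0;

    if (s_len < 4 || s[0] != '&' || s[1] != '#') return 0;
    if (s[2] == 'x' || s[2] == 'X') { hex = 1; i = 3; }

    for (; i < s_len && s[i] != ';'; i++) {
        unsigned char c = (unsigned char)s[i];
        uint32_t d;
        if (hex && isxdigit(c))
            d = isdigit(c) ? (uint32_t)(c - '0') : (uint32_t)(tolower(c) - 'a' + 10);
        else if (!hex && isdigit(c))
            d = (uint32_t)(c - '0');
        else
            return 0;                        /* junk inside the reference */
        /* Once the value is already out of range, stop accumulating: a long
         * digit run must not wrap the 32-bit accumulator back into range. */
        if (v <= MAX_CODEPOINT) v = v * (hex ? 16u : 10u) + d;
        ndigits++;
    }
    if (i >= s_len || ndigits == 0) return 0; /* no ';' or no digits at all */
    if (v == 0 || v > MAX_CODEPOINT || (v >= 0xD800 && v <= 0xDFFF)) return 0;
    *cp = v;
    return i + 1;                            /* digits plus the ';' */
}

/* Decode every numeric character reference in in[0..in_len) into out,
 * copying other bytes through unchanged and leaving invalid references as
 * literal text. out is always NUL-terminated on success. Returns the output
 * length, or (size_t)-1 if out_len cannot hold the result. */
size_t decode_ncrs(const char *in, size_t in_len, char *out, size_t out_len)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint32_t cp = 0;
        size_t used = (in[ip] == '&') ? parse_ncr(in + ip, in_len - ip, &cp) : 0;
        if (used) {
            /* reserve one byte for the terminating NUL */
            size_t room = out_len > op + 1 ? out_len - op - 1 : 0;
            size_t n = utf8_encode(cp, (unsigned char *)out + op, room);
            if (n == 0) return (size_t)-1;
            op += n; ip += used;
        } else {
            if (op + 1 >= out_len) return (size_t)-1;
            out[op++] = in[ip++];
        }
    }
    out[op] = '\0';
    return op;
}

int main(void)
{
    /* constructed sample: valid decimal, valid hex, a rejected surrogate */
    const char *sample = "a&#65;&#x1F600;&#xD800;b";
    char buf[64];
    size_t n = decode_ncrs(sample, strlen(sample), buf, sizeof buf);
    if (n == (size_t)-1) { puts("output buffer too small"); return 1; }
    printf("%zu bytes: %s\n", n, buf);
    return 0;
}
```

The surrogate reference in the sample is left as literal text rather than silently turned into bytes, which is the conservative choice for a decoder whose output may be fed to another parser; a browser would substitute U+FFFD instead.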

You can get the new version of Safari at the URL below.

http://www.apple.com/downloads/macosx/apple/application_updates/safari.html

Keywords: safari