CERT Quarterly Summary for November, 2000
CERT(R) Summary CS-2000-04
November 20, 2000
Each quarter, the CERT(R) Coordination Center (CERT/CC) issues the CERT
Summary to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
Past CERT summaries are available from:
CERT Summaries
http://www.cert.org/summaries/
______________________________________________________________________
Recent Activity
Since the last regularly scheduled CERT summary, issued in August
(CS-2000-03), we have seen continued compromises via rpc.statd and
FTPd. We have also seen a number of sites compromised by exploiting a
vulnerability in the IRIX telnet daemon. Notable virus activity
includes the Loveletter.as worm and the QAZ worm.
For more current information on activity being reported to the
CERT/CC, please visit the CERT/CC Current Activity page. The Current
Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being
reported to the CERT/CC. The information on the Current Activity page
is reviewed and updated as reporting trends change.
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
1. Compromises Via an Input Validation Vulnerability in rpc.statd
Over the past several months we have received multiple daily
reports of sites being root compromised via a vulnerability in
rpc.statd. We have also received a number of reports indicating
that intruders are performing widespread scanning for this
vulnerability and using toolkits to automate the compromise of
vulnerable machines. Sites, especially those running Linux, are
encouraged to review the documents below.
CERT Advisory CA-2000-17,
Input Validation Problem in rpc.statd
http://www.cert.org/advisories/CA-2000-17.html
CERT Incident Note IN-2000-10,
Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
http://www.cert.org/incident_notes/IN-2000-10.html
2. Compromises Via the 'SITE EXEC' Vulnerability in FTPd
The CERT/CC continues to receive regular reports of intruders
probing large network blocks for vulnerable FTP servers, and
compromising machines found to be vulnerable to the 'SITE EXEC'
vulnerability. Sites are strongly encouraged to follow the
advice contained in CA-2000-13 and IN-2000-10 to protect systems
running FTP servers.
CERT Advisory CA-2000-13,
Two Input Validation Problems In FTPD
http://www.cert.org/advisories/CA-2000-13.html
CERT Incident Note IN-2000-10,
Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
http://www.cert.org/incident_notes/IN-2000-10.html
3. Compromises Via a Vulnerability in the IRIX Telnet Daemon
We have received reports of intruder activity involving the telnet
daemon on SGI machines running the IRIX operating system.
Intruders are actively exploiting a vulnerability in telnetd that
is resulting in a remote root compromise of victim machines. Sites
running IRIX are encouraged to review IN-2000-09.
CERT Incident Note IN-2000-09,
Systems Compromised Through a Vulnerability in the IRIX telnet daemon
http://www.cert.org/incident_notes/IN-2000-09.html
4. VBS/Loveletter.AS Worm
The CERT/CC has been receiving reports from users infected by the
VBS/Loveletter.AS worm for several weeks. VBS/LoveLetter.AS is
known to spread in email messages with the following
characteristics:
Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
Body: VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
Attachment: (random_name.ext).vbs
Copies of the virus that have been reported to us contain the
following comment:
rem "Plan Colombia" virus v1.0
When the worm is executed, it makes several registry
modifications, attempts to download additional files, and replaces
files of certain types, similar to the behavior of the
VBS/Loveletter.A virus. For information on how to prevent or
recover from a Loveletter infection, please see CA-2000-04.
CERT Advisory CA-2000-04,
Love Letter Worm
http://www.cert.org/advisories/CA-2000-04.html
Additional information about this virus can be found by visiting
the sites listed on our Computer Virus Resources page.
Computer Virus Resources
http://www.cert.org/other_sources/viruses.html
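A mail-gateway check for the Loveletter.AS indicators listed above (subject, body, a double-extension .vbs attachment and the "Plan Colombia" comment), added here as an example and not CERT/CC code; the sample message is constructed from those characteristics and the addresses in it are placeholders.

```python
"""Flag messages matching the VBS/Loveletter.AS indicators from CS-2000-04.

Added example, not CERT/CC code. SAMPLE_MESSAGE and CLEAN_MESSAGE are
constructed; only the subject, body text, attachment pattern and the
'rem "Plan Colombia"' comment come from the summary.
"""
import email
from email import policy

LOVELETTER_AS_SUBJECT = "US PRESIDENT AND FBI SECRETS"
LOVELETTER_AS_BODY = "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.."
LOVELETTER_AS_COMMENT = 'rem "Plan Colombia" virus v1.0'

# Constructed message reproducing the characteristics quoted in the summary.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES..
--b1
Content-Type: application/octet-stream; name="secret.jpg.vbs"
Content-Disposition: attachment; filename="secret.jpg.vbs"

rem "Plan Colombia" virus v1.0
--b1--
"""

# Constructed benign message used as the negative case.
CLEAN_MESSAGE = b"From: a@example.invalid\nSubject: meeting notes\n\nSee you at 10.\n"


def loveletter_as_indicators(raw_message: bytes) -> list[str]:
    """Return the Loveletter.AS indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if LOVELETTER_AS_SUBJECT.lower() in msg.get("Subject", "").lower():
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LOVELETTER_AS_BODY in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        # Attachment is (random_name.ext).vbs: VBScript behind a double extension.
        if (part.get_filename() or "").lower().endswith(".vbs"):
            hits.append("vbs-attachment")
            if LOVELETTER_AS_COMMENT.encode() in (part.get_payload(decode=True) or b""):
                hits.append("plan-colombia-comment")
    return hits
```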
5. QAZ Worm
For several weeks, the CERT/CC saw an increase in the number of
NETBIOS Session (139/tcp) probes and a corresponding increase in
reports of QAZ infected machines. The QAZ worm scans networks for
unprotected Windows Networking Shares, similar to the behavior of
the network.vbs worm discussed in IN-2000-02. When launched, the
QAZ worm replaces the Notepad.exe file and modifies the registry
to ensure that it is run when Windows restarts. This trojan also
allows an intruder to upload files to the system, or execute any
file on the system. Sites are encouraged to follow the advice in
IN-2000-02 to secure Windows Networking Shares, and update
anti-virus software definitions to prevent infection.
CERT Incident Note IN-2000-02,
Exploitation of Unprotected Windows Networking Shares
http://www.cert.org/incident_notes/IN-2000-02.html
Additional information about this virus can be found by visiting
the sites listed on our Computer Virus Resources page.
Computer Virus Resources
http://www.cert.org/other_sources/viruses.html
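A detection pass over firewall deny logs for the 139/tcp sweeps described above, where one source probes the NetBIOS Session port on many hosts; added here as an example rather than CERT/CC code, and the log format, addresses and threshold are assumptions since the summary gives no log samples.

```python
"""Spot horizontal 139/tcp sweeps, the NetBIOS Session probes CS-2000-04 ties
to QAZ. Added example, not CERT/CC code: the log line format, the addresses and
the min_hosts threshold are constructed assumptions; adapt LOG_LINE to your
firewall's format.
"""
import re
from collections import defaultdict

NETBIOS_SESSION_PORT = 139

# Assumed format: "<timestamp> <host> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one source sweeps four hosts on 139/tcp, another touches
# a single host, plus unrelated 137/udp and 80/tcp noise.
SAMPLE_LOG = """\
Nov 14 02:13:07 fw DENY TCP 198.51.100.7:3421 -> 192.0.2.10:139
Nov 14 02:13:07 fw DENY TCP 198.51.100.7:3422 -> 192.0.2.11:139
Nov 14 02:13:08 fw DENY TCP 198.51.100.7:3423 -> 192.0.2.12:139
Nov 14 02:13:08 fw DENY TCP 198.51.100.7:3424 -> 192.0.2.13:139
Nov 14 02:13:09 fw DENY TCP 203.0.113.5:40000 -> 192.0.2.10:139
Nov 14 02:13:10 fw DENY UDP 203.0.113.9:137 -> 192.0.2.10:137
Nov 14 02:13:11 fw DENY TCP 203.0.113.5:40001 -> 192.0.2.10:80
"""


def netbios_sweep_sources(log_text: str, min_hosts: int = 3) -> dict[str, int]:
    """Return {source_ip: distinct_targets} for sources that hit 139/tcp on at
    least min_hosts different hosts, the share-scanning pattern QAZ exhibits."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["proto"] != "TCP" or int(m["dport"]) != NETBIOS_SESSION_PORT:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}
```

Sources reported here are candidates for blocking at the perimeter and for checking whether the probed hosts expose unprotected shares, as IN-2000-02 advises.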
6. Multiple Denial of Service Problems in ISC BIND
The CERT/CC has recently learned of two serious denial of service
vulnerabilities in the Internet Software Consortium's (ISC) BIND
software. The first vulnerability is referred to by the ISC as the
"zxfr bug" and the second is the "srv bug." We have not yet
received reports of these vulnerabilities being exploited, but we
believe the potential is there. Sites are encouraged to follow the
advice in CA-2000-20 to protect systems running BIND.
CERT Advisory CA-2000-20,
Multiple Denial of Service Problems in ISC BIND
http://www.cert.org/advisories/CA-2000-20.html
______________________________________________________________________
New CERT PGP key
The CERT/CC PGP key for 2000-2001 is now operational. The new key is
an RSA key; it is constructed so as to provide maximum
interoperability with as many versions of PGP as possible as well as
with GPG. Information about the new PGP Key can be found at:
Sending Sensitive Information to the CERT/CC
http://www.cert.org/contact_cert/encryptmail.html
______________________________________________________________________
New Vulnerability Disclosure Policy
On October 9, 2000, the CERT Coordination Center began following a new
policy regarding the disclosure of vulnerability information.
Information about the new policy can be found at:
The CERT Coordination Center Vulnerability Disclosure Policy
http://www.cert.org/faq/vuldisclosurepolicy.html
______________________________________________________________________
What's New and Updated
Since the last CERT summary, we have published new and updated
* Advisories
* Incident notes
* CERT/CC statistics
* Security improvement modules
* Infosec Outlook newsletter
* Frequently Asked Questions
Descriptions of these documents and links to them can be found on our
"What's New" page:
What's New
http://www.cert.org/nav/whatsnew.html
______________________________________________________________________
This document is available from:
http://www.cert.org/summaries/CS-2000-04.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University.