CERT-SEI

CERT Incident Notes

CERT Incident Notes have become a core component of US-CERT's Technical Cyber Security Alerts and Current Activity.



2004


IN-2004-02: W32/Netsky.B Virus

February 18, 2004

The CERT/CC has been receiving reports of a new mass-mailing virus known as W32/Netsky.B. The virus propagates either as an attachment to an email message or by automatically copying itself to Windows network shares.

IN-2004-01: W32/Novarg.A Virus

January 27, 2004

The CERT/CC has been receiving reports of a new mass-mailing virus known as W32/Novarg.A, W32/Shimg, or W32/Mydoom that has been reported to open a backdoor to the compromised system and possibly launch a denial-of-service attack against a web site at a fixed time in the future.

2003


IN-2003-04: Exploitation of Internet Explorer Vulnerability

October 1, 2003

The CERT/CC has received reports indicating that attackers are actively exploiting the Microsoft Internet Explorer vulnerability described in VU#865940.

IN-2003-03: W32/Sobig.F Worm

August 22, 2003

The CERT/CC has been receiving a large volume of reports of a mass mailing worm, referred to as W32/Sobig.F, spreading on the Internet. New information indicates that this worm has additional capabilities that were not realized at the time it first began propagating.

IN-2003-02: W32/Mimail Virus

August 2, 2003

On Friday, August 1st 2003 the CERT Coordination Center began to receive an increased number of reports of a new mass mailing virus, now referred to as W32/Mimail, spreading on the Internet.

IN-2003-01: Malicious Code Propagation and Antivirus Software Updates

July 2, 2003

Recent reports to the CERT/CC have highlighted that the speed at which viruses are spreading is increasing and that users who were compromised may have been under the incorrect impression that merely having antivirus software installed was enough to protect them from all malicious code attacks.

2002


IN-2002-06: W32/Lioten Malicious Code

December 17, 2002

The CERT/CC has received reports of self-propagating malicious code known as W32/Lioten affecting systems running Windows 2000. This malicious code exploits weak or null passwords in order to propagate. Reports to date indicate that thousands of systems are scanning in a manner consistent with W32/Lioten's known behavior. Various sources have referred to this malicious code as IraqiWorm and iraqi_oil.exe.

IN-2002-05: W32/Frethem Malicious Code

July 17, 2002

The CERT/CC has received a number of reports of malicious code known as W32/Frethem. It affects systems running Microsoft Windows with unpatched versions of Internet Explorer and mail clients that use IE's HTML rendering engine (including Outlook and Outlook Express). Patched systems (or systems that do not use IE's HTML rendering engine for mail) may also be affected if a user manually executes the malicious code. A number of variants of this code have been identified.

IN-2002-04: Exploitation of Vulnerabilities in Microsoft SQL Server

May 22, 2002

The CERT/CC has received reports of systems being compromised through the automated exploitation of null or weak default sa passwords in Microsoft SQL Server and Microsoft Data Engine. This activity is accompanied by high volumes of scanning, and appears to be related to recently discovered self-propagating malicious code, referred to by various sources as Spida, SQLsnake, and Digispid.

IN-2002-03: Social Engineering Attacks via IRC and Instant Messaging

March 19, 2002

The CERT/CC has received reports of social engineering attacks on users of Internet Relay Chat (IRC) and Instant Messaging (IM) services. Intruders trick unsuspecting users into downloading and executing malicious software, which allows the intruders to use the systems as attack platforms for launching distributed denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate that tens of thousands of systems have recently been compromised in this manner.

IN-2002-02: W32/Gibe Malicious Code

March 12, 2002

The CERT/CC has received numerous reports of a piece of malicious code, written for the Windows platform, commonly known as W32/Gibe. W32/Gibe spreads via email disguised as a Microsoft security bulletin and patch. A user must execute the attached file in order to be infected. The payload is non-destructive, but a backdoor is installed that may allow an intruder access to the system.

IN-2002-01: W32/Myparty Malicious Code

January 28, 2002

"W32/Myparty" is malicious code written for the Windows platform that spreads as an email file attachment. The malicious code makes use of social engineering to entice a user to execute it. The W32/Myparty payload is non-destructive.

2001


IN-2001-15: W32/Goner Worm

December 4, 2001

W32/Goner is a malicious Windows program distributed as an email file attachment and via ICQ file transfers. To a user, the file (gone.scr) appears to be a Windows screen saver. W32/Goner infects a system when a user executes file "gone.scr".

IN-2001-14: W32/BadTrans Worm

November 27, 2001

W32/BadTrans is a malicious Windows program distributed as an email file attachment. Because of a known vulnerability in Internet Explorer, some email programs, such as Outlook Express and Outlook, may execute the malicious program as soon as the email message is viewed.

IN-2001-13: "Kaiten" Malicious Code Installed by Exploiting Null Default Passwords in MS-SQL

November 27, 2001

The CERT/CC has received reports of a new variant of the "Kaiten" malicious code being installed through exploitation of null default sa passwords in Microsoft SQL Server and Microsoft Data Engine. (Microsoft SQL 2000 Server will allow a null sa password to be used, but this is not default behavior.) Various sources have referred to this malicious code as "W32/Voyager," "Voyager Alpha Force," and "W32/CBlade.worm."

IN-2001-12: Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector

November 5, 2001

The CERT/CC has received multiple reports of systems being compromised via the CRC-32 compensation attack detector vulnerability described in VU#945216. We are also receiving reports of increased scanning activity for the SSH service (22/tcp).

IN-2001-11: Cache Corruption on Microsoft DNS Servers

August 31, 2001

The CERT/CC has received reports from sites experiencing cache corruption on systems running Microsoft DNS Server. The default configuration of this software allows data from malicious or incorrectly configured servers to be cached in the DNS server. This corruption can result in erroneous DNS information later being returned to any clients that use this server.

IN-2001-10: "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled

August 16, 2001

The CERT/CC has received numerous reports of Windows NT 4.0 IIS 4.0 servers patched according to Microsoft Security Bulletin MS01-033 crashing when scanned by the "Code Red" worm.

IN-2001-09: "Code Red II:" Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL

August 6, 2001

The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the worm has already affected thousands of systems. This new worm is being called "Code Red II"; however, except for using the same buffer overflow mechanism, it is different from the original "Code Red" worm described in CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.

IN-2001-08: "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL

July 19, 2001

The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CERT Advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the "Code Red" worm has already affected over 13,000 hosts.

IN-2001-07: W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses

July 6, 2001

The CERT/CC has received an increasing number of reports regarding the compromise of home user machines running Microsoft Windows. Most of these reports involve the intruder tool SubSeven. SubSeven is often used as a Trojan horse, which allows an intruder to deliver and execute any custom payload and run arbitrary commands on the affected machine.

IN-2001-06: Verification of Downloaded Software

June 8, 2001

When downloading software from online repositories, it is important to consider the possibility that the site has been compromised. There are precautions that users can take when downloading software. There are also ways that software publishers and distributors can provide verification of the authenticity of their software.

IN-2001-05: The "cheese" Worm

May 17, 2001

The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the "cheese worm" which may contribute to the pattern.

IN-2001-04: "Carko" Distributed Denial-of-Service Tool

April 24, 2001

The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts.

IN-2001-03: Exploitation of BIND Vulnerabilities

March 30, 2001

On January 29, 2001 the CERT/CC published CERT Advisory CA-2001-02 detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are now actively being exploited by the intruder community to compromise systems.

IN-2001-02: Open mail relays used to deliver "Hybris Worm"

March 2, 2001

The CERT/CC has received reports of intruders using open mail relays to propagate malicious code such as the "Hybris Worm." The code propagates through email messages and newsgroup postings, specifically targeting Windows machines.

IN-2001-01: Widespread Compromises via "ramen" Toolkit

January 18, 2001

The CERT/CC has received reports from sites that have recovered an intruder toolkit called "ramen" from compromised hosts. Ramen, which is publicly available, exploits one of several known vulnerabilities and contains a mechanism to self-propagate.

2000


IN-2000-10: Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities

September 15, 2000

Recent reports involving intruder exploitation of two vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggest that intruders are using scripts and toolkits to automate attacks.

IN-2000-09: Systems Compromised Through a Vulnerability in the IRIX telnet daemon

August 31, 2000

We have received reports of intruder activity involving the telnet daemon on SGI machines running the IRIX operating system. Intruders are actively exploiting a vulnerability in telnetd that is resulting in a remote root compromise of victim machines.

IN-2000-08: Chat Clients and Network Security

June 21, 2000

The CERT/CC has received reports and inquiries regarding the security issues inherent in the use of chat clients.

IN-2000-07: Exploitation of Hidden File Extensions

June 19, 2000

There have been a number of recent malicious programs exploiting the default behavior of Windows operating systems to hide file extensions from the user. This behavior can be used to trick users into executing malicious code by making a file appear to be something it is not.

IN-2000-06: Exploitation of "Scriptlet.Typelib" ActiveX Control

June 6, 2000

Bubbleboy and kak are email-borne viruses that exploit a vulnerability created by unsafe configuration of the Microsoft ActiveX control named "Scriptlet.Typelib," allowing local files to be created or modified.

IN-2000-05: "mstream" Distributed Denial of Service Tool

May 2, 2000

In late April 2000, we began receiving reports of sites finding a new distributed denial of service (DDOS) tool that is being called "mstream". This tool enables intruders to use multiple Internet-connected systems to launch packet flooding denial of service attacks against one or more target systems.

IN-2000-04: Denial of Service Attacks using Nameservers

April 28, 2000

Intruders are using nameservers to execute packet flooding denial of service attacks.

IN-2000-03: 911 Worm

April 4, 2000

A worm with variants known as "chode," "foreskin," "dickhair," "firkin," or "911" spreads by taking advantage of unprotected Windows shares.

IN-2000-02: Exploitation of Unprotected Windows Networking Shares

March 3, 2000

Updated April 7, 2000

Intruders are actively exploiting Windows networking shares that are made available for remote connections without requiring password authentication. This is not a new problem, but the potential impact on the overall security of the Internet is increasing.

IN-2000-01: Windows Based DDOS Agents

February 28, 2000

We have received reports indicating that intruders are beginning to deploy and utilize Windows-based denial of service agents to launch distributed denial of service attacks.