# CERT/CC Incident Notes

CERT Incident Notes have become a core component of US-CERT's Technical Cyber Security Alerts and Current Activity.
## 2004

- **IN-2004-02: W32/Netsky.B Virus** (February 18, 2004): The CERT/CC has been receiving reports of a new mass-mailing virus known as W32/Netsky.B. The virus propagates either as an attachment to an email message or by automatically copying itself to Windows network shares.
- **IN-2004-01: W32/Novarg.A Virus** (January 27, 2004): The CERT/CC has been receiving reports of a new mass-mailing virus known as W32/Novarg.A, W32/Shimg, or W32/Mydoom that has been reported to open a backdoor to the compromised system and possibly launch a denial-of-service attack against a web site at a fixed time in the future.

## 2003
- **IN-2003-04: Exploitation of Internet Explorer Vulnerability** (October 1, 2003): The CERT/CC has received reports indicating that attackers are actively exploiting the Microsoft Internet Explorer vulnerability described in VU#865940.
- **IN-2003-03: W32/Sobig.F Worm** (August 22, 2003): The CERT/CC has been receiving a large volume of reports of a mass mailing worm, referred to as W32/Sobig.F, spreading on the Internet. New information indicates that this worm has additional capabilities that were not realized at the time it first began propagating.
- **IN-2003-02: W32/Mimail Virus** (August 2, 2003): On Friday, August 1st 2003 the CERT Coordination Center began to receive an increased number of reports of a new mass mailing virus, now referred to as W32/Mimail, spreading on the Internet.
- **IN-2003-01: Malicious Code Propagation and Antivirus Software Updates** (July 2, 2003): Recent reports to the CERT/CC have highlighted that the speed at which viruses are spreading is increasing and that users who were compromised may have been under the incorrect impression that merely having antivirus software installed was enough to protect them from all malicious code attacks.

## 2002
- **IN-2002-06: W32/Lioten Malicious Code** (December 17, 2002): The CERT/CC has received reports of self-propagating malicious code known as W32/Lioten affecting systems running Windows 2000. This malicious code exploits weak or null passwords in order to propagate. Reports to date indicate that thousands of systems are scanning in a manner consistent with W32/Lioten's known behavior. Various sources have referred to this malicious code as IraqiWorm and iraqi_oil.exe.
- **IN-2002-05: W32/Frethem Malicious Code** (July 17, 2002): The CERT/CC has received a number of reports of malicious code known as W32/Frethem. It affects systems running Microsoft Windows with unpatched versions of Internet Explorer and mail clients that use IE's HTML rendering engine (including Outlook and Outlook Express). Patched systems (or systems that do not use IE's HTML rendering engine for mail) may also be affected if a user manually executes the malicious code. A number of variants of this code have been identified.
- **IN-2002-04: Exploitation of Vulnerabilities in Microsoft SQL Server** (May 22, 2002): The CERT/CC has received reports of systems being compromised through the automated exploitation of null or weak default sa passwords in Microsoft SQL Server and Microsoft Data Engine. This activity is accompanied by high volumes of scanning, and appears to be related to recently discovered self-propagating malicious code, referred to by various sources as Spida, SQLsnake, and Digispid.
- **IN-2002-03: Social Engineering Attacks via IRC and Instant Messaging** (March 19, 2002): The CERT/CC has received reports of social engineering attacks on users of Internet Relay Chat (IRC) and Instant Messaging (IM) services. Intruders trick unsuspecting users into downloading and executing malicious software, which allows the intruders to use the systems as attack platforms for launching distributed denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate that tens of thousands of systems have recently been compromised in this manner.
- **IN-2002-02: W32/Gibe Malicious Code** (March 12, 2002): The CERT/CC has received numerous reports of a piece of malicious code, written for the Windows platform, commonly known as W32/Gibe. W32/Gibe spreads via email disguised as a Microsoft security bulletin and patch. A user must execute the attached file in order to be infected. The payload is non-destructive, but a backdoor is installed that may allow an intruder access to the system.
- **IN-2002-01: W32/Myparty Malicious Code** (January 28, 2002): "W32/Myparty" is malicious code written for the Windows platform that spreads as an email file attachment. The malicious code makes use of social engineering to entice a user to execute it. The W32/Myparty payload is non-destructive.

## 2001
- **IN-2001-15: W32/Goner Worm** (December 4, 2001): W32/Goner is a malicious Windows program distributed as an email file attachment and via ICQ file transfers. To a user, the file (gone.scr) appears to be a Windows screen saver. W32/Goner infects a system when a user executes the file "gone.scr".
- **IN-2001-14: W32/BadTrans Worm** (November 27, 2001): W32/BadTrans is a malicious Windows program distributed as an email file attachment. Because of a known vulnerability in Internet Explorer, some email programs, such as Outlook Express and Outlook, may execute the malicious program as soon as the email message is viewed.
- **IN-2001-13: "Kaiten" Malicious Code Installed by Exploiting Null Default Passwords in MS-SQL** (November 27, 2001): The CERT/CC has received reports of a new variant of the "Kaiten" malicious code being installed through exploitation of null default sa passwords in Microsoft SQL Server and Microsoft Data Engine. (Microsoft SQL 2000 Server will allow a null sa password to be used, but this is not default behavior.) Various sources have referred to this malicious code as "W32/Voyager," "Voyager Alpha Force," and "W32/CBlade.worm."
- **IN-2001-12: Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector** (November 5, 2001): The CERT/CC has received multiple reports of systems being compromised via the CRC-32 compensation attack detector vulnerability described in VU#945216. We are also receiving reports of increased scanning activity for the SSH service (22/tcp).
- **IN-2001-11: Cache Corruption on Microsoft DNS Servers** (August 31, 2001): The CERT/CC has received reports from sites experiencing cache corruption on systems running Microsoft DNS Server. The default configuration of this software allows data from malicious or incorrectly configured servers to be cached in the DNS server. This corruption can result in erroneous DNS information later being returned to any clients which use this server.
- **IN-2001-10: "Code Red" Worm Crashes IIS 4.0 Servers with URL Redirection Enabled** (August 16, 2001): The CERT/CC has received numerous reports of Windows NT 4.0 IIS 4.0 servers patched according to Microsoft Security Bulletin MS01-033 crashing when scanned by the "Code Red" worm.
- **IN-2001-09: "Code Red II:" Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL** (August 6, 2001): The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the worm has already affected thousands of systems. This new worm is being called "Code Red II," however, except for using the same buffer overflow mechanism, it is different from the original "Code Red" worm described in CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
- **IN-2001-08: "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL** (July 19, 2001): The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CERT Advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the "Code Red" worm has already affected over 13,000 hosts.
- **IN-2001-07: W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses** (July 6, 2001): The CERT/CC has received an increasing number of reports regarding the compromise of home user machines running Microsoft Windows. Most of these reports surround the intruder tool SubSeven. SubSeven is often used as a Trojan horse, which allows an intruder to deliver and execute any custom payload and run arbitrary commands on the affected machine.
- **IN-2001-06: Verification of Downloaded Software** (June 8, 2001): When downloading software from online repositories, it is important to consider the possibility that the site has been compromised. There are precautions that users can take when downloading software. There are also ways that software publishers and distributors can provide verification of the authenticity of their software.
- **IN-2001-05: The "cheese" Worm** (May 17, 2001): The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the 'cheese worm' which may contribute to the pattern.
- **IN-2001-04: "Carko" Distributed Denial-of-Service Tool** (April 24, 2001): The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts.
- **IN-2001-03: Exploitation of BIND Vulnerabilities** (March 30, 2001): On January 29, 2001 the CERT/CC published CERT Advisory CA-2001-02 detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are now actively being exploited by the intruder community to compromise systems.
- **IN-2001-02: Open mail relays used to deliver "Hybris Worm"** (March 2, 2001): The CERT/CC has received reports of intruders using open mail relays to propagate malicious code such as the "Hybris Worm." The code propagates through email messages and newsgroup postings, specifically targeting Windows machines.
- **IN-2001-01: Widespread Compromises via "ramen" Toolkit** (January 18, 2001): The CERT/CC has received reports from sites that have recovered an intruder toolkit called "ramen" from compromised hosts. Ramen, which is publicly available, exploits one of several known vulnerabilities and contains a mechanism to self-propagate.

## 2000
- **IN-2000-10: Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities** (September 15, 2000): Recent reports involving intruder exploitation of two vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggests that intruders are using scripts and toolkits to automate attacks.
- **IN-2000-09: Systems Compromised Through a Vulnerability in the IRIX telnet daemon** (August 31, 2000): We have received reports of intruder activity involving the telnet daemon on SGI machines running the IRIX operating system. Intruders are actively exploiting a vulnerability in telnetd that is resulting in a remote root compromise of victim machines.
- **IN-2000-08: Chat Clients and Network Security** (June 21, 2000): The CERT/CC has received reports and inquiries regarding the security issues inherent in the use of chat clients.
- **IN-2000-07: Exploitation of Hidden File Extensions** (June 19, 2000): There have been a number of recent malicious programs exploiting the default behavior of Windows operating systems to hide file extensions from the user. This behavior can be used to trick users into executing malicious code by making a file appear to be something it is not.
- **IN-2000-06: Exploitation of "Scriptlet.Typelib" ActiveX Control** (June 6, 2000): Bubbleboy and kak are email-borne viruses that exploit a vulnerability created by unsafe configuration of the Microsoft ActiveX control named "Scriptlet.Typelib," allowing local files to be created or modified.
- **IN-2000-05: "mstream" Distributed Denial of Service Tool** (May 2, 2000): In late April 2000, we began receiving reports of sites finding a new distributed denial of service (DDOS) tool that is being called "mstream". This tool enables intruders to use multiple Internet-connected systems to launch packet flooding denial of service attacks against one or more target systems.
- **IN-2000-04: Denial of Service Attacks using Nameservers** (April 28, 2000): Intruders are using nameservers to execute packet flooding denial of service attacks.
- **IN-2000-03: 911 Worm** (April 4, 2000): A worm with variants known as "chode," "foreskin," "dickhair", "firkin," or "911" spreads by taking advantage of unprotected Windows shares.
- **IN-2000-02: Exploitation of Unprotected Windows Networking Shares** (March 3, 2000; updated April 7, 2000): Intruders are actively exploiting Windows networking shares that are made available for remote connections without requiring password authentication. This is not a new problem, but the potential impact on the overall security of the Internet is increasing.
- **IN-2000-01: Windows Based DDOS Agents** (February 28, 2000): We have received reports indicating intruders are beginning to deploy and utilize windows based denial of service agents to launch distributed denial of service attacks.

## 1999
- **IN-99-08: Attacks against IIS web servers involving MDAC** (December 10, 1999): We have received reports of IIS web servers compromised via a vulnerability in MS Data Access Components (MDAC). This note contains information about identifying attacks and pointers to further information.
- **IN-99-07: Distributed Denial of Service Tools** (November 18, 1999): We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.
- **IN-99-06: Distributed Network Sniffer** (October 25, 1999): We have received reports of intruders using distributed network sniffers to capture usernames and passwords. The distributed sniffer consists of a client and a server portion. The sniffer clients have been found exclusively on compromised Linux hosts.
- **IN-99-05: Systems Compromised Through a Vulnerability in am-utils** (September 17, 1999): We have received reports of intruder activity involving the am-utils package. Reports submitted to the CERT/CC indicate that intruders are actively exploiting a vulnerability in amd that is resulting in remote users gaining root access to victim machines.
- **IN-99-04: Similar Attacks Using Various RPC Services** (updated October 15, 1999): Recent reports involving three RPC service vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggests that intruders are using scripts to automate attacks. These attacks appear to attempt multiple exploitations but produce similar results. An update includes information about statd.
- **IN-99-03: CIH/Chernobyl Virus** (April 22, 1999): We have received a number of information requests about a computer virus named CIH, or the Chernobyl virus. The CIH virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly.
- **IN-99-02: Happy 99 Trojan Horse** (March 29, 1999): This incident note describes the Happy99.exe Trojan Horse. Happy99 is not a macro virus and should not be confused with the Melissa Word macro virus.
- **IN-99-01: "sscan" Scanning Tool** (January 28, 1999): Recently a new scanning tool named "sscan" was announced on various public mailing lists. The sscan tool performs probes against victim hosts to identify services which may potentially be vulnerable to exploitation.

## 1998
- **IN-98-07: Windows NT "Remote Explorer" Virus** (December 22, 1998): A new virus that attacks Microsoft Windows NT machines has recently received public attention. Some characteristics of the virus are discussed here.
- **IN-98-06: Automated Scanning and Exploitation** (December 9, 1998): We have received reports of intruders executing widespread attacks using scripted tools to control a collection of information-gathering and exploitation tools.
- **IN-98-05: Probes with Spoofed IP Addresses** (November 24, 1998): The CERT Coordination Center has received several reports that intruders are using spoofed IP addresses to conduct scans similar to those discussed in CA-98.09.imapd and CA-97.09.imap_pop.html.
- **IN-98.04: Advanced Scanning** (September 29, 1998): We have received reports of two scanning techniques being used by intruders to map networks and identify systems: "stealth" scanning and scanning to identify system or network architecture.
- **IN-98.03: Password Cracking Activity** (July 17, 1998): In an incident recently reported to the CERT/CC, a very large collection of password files was found on a compromised system. In total, the intruder appears to have a list of 186,126 accounts and encrypted passwords. At the time the password file collection was discovered, the intruder had successfully guessed 47,642 of these passwords by using a password-cracking tool.
- **IN-98.02: New Tools Used For Widespread Scans** (July 2, 1998): Intruders launching widespread scans in order to locate vulnerable machines is nothing new; however, a new intruder tool was publicly released last week which scans networks for many different vulnerabilities. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.
- **IN-98.01: Scans to Port 1/tcpmux and unpassworded SGI accounts** (May 13, 1998): There have been recent reports of widespread scans to port 1. Intruders use these scans to locate IRIX machines. Once the IRIX machines are located, intruders attempt to take advantage of known security weaknesses in default accounts that have no passwords.

Last updated October 11, 2005

CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.