CERT/CC Incident NotesCERT Incident Notes have become a core component of US-CERT's Technical Cyber Security Alerts and Current Activity.
The CERT/CC has been receiving reports of a new mass-mailing virus known as W32/Netsky.B. The virus propagates either as an attachment to an email message or by automatically copying itself to Windows network shares.
The CERT/CC has been receiving reports of a new mass-mailing virus known as W32/Novarg.A, W32/Shimg, or W32/Mydoom that has been reported to open a backdoor to the compromised system and possibly launch a denial-of-service attack against a web site at a fixed time in the future.
The CERT/CC has received reports indicating that attackers are actively exploiting the Microsoft Internet Explorer vulnerability described in VU#865940.
The CERT/CC has been receiving a large volume of reports of a mass mailing worm, referred to as W32/Sobig.F, spreading on the Internet. New information indicates that this worm has additional capabilities that were not realized at the time it first began propagating.
On Friday, August 1st 2003 the CERT Coordination Center began to receive an increased number of reports of a new mass mailing virus, now referred to as W32/Mimail, spreading on the Internet.
Recent reports to the CERT/CC have highlighted that the speed at which viruses are spreading is increasing and that users who were compromised may have been under the incorrect impression that merely having antivirus software installed was enough to protect them from all malicious code attacks.
The CERT/CC has received reports of self-propagating malicious code known as W32/Lioten affecting systems running Windows 2000. This malicious code exploits weak or null passwords in order to propagate. Reports to date indicate that thousands of systems are scanning in a manner consistent with W32/Lioten's known behavior. Various sources have referred to this malicious code as IraqiWorm and iraqi_oil.exe.
The CERT/CC has received a number of reports of malicious code known as W32/Frethem. It affects systems running Microsoft Windows with unpatched versions of Internet Explorer and mail clients that use IE's HTML rendering engine (including Outlook and Outlook Express). Patched systems (or systems that do not use IE's HTML rendering engine for mail) may also be affected if a user manually executes the malicious code. A number of variants of this code have been identified.
The CERT/CC has received reports of systems being compromised through the automated exploitation of null or weak default sa passwords in Microsoft SQL Server and Microsoft Data Engine. This activity is accompanied by high volumes of scanning, and appears to be related to recently discovered self-propagating malicious code, referred to by various sources as Spida, SQLsnake, and Digispid.
The CERT/CC has received reports of social engineering attacks on users of Internet Relay Chat (IRC) and Instant Messaging (IM) services. Intruders trick unsuspecting users into downloading and executing malicious software, which allows the intruders to use the systems as attack platforms for launching distributed denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate that tens of thousands of systems have recently been compromised in this manner.
The CERT/CC has received numerous reports of a piece of malicious code, written for the Windows platform, commonly known as W32/Gibe. W32/Gibe spreads via email disguised as a Microsoft security bulletin and patch. A user must execute the attached file in order to be infected. The payload is non-destructive, but a backdoor is installed that may allow an intruder access to the system.
"W32/Myparty" is malicious code written for the Windows platform that spreads as an email file attachment. The malicious code makes use of social engineering to entice a user to execute it. The W32/Myparty payload is non-destructive.
W32/Goner is a malicious Windows program distributed as an email file attachment and via ICQ file transfers. To a user, the file (gone.scr) appears to be a Windows screen saver. W32/Goner infects a system when a user executes file "gone.scr".
W32/BadTrans is a malicious Windows program distributed as an email file attachment. Because of a known vulnerability in Internet Explorer, some email programs, such as Outlook Express and Outlook, may execute the malicious program as soon as the email message is viewed.
The CERT/CC has received reports of a new variant of the "Kaiten" malicious code being installed through exploitation of null default sa passwords in Microsoft SQL Server and Microsoft Data Engine. (Microsoft SQL 2000 Server will allow a null sa password to be used, but this is not default behavior.) Various sources have referred to this malicious code as "W32/Voyager," "Voyager Alpha Force," and "W32/CBlade.worm."
The CERT/CC has received multiple reports of systems being compromised via the CRC-32 compensation attack detector vulnerability described in VU#945216. We are also receiving reports of increased scanning activity for the SSH service (22/tcp).
The CERT/CC has received reports from sites experiencing cache corruption on systems running Microsoft DNS Server. The default configuration of this software allows data from malicious or incorrectly configured servers to be cached in the DNS server. This corruption can result in erronous DNS information later being returned to any clients which use this server.
The CERT/CC has received numerous reports of Windows NT 4.0 IIS 4.0 servers patched according to Microsoft Security Bulletin MS01-033 crashing when scanned by the "Code Red" worm.
The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the worm has already affected thousands of systems. This new worm is being called "Code Red II," however, except for using the same buffer overflow mechanism, it is different from the original "Code Red" worm described in CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CERT Advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the "Code Red" worm has already affected over 13,000 hosts.
The CERT/CC has received an increasing number of reports regarding the compromise of home user machines running Microsoft Windows. Most of these reports surround the intruder tool SubSeven. SubSeven is often used as a Trojan horse, which allows an intruder to deliver and execute any custom payload and run arbitrary commands on the affected machine.
When downloading software from online repositories, it is important to consider the possibility that the site has been compromised. There are precautions that users can take when downloading software. There are also ways that software publishers and distributors can provide verification of the authenticity of their software.
The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the 'cheese worm' which may contribute to the pattern.
The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts.
On January 29, 2001 the CERT/CC published CERT Advisory CA-2001-02 detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are now actively being exploited by the intruder community to compromise systems.
The CERT/CC has received reports of intruders using open mail relays to propagate malicious code such as the "Hybris Worm." The code propagates through email messages and newsgroup postings, specifically targeting Windows machines.
The CERT/CC has received reports from sites that have recovered an intruder toolkit called "ramen" from compromised hosts. Ramen, which is publicly available, exploits one of several known vulnerabilities and contains a mechanism to self-propagate.
Recent reports involving intruder exploitation of two vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggests that intruders are using scripts and toolkits to automate attacks.
We have received reports of intruder activity involving the telnet daemon on SGI machines running the IRIX operating system. Intruders are actively exploiting a vulnerability in telnetd that is resulting in a remote root compromise of victim machines.
The CERT/CC has received reports and inquiries regarding the security issues inherent in the use of chat clients.
There have been a number of recent malicious programs exploiting the default behavior of Windows operating systems to hide file extensions from the user. This behavior can be used to trick users into executing malicious code by making a file appear to be something it is not.
Bubbleboy and kak are email-borne viruses that exploit a vulnerability created by unsafe configuration of the Microsoft ActiveX control named "Scriptlet.Typelib," allowing local files to be created or modified.
In late April 2000, we began receiving reports of sites finding a new distributed denial of service (DDOS) tool that is being called "mstream". This tool enables intruders to use multiple Internet-connected systems to launch packet flooding denial of service attacks against one or more target systems.
Intruders are using nameservers to execute packet flooding denial of service attacks.
A worm with variants known as "chode," "foreskin," "dickhair", "firkin," or "911" spreads by taking advantage of unprotected Windows shares.
Updated April 7, 2000
Intruders are actively exploiting Windows networking shares that are made available for remote connections without requiring password authentication. This is not a new problem, but the potential impact on the overall security of the Internet is increasing.
We have received reports indicating intruders are beginning to deploy and utilize windows based denial of service agents to launch distributed denial of service attacks.
We have received reports of IIS web servers compromised via a vulnerability in MS Data Access Components (MDAC). This note contains information about identifying attacks and pointers to further information.
We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.
We have received reports of intruders using distributed network sniffers to capture usernames and passwords. The distributed sniffer consists of a client and a server portion. The sniffer clients have been found exclusively on compromised Linux hosts.
We have received reports of intruder activity involving the am-utils package. Reports submitted to the CERT/CC indicate that intruders are actively exploiting a vulnerability in amd that is resulting in remote users gaining root access to victim machines.
Recent reports involving three RPC service vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggests that intruders are using scripts to automate attacks. These attacks appear to attempt multiple exploitations but produce similar results. An update includes information about statd.
We have received a number of information requests about a computer virus named CIH, or the Chernobyl virus. The CIH virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly.
This incident note describes the Happy99.exe Trojan Horse. Happy99 is not a macro virus and should not be confused with the Melissa Word macro virus.
Recently a new scanning tool named "sscan" was announced on various public mailing lists. The sscan tool performs probes against victim hosts to identify services which may potentially be vulnerable to exploitation.
A new virus that attacks Microsoft Windows NT machines has recently received public attention. Some characteristics of the virus are discussed here.
We have received reports of intruders executing widespread attacks using scripted tools to control a collection of information-gathering and exploitation tools.
The CERT Coordination Center has received several reports that intruders are using spoofed IP addresses to conduct scans similar to those discussed in CA-98.09.imapd and CA-97.09.imap_pop.html.
We have received reports of two scanning techniques being used by intruders to map networks and identify systems: "stealth" scanning and scanning to identify system or network architecture.
In an incident recently reported to the CERT/CC, a very large collection of password files was found on a compromised system. In total, the intruder appears to have a list of 186,126 accounts and encrypted passwords. At the time the password file collection was discovered, the intruder had successfully guessed 47,642 of these passwords by using a password-cracking tool.
Intruders launching widespread scans in order to locate vulnerable machines is nothing new; however, a new intruder tool was publicly released last week which scans networks for many different vulnerabilities. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.
There have been recent reports of widespread scans to port 1. Intruders use these scans to locate IRIX machines. Once the IRIX machines are located, intruders attempt to take advantage of known security weaknesses in default accounts that have no passwords.
CERT and CERT Coordination Center are registered U.S. Patent and Trademark Office