Networking

How to anonymously get root access on a quarter million machines overnight

posted on August 8, 2001
by hitbsecnews

An interesting read highlighting a technique I've pondered before. My firewall logs are filled to capacity, not to mention my HTTP access logs, with attempts by Code Red to attack my systems. When you think about it though, all these logs represent is a list of servers that are vulnerable to the IIS .ida exploit. I've got one machine that has hit me with HTTP probes over 200 times in the last week. I've tried to contact the admin, but no luck. My next temptation is to crack into the box and just wipe it to stop the annoying alerts I get every few hours.


Potential for Acrobat virus makes life less than Peachy for PDF files

posted on August 8, 2001
by hitbsecnews

The popular PDF file format developed by Adobe could become a carrier for viruses - just like .exe and .vbs files. The file format was previously thought invulnerable to viruses, but Network Associates' McAfee antivirus division has identified some malicious code, known as Peachy, which can be hidden in PDF files.

New method for blocking Code Red and similar exploits that use HTTP GET

posted on August 8, 2001
by hitbsecnews

This advisory provides 2 methods for blocking the Code Red worm using Network Based Application Recognition (NBAR) within IOS software on Cisco routers. The first solution classifies inbound traffic using NBAR, then filters traffic on an outbound interface using extended ACLs. The second solution also classifies inbound traffic using NBAR, then uses class-based policing to drop offending traffic. These solutions should be used in conjunction with the recommended patches for IIS servers from Microsoft.


'Code Red II' slows parts of the Net

posted on August 8, 2001
by hitbsecnews

"The network disruption is significant enough to warrant heightened awareness," cautioned the SANS Institute on Tuesday. The institute is a computer security think tank working with the FBI and other authorities to monitor assaults on the Internet. Since its debut Saturday, Code Red II has managed to infiltrate internal networks of Internet service providers and other major companies. The proliferating worm can flood nearby machines with enough traffic to force Web sites offline, Net authorities said.


Raytheon's SilentRunner vulnerable to Multiple Buffer Overflow says ISS X-Force

posted on August 7, 2001
by hitbsecnews

Internet Security Systems (ISS) X-Force in conjunction with ISS Emergency Response Services (ERS) has discovered and researched remote vulnerabilities in Raytheon SilentRunner. SilentRunner is a passive network monitoring, discovery and analysis tool. The SilentRunner collector module is the passive network monitoring component of the program. The collector contains multiple buffer overflow vulnerabilities that may be exploited by an attacker on networks monitored by SilentRunner.

Top 10 Places Your Email Can Be Intercepted

posted on August 7, 2001
by hitbsecnews

The Internet has radically changed the way we communicate with each other. Email is obviously an extremely valuable and ubiquitous form of communication, but with this technology comes certain pitfalls that should be understood. The path that an email message takes to reach its recipient is a complex and varying one, and while in transit that message may come under the potential scrutiny of numerous different people and organizations.

Installing and running Tripwire

posted on August 6, 2001
by hitbsecnews

By: Aleksandar Stancin (sal@net-security.org)

The following article deals with a little software package known as Tripwire, available for Linux as well as for other Unix variants and Windows. Only the Linux version is open source, though; the others are commercial.

What is Tripwire?

eEye provides their analysis of the Code Red III (they call it II) worm

posted on August 6, 2001
by hitbsecnews

From eEye: We first were contacted about this worm by the Security Focus ARIS Incident Analysts. While they were monitoring various attacks from around the globe they started to see a new attack pattern, and after a handful of packet captures they saw there was a new worm on the loose. So they called up eEye Digital Security to allow us to perform an analysis of this new worm.