CERT/CC Incident Notes
The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the 'cheese worm' which may contribute to the pattern.
The CERT/CC has received reports that a distributed denial-of-service (DDoS) tool named Carko is being installed on compromised hosts.
On January 29, 2001 the CERT/CC published CERT Advisory CA-2001-02 detailing multiple vulnerabilities in multiple versions of ISC BIND nameserver software. Two of the vulnerabilities described in the advisory are now actively being exploited by the intruder community to compromise systems.
The CERT/CC has received reports of intruders using open mail relays to propagate malicious code such as the "Hybris Worm." The code propagates through email messages and newsgroup postings, specifically targeting Windows machines.
The CERT/CC has received reports from sites that have recovered an intruder toolkit called "ramen" from compromised hosts. Ramen, which is publicly available, exploits one of several known vulnerabilities and contains a mechanism to self-propagate.
Recent reports involving intruder exploitation of two vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggest that intruders are using scripts and toolkits to automate attacks.
We have received reports of intruder activity involving the telnet daemon on SGI machines running the IRIX operating system. Intruders are actively exploiting a vulnerability in telnetd that is resulting in a remote root compromise of victim machines.
The CERT/CC has received reports and inquiries regarding the security issues inherent in the use of chat clients.
There have been a number of recent malicious programs exploiting the default behavior of Windows operating systems to hide file extensions from the user. This behavior can be used to trick users into executing malicious code by making a file appear to be something it is not.
Bubbleboy and kak are email-borne viruses that exploit a vulnerability created by unsafe configuration of the Microsoft ActiveX control named "Scriptlet.Typelib," allowing local files to be created or modified.
In late April 2000, we began receiving reports of sites finding a new distributed denial of service (DDOS) tool that is being called "mstream". This tool enables intruders to use multiple Internet-connected systems to launch packet flooding denial of service attacks against one or more target systems.
Intruders are using nameservers to execute packet flooding denial of service attacks.
A worm with variants known as "chode," "foreskin," "dickhair," "firkin," or "911" spreads by taking advantage of unprotected Windows shares.
Updated April 7, 2000
Intruders are actively exploiting Windows networking shares that are made available for remote connections without requiring password authentication. This is not a new problem, but the potential impact on the overall security of the Internet is increasing.
We have received reports indicating intruders are beginning to deploy and utilize Windows-based denial of service agents to launch distributed denial of service attacks.
We have received reports of IIS web servers compromised via a vulnerability in MS Data Access Components (MDAC). This note contains information about identifying attacks and pointers to further information.
We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.
We have received reports of intruders using distributed network sniffers to capture usernames and passwords. The distributed sniffer consists of a client and a server portion. The sniffer clients have been found exclusively on compromised Linux hosts.
We have received reports of intruder activity involving the am-utils package. Reports submitted to the CERT/CC indicate that intruders are actively exploiting a vulnerability in amd that is resulting in remote users gaining root access to victim machines.
Recent reports involving three RPC service vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the attacks suggest that intruders are using scripts to automate attacks. These attacks appear to attempt multiple exploitations but produce similar results. An update includes information about statd.
We have received a number of information requests about a computer virus named CIH, or the Chernobyl virus. The CIH virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly.
This incident note describes the Happy99.exe Trojan Horse. Happy99 is not a macro virus and should not be confused with the Melissa Word macro virus.
Recently a new scanning tool named "sscan" was announced on various public mailing lists. The sscan tool performs probes against victim hosts to identify services which may potentially be vulnerable to exploitation.
A new virus that attacks Microsoft Windows NT machines has recently received public attention. Some characteristics of the virus are discussed here.
We have received reports of intruders executing widespread attacks using scripted tools to control a collection of information-gathering and exploitation tools.
The CERT Coordination Center has received several reports that intruders are using spoofed IP addresses to conduct scans similar to those discussed in CA-98.09.imapd and CA-97.09.imap_pop.html.
We have received reports of two scanning techniques being used by intruders to map networks and identify systems: "stealth" scanning and scanning to identify system or network architecture.
In an incident recently reported to the CERT/CC, a very large collection of password files was found on a compromised system. In total, the intruder appears to have a list of 186,126 accounts and encrypted passwords. At the time the password file collection was discovered, the intruder had successfully guessed 47,642 of these passwords by using a password-cracking tool.
Intruders launching widespread scans in order to locate vulnerable machines is nothing new; however, a new intruder tool was publicly released last week which scans networks for many different vulnerabilities. The CERT Coordination Center has received numerous reports indicating that this tool is in widespread use within the intruder community.
There have been recent reports of widespread scans to port 1. Intruders use these scans to locate IRIX machines. Once the IRIX machines are located, intruders attempt to take advantage of known security weaknesses in default accounts that have no passwords.
Last updated May 17, 2001
Copyright 2001 Carnegie Mellon University.