FedCIRC Advisory FA-99-06                                        May 25, 1999

The CERT Coordination Center periodically issues the CERT summary to draw attention to the types of attacks currently being reported to our incident response team, as well as to other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems. Past CERT summaries are available from

   [1]http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last CERT summary, issued in February 1999 ([2]CS-99.01), we have seen an increase in virus activity and an increase in the use of some older, known attacks.

Protect your systems. Use current software versions, install patches as they become available, and update your scanning tools and anti-virus software with the latest virus signatures or definitions. Be leery of unsolicited documents or executable programs received in electronic mail. Be wary of software that comes from untrusted sources.

1. Virus Activity

In the last three months, we have received many reports of virus activity. Current versions of anti-virus software can help to protect your systems from these viruses.

It is important to take great caution with any email or Usenet attachments that contain executable content. If attachments are in a message, we recommend that you save the file to the local drive and scan the file with an anti-virus scanning product before you open or run the file. Be aware that this is not a guarantee that the contents of the file are safe, but it will check for viruses and Trojan horses that your scanning software can detect.

Melissa

The Melissa virus spreads mainly as Microsoft Word 97 and Word 2000 attachments in email. It can be detected and removed by current versions of anti-virus software.

For more information, see

   CERT Advisory CA-99-04 Melissa Macro Virus
   [3]http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

   Frequently Asked Questions About the Melissa Virus
   [4]http://www.cert.org/tech_tips/Melissa_FAQ.html

CIH/Chernobyl

The CIH virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly. The most common version of the virus becomes active on April 26, but there are other versions that become active on the 26th day of other months (especially June 26).

For more information, see

   Incident Note IN-99-03 CIH/Chernobyl Virus
   [5]http://www.cert.org/incident_notes/IN-99-03.html

   Frequently Asked Questions About the CIH Virus
   [6]http://www.cert.org/tech_tips/CIH_FAQ.html

Happy99

Happy99.exe is a Trojan horse virus. The first time Happy99.exe is executed, a fireworks display saying "Happy 99" appears on the computer screen. At the same time, it modifies system files to email itself to other people.

For more information, see

   IN-99-02 Happy99.exe Trojan Horse
   [7]http://www.cert.org/incident_notes/IN-99-02.html

   CA-99-02 Trojan Horses
   [8]http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

2. Resurgence of SYN Attacks

Recently we have received an increased number of reports of SYN attacks that result in a denial of service. This is a known exploitation method for which protection is available.

For information about how SYN attacks work and how to protect your systems, see

   CERT Advisory CA-96.21 TCP SYN Flooding and IP Spoofing Attacks
   [9]http://www.cert.org/advisories/CA-96.21.tcp_syn_flooding.html

For more information about denial of service attacks, see

   Denial of Service
   [10]http://www.cert.org/tech_tips/denial_of_service.html

3. Continued Widespread Scans

We are still receiving daily reports of intruders using tools to scan networks for multiple vulnerabilities.
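As an added example, not part of this advisory or of any CERT tool, the following Python flags a source that probes several of the services this section names as the most frequent scan targets (sunrpc on TCP port 111, mountd on 635, IMAP on 143, POP3 on 110) within a short window; the connection-log format and the addresses are constructed for the example.

```python
# Added example (not from the FedCIRC advisory): detect multi-service probes.
from collections import defaultdict
from datetime import datetime, timedelta

# Services the advisory reports as the most frequent scan targets.
WATCHED_PORTS = {111: "sunrpc", 635: "mountd", 143: "imap", 110: "pop3"}

# Constructed sample records: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
1999-05-20T02:14:01 203.0.113.7 -> 198.51.100.10:111
1999-05-20T02:14:02 203.0.113.7 -> 198.51.100.10:635
1999-05-20T02:14:02 203.0.113.7 -> 198.51.100.11:143
1999-05-20T02:14:03 203.0.113.7 -> 198.51.100.11:110
1999-05-20T02:30:00 192.0.2.44 -> 198.51.100.10:143
1999-05-20T09:45:12 192.0.2.44 -> 198.51.100.10:110
1999-05-20T03:00:00 198.51.100.5 -> 198.51.100.10:22
"""

def parse_line(line):
    """Return (timestamp, src, dst, port), or None if the line is not shaped as above."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    dst, sep, port = parts[3].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return datetime.fromisoformat(parts[0]), parts[1], dst, int(port)

def find_scanners(log_text, min_ports=3, window=timedelta(minutes=5)):
    """Return {src_ip: [service, ...]} for each source that touched at least
    `min_ports` distinct watched ports inside a single `window`."""
    hits = defaultdict(list)  # src -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in WATCHED_PORTS:
            hits[rec[1]].append((rec[0], rec[3]))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        # Slide a window starting at each event; report the first burst found.
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(WATCHED_PORTS[p] for p in ports)
                break
    return scanners

if __name__ == "__main__":
    for src, services in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {', '.join(services)}")
```

Only 203.0.113.7 is reported: it hits all four watched ports within two seconds, whereas 192.0.2.44 touches two of them hours apart and the port 22 connection is not watched at all.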
Intruder scanning tools continue to become more sophisticated, varying from scripted tools and stealth scanning techniques to a tool that incorporates probes for known vulnerabilities, remote operating system identification, and a scripting language that simplifies automation of probes and exploitation attempts.

For more information, see

   "sscan" Scanning Tool
   [11]http://www.cert.org/incident_notes/IN-99-01.html

   Automated Scanning and Exploitation
   [12]http://www.cert.org/incident_notes/IN-98-06.html

   Probes with Spoofed IP Addresses
   [13]http://www.cert.org/incident_notes/IN-98-05.html

   Advanced Scanning
   [14]http://www.cert.org/incident_notes/IN-98.04.html

   New Tools Used for Widespread Scans
   [15]http://www.cert.org/incident_notes/IN-98.02.html

The most frequent reports involve well-known vulnerabilities in mountd, IMAP, and POP3. These services are installed and enabled by default in some operating systems. See the following advisories for more information:

   sunrpc (TCP port 111) and mountd (635)
   [16]http://www.cert.org/advisories/CA-98.12.mountd.html

   IMAP (TCP port 143)
   [17]http://www.cert.org/advisories/CA-98.09.imapd.html

   POP3 (TCP port 110)
   [18]http://www.cert.org/advisories/CA-98.08.qpopper_vul.html

While these scans involve known vulnerabilities for which patches are available, the scans and exploitation attempts still result in sites being compromised because system security has not been kept up-to-date. Protect your systems. Make sure that all systems at your site have current versions of patches and that your machines are properly secured.

4. Web Server Attacks

We have been receiving reports of attacks exploiting vulnerabilities in sample applications in Cold Fusion and IIS. The attacks result in read and write access on the web server, allowing intruders to change web pages at will.

For information, see

   Allaire Security Bulletin ASB99-02
   ColdFusion 4.0 Example Applications and Sample Code Exposes Servers
   [19]http://www.allaire.com/security/

   Microsoft Internet Information Server 4.0 Security Checklist
   [20]http://www.microsoft.com/security/products/iis/checklist.asp

______________________________________________________________________

What's New and Updated

Since the last CERT summary, we have developed new and updated

   * Advisories
   * Incident notes
   * Security improvement modules
   * Technical reports
   * Information about computer security education

There are descriptions of these documents and links to them on our What's New web page at

   [21]http://www.cert.org/nav/whatsnew.html

______________________________________________________________________

This document is available from:

   [22]http://www2.fedcirc.gov/advisories/FA-99-06.html

______________________________________________________________________

FedCIRC Contact Information

Email:   [23]fedcirc@fedcirc.gov
Phone:   +1 888-282-0870 (24-hour toll-free hotline)
Phone:   +1 412-268-6321 (24-hour hotline)
Fax:     +1 412-268-6989

Postal address:
   FedCIRC
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

FedCIRC personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

   [24]http://www2.fedcirc.gov/keys.html

If you prefer to use DES, please call the FedCIRC hotline for more information.

Getting security information

FedCIRC publications and other security information are available from our web site

   [25]http://www.fedcirc.gov/

FedCIRC (Federal Computer Incident Response Capability) is operated by the CERT/CC for the U.S. General Services Administration. FedCIRC provides security services to U.S. Federal civilian agencies.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in

   [26]http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

References

   1. http://www2.fedcirc.gov/summaries/
   2. http://www2.fedcirc.gov/summaries/CS-99.01.html
   3. http://www2.fedcirc.gov/advisories/CA-99-04-Melissa-Macro-Virus.html
   4. http://www2.fedcirc.gov/tech_tips/Melissa_FAQ.html
   5. http://www2.fedcirc.gov/incident_notes/IN-99-03.html
   6. http://www2.fedcirc.gov/tech_tips/CIH_FAQ.html
   7. http://www2.fedcirc.gov/incident_notes/IN-99-02.html
   8. http://www2.fedcirc.gov/advisories/CA-99-02-Trojan-Horses.html
   9. http://www2.fedcirc.gov/advisories/CA-96.21.tcp_syn_flooding.html
  10. http://www2.fedcirc.gov/tech_tips/denial_of_service.html
  11. http://www.cert.org/incident_notes/IN-99-01.html
  12. http://www.cert.org/incident_notes/IN-98-06.html
  13. http://www.cert.org/incident_notes/IN-98-05.html
  14. http://www.cert.org/incident_notes/IN-98.04.html
  15. http://www.cert.org/incident_notes/IN-98.02.html
  16. http://www.cert.org/advisories/CA-98.12.mountd.html
  17. http://www.cert.org/advisories/CA-98.09.imapd.html
  18. http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
  19. http://www.allaire.com/security/
  20. http://www.microsoft.com/security/products/iis/checklist.asp
  21. http://www.cert.org/nav/whatsnew.html
  22. http://www2.fedcirc.gov/advisories/FA-99-06.html
  23. mailto:fedcirc@fedcirc.gov
  24. http://www2.fedcirc.gov/keys.html
  25. http://www.fedcirc.gov/
  26. http://www.cert.org/legal_stuff.html