
Management Summary

g0dzg1ft

HoneyNet Research Group

Ready Response/ISSO

Revision History

Revision 1.0, 23rd May 2002, Revised by: _0bfu5cati0n

Release Version

Management Summary

Date : 27th May 2002

From : tigerteam@honeyp.edu on behalf of g0dzg1ft

To : important.managers@honeyp.edu

CC : SEC_DEPT

BCC : Sunzi@honeyp.edu; 0bfu5cati0n@honeyp.edu

Subject : New Exploit Information

As promised in my earlier email, please find below the information about the new tool we have captured lurking on one of our systems. I have tried to conform to "layman" terms as much as possible, but if anyone would like this explaining further please do not hesitate to contact us.

Summary

This tool is designed to run on the Linux platform, and affected us due to a redundant server which was still internet active. It will not and cannot affect the normal systems used on a day to day basis, due to the fact that they are running Microsoft operating systems.

This means that the corporate systems are not at risk from this tool being installed on them; however, it could affect these systems if it were used to attack them. The likelihood of such an event happening is, in our opinion, low due to the security setup we have. If these measures were not in place, we would consider this to be a high risk.

We feel that there are only minor changes that need to take place within our environment to further protect us and these are being carried out by sunzi as we speak.

Background

On the 6th May this year, we discovered that one of our systems had been compromised. Although this system is essentially a non-production server attached to the internet, we felt it necessary to investigate this due to the sheer volume of traffic we could see being transmitted. The "unidentified" binary discovered does not yet appear on any of the vulnerability sites; therefore I presume it to be a hybrid of an existing tool (or a combination of tools) developed by the blackhat community.

The mechanics of this have been found to be of a very malicious nature, as its intention is to carry out denial of service attacks (further information can be found in last months "vulnerability" report). The tool carries the types of attack detailed below :-

o Ping of death

o Reflective DNS attack

o DNS Amplification Attack

o Land Attack

The above attacks are all carried out using different payloads (the amount of data transmitted), and should it have been used against one of our main sites, it would have removed our internet presence. Our team are currently documenting the advisory to submit it to the relevant vulnerability information sites (see "Vulnerability sources.doc" sent in a previous email) and reviewing our firewall filtering rules to attempt to decrease the likelihood of us being subject to this type of attack. Although we cannot fully protect ourselves from these types of attacks, we can make sure that these attacks are less likely to affect us.
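For the technical readers on this list, the following is an added illustration (not part of the captured tool and not code from the original report) of how the four attack classes named above can be picked out of captured traffic while we review the filtering rules. The packet records are constructed by hand to resemble a simplified packet capture export; the local address range, the field names and the detection thresholds are assumptions chosen for the example. The heuristics are the textbook signatures of each attack: a Land packet has identical source and destination host and port, a Ping of Death is an ICMP datagram whose fragments would reassemble beyond the 65535-byte IP limit, and DNS reflection or amplification sends queries to port 53 with a source address that does not belong to the sending host (amplification additionally asks for large answers, e.g. type ANY or a big EDNS buffer).

```python
"""Classify captured packet summaries into the DoS attack classes named
in the report: Land, Ping of Death, DNS reflection, DNS amplification.

Added example, not part of the original report or the captured tool.
All sample data below is constructed by hand.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumption: address range of the compromised (honeynet) host. Outbound
# UDP/53 traffic whose source is outside this range is spoofed.
LOCAL_NET = ip_network("192.168.1.0/24")
MAX_IP_DATAGRAM = 65535      # maximum total length of an IPv4 datagram
AMPLIFY_EDNS_SIZE = 4096     # assumed threshold for "large answer requested"


@dataclass
class Pkt:
    """One captured packet, reduced to the fields the heuristics need."""
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""               # TCP flags, e.g. "S" for SYN
    frag_off: int = 0             # IP fragment offset, in 8-byte units
    length: int = 0               # payload length of this fragment
    dns_qtype: Optional[str] = None   # query type for UDP/53 packets
    dns_edns_size: int = 0        # EDNS0 advertised buffer size (0 = none)


def classify(p: Pkt) -> Optional[str]:
    """Return the attack class of a packet, or None if it looks benign."""
    # Land: forged SYN with source == destination host and port, so the
    # victim ends up talking to itself.
    if p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport:
        return "land"

    # Ping of Death: an ICMP fragment placed so that reassembly would
    # exceed the 65535-byte maximum IP datagram size.
    if p.proto == "icmp" and p.frag_off * 8 + p.length > MAX_IP_DATAGRAM:
        return "ping-of-death"

    # DNS reflection / amplification: queries to port 53 carrying a
    # spoofed (non-local) source, so the answers are reflected to the
    # victim. Amplification additionally requests an oversized answer.
    if p.proto == "udp" and p.dport == 53 and p.dns_qtype is not None:
        spoofed = ip_address(p.src) not in LOCAL_NET
        if spoofed and (p.dns_qtype == "ANY" or p.dns_edns_size >= AMPLIFY_EDNS_SIZE):
            return "dns-amplification"
        if spoofed:
            return "dns-reflection"

    return None


def summarise(packets: List[Pkt]) -> Dict[str, int]:
    """Count packets per attack class; benign packets land in 'benign'."""
    counts: Dict[str, int] = {}
    for p in packets:
        label = classify(p) or "benign"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample capture: the compromised host 192.168.1.20 attacking
# the victim 10.0.0.5, with two ordinary packets mixed in.
SAMPLE: List[Pkt] = [
    Pkt("tcp", "10.0.0.5", "10.0.0.5", 139, 139, flags="S"),              # Land
    Pkt("icmp", "192.168.1.20", "10.0.0.5", frag_off=8180, length=1480),  # 65440 + 1480 > 65535
    Pkt("udp", "10.0.0.5", "198.51.100.53", 1234, 53,
        dns_qtype="ANY", dns_edns_size=4096),                             # amplification
    Pkt("udp", "10.0.0.5", "198.51.100.53", 1234, 53, dns_qtype="A"),     # reflection
    Pkt("udp", "192.168.1.20", "198.51.100.53", 40000, 53, dns_qtype="A"),  # genuine lookup
    Pkt("tcp", "192.168.1.20", "10.0.0.5", 40001, 80, flags="S"),         # ordinary SYN
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.proto:4} {p.src:>14} -> {p.dst:<14} {classify(p) or 'benign'}")
    print(summarise(SAMPLE))
```

The same conditions translate directly into filter rules: drop inbound packets whose source address is one of our own, drop or rate-limit ICMP fragments, and refuse to forward UDP/53 packets whose source is not one of our addresses (egress anti-spoofing), which is the review currently under way.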

Even though this is a new type of tool, it does not increase the likelihood of us being subject to a denial of service attack. There are plenty of malicious tools already in existence with similar features and capabilities, so the chances of such an attack remain the same as set out in last month's report.

If you are unsure about any content of this email, or require further information, please give any of our team a call.

Thanks for your time,

g0dzg1ft

Network Intrusion Specialist

Honeyp.edu Tiger Team

Email : g0dzg1ft@honeyp.edu

Ext : 999 or if not available, 911