Ready Response/ISSO
Copyright © 2002 by HoneyNet Research Group Ready Response/ISSO
Revision History

| Revision | Date | Revised by |
|---|---|---|
| Revision 1.0 | 23rd May 2002 | _0bfu5cati0n |
| Release Version | | |
Date : 27th May 2002
From : tigerteam@honeyp.edu on behalf of g0dzg1ft
To : important.managers@honeyp.edu
CC : SEC_DEPT
BCC : Sunzi@honeyp.edu; 0bfu5cati0n@honeyp.edu
Subject : New Exploit Information

As promised in my earlier email, please find below the information about the new tool
we have captured lurking on one of our systems. I have tried to conform to "layman" terms
as much as possible, but if anyone would like this explained further please do not hesitate
to contact us.
Summary
This tool is designed to run on the Linux platform, and affected us due to a redundant server
which was still internet active. It will not / cannot affect the normal systems used on a day to
day basis due to the fact that they are running Microsoft operating systems.
This means that the corporate systems are not at risk from this tool being installed; however,
it could affect these systems if it is used to attack them. The likelihood of such an event
happening is, in our opinion, low due to the security setup we have. If these were not in
place, we would consider this to be a high risk.
We feel that there are only minor changes that need to take place within our environment
to further protect us, and these are being carried out by Sunzi as we speak.
Background
On the 6th May this year, we discovered that one of our systems had been compromised.
Although this system is essentially a non production server attached to the internet,
we felt it necessary to investigate this due to the sheer volume of traffic we could see
being transmitted. The "unidentified" binary discovered does not yet appear on any of the
vulnerability sites, therefore I presume it to be a hybrid of an existing tool (or a
combination of tools) developed by the blackhat community.
The mechanics of this have been found to be of a very malicious nature, as its intention
is to carry out denial of service attacks (further information can be found in last month's
"vulnerability" report). The tool carries the types of attack detailed below:
o Ping of death
o Reflective DNS attack
o DNS Amplification Attack
o Land Attack
The above attacks are all carried out using different payloads (the amount of data
transmitted), and should it have been used against one of our main sites, it would have
removed our internet presence. Our team are currently documenting the advisory to submit
it to the relevant vulnerability information sites (see "Vulnerability sources.doc" sent
in a previous email) and reviewing our firewall filtering rules to attempt to decrease
the likelihood of us being subject to this type of attack. Although we cannot fully
protect ourselves from these types of attacks, we can make sure that these attacks are
less likely to affect us.
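For the technical readers, the following is an added illustration of how a defender can flag the four patterns named above in captured traffic. It is example code written for this write-up, not part of the captured tool or of the tiger team's own tooling; the packet field names, the constructed sample traffic, and the amplification thresholds are assumptions made for the example.

```python
"""Flag the DoS patterns named in the report in a list of packet summaries.

Added example, not part of the original report. Input is a list of constructed
packet summary dicts of the shape an IDS or capture tool could be scripted to
emit; the field names (src, dst, proto, sport, dport, frag_offset, length) are
assumptions for this example. 'length' is the fragment's IP payload length and
'frag_offset' is in 8-byte units, as carried in the IPv4 header.
"""
from collections import defaultdict

MAX_IP_DATAGRAM = 65535  # largest legal IPv4 datagram, including headers


def is_land(pkt):
    """Land attack: source and destination address and port are identical,
    so the victim ends up answering itself."""
    return (pkt["src"] == pkt["dst"]
            and pkt.get("sport") is not None
            and pkt.get("sport") == pkt.get("dport"))


def is_ping_of_death(pkt):
    """Ping of death: an ICMP datagram whose fragments would reassemble to
    more than 65535 bytes, which old IP stacks could not handle."""
    if pkt["proto"] != "icmp":
        return False
    reassembled_end = pkt.get("frag_offset", 0) * 8 + pkt["length"]
    return reassembled_end > MAX_IP_DATAGRAM


def dns_amplification_victims(pkts, min_ratio=5.0, min_responses=3):
    """Reflective / amplified DNS: hosts receiving far more DNS response bytes
    than the query bytes they sent (spoofed queries, large answers).
    Returns {victim_ip: response_to_query_byte_ratio}."""
    query_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    resp_count = defaultdict(int)
    for p in pkts:
        if p["proto"] != "udp":
            continue
        if p.get("dport") == 53:          # query leaving this host
            query_bytes[p["src"]] += p["length"]
        elif p.get("sport") == 53:        # response arriving at this host
            resp_bytes[p["dst"]] += p["length"]
            resp_count[p["dst"]] += 1
    flagged = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        ratio = rb / qb if qb else float("inf")
        if resp_count[host] >= min_responses and ratio >= min_ratio:
            flagged[host] = ratio
    return flagged


def classify(pkts):
    """Return a list of (pattern, detail) findings for a packet list."""
    findings = []
    for p in pkts:
        if is_land(p):
            findings.append(("land", f"{p['src']}:{p['sport']}"))
        if is_ping_of_death(p):
            findings.append(("ping_of_death", f"{p['src']} -> {p['dst']}"))
    for victim, ratio in dns_amplification_victims(pkts).items():
        findings.append(("dns_amplification", f"{victim} ratio={ratio:.1f}"))
    return findings


# Constructed sample traffic (not a real capture): one Land packet, one ICMP
# fragment that overruns 65535 bytes, one normal ICMP fragment, one small DNS
# query and four large DNS responses back to the same host.
SAMPLE = [
    {"src": "10.0.0.5", "dst": "10.0.0.5", "proto": "tcp",
     "sport": 139, "dport": 139, "length": 60},
    {"src": "192.0.2.7", "dst": "10.0.0.9", "proto": "icmp",
     "frag_offset": 8185, "length": 1480},
    {"src": "192.0.2.7", "dst": "10.0.0.9", "proto": "icmp",
     "frag_offset": 0, "length": 1500},
    {"src": "10.0.0.9", "dst": "198.51.100.1", "proto": "udp",
     "sport": 40000, "dport": 53, "length": 60},
] + [
    {"src": f"198.51.100.{i}", "dst": "10.0.0.9", "proto": "udp",
     "sport": 53, "dport": 40000, "length": 3000}
    for i in range(1, 5)
]

if __name__ == "__main__":
    for kind, detail in classify(SAMPLE):
        print(kind, detail)
```

The Land and ping-of-death checks are per-packet and can sit in a firewall rule or IDS signature; the amplification check needs a window of traffic because a single large DNS response is normal, and it is the byte ratio against the host's own queries that makes the pattern stand out.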
Even though this is a new type of tool, it does not increase the likelihood of us being
subject to a denial of service attack. There are plenty of malicious tools already in
existence with similar features and capabilities, so the chances of such an attack remain
the same as set out in last month's report.
If you are unsure about any content of this email, or require further information, please
give any of our team a call.
Thanks for your time,
g0dzg1ft
Network Intrusion Specialist
Honeyp.edu Tiger Team
Email : g0dzg1ft@honeyp.edu
Ext : 999 or if not available, 911