Management Summary

g0dzg1ft

HoneyNet Research Group

Ready Response/ISSO

Revision History
Revision 1.0    23rd May 2002    Revised by: _0bfu5cati0n
Release Version

Management Summary

Date : 27th May 2002
From : tigerteam@honeyp.edu on behalf of g0dzg1ft
To : important.managers@honeyp.edu
CC : SEC_DEPT
BCC : Sunzi@honeyp.edu; 0bfu5cati0n@honeyp.edu
Subject : New Exploit Information

As promised in my earlier email, please find below the information about the new tool we have captured lurking on one of our systems. I have tried to conform to "layman" terms as much as possible, but if anyone would like this explained further, please do not hesitate to contact us.

Summary

This tool is designed to run on the Linux platform, and affected us because of a redundant server which was still internet active. It will not (and cannot) affect the normal systems used on a day-to-day basis, because they are running Microsoft operating systems.

This means that the corporate systems are not at risk from this tool being installed on them; however, it could affect these systems if it were used to attack them. The likelihood of such an event happening is, in our opinion, low because of the security setup we have. If these measures were not in place, we would consider this to be a high risk.

We feel that only minor changes need to take place within our environment to further protect us, and these are being carried out by sunzi as we speak.

Background

On the 6th May this year, we discovered that one of our systems had been compromised. Although this system is essentially a non-production server attached to the internet, we felt it necessary to investigate because of the sheer volume of traffic we could see being transmitted. The "unidentified" binary discovered does not yet appear on any of the vulnerability sites; I therefore presume it to be a hybrid of an existing tool (or a combination of tools) developed by the blackhat community.

The mechanics of this tool have been found to be of a very malicious nature, as its intention is to carry out denial of service attacks (further information can be found in last month's "vulnerability" report). The tool carries the types of attack detailed below:

o Ping of death
o Reflective DNS attack
o DNS Amplification Attack
o Land Attack
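For the security department, an added example (not part of this report or of the captured binary) of how the four attack types listed above can be recognised in traffic on the network side: it walks a list of packet records and flags each signature. The record keys, the sample packets and the amplification threshold are assumptions constructed for the example.

```python
# Added example, not part of the original report: flags the four DoS
# signatures named above in packet records (constructed dicts, not captures).
from collections import defaultdict

MAX_IP_DATAGRAM = 65535   # largest legal IP datagram; more is a "ping of death"
AMPLIFICATION_RATIO = 3.0 # response/query byte ratio treated as suspicious (assumed)

def classify_packet(pkt, seen_queries):
    """Return signature names matching one record; seen_queries holds (client, resolver) pairs."""
    hits = []
    # Land attack: source and destination address and port are identical.
    if pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport"):
        hits.append("land")
    # Ping of death: ICMP datagram whose reassembled size exceeds the IP maximum.
    if pkt["proto"] == "icmp" and pkt["length"] > MAX_IP_DATAGRAM:
        hits.append("ping_of_death")
    # Reflective DNS: a response arrives at a host that never sent the query.
    if pkt["proto"] == "udp" and pkt.get("sport") == 53 and pkt.get("dns_response"):
        if (pkt["dst"], pkt["src"]) not in seen_queries:
            hits.append("dns_reflection")
    return hits

def scan(packets):
    """Walk records in order; track outbound queries and per-pair byte counts."""
    seen_queries, alerts = set(), []
    query_bytes, response_bytes = defaultdict(int), defaultdict(int)
    for pkt in packets:
        if pkt["proto"] == "udp" and pkt.get("dport") == 53:
            seen_queries.add((pkt["src"], pkt["dst"]))
            query_bytes[(pkt["dst"], pkt["src"])] += pkt["length"]
        if pkt["proto"] == "udp" and pkt.get("sport") == 53:
            response_bytes[(pkt["src"], pkt["dst"])] += pkt["length"]
        alerts += [(sig, pkt["src"], pkt["dst"]) for sig in classify_packet(pkt, seen_queries)]
    for (resolver, client), rbytes in response_bytes.items():
        qbytes = query_bytes.get((resolver, client), 0)
        # Amplification: far more response bytes than the client's queries sent.
        if qbytes and rbytes / qbytes >= AMPLIFICATION_RATIO:
            alerts.append(("dns_amplification", resolver, client))
    return alerts

SAMPLE_PACKETS = [  # constructed records, not captured traffic
    {"src": "10.0.0.5", "dst": "10.0.0.5", "proto": "tcp", "sport": 139, "dport": 139, "length": 40},
    {"src": "10.0.0.9", "dst": "10.0.0.7", "proto": "icmp", "length": 65540},
    {"src": "10.0.0.7", "dst": "10.0.0.53", "proto": "udp", "sport": 4000, "dport": 53, "length": 60},
    {"src": "10.0.0.53", "dst": "10.0.0.7", "proto": "udp", "sport": 53, "dport": 4000,
     "length": 500, "dns_response": True},
    {"src": "10.0.0.54", "dst": "10.0.0.8", "proto": "udp", "sport": 53, "dport": 4000,
     "length": 400, "dns_response": True},
]
```

Calling scan(SAMPLE_PACKETS) yields one alert per signature: land, ping_of_death, dns_reflection and dns_amplification.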

The above attacks are all carried out using different payloads (the amount of data transmitted), and should it have been used against one of our main sites, it would have removed our internet presence. Our team are currently documenting the advisory to submit it to the relevant vulnerability information sites (see "Vulnerability sources.doc" sent in a previous email) and reviewing our firewall filtering rules to attempt to decrease the likelihood of us being subject to this type of attack. Although we cannot fully protect ourselves from these types of attacks, we can make sure that they are less likely to affect us.

Even though this is a new type of tool, it does not increase the likelihood of us being subject to a denial of service attack. There are plenty of malicious tools already in existence with similar features and capabilities, so the chances of such an attack remain the same as set out in last month's report.

If you are unsure about any content of this email, or require further information, please give any of our team a call.

Thanks for your time,

g0dzg1ft

Network Intrusion Specialist
Honeyp.edu Tiger Team
Email : g0dzg1ft@honeyp.edu
Ext : 999 or, if not available, 911