[Dshield] [Fwd: Potential Internet Attack Targeting Microsoft Beginning August 16, 2003]

Jon R. Kibler Jon.Kibler at aset.com
Fri Aug 15 19:53:16 GMT 2003

I know that this is nothing new, but I thought that you may like to see the DHS announcement that the CIA is distributing regarding the DDOS attacks by the worm.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA

stephfa at ncix.gov wrote:
>                                DHS Advisory 
>         Potential Internet Attack Targeting Microsoft Beginning August 16, 2003 
>                                 OVERVIEW
> The National Cyber Security Division (NCD) of the DHS / Information Analysis and Infrastructure
> Protection Directorate is issuing this advisory to heighten awareness of potential Internet
> disruptions beginning August 16, 2003.  An Internet worm dubbed "msblast", "lovesan", or
> "blaster" began spreading on August 11th that takes advantage of a recently announced
> vulnerability in computers running some versions of the Microsoft Windows operating system. 
> DHS addressed this issue in an advisory available at
> http://www.dhs.gov/interweb/assetlibrary/Advisory_Internet_Impact_MS2.PDF. NCD would like
> to highlight that this worm contains additional code which may cause infected computers to attempt
> repetitive connections to a popular Microsoft web site, www.windowsupdate.com beginning just
> after midnight on the morning of August 16th. 
>                                   IMPACT
> Because of the significant percentage of infected computers using high speed connections to the
> Internet (DSL or cable for example) the conditions exist for a phenomena known as a distributed
> denial of service (DDoS) attack against the Microsoft web site beginning on August 16th.  Steps
> are being taken by Microsoft and by Internet Service Providers to mitigate the impact of the
> DDoS.  Owners of computers infected by the worm may experience a general slowness of their
> computer along with difficulty in connecting to Internet sites or local network resources.  Systems
> that are still infected on August 16th may stop spreading the worm and may begin flooding the
> Microsoft Update site with repeated connection requests.  Other customers who attempt to use the
> site to update their Microsoft Windows operating systems on or after August 16th might
> experience slowness in response or inability to connect to the update site. 
>                                  DETAILS
> Windowsupdate.com is used as a starting point for users of Microsoft Windows operating systems
> for software updates.  The code in the worm instructs infected computers to repeatedly connect to
> that site beginning on the 16th of August.  Starting on January 1, 2004, the worm will switch to
> cyclic behavior in which it attacks the Microsoft web site from the 16th of each month to the end of
> the month.  Between the 1st and 15th of the month, infected computers may attempt to scan for
> other vulnerable systems in order to spread the worm.  The worm uses the clock in the infected
> computer to determine when to start and stop; therefore Microsoft may begin seeing attacks on the
> morning of the 15th due to time zone differences around the world.  This pattern of spreading from
> the 1st to the 15th and flooding Microsoft between the 16th and the end of the month may continue
> indefinitely. 
>                            RECOMMENDATIONS
> The worm takes advantage of a serious vulnerability in several versions of the Microsoft Windows
> operating system.  DHS encourages system administrators and computer owners to update
> vulnerable versions of Microsoft Windows operating systems as soon as possible before August
> 15th. 
> Details on which computers are vulnerable and instructions for cleaning infected computers are
> available at http://www.microsoft.com/security/incident/blast.asp. 
> DHS also encourages system administrators and computer owners to update antivirus software
> with the latest signatures available from their respective software vendor. 
> In order to limit the spreading of the worm, DHS further suggests that Internet Service Providers
> and network administrators consider blocking TCP 
> and UDP ports 69, 135, 139, 445, and 4444 for inbound connections unless absolutely needed
> for business or operational purposes. 
> DHS encourages recipients of this Advisory to report information concerning suspicious or criminal
> activity to local law enforcement, local FBI's Joint 
> Terrorism Task Force (in Washington, DC/Northern Virginia; (202) 278-2000) or the Homeland
> Security Operations Center (HSOC).  The HSOC may be contacted at:   Phone: (202) 282-8101.
> DHS intends to update this advisory should it receive additional relevant information, including
> information provided to it by the user community. 
> Based on this notification, no change to the Homeland Security AdvisorySystem (HSAS) level is
> anticipated; the current HSAS level is YELLOW. 

More information about the list mailing list