[Dshield] CA eTrust TARGET Advisory - Monitoring New "Attack"Activity

Thor Larholm thor at pivx.com
Wed Oct 1 22:21:33 GMT 2003

This is caused by an exploit based on the Object Data vulnerability
variant which still remains unpatched. Once infected, the users HOSTS
file is changed to redirect mistyped queries and his DNS server settings
are changed.


Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities

-----Original Message-----
From: Kenton Smith [mailto:ksmith at chartwelltechnology.com] 
Sent: Wednesday, October 01, 2003 2:45 PM
To: list at dshield.org
Subject: [Dshield] CA eTrust TARGET Advisory - Monitoring New

Anyone have any insight on this? I don't run any Windows DNS servers
externally, however it looks as though this happens through IE, so may
affect any Windows DNS server.

They list a CERT advisory note - IN-2003-04, but this doesn't say
anything specifically about the DNS thing.


Computer Associates
Channel Flash

Virus Information CenterSecurity Advisory:
eTrust TARGET Tracking 
Suspicious Network Activity
Computer Associates (CA) eTrust Threat Analysis and Response Global
Emergency Team (TARGET) is currently tracking and researching a new
suspicious network activity that has received some attention on
NTBugTraq. This suspicious activity involves involuntary changes to the
DNS server settings on Windows 2000 and XP (not an exhaustive list). 

At this time, we are advising our customers to monitor for such
suspicious changes and report them to our support organization.
Additionally, monitoring the Windows Registry on critical servers for
changes is another potential warning that this activity is affecting
your network. Early analysis indicates this change may be the result of
the execution of a script after visiting a certain website. 

Please visit the eTrust TARGET Information Center for additional
information as CA's global research teams tracks this activities

eTrust TARGET - Islandia, NY


If you would like us to remove your name from this mail list, please
send an email to listserv at listserv.ca.com with the text "SIGNOFF
Channel-Partner" in the body of the email and leave the Subject field
Computer Associates

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list