[Dshield] Back to InfoCon Green

Johannes B. Ullrich jullrich at sans.org
Tue Aug 16 01:07:54 GMT 2005

As of Tuesday, 1:45 AM GMT (Monday 20:45 EDT), we moved back to infocon

We moved to 'Yellow' on Friday, after we saw a number of exploits
released for last week's Microsoft Windows vulnerabilities, in particular
MS05-039 (PnP), which is exploitable remotely.

As expected, we did see various bots, in particular 'Zotob' take
advantage of this vulnerability. At this point, the situation is however
static. New bot variations keep getting developed, but they do not add
any fundamental new variation of the exploit. We expect that most
exploitable systems have been compromised at this point.

The last week showed once more that there is no more patch window.
Defense in depth is your only chance to survive the early release of
malware. In this particular case, three distinct best practices can
mitigate the vulnerability:

- close port 445 at least at the perimeter.
- patch systems quickly.
- eliminate NULL sessions.

None of these measures is perfect, and some may not be applicable
to your network (e.g., you may require NULL sessions in some circumstances).
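As an added example (not part of the original diary), the following PowerShell audit checks a Windows host against two of the three practices above: whether the LSA registry values that restrict NULL (anonymous) sessions are set, and whether any enabled host-firewall rule still allows inbound TCP/445. It assumes a current Windows host with the NetSecurity module; the registry value names are the standard LSA ones, and the expected values are the hardened settings, which you may need to relax if your network requires NULL sessions.

```powershell
# Added audit example; assumes the NetSecurity module and standard LSA value names.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Hardened targets: RestrictAnonymous=1 (no anonymous enumeration of SAM
# accounts and shares), RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0
# (anonymous logons are not members of Everyone).
$wanted = @{
    RestrictAnonymous         = 1
    RestrictAnonymousSAM      = 1
    EveryoneIncludesAnonymous = 0
}

function Test-NullSessionHardening {
    $current  = Get-ItemProperty -Path $lsa
    $findings = @()
    foreach ($name in $wanted.Keys) {
        $actual = $current.$name
        if ($null -eq $actual) { $actual = '(not set)' }   # missing value = OS default
        $findings += [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $wanted[$name]
            OK       = ($actual -eq $wanted[$name])
        }
    }
    return $findings
}

function Get-InboundSmbAllowRules {
    # Any enabled inbound Allow rule bound to TCP/445 exposes SMB on that profile.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Profile
}

Test-NullSessionHardening | Format-Table -AutoSize
$open = Get-InboundSmbAllowRules
if ($open) {
    'Inbound TCP/445 is still allowed by these rules:'
    $open | Format-Table -AutoSize
} else {
    'No enabled inbound Allow rule for TCP/445 on this host.'
}
```

Run it in an elevated session; the host firewall check does not cover the perimeter firewall, which must be verified separately.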

Another development brought to conclusion in this event is the lesser
importance of 'worms' with respect to more sophisticated 'bots'. We
received a number of bots using the PnP vulnerability. Antivirus
scanners did not identify most of them. In many cases, the same bot was
packed differently, or some functions were added to evade detection.

Malware can only develop as fast as it is developing in this case
because of extensive code sharing in the underground. The only way we
can keep up with this development is by sharing information just as
efficiently. Being able to do so openly will only make this sharing
easier. Please join our effort, and share future observations with
us. We will continue to turn them over quickly and make them available
via our diaries for everybody to read and to learn from.

I would like to thank in particular handlers Lorna and Tom for their
extensive analysis of all the malware submitted.

Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.
