[Snort-users] IDS signatures for alert released by SANS/CIS today? (03/08/01)

Beckster beckster at ...1127...
Thu Mar 8 17:18:42 EST 2001


Howdy all,

I participated in the CIS conference call that took place this
afternoon and one of the questions was what IDS's offer signatures for
these exploits?  No one was able to answer the question and Alan Paller
said he would be in touch with Marty to inquire about Snort's
capabilities.  Sadly I could not provide any info...*head hanging*

Anyway, I wanted to give you all a heads up - see the announcement
below.

Regards,
Becky

Large Criminal Hacker Attack on Windows NT E-Banking and E-
Commerce Sites

2:10 PM EST March 08, 2001

In the largest criminal Internet attack to date, a group of 
Eastern European hackers has spent a year systematically 
exploiting known Windows NT vulnerabilities to steal customer 
data. More than a million credit cards have been taken and more 
than 40 sites have been victimized.

The FBI and Secret Service are taking the unprecedented step of 
releasing detailed forensic information from ongoing 
investigations because of the importance of the attacks.

This note is being sent to SANS Institute alumni before the 
information becomes public so you can check and patch your 
systems before copycat criminals appear.

The Center for Internet Security will be releasing a tool that 
automatically checks your systems for the vulnerabilities and 
also looks for files the FBI has found present on many 
compromised systems. 

The Center's tools are normally available only to members, but 
because of the importance of the problem, the Center agreed to 
make it available to all who need it.  Center members have 
already received an invitation to the conference call this 
afternoon to get more data on the attack. If your organization is 
not a member, we encourage you to join in this important 
initiative to fight back against computer crime. See 
www.cisecurity.org for a list of members and how to join.

Here's the data available so far.

Over the past several months, the National Infrastructure 
Protection Center (NIPC) has been coordinating investigations 
into a series of organized hacker activities specifically 
targeting U.S. computer systems associated with e-commerce or e-
banking.  Despite previous advisories, many computer owners have 
not patched their systems, allowing these kinds of attacks to 
continue, and prompting this updated release of information.  

More than 40 victims located in 20 states have been identified 
and notified in ongoing investigations in 14 Federal Bureau of 
Investigation Field Offices and 7 United States Secret Service 
Field Offices.  These investigations have been closely 
coordinated with foreign law enforcement authorities, and the 
private sector.  Specially trained prosecutors in the Computer 
and Telecommunication Coordinator program in U.S. Attorneys' 
Offices in a variety of districts have participated in the 
investigation, with the assistance of attorneys in the Computer 
Crime and Intellectual Property Section at the Department of 
Justice.                        

The investigations have disclosed several organized hacker groups 
from Eastern Europe, specifically Russia and the Ukraine, that 
have penetrated U.S. e-commerce computer systems by exploiting 
vulnerabilities in unpatched Microsoft Windows NT operating 
systems.  These vulnerabilities were originally reported and 
addressed in Microsoft Security Bulletins MS98-004 (re-released 
in MS99-025), MS00-014, and MS00-008.  As early as 1998, 
Microsoft discovered these vulnerabilities and developed and 
publicized patches to fix them.  Computer users can download 
these patches from Microsoft for free.  

Once the hackers gain access, they download proprietary 
information, customer databases, and credit card information. The 
hackers subsequently contact the victim company through 
facsimile, email, or telephone.  After notifying the company of 
the intrusion and theft of information, the hackers make a veiled 
extortion threat by offering Internet security services to patch 
the system against other hackers.  They tell the victim that 
without their services, they cannot guarantee that other hackers 
will not access the network and post the credit card information 
and details about the compromise on the Internet.  If the victim 
company is not cooperative in making payments or hiring the group 
for their security services, the hackers' correspondence with the 
victim company has become more threatening.  Investigators also 
believe that in some instances the credit card information is 
being sold to organized crime groups.   There has been evidence 
that the stolen information is at risk whether or not the victim 
cooperates with the demands of the intruders.  To date, more than 
one million credit card numbers have been stolen.

The NIPC has issued an updated Advisory 01-003 at www.nipc.gov 
regarding these vulnerabilities being exploited.  The update 
includes specific file names that may indicate whether a system 
has been compromised.  If these files are located on your 
computer system, the NIPC Watch in Washington D.C. should be 
contacted at (202) 323-3204/3205/3206.  Incidents may also be 
reported online at www.nipc.gov/incident/cirr.htm. For detailed 
information on the vulnerabilities that are being exploited, 
please refer to the NIPC Advisory 00-60, and NIPC Advisory 01-
003. 


NIPC ADVISORY 01-003

This advisory is an update to the NIPC Advisory 00-060, "E-
Commerce Vulnerabilities", dated December 1, 2000.   Since the 
advisory was published, the FBI has continued to observe hacker 
activity targeting victims associated with e-commerce or e-
finance/banking businesses.  In  many cases, the hacker activity 
had been ongoing for several months before the victim became 
aware of the intrusion.   The NIPC emphasizes the recommendation 
that all computer network systems administrators check relevant 
systems and consider applying the updated patches as necessary, 
especially for systems related to e-commerce or e-
banking/financial businesses.  The patches are available on 
Microsoft=s web site, and users should refer to the URLs listed 
below.

The following vulnerabilities have been previously reported:  

Unauthorized Access to IIS Servers through Open Database 
Connectivity (ODBC) Data Access with Remote Data Service (RDS):
Systems Affected:  Windows NT running IIS with RDS enabled.
Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes 
99-22

http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
http://www.nipc.gov/warnings/advisories/1999/99-027.htm,
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary:  Allows unauthorized users to execute shell commands on 
the IIS system as a privileged use; Allows unauthorized access to 
secured, non-published files on the IIS system; On a multi-homed 
Internet-connected IIS systems, using Microsoft Data Access 
Components (MDAC), allows unauthorized users to tunnel Structured 
Query Language (SQL) and other ODBC data requests through the 
public connection to a private back-end network.

SQL Query Abuse Vulnerability
Affected Software Versions:  Microsoft SQL Server Version 7.0 and 
Microsoft Data Engine (MSDE) 1.0
Details:  Microsoft Security Bulletin MS00-14, NIPC CyberNotes 
20-05

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary:  The vulnerability could allow the remote author of a 
malicious SQL query to take unauthorized actions on a SQL Server 
or MSDE database.

Registry Permissions Vulnerability
Systems Affected:  Windows NT 4.0 Workstation, Windows NT 4.0 
Server
Details:  Microsoft Security Bulletin MS00-008, NIPC CyberNotes 
20-08 and 20-22


http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
http://www.nipc.gov/cybernotes/cybernotes.htm
Summary: Users can modify certain registry keys such that:
"       a malicious user could specify code to launch at 
system crash
"       a malicious user could specify code to launch at 
next login
"       an unprivileged user could disable security 
measures

Web Server File Request Parsing

While they have not been shown to be a vector for the current 
attacks, Microsoft has advised us that the vulnerabilities 
addressed by Microsoft bulletin MS00-086 are very serious, and we 
encourage web site operators to consider applying the patch 
provided with this bulletin as well as the three that are under 
active exploitation.

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary:  The vulnerability could allow a malicious user to run 
system commands on a web server.

New Information:  In addition to the above exploits, several 
filenames have been identified in connection with the intrusions, 
specific to Microsoft Windows NT systems.  The presence of any of 
these files on your system should be reviewed carefully because 
they may indicate that your system has been compromised:
ntalert.exe
sysloged.exe
tapi.exe
20.exe
21.exe
25.exe
80.exe
139.exe
1433.exe
1520.exe
26405.exe
i.exe

In addition, system administrators may want to check for the 
unauthorized presence of any of the following executable files, 
which are often used as hacking tools:
lomscan.exe
mslom.exe
lsaprivs.exe 
pwdump.exe
serv.exe 
smmsniff.exe

Recipients of this Advisory are encouraged to report computer 
crime to the NIPC Watch at (202) 323-3204/3205/3206.  Incidents 
may also be reported online at  www.nipc.gov/incident/cirr.htm.




More information about the Snort-users mailing list