Educause Security Discussion mailing list archives

Increased activity targeting MS03-032


From: Phil Rodrigues <Phil.Rodrigues () UCONN EDU>
Date: Thu, 2 Oct 2003 15:02:08 -0400

(I am never sure of the cross-talk between here and UNISOG, but I get the
sense some people only read this, so...)

Hi all,

We are seeing an increasing number of hosts infected through the IE flaw
discussed in MS03-032.  The current MS patch does *not* protect versus
this, or as the CERT says "The CERT/CC is unaware of a complete solution
for this vulnerability".  Symantec and NAI have classified the current
activity as a Trojan, but Symantec does not currently automatically
protect against this (and does not plan to until 10-08 as of this
writing).

http://vil.nai.com/vil/content/v_100719.htm
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

The CERT put out an update about this activity yesterday:

http://www.cert.org/incident_notes/IN-2003-04.html

This is a simple table of the # of unique hosts at UConn that have sent
port 53 traffic to the 3 "bad DNS" servers (referenced in Full-Disclosure)
per day:

09-25 000
09-26 006
09-27 015
09-28 050
09-29 097
09-30 136
10-01 177
10-02 136 (so far)

Look for outbound 53/udp traffic to these servers to see how many hosts
are infected in your network:

216.127.92.38
69.57.146.14
69.57.147.175

Maybe these as well:

207.44.194.56
64.191.59.85
64.191.95.139

To be clear: the MS03-032 patch does *not* protect against this
vulnerability.  MS has stated they will patch vs this (on cnn) but did not
give a date.  Good luck!

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues () uconn edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
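The detection the message above suggests (count the unique internal hosts per day that send outbound UDP/53 to the listed "bad DNS" addresses) as a small script. This is an added example, not part of the original post or of any UConn tooling; it assumes a simple whitespace-separated flow-log format (`date time src_ip dst_ip proto dst_port`), and the sample log lines and 10.x.x.x host addresses are constructed for illustration.

```python
"""Count unique hosts per day that talked UDP/53 to the servers listed in the post.

Added example, not from the original message. Assumed (hypothetical) input
format per line: 'YYYY-MM-DD HH:MM:SS src_ip dst_ip proto dst_port'.
"""
from collections import defaultdict

# Addresses quoted in the post as the three "bad DNS" servers.
BAD_DNS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}
# Addresses the post lists as "maybe these as well"; tracked separately.
SUSPECT_DNS = {"207.44.194.56", "64.191.59.85", "64.191.95.139"}


def parse_line(line):
    """Parse one flow-log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, _time, src, dst, proto, dport = parts
    try:
        dport = int(dport)
    except ValueError:
        return None
    return {"date": date, "src": src, "dst": dst,
            "proto": proto.lower(), "dport": dport}


def matches(rec, servers):
    """True when the record is outbound UDP/53 to one of the watched servers."""
    return (rec is not None and rec["proto"] == "udp"
            and rec["dport"] == 53 and rec["dst"] in servers)


def count_hosts_per_day(lines, servers=BAD_DNS):
    """Return {date: number of unique source hosts} in the same shape as the post's table."""
    hosts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if matches(rec, servers):
            hosts[rec["date"]].add(rec["src"])
    return {day: len(srcs) for day, srcs in sorted(hosts.items())}


def infected_hosts(lines, servers=BAD_DNS):
    """Return the sorted list of source hosts that contacted the watched servers."""
    return sorted({rec["src"] for rec in map(parse_line, lines)
                   if matches(rec, servers)})


# Constructed sample flow log: two matching hosts on 09-27, one on 09-26,
# plus traffic that must NOT count (internal resolver, TCP, wrong port, junk).
SAMPLE_LOG = """\
2003-09-26 10:01:02 10.1.2.3 216.127.92.38 udp 53
2003-09-26 10:05:00 10.1.2.3 69.57.146.14 udp 53
2003-09-26 11:00:00 10.1.2.4 10.0.0.53 udp 53
2003-09-26 12:00:00 10.1.2.5 216.127.92.38 tcp 80
2003-09-27 09:00:00 10.1.2.3 69.57.147.175 udp 53
2003-09-27 09:30:00 10.1.2.6 69.57.147.175 udp 53
2003-09-27 09:45:00 10.1.2.7 207.44.194.56 udp 53
this line is malformed and is skipped
2003-09-27 10:00:00 10.1.2.8 216.127.92.38 tcp 53
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    # Print a per-day table in the same style as the post.
    for day, n in count_hosts_per_day(SAMPLE_LINES).items():
        print(f"{day[5:]} {n:03d}")
    print("hosts to check:", ", ".join(infected_hosts(SAMPLE_LINES)))
    print("suspect-list only:", count_hosts_per_day(SAMPLE_LINES, SUSPECT_DNS))
```

Counting unique sources rather than packets matters here: an infected host will query repeatedly, so raw packet counts overstate the spread. Run the same function with `SUSPECT_DNS` to see whether the "maybe" addresses are also in use on your network before treating them as confirmed.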
