Educause Security Discussion mailing list archives

cyber alert level raised


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 22 Apr 2004 19:24:09 -0500

In response to observed active exploit[1] of the PCT vulnerability[2], announced in Microsoft Bulletin MS04-011[3], 
some AV vendors have raised alert status. The IT-ISAC reports that some IDS are "detecting and blocking attacks against 
many institutions. The attacks are attempting to steal data and/or break into payment systems."

US-CERT reports that it is "aware of network activity that is consistent with scanning and/or exploit attempts against 
this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs 
over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp."

REN-ISAC monitoring of port 443 traffic[4] on the Internet2 Abilene network does indicate elevated levels of activity.

According to the US-CERT overview of the vulnerability: "A vulnerability exists in the Private Communications Transport 
(PCT) protocol, which is part of the Microsoft Secure Sockets Layer (SSL) library. Exploitation of this vulnerability 
may permit a remote attacker to compromise the system. An exploit for this issue is currently being used to compromise 
vulnerable systems running SSL-enabled IIS 5.0. Note the vulnerability exists in any SSL-enabled program which is 
running on vulnerable Windows systems. Windows 2003 Server is not affected if PCT is disabled."

MS04-011 is effective in patching against the exploit.

[1] http://www.us-cert.gov/current/current_activity.html#pct
[2] http://www.kb.cert.org/vuls/id/586540
[3] http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
[4] http://www.ren-isac.net/monitoring/port.cgi?port-443


Regards,

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630
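
The port pattern quoted from US-CERT above (traffic to 443/tcp, then a connection on 31337/tcp) can be checked for in flow records. The following is an added example, not part of the original message or any REN-ISAC tooling; the CSV flow format, the 10-minute window and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample flow records (documentation address ranges), not real traffic.
# Columns: start time, source IP, source port, destination IP, destination port
SAMPLE_FLOWS = """\
2004-04-22T18:01:10,198.51.100.7,40112,192.0.2.10,443
2004-04-22T18:01:12,198.51.100.7,40113,192.0.2.10,31337
2004-04-22T18:05:00,203.0.113.5,51200,192.0.2.20,443
2004-04-22T18:30:00,203.0.113.9,51300,192.0.2.30,31337
2004-04-22T19:00:00,198.51.100.8,40500,192.0.2.40,443
2004-04-22T19:02:30,192.0.2.40,1045,198.51.100.8,31337
"""

def parse_flows(text):
    """Parse CSV flow lines into (time, src, sport, dst, dport) tuples, sorted by time."""
    rows = []
    for ts, src, sport, dst, dport in csv.reader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return sorted(rows)

def correlate(flows, window=timedelta(minutes=10)):
    """Return hosts that received 443/tcp and then took part in a 31337/tcp flow.

    The alert gives no direction for the 31337/tcp connection, so a flow with
    destination port 31337 counts whether the server is its source or destination.
    """
    last_443 = {}   # server IP -> time of most recent inbound 443/tcp flow
    alerts = []
    for ts, src, sport, dst, dport in flows:
        if dport == 443:
            last_443[dst] = ts
        elif dport == 31337:
            for server, peer in ((dst, src), (src, dst)):
                seen = last_443.get(server)
                if seen is not None and ts - seen <= window:
                    alerts.append({"server": server, "peer": peer,
                                   "https_seen": seen, "shell_port_seen": ts})
    return alerts

if __name__ == "__main__":
    for a in correlate(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['server']}: 31337/tcp with {a['peer']} "
              f"{(a['shell_port_seen'] - a['https_seen']).seconds}s after inbound 443/tcp")
```

A hit is a lead for checking whether the host runs SSL-enabled services and has MS04-011 applied, not proof of compromise.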
