
SANS ISC: ISC returning to Green; Comcast Problems; Microsoft Update Spoof SANS ISC InfoSec Forums


Internet Storm Center Returning to Green

You may have noticed that the InfoCon has returned to Green. We do this not because we think the DNS cache poisoning is solved, but because we now understand the issues and have clear things people should do to protect themselves. Here are the suggestions we have for you:

- add the right key to the registry on NT

  (Note: Windows systems are not protected, even with their magic registry entry, if they trust an upstream DNS system that doesn't clear additional DNS records from the answer to the query.)

- upgrade to the right SP on W2K

- not forward to vulnerable Windows DNS caches

- not forward to pre-BIND9 BIND DNS caches

And a heads-up to ISPs and others running BIND4 and BIND8:

- Please upgrade to BIND9 if you are likely to have people forwarding to you with a MSFT DNS cache.

Thanks to Kyle, Swa, Eric and Donald for their input. You guys are awesome.

A heartfelt thanks to all of you who participated in the research and investigation on this issue. It is because of you and your willingness to assist that we are as successful as we are.
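The note in the list above concerns upstream DNS systems that pass along additional records unrelated to the query. As an added illustration (not code from the ISC or from any DNS vendor), this Python example parses a DNS response and lists the authority and additional records whose owner name falls outside the zone being queried. The zone-suffix rule, the function names and the sample packet are assumptions made for this example.

```python
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii", "replace").lower())
        off += n

def out_of_zone_records(msg, zone):
    """Return (section, owner, type) for authority/additional records outside zone."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    flagged = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen                # fixed RR header + RDATA
            # Assumed rule: zone is lowercase with no trailing dot.
            if section != "answer" and owner != zone and not owner.endswith("." + zone):
                flagged.append((section, owner, rtype))
    return flagged

# Constructed sample: a reply for www.example.test carrying one in-zone and one
# unrelated additional A record (reserved test names, documentation addresses).
def _name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"
def _a(owner, ip):
    return owner + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(ip)

SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 2)
          + _name("www.example.test") + struct.pack("!HH", 1, 1)
          + _a(b"\xc0\x0c", [192, 0, 2, 10])             # answer, compressed owner
          + _a(_name("ns1.example.test"), [192, 0, 2, 53])
          + _a(_name("www.bank.invalid"), [203, 0, 113, 66]))
print(out_of_zone_records(SAMPLE, "example.test"))
```

A forwarder or monitoring sensor could log or drop the flagged records before they reach a cache that trusts its upstream.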

Comcast Problems

We have received a couple of inquiries regarding the unavailability of Comcast. Apparently Comcast is experiencing problems nationwide due to an equipment update. This does not appear to have any connection to the DNS Cache Poisoning that we have been following over the last few days.

The Comcast technical problems should be resolved shortly and all will return to normal.

[Note: additional discussion of this issue is happening at ]

Microsoft Update Spoof

With Microsoft Patch Tuesday looming on the horizon, we thought it wise to alert everyone to a malicious email that is circulating the globe.
"A mass SPAM email has been sent out claiming to be from Microsoft. This email spoofs users into thinking that they must update their Windows software. Upon clicking on the link, users are forwarded to a fraudulent website. This website is hosted in Australia, and was up at the time of this alert."

Clicking the link installs a Trojan program (Wupdate-20050401.exe), which opens a backdoor to your computer.

This is a reminder to everyone, "Microsoft Does NOT Email Update Links".

Deb Hale

Handler on Duty

Apr 8th 2005
