Remember Zotob? In Internet-Security time, it was a long long time ago. Almost 2 months now. The Friday before Zotob hit the news we went to infocon yellow, in order to warn people about the upcoming storm.
Now this week started in a very similar way, with a large number of microsoft patches. In particular the MS DTC vulnerability (MS05-051) has a lot of promisse. Like the PnP vulnerability used for Zotob, it could target Win2k quite efficiently. At this point, the only thing missing is a widely available exploit, but given that there are a number of private/commercial exploits, a public one is probably right around the corner.
So what should you do today before you head home for the weekend:
The obvious thing is to apply patch MS05-051 on at least your Win2k systems. We do know the port 3372 scanning started in full force, likely in order to acquire target lists. If you can't patch, at least make sure port 3372 is closed. Windows 2000 does not come with its own host based firewall. But you can use IPSec policies to acchive the same effect. See this paper by David Taylor for details.
What will happen this weekend? I invited other handlers to add their own opinions/predications to this story. In my opinion, we will not see widespread exploits. This can change quickly, but is also dangerous in its own way. Zotob showed very nicely how an exploit will not get too much attention until it hits a couple of high profile targets. The scenario I am most afraid of is the use of an exploit by a small group to attack high value targets. Remember the "russian key logger" episode (Berbew)? A group exploited a number of well known web sites using the IIS ssl vulnerability, and came back months later to plant an Internet Explorer exploit. We are "ripe" for a repeat of this scenario, in particular the rich selection of new client exploits released.
What should you do this weekend? Stay close to your pager. In particular, don't consider yourself safe as long as CNN isn't reporting about it. Make sure your IDS is setup with MS05-051 signatures, see if you can just log all port 3372 traffic. Use the rest of today to collect some data so you have a baseline if things turn bad. I don't like to recommend to turn systems off. but well, there is nothing more secure then a system diconnected from power.
Please use our forum to share your own opinions and predictions.
I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019
Oct 14th 2005
1 decade ago