Informativos.Net
Independent online outlet since 1999
Technology

LARGE-SCALE HACKER ATTACK ON E-COMMERCE AND ONLINE BANKING SITES EXPLOITING A FLAW IN WINDOWS NT

written by Jose Escribano, March 9, 2001

The FBI and the secret services have taken an unprecedented initiative, analyzing the information and using forensic investigation techniques, given the importance of the attacks.
The information was provided to the SANS community shortly before being made public so that you can secure your systems.

In a couple of days the Center for Internet Security will provide a small utility so that users can check their systems and whether they are vulnerable, as well as look for the files that the FBI has found on several affected systems, so that you will be able to tell whether your system has been used by the hacker group.

The tools developed by the Center are available only to its registered users, but owing to the seriousness of the problem they have agreed to develop a new tool, created by Steve Gibson (of Gibson Research), accessible to anyone who needs it.
Members of the Center have already received an invitation to the conference that will be held to learn more about this attack. If your organization is not yet a member, we encourage you to join this important initiative aimed at fighting computer crime. Visit http://www.cisecurity.org, where you can see a list of registered members and how to join the project.

Alan
Alan Paller
Director of Research
The SANS Institute

We reproduce the original information in English:

Here’s the data available so far.

Over the past several months, the National Infrastructure Protection Center (NIPC) has been coordinating investigations into a series of organized hacker activities specifically targeting U.S. computer systems associated with e-commerce or e-banking. Despite previous advisories, many computer owners have not patched their systems, allowing these kinds of attacks to continue, and prompting this updated release of information.

More than 40 victims located in 20 states have been identified and notified in ongoing investigations in 14 Federal Bureau of Investigation Field Offices and 7 United States Secret Service Field Offices. These investigations have been closely coordinated with foreign law enforcement authorities, and the private sector. Specially trained prosecutors in the Computer and Telecommunication Coordinator program in U.S. Attorneys’ Offices in a variety of districts have participated in the investigation, with the assistance of attorneys in the Computer Crime and Intellectual Property Section at the Department of Justice.

The investigations have disclosed several organized hacker groups from Eastern Europe, specifically Russia and the Ukraine, that have penetrated U.S. e-commerce computer systems by exploiting vulnerabilities in unpatched Microsoft Windows NT operating systems.
These vulnerabilities were originally reported and addressed in Microsoft Security Bulletins MS98-004 (re-released in MS99-025), MS00-014, and MS00-008. As early as 1998, Microsoft discovered these vulnerabilities and developed and publicized patches to fix them.
Computer users can download these patches from Microsoft for free.

Once the hackers gain access, they download proprietary information, customer databases, and credit card information. The hackers subsequently contact the victim company through facsimile, email, or telephone. After notifying the company of the intrusion and theft of information, the hackers make a veiled extortion threat by offering Internet security services to patch the system against other hackers.
They tell the victim that without their services, they cannot guarantee that other hackers will not access the network and post the credit card information and details about the compromise on the Internet. If the victim company is not cooperative in making payments or hiring the group for their security services, the hackers’ correspondence with the victim company has become more threatening. Investigators also believe that in some instances the credit card information is being sold to organized crime groups. There has been evidence that the stolen information is at risk whether or not the victim cooperates with the demands of the intruders. To date, more than one million credit card numbers have been stolen.

The NIPC has issued an updated Advisory 01-003 at http://www.nipc.gov regarding these vulnerabilities being exploited. The update includes specific file names that may indicate whether a system has been compromised. If these files are located on your computer system, the NIPC Watch in Washington D.C. should be contacted at (202) 323-3204/3205/3206.
Incidents may also be reported online at http://www.nipc.gov/incident/cirr.htm.
For detailed information on the vulnerabilities that are being exploited, please refer to the NIPC Advisory 00-60, and NIPC Advisory 01-003.

NIPC ADVISORY 01-003

This advisory is an update to the NIPC Advisory 00-060, "E-Commerce Vulnerabilities", dated December 1, 2000. Since the advisory was published, the FBI has continued to observe hacker activity targeting victims associated with e-commerce or e-finance/banking businesses. In many cases, the hacker activity had been ongoing for several months before the victim became aware of the intrusion. The NIPC emphasizes the recommendation that all computer network systems administrators check relevant systems and consider applying the updated patches as necessary, especially for systems related to e-commerce or e-banking/financial businesses. The patches are available on Microsoft’s web site, and users should refer to the URLs listed below.

The following vulnerabilities have been previously reported:

Unauthorized Access to IIS Servers through Open Database Connectivity (ODBC) Data Access with Remote Data Service (RDS):
Systems Affected: Windows NT running IIS with RDS enabled.
Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes 99-22

http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
http://www.nipc.gov/warnings/advisories/1999/99-027.htm
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: Allows unauthorized users to execute shell commands on the IIS system as a privileged user; allows unauthorized access to secured, non-published files on the IIS system; on multi-homed Internet-connected IIS systems using Microsoft Data Access Components (MDAC), allows unauthorized users to tunnel Structured Query Language (SQL) and other ODBC data requests through the public connection to a private back-end network.

SQL Query Abuse Vulnerability
Affected Software Versions: Microsoft SQL Server Version 7.0 and Microsoft Data Engine (MSDE) 1.0
Details: Microsoft Security Bulletin MS00-14, NIPC CyberNotes 20-05

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: The vulnerability could allow the remote author of a malicious SQL query to take unauthorized actions on a SQL Server or MSDE database.

Registry Permissions Vulnerability
Systems Affected: Windows NT 4.0 Workstation, Windows NT 4.0 Server
Details: Microsoft Security Bulletin MS00-008, NIPC CyberNotes 20-08 and 20-22

http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: Users can modify certain registry keys such that:
  • a malicious user could specify code to launch at system crash
  • a malicious user could specify code to launch at next login
  • an unprivileged user could disable security measures

Web Server File Request Parsing

While they have not been shown to be a vector for the current attacks, Microsoft has advised us that the vulnerabilities addressed by Microsoft bulletin MS00-086 are very serious, and we encourage web site operators to consider applying the patch provided with this bulletin as well as the three that are under active exploitation.

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: The vulnerability could allow a malicious user to run system commands on a web server.

New Information: In addition to the above exploits, several filenames have been identified in connection with the intrusions, specific to Microsoft Windows NT systems. The presence of any of these files on your system should be reviewed carefully because they may indicate that your system has been compromised:

ntalert.exe
sysloged.exe
tapi.exe
20.exe
21.exe
25.exe
80.exe
139.exe
1433.exe
1520.exe
26405.exe
i.exe

In addition, system administrators may want to check for the unauthorized presence of any of the following executable files, which are often used as hacking tools:

lomscan.exe
mslom.exe
lsaprivs.exe
pwdump.exe
serv.exe
smmsniff.exe

Recipients of this Advisory are encouraged to report computer crime to the NIPC Watch at (202) 323-3204/3205/3206. Incidents may also be reported online at http://www.nipc.gov/incident/cirr.htm.
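
The file-name check the advisory asks administrators to perform, as an added example that is not part of the NIPC advisory or of the original article: it walks a drive root or mounted disk image, matches the listed names case-insensitively, and records a SHA-256 for each hit so the file can be identified when reporting. The sample tree in `demo()` and the category labels are constructed for illustration.

```python
import hashlib
import os
import tempfile

# File names copied from the two lists in the advisory above.
WATCHLIST = {name: "intrusion-file" for name in (
    "ntalert.exe", "sysloged.exe", "tapi.exe", "20.exe", "21.exe", "25.exe",
    "80.exe", "139.exe", "1433.exe", "1520.exe", "26405.exe", "i.exe")}
WATCHLIST.update({name: "hacking-tool" for name in (
    "lomscan.exe", "mslom.exe", "lsaprivs.exe", "pwdump.exe", "serv.exe", "smmsniff.exe")})

def sha256_of(path):
    """Hash in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan(root):
    """Return (hits, unreadable); hits are (category, path, sha256) tuples."""
    hits, unreadable = [], []
    walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
    for dirpath, _dirs, files in walker:
        for name in files:
            category = WATCHLIST.get(name.lower())  # NT names ignore case
            if category is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                hits.append((category, path, sha256_of(path)))
            except OSError:
                unreadable.append(path)  # a skipped file is not a clean file
    return sorted(hits), unreadable

def demo():
    """Scan a constructed sample tree (hypothetical paths, dummy contents)."""
    samples = ("WINNT/system32/NTALERT.EXE", "WINNT/system32/notepad.exe",
               "Inetpub/scripts/1433.exe", "TEMP/PwDump.exe", "TEMP/readme.txt")
    with tempfile.TemporaryDirectory() as root:
        for rel in samples:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample")
        return [(c, os.path.relpath(p, root).replace(os.sep, "/")) for c, p, _ in scan(root)[0]]

if __name__ == "__main__":
    print(demo())
```

A name match is a lead for review, in line with the advisory's "may indicate" wording, and anything returned in `unreadable` needs a manual look before the system is called clean.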
