GCSC July 2008
FIRE – User downloaded various free and demo media converter programs (as local admin) and was rootkitted. Detected by machine-gun sounds.
FIRE – HTML delivery resulting in bot. Detected by external report.
FIRE – Mac Leopard test server for Apple Update services (no mA plan yet!!) installed with SSH access (SA violation) and no root password. Bot installed. Detected by AB messages to the admin.
Return-Path:
Authentication-Results: mta694.mail.mud.yahoo.com from=yahoo.com; domainkeys=pass (ok)
Received: from  (HELO n69.bullet.mail.sp1.yahoo.com) ( ) by mta694.mail.mud.yahoo.com with SMTP; Tue, 29 Jul :54:
Received: from [ ] by n69.bullet.mail.sp1.yahoo.com with NNFMP; 29 Jul :54:
Received: from [ ] by t3.bullet.sp1.yahoo.com with NNFMP; 29 Jul :54:
Received: from [ ] by omp405.mail.sp1.yahoo.com with NNFMP; 29 Jul :54:
Received: (qmail invoked by uid 60001); 29 Jul :54:
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Message-ID; b=PGeIP8IkHw/JqGgMAEOGSryZgnfhW4rkgsPflamkUolTp8Wb/4ybRK/xXK3n0axQynm2ktRgZbABmMBwTJ3a7T3uGu0DvSZ5/dsPupHXyxwcj7hmJQG5JP5H0ow28tfZ0yHzQi/M+fyu3Rff4iMXLO9gmGiCXwvJ36fi2yDrH8I=;
Received: from [ ] by web45712.mail.sp1.yahoo.com via HTTP; Tue, 29 Jul :54:26 PDT
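Walking the Received: chain is how you get from headers like these to the submitting client. The following is an added example (not from the GCSC slides or any Fermilab tool) that unfolds the header block, parses each hop, and returns the chain in delivery order. Its input is the slide's own header text, with the IP addresses and timestamps left blank exactly as the slide redacts them; the field names (from/by/with/via/date/local) are this example's own.

```python
"""Parse the Received: chain of the message whose headers the slide shows.
Added example; the header block below is the slide's, redactions included."""
import re

SLIDE_HEADERS = """\
Return-Path:
Authentication-Results: mta694.mail.mud.yahoo.com from=yahoo.com;
  domainkeys=pass (ok)
Received: from  (HELO n69.bullet.mail.sp1.yahoo.com) ( )
  by mta694.mail.mud.yahoo.com with SMTP; Tue, 29 Jul :54:
Received: from [ ] by n69.bullet.mail.sp1.yahoo.com with NNFMP; 29 Jul :54:
Received: from [ ] by t3.bullet.sp1.yahoo.com with NNFMP; 29 Jul :54:
Received: from [ ] by omp405.mail.sp1.yahoo.com with NNFMP; 29 Jul :54:
Received: (qmail invoked by uid 60001); 29 Jul :54:
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
  h=Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Message-ID;
  b=PGeIP8IkHw/JqGgMAEOGSryZgnfhW4rkgsPflamkUolTp8Wb/4ybRK/xXK3n0axQynm2ktRgZbABmMBwTJ3a7T3uGu0DvSZ5/dsPupHXyxwcj7hmJQG5JP5H0ow28tfZ0yHzQi/M+fyu3Rff4iMXLO9gmGiCXwvJ36fi2yDrH8I=;
Received: from [ ] by web45712.mail.sp1.yahoo.com via HTTP; Tue, 29 Jul :54:26 PDT
"""


def parse_headers(raw):
    """Split a header block into (name, value) pairs, unfolding continuation
    lines (a line that starts with whitespace continues the previous field)."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


# 'by' must be a dotted host, so "(qmail invoked by uid 60001)" does not match.
_BY = re.compile(r"\bby\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
_FROM = re.compile(r"^from\s+(.*?)\s+by\s")
_WITH = re.compile(r"\bwith\s+(\S+)")
_VIA = re.compile(r"\bvia\s+(\S+)")


def parse_received(value):
    """Pull the from/by/with/via clauses and the date out of one Received:
    value. Redacted addresses ('[ ]') pass through as-is; a hop without a
    dotted 'by' host is a local injection (here: qmail on the Yahoo host)."""
    clauses, _, date = value.partition(";")
    m_from, m_by = _FROM.search(clauses), _BY.search(clauses)
    m_with, m_via = _WITH.search(clauses), _VIA.search(clauses)
    return {
        "from": m_from.group(1).strip() if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "with": m_with.group(1) if m_with else None,
        "via": m_via.group(1) if m_via else None,
        "date": date.strip(),
        "local": m_by is None,
    }


def received_chain(raw):
    """Received: hops in delivery order (earliest first). Each server prepends
    its own header, so the bottom-most Received: is the first hop."""
    hops = [parse_received(v) for n, v in parse_headers(raw) if n.lower() == "received"]
    return list(reversed(hops))


def origin_hop(raw):
    """First hop of the chain. For webmail that is the 'via HTTP' submission,
    whose bracketed address (blank on the slide) is the real client."""
    return received_chain(raw)[0]


def domainkey_domain(raw):
    """The d= tag of the DomainKey-Signature, i.e. who vouches for the message."""
    for name, value in parse_headers(raw):
        if name.lower() == "domainkey-signature":
            m = re.search(r"\bd=([^;\s]+)", value)
            return m.group(1) if m else None
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SLIDE_HEADERS)):
        print(i, hop["from"], "->", hop["by"], hop["with"] or hop["via"], hop["date"])
    print("signed by:", domainkey_domain(SLIDE_HEADERS))
```

Note what the chain does and does not tell you: domainkeys=pass with d=yahoo.com only proves Yahoo signed mail submitted through its own webmail; the identity worth recording is the client address in the first "via HTTP" hop, which is what an abuse report to the provider needs.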
FNAL patched:

~> 510$ dig in txt +short
" is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 17757"
~> 511$ dig in txt +short porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
" is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 18019"
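The two numbers in that TXT answer, distinct source ports and their standard deviation, are the whole test: a resolver that reuses one port or walks ports sequentially is predictable to a cache-poisoning attacker even if every query uses a "different" port. The following is an added example (not FNAL's or DNS-OARC's code) that parses the answer string quoted on the slide and computes the same two statistics from a list of observed source ports, which you can collect yourself with a packet capture on the resolver's outbound side. The port samples are constructed, and the POOR/GOOD/GREAT cut-offs in rate() are illustrative assumptions, not OARC's published thresholds.

```python
"""Source-port spread check behind the porttest answer quoted on the slide.
Added example; parse_porttest() reads the TXT answer, port_spread() and
rate() work on captured source ports. Thresholds are assumptions."""
import random
import re
import statistics

# The TXT answer as it appears on the slide (resolver IP redacted there).
SLIDE_ANSWER = '" is GREAT: 26 queries in 1.6 seconds from 26 ports with std dev 18019"'

_ANSWER = re.compile(
    r'"(?P<ip>[^ "]*) is (?P<rating>[A-Z]+): (?P<queries>\d+) queries in '
    r'(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports with std dev '
    r'(?P<stddev>\d+)"'
)


def parse_porttest(txt):
    """Parse one porttest TXT answer into its fields; ip is None if redacted."""
    m = _ANSWER.search(txt)
    if not m:
        raise ValueError("not a porttest answer: %r" % txt)
    d = m.groupdict()
    return {
        "ip": d["ip"] or None,
        "rating": d["rating"],
        "queries": int(d["queries"]),
        "seconds": float(d["seconds"]),
        "ports": int(d["ports"]),
        "stddev": int(d["stddev"]),
    }


def port_spread(ports):
    """(distinct ports, population std dev) of observed UDP source ports."""
    return len(set(ports)), statistics.pstdev(ports)


def rate(ports):
    """Illustrative rating (assumption): one port or a near-sequential walk is
    POOR however many distinct ports appear; a spread comparable to uniform
    over 1024-65535 (std dev around 18600) is GREAT."""
    distinct, sd = port_spread(ports)
    if distinct <= 1 or sd < 300:
        return "POOR"
    if sd < 4000:
        return "GOOD"
    return "GREAT"


# Constructed samples: a resolver pinned to one port, one that increments the
# port per query, and a patched one drawing ports from a seeded PRNG.
FIXED_PORT = [32769] * 26
SEQUENTIAL = list(range(32769, 32769 + 26))
_rng = random.Random(7)
RANDOMIZED = [_rng.randrange(1024, 65536) for _ in range(26)]

if __name__ == "__main__":
    print(parse_porttest(SLIDE_ANSWER))
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("random", RANDOMIZED)):
        distinct, sd = port_spread(sample)
        print("%-10s %2d ports, std dev %8.1f -> %s" % (name, distinct, sd, rate(sample)))
```

The sequential sample is the instructive one: 26 queries from 26 ports, exactly what the slide's answer says, but with a standard deviation of 7.5. Run the dig against each recursive resolver you operate rather than from one desktop, since the test measures the outbound ports the authoritative side sees, and a NAT between the resolver and the Internet can rewrite those ports and mask (or manufacture) the result.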
The only detected instance is in MIS on Tru64. The released exploit is coded for Windows.
Known issue since 10/2006 (see MS KB )
-FERMI GPO pushed out
-Patches available
Lots of activity:
-Starts through malicious e-mail attachments (.doc, .ppt, .pdf, .swf), web sites, or scanning
-Steals local hashes
-Moves to other systems via shares, remote desktops, others
-Tries to get admin access
-Focus on interactive access
-Leaves some systems 'dormant'
-Can compromise an entire domain
-Tries network equipment also
Countermeasures:
-Deny logon over network for local accounts
-Don't store cached credentials
-Randomize local admin password at every logon*
-Don't run as admin!!!
-Separation of accounts
DAs and SMS admins are evaluating the provided tools, settings and lessons learned to evaluate our site.
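The movement pattern above (a stolen local hash reused over shares and RDP, one source touching many hosts) is also a detection opportunity, and it is how you verify the "deny logon over network for local accounts" setting actually took. The following is an added example, not a Fermilab tool. It runs over a constructed, simplified CSV rendition of Windows successful-logon events (4624-style fields: target host, logon type, account domain, account name, source address; a domain equal to the host name marks a local account). The FERMI domain name, host names, addresses and the 10.0.0.0/8 on-site range are all assumptions for the sample; real collectors lay the fields out differently, so adapt parse_events(). The last function corresponds to the "offsite RDP detection" item elsewhere in this deck.

```python
"""Three checks over successful-logon events for the intrusion pattern on
the slide. Added example with constructed sample data, not a Fermilab tool."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample. logon_type 2 = interactive, 3 = network (shares),
# 10 = RemoteInteractive (RDP). 198.51.100.7 is a documentation address
# standing in for an off-site client.
SAMPLE_EVENTS = """\
ts,host,logon_type,domain,account,src
2008-07-29T09:01:00,WS17,2,FERMI,alice,-
2008-07-29T09:02:10,WS17,3,FERMI,backupsvc,10.1.2.3
2008-07-29T09:05:00,WS22,3,WS22,Administrator,10.1.5.17
2008-07-29T09:05:04,WS23,3,WS23,Administrator,10.1.5.17
2008-07-29T09:05:09,WS24,10,WS24,Administrator,10.1.5.17
2008-07-29T09:06:30,SRV03,3,SRV03,Administrator,10.1.5.17
2008-07-29T10:00:00,WS30,10,FERMI,bob,10.1.9.9
2008-07-29T11:15:00,WS30,10,FERMI,bob,198.51.100.7
"""

NETWORK_TYPES = {3, 10}
# Assumption: stand-in for the site's address ranges.
ONSITE = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(text):
    """CSV text -> list of dicts with logon_type as int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["logon_type"] = int(r["logon_type"])
    return rows


def is_local_account(e):
    """Local (machine) account: account domain equals the target host name."""
    return e["domain"].upper() == e["host"].upper()


def local_network_logons(events):
    """Local accounts authenticating over the network or RDP. This is exactly
    what 'deny logon over network for local accounts' should block, so after
    the GPO is applied any hit means the setting is missing or the host is
    outside the policy scope."""
    return [e for e in events if e["logon_type"] in NETWORK_TYPES and is_local_account(e)]


def fan_out(events, min_hosts=3):
    """One account name from one source reaching many hosts. Keyed by
    (name, source) rather than domain, because a reused local admin hash
    shows up as a different principal (HOST\\Administrator) on every host."""
    hosts = defaultdict(set)
    for e in events:
        if e["logon_type"] in NETWORK_TYPES:
            hosts[(e["account"].lower(), e["src"])].add(e["host"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def offsite_rdp(events, onsite=ONSITE):
    """RDP logons whose source is outside the on-site ranges."""
    out = []
    for e in events:
        if e["logon_type"] != 10:
            continue
        try:
            src = ipaddress.ip_address(e["src"])
        except ValueError:  # '-' or otherwise unparseable source
            continue
        if not any(src in net for net in onsite):
            out.append(e)
    return out


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    for e in local_network_logons(ev):
        print("local account over network:", e["host"], e["account"], "from", e["src"])
    for (acct, src), hosts in fan_out(ev).items():
        print("fan-out:", acct, "from", src, "->", hosts)
    for e in offsite_rdp(ev):
        print("offsite RDP:", e["host"], e["account"], "from", e["src"])
```

The fan-out check is the one that survives a renamed built-in account or a second attacker-created local admin, since it keys on source address rather than on the account being "Administrator"; tune min_hosts against what your SMS and backup service accounts legitimately do before alerting on it.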
Security Plans being finalized. Integration testing beginning soon. Covers:
-Meeting Maker
-VPN
-
-Jabber
-Web (non-KCA)
-Databases
-Basically (most) anything that cannot accept (technically and per policy) Kerberos/Active Directory/KCA authentication
Part of the FNAL Authentication Strategies. Guidance docs will be available.
Web filters on order. Expect full implementation by calendar year end.
-Fail-open operation
-Transparent to the users
-Subscription updates
-Some categories blocked, others require acknowledgement
Affected: userland web traffic / 'business'-type computing
Unaffected: Farms
Negotiated: standard/'business' servers
-Alerting for now, no blocking (blocking soon)
-Offsite RDP detection coming soon
-Need to evaluate TB2 Kerberos support