Had I been processing information properly this past weekend, I’d have noticed that
SANS[*1] had moved their “Infocon” threat level to Yellow from the normal “Green” due to the MS05-039 (PnP) vulnerability:
We moved to ‘Yellow’ on Friday, after we did see a number of exploits released for last week’s Microsoft Windows vulnerabilities, in particular MS05-039 (PnP), which is exploitable remotely.
As expected, we did see various bots, in particular ‘Zotob’ take advantage of this vulnerability. At this point, the situation is however static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point.
The last week showed once more that there is no more patch window. Defense in depth is your only chance to survive the early release of malware. In this particular case, three distinct best practices can mitigate the vulnerability:
– close port 445 at least at the perimeter.
– patch systems quickly.
– eliminate NULL sessions.
None of these measures is perfect, and some may not be applicable to your network (e.g. you may require NULL sessions in some circumstances).
Another development brought to conclusion in this event is the lesser importance of ‘worms’ with respect to more sophisticated ‘bots’. We received a number of bots using the PnP vulnerability. Antivirus scanners did not identify most of them. In many cases, the same bot was packed differently or some functions were added to evade detection.
Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground. The only way we can keep up with this development is by sharing information just as efficiently. Being able to do so openly will only make this sharing easier. Please join our effort, and share future observations with us. We will continue to turn them over quickly and make them available via our diaries for everybody to read and to learn from.
I would like to thank in particular handlers Lorna and Tom for their extensive analysis of all the malware submitted.
Yes, the Internet is still “broken”, but it was never working all that well to begin with. The Infocon is intended to measure change. We can’t stay on yellow forever.
(Emphasis added)
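The three mitigations the diary lists (block 445, patch, eliminate NULL sessions) are easy to state and easy to get half-right, so here is an added audit script for a Windows host. It is my example, not code from the SANS diary or from this blog. It assumes a modern Windows PowerShell (5.1 or later, with the NetSecurity module, i.e. Windows 8 / Server 2012 or newer); the registry values under the Lsa key are the standard Microsoft controls for anonymous (NULL session) access; the hotfix ID KB899588 is the article number Microsoft attached to the MS05-039 bulletin, and you should confirm it against the bulletin before relying on it.

```powershell
# Added example (not from the SANS diary or the blog post).
# Audits a Windows host for the three MS05-039 mitigations the diary lists.
# Assumes PowerShell 5.1+ and the NetSecurity module (Windows 8 / Server 2012+).

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Ms05039Kb = 'KB899588'   # KB number for MS05-039; verify against the bulletin

function Test-NullSessionRestriction {
    # Reads the anonymous-access controls. A missing value behaves as 0 (permissive).
    $v = Get-ItemProperty -Path $Lsa
    $ra  = [int]($v.RestrictAnonymous)
    $ras = [int]($v.RestrictAnonymousSAM)
    $eia = [int]($v.EveryoneIncludesAnonymous)
    [pscustomobject]@{
        RestrictAnonymous         = $ra
        RestrictAnonymousSAM      = $ras
        EveryoneIncludesAnonymous = $eia
        # 1 blocks anonymous enumeration of shares and SAM accounts while still
        # allowing the NULL sessions some domain operations need; 2 disables them
        # entirely and is the setting that breaks things (the diary's caveat).
        Hardened = ($ra -ge 1) -and ($ras -eq 1) -and ($eia -ne 1)
    }
}

function Set-NullSessionRestriction {
    # Remediation with the conservative value (1), not the disruptive one (2).
    Set-ItemProperty -Path $Lsa -Name RestrictAnonymous         -Value 1 -Type DWord
    Set-ItemProperty -Path $Lsa -Name RestrictAnonymousSAM      -Value 1 -Type DWord
    Set-ItemProperty -Path $Lsa -Name EveryoneIncludesAnonymous -Value 0 -Type DWord
}

function Test-Port445Blocked {
    # Is there an enabled inbound Block rule for TCP/445 in the host firewall?
    # This is defence in depth on the host; the diary's point is to block 445
    # at the perimeter as well, which you check from outside (see below).
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
    [bool]$rules
}

function Add-Port445BlockRule {
    # Blocks inbound SMB on the Public profile only; Domain/Private are left alone
    # because file sharing and management tooling usually need 445 there.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - MS05-039 mitigation' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
}

function Test-Ms05039Patched {
    # Get-HotFix queries the installed-update list; absence means unpatched
    # (or the update was superseded by a later roll-up, so cross-check on old hosts).
    [bool](Get-HotFix -Id $Ms05039Kb -ErrorAction SilentlyContinue)
}

function Get-Ms05039MitigationReport {
    $null = Test-NullSessionRestriction
    [pscustomobject]@{
        Port445BlockedOnHost   = Test-Port445Blocked
        Patched                = Test-Ms05039Patched
        NullSessionsRestricted = (Test-NullSessionRestriction).Hardened
    }
}

# Usage on the host being audited:
Get-Ms05039MitigationReport | Format-List

# Perimeter check, run from a machine OUTSIDE the network boundary against a
# hypothetical host 'fileserver.example.net': TcpTestSucceeded should be False.
# Test-NetConnection -ComputerName fileserver.example.net -Port 445
```

Run the report first; only apply Set-NullSessionRestriction and Add-Port445BlockRule after confirming which hosts actually need anonymous access or inbound SMB, since, as the diary says, neither control is universally applicable. Note that a host-firewall rule does not satisfy "close port 445 at the perimeter": the Test-NetConnection line run from outside is the check that actually validates that item.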