Re: On-going Internet Emergency and Domain Names
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Gadi Evron <ge@linuxbox.org> wrote:

There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.

This incident is currently being handled by several operational groups.

...and before people start bashing Gadi for being off-topic, etc., I'll side with him on the fact that this particular issue appears to be quite serious.

Please check the facts regarding this issue before firing up your flame-throwers -- this weekend could prove to be a quite horrible one.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.0 (Build 214)

wj8DBQFGDcayq1pz9mNUZTMRAj48AKCVdw3bZ63ryIAI6f/NSbABZR10VACg3iZf
thCHKv5hpQ6Dqrq+iY4j1J8=
=MoWp
-----END PGP SIGNATURE-----

-- 
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
So, is there a list of domains that we could null-route if we could convince our DNS managers to set us up as the SOA for those domains on our local DNS servers - thus protecting our own customers somewhat?

I won't discount the assertion that there is some sort of emergency occurring. I would however, like to see a bit of a reference to where we can learn more about what is going on (I assume this is the javascript exploit I heard about a couple days ago).

Thanks.

Fergie wrote:
- -- Gadi Evron <ge@linuxbox.org> wrote:
There is a current on-going Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.
This incident is currently being handled by several operational groups.
...and before people start bashing Gadi for being off-topic, etc., I'll side with him on the fact that this particular issue appears to be quite serious.
Please check the facts regarding this issue before firing up your flame-throwers -- this weekend could prove to be a quite horrible one.
- - ferg
-- Jeff Shultz
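The local-authoritative-zone sinkhole Jeff asks about, as an added example that is not from the thread and not any participant's code: a small Python helper that emits BIND zone stanzas plus one shared zone file, so that every name under a listed domain resolves to a sink address on the local resolver instead of the real host. Every concrete value in it is made up for illustration (the two domains, the 127.0.0.1 sink address, the ns1.sinkhole.example nameserver and hostmaster names, the serial and the /etc/bind/sinkhole.zone path); the thread never published the real domains.

```python
import re

# A hostname label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_domain(name: str) -> bool:
    """Reject anything that is not a syntactically sane hostname, so one bad entry
    in a hastily assembled blocklist cannot produce a named.conf that fails to load."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def sinkhole_zone_file(sink_ip: str = "127.0.0.1",
                       ns: str = "ns1.sinkhole.example.",
                       hostmaster: str = "hostmaster.sinkhole.example.",
                       serial: int = 2007033001) -> str:
    """One generic zone file that can back every sinkholed zone: '@' is expanded to
    whichever origin named loads the file under, and the wildcard catches subdomains.
    All names and addresses here are illustrative assumptions."""
    return "\n".join([
        "$TTL 300",                      # short TTL so the block is easy to lift later
        f"@    IN SOA {ns} {hostmaster} ( {serial} 3600 900 604800 300 )",
        f"@    IN NS  {ns}",
        f"@    IN A   {sink_ip}",
        f"*    IN A   {sink_ip}",        # www.bad.example, cdn.bad.example, ...
        "",
    ])


def named_conf_stanzas(domains, zone_path: str = "/etc/bind/sinkhole.zone") -> str:
    """Return one 'zone' stanza per domain, all pointing at the shared zone file."""
    stanzas = []
    for d in domains:
        if not valid_domain(d):
            raise ValueError(f"refusing to sinkhole malformed domain: {d!r}")
        origin = d.rstrip(".").lower()
        stanzas.append(f'zone "{origin}" {{ type master; file "{zone_path}"; }};')
    return "\n".join(stanzas) + "\n"


# Constructed blocklist for illustration only; these are not real hostile domains.
SAMPLE_DOMAINS = ["bad-cursor.example", "ani-dropper.example."]

if __name__ == "__main__":
    print(named_conf_stanzas(SAMPLE_DOMAINS))
    print(sinkhole_zone_file())
```

The stanzas go into named.conf (or a file it includes) and the zone text into the shared file; after a reload the resolver answers for those zones itself and never forwards the query. Two caveats a practitioner would keep in mind: taking over a zone hijacks every name under it, including legitimate ones on a shared host, so list the most specific name that actually serves the content (a zone stanza for a full hostname works just as well as one for a second-level domain); and keep the TTL short, because the list will be wrong or stale within days. Later BIND releases (9.8 onward) added Response Policy Zones, which do the same per-name override without hand-written zone files.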
On Fri, 30 Mar 2007, Jeff Shultz wrote:
So, is there a list of domains that we could null-route if we could convince our DNS managers to set us up as the SOA for those domains on our local DNS servers - thus protecting our own customers somewhat?
I won't discount the assertion that there is some sort of emergency occurring. I would however, like to see a bit of a reference to where we can learn more about what is going on (I assume this is the javascript exploit I heard about a couple days ago).
I'm afraid disclosing these URLs at this time is not wise. The SANS ISC released strings from them which would help you mitigate.

This email is about the problem with the current incident (which is being handled) as the latest example of a situation going bad.

Thanks,
Gadi.
On Fri, 30 Mar 2007 19:44:23 -0700 Jeff Shultz <jeffshultz@wvi.com> wrote:
So, is there a list of domains that we could null-route if we could convince our DNS managers to set us up as the SOA for those domains on our local DNS servers - thus protecting our own customers somewhat?
I won't discount the assertion that there is some sort of emergency occurring. I would however, like to see a bit of a reference to where we can learn more about what is going on (I assume this is the javascript exploit I heard about a couple days ago).
No -- it's a 0day in Internet Explorer involving animated cursors -- and it can be spread by visiting an infected web site or even by email. See

http://blogs.zdnet.com/security/?p=141&tag=nl.e622
http://www.avertlabs.com/research/blog/?p=230
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX&VSect=T

or see lots of news stories about it at http://news.google.com/?ned=us&ncl=1114901719&hl=en

--Steve Bellovin, http://www.cs.columbia.edu/~smb
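Steve's note that the bug lives in animated-cursor handling points at a content-level check a mail gateway or web proxy could apply, which is more durable than a list of domains that Gadi will not publish. The following is an added example, not code from the thread or from any of the vendors linked above: a Python walker over the RIFF chunks of an .ani file that flags the structural shape of that exploit. The one detail it relies on, that a well-formed 'anih' chunk is the 36-byte ANIHEADER and that the exploit files carried an anih chunk declaring a larger size, comes from the public write-ups of the bug (Microsoft bulletin MS07-017, CVE-2007-0038), not from this thread. The two sample files are constructed inside the script.

```python
import struct

# Size of the ANIHEADER structure a well-formed 'anih' chunk carries. That the
# loader trusted the chunk's own size field when copying it into a 36-byte
# stack buffer is the publicly documented mechanism of the April 2007 bug
# (MS07-017 / CVE-2007-0038); this detail is not stated in the thread above.
ANIHEADER_SIZE = 36


def riff_chunk(fourcc: bytes, body: bytes) -> bytes:
    """Encode one RIFF chunk: FOURCC, little-endian length, body, word padding."""
    pad = b"\0" if len(body) % 2 else b""
    return fourcc + struct.pack("<I", len(body)) + body + pad


def ani_file(*chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF container with the ACON form type used by .ani files."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def scan_ani(data: bytes) -> list:
    """Walk the chunk list of an animated cursor and return a list of findings.

    An empty list means nothing looked wrong. The checks are structural: the file
    must be RIFF/ACON, every 'anih' chunk must declare exactly ANIHEADER_SIZE bytes,
    there should be only one of them, and no chunk may claim more bytes than remain.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]

    pos, anih_seen = 12, 0
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start = pos + 8

        if fourcc == b"LIST":
            # A LIST chunk holds a 4-byte list type followed by nested chunks; step
            # over the type and keep walking so a nested 'anih' is inspected too.
            pos = body_start + 4
            continue

        if fourcc == b"anih":
            anih_seen += 1
            if size != ANIHEADER_SIZE:
                findings.append(
                    f"anih #{anih_seen} at offset {pos} declares {size} bytes, "
                    f"expected {ANIHEADER_SIZE}")

        if body_start + size > len(data):
            findings.append(f"chunk {fourcc!r} at offset {pos} runs past end of file")
            break

        pos = body_start + size + (size & 1)   # chunk bodies are word-aligned

    if anih_seen > 1:
        findings.append(f"{anih_seen} anih chunks present, expected exactly 1")
    return findings


# Constructed samples, not files from the wild: a well-formed cursor with one
# 36-byte anih (nine DWORD fields), and one carrying a second, oversized anih.
_HEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
BENIGN_ANI = ani_file(
    riff_chunk(b"anih", _HEADER),
    riff_chunk(b"LIST", b"fram" + riff_chunk(b"icon", b"\0" * 16)),
)
MALICIOUS_ANI = ani_file(
    riff_chunk(b"anih", _HEADER),
    riff_chunk(b"anih", b"A" * 128),   # oversized header: the overflow shape
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_ANI), ("malicious", MALICIOUS_ANI)):
        print(name, scan_ani(blob) or "clean")
```

Because Windows identifies the cursor by its RIFF header rather than by file extension, a check like this has to run on content, not on an .ani suffix. It is a heuristic rather than a signature: a file with a second or oversized anih chunk is malformed and no legitimate cursor editor produces one, but the scan does not prove what the extra bytes do, so treat a hit as something to quarantine and look at, not as a verdict.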
On Sat, 31 Mar 2007, Fergie wrote:
...and before people starting bashing Gadi for being off-topic, etc., I'll side with him on the fact that this particular issue appears to be quite serious.
Wow, if both gadi and fergie say it's important, it must be a real showstopper.

--matt@snark.net------------------------------------------<darwin><
  Moral indignation is a technique to endow the idiot with dignity.
  - Marshall McLuhan
participants (5)
- Fergie
- Gadi Evron
- Jeff Shultz
- Matt Ghali
- Steven M. Bellovin