Editor's Note: This is the full text of an e-mail alert from CERT warning U.S. companies to block traffic from certain Internet addresses. The full report is attached below this message.
Date: Wed, 28 Nov 2007 08:39:25 -0700
Subject: [ITSCC_Membership] CIIN-07-332-01 Cyber Incidents Suspected of Impacting Private Sector Networks
Non-Member Confidential Information
Security Notice: All contents on this mailing list are private to the IT-ISAC Membership. Information Technology—Information Sharing & Analysis Center Confidentiality Notice: This message is being sent by or on behalf of a network security professional. It is intended for the ISAC Organization Operations Center to whom it is addressed and to all of their vetted members. Information contained within may be shared within and among your approved organizational membership ONLY, forwarding to organizations outside of an ISAC WITHOUT prior written permission is expressly denied. This communication may contain information that is proprietary, privileged or confidential and is NOT INTENDED FOR PUBLIC DISSEMINATION or distribution to the Federal Government/Agencies/GFIRST. Organizational failures to comply with IT-ISAC dissemination policies are subject to review and possible termination from future information-sharing activities. Distribution outside of the approved member organization is prohibited.
Please find attached the US-CERT CIIN involving "Cyber Incidents Suspected of Impacting Private Sector Networks." Do not disseminate this notice outside of your organization without the proper approval of US-CERT. If you have any questions or comments, please contact the US-CERT SOC at (888) 282-0870.
No organization is authorized to research, take action against or touch the 21 IP addresses or domain names that are identified within this CIIN.
Do Not publicly post this CIIN to any of your public facing Web sites
(See attached file: CIIN-07-332-01-Cyber Incidents Impacting Private Sector.pdf)
ITSCC_Membership mailing list
US-CERT Critical Infrastructure Information Notice 07-332-01 November 28, 2007 Page 1 of 2 US-CERT Critical Infrastructure Information Notice CIIN-07-332-01 November 28, 2007 "Cyber Incidents Suspected of Impacting Private Sector Networks (U//FOUO) Overview (U//FOUO)"
U S-CERT is aware of sophisticated attempts to compromise private sector networks, including critical infrastructures. The level of sophistication and scope of these cyber-security incidents indicate they are coordinated and targeted at private sector systems. The primary infection vector has been Trojan e-mails; however, there is also evidence of compromised websites redirecting users to malicious sites without the users knowledge. These methods attempt to exploit a variety of web browser and application vulnerabilities in addition to zero-day exploits in order to install malicious code. US-CERT has been correlating this activity from a number of reporting entities and has compiled this notice to provide organizations with detection capabilities.
Please note that while the files and Intrusion Detection System (IDS) signatures listed below have not been independently tested by US-CERT, they were contributed by trusted members of public and private sector communities who have successfully used them to detect this activity.
Detection Information (U//FOUO) US-CERT is providing the following signatures to help detect potential malicious activity related to this report. windowupdates.net, 126.96.36.199, huigezi.com, daystar.meibu.com, huigezi.org, mylostlove1.6600.org, localhost.3322.org, cvnxus.8800.org, 3322.net, sasi.xicp.net, 3322.org, likeyoug.9966.org, 188.8.131.52, jieyu007.3322.org, 184.108.40.206, 8866.org, 220.127.116.11, 9966.org, 18.104.22.168, 8800.org, 22.214.171.124
US-CERT Critical Infrastructure Information Notice 07-332-01 November 28, 2007 Page 2 of 2
Recommendations (U//FOUO) US-CERT recommends that organizations apply the above signatures into their IDS and border devices and actively monitor for anomalous activity. Organizations should follow their established internal procedures if any suspected malicious activity is observed, and report their findings to US-CERT for correlation against other incidents. In addition, US-CERT strongly encourages all organizations to remind users of the following preventative measures when working with e-mail:
Do not trust unsolilited e-mail.
Treat all e-mail attachments with caution.
Do not click links in unsolicited e-mail messages.
Install anti-virus software, and keep its virus signature files up to date.
Turn off the option to automatically download attachments
Block executable and unknown file types at the e-mail gateway.
Configure your e-mail client for security.
Employ the use of a spam filter.
For additional information, refer to the Using Caution with Email Attachments document located on the US-CERT website.
Report to US-CERT (U//FOUO) Please report any validated incidents involving this activity to the US-CERT for further correlation, analysis and assistance. E-mail: firstname.lastname@example.org Voice: 1-888-282-0870 Incident Reporting Form: https://forms.us-cert.gov/report/
WARNING: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C.552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with Department of Homeland Security policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid "need to know" without prior approval of the US-CERT Operations Center at 1-888-282-0870. No portion of this report should be furnished to the media, either in written or verbal form.