SCI/TECH: Internet Threats 6/3/2004

posted on Jun, 3 2004 @ 12:59 PM
After an unusually quiet couple of weeks, things have started to pick up with regards to hostile activities on the Internet. Apparently back from holiday, the virus/worm authors have gotten busy releasing new malicious software. Two new worms (and variants) are spreading from computer to computer by exploiting well-known security flaws on machines running Microsoft Windows operating systems.

These worms are among the most worrisome type because, in addition to spreading, they open “backdoors” that allow infected machines to be controlled remotely across the Internet. Once compromised, the machines can have sensitive data stolen off them, be used to relay Spam messages, or launch further attacks against other computers. MS Windows users can protect themselves by applying the necessary security update patches from Microsoft, running antivirus software with up-to-date signature files, and using a firewall to guard their Internet connection. Linux and Macintosh users are immune to these new worms.

“Korgo” worm

This Korgo (aka Padobot) variant was found at the very end of May 2004. It is very similar to other Korgo variants. It spreads throughout the Internet using a vulnerability in Microsoft Windows LSASS. A description of the vulnerability can be found in Microsoft Security Bulletin MS04-011.


“Plexus” Worm

Plexus is an Internet worm spreading in three ways simultaneously: as an email attachment, via file-sharing networks, and using the LSASS and RPC DCOM vulnerabilities in MS Windows like Sasser and Lovesan respectively. In addition, Plexus carries a potentially dangerous payload. Plexus contains rewritten code from Mydoom. It is written in MS Visual C++ and compressed with FSG: 16208 bytes and 57856 bytes. The main texts are encrypted.

Kaspersky Labs
Trend Micro

While these new worms are spreading, the top worms are still “Netsky,” “Sasser,” and “Bagle” that were making the rounds last month.
McAfee’s AVERT
Symantec Security Response

These new worms account for an increase in scanning activity for TCP port 445, as they look for vulnerable hosts to infect. Internet monitoring has also noted increases in port activity associated with Messenger Spam. This may indicate a new method of using zombie computers to automate the distribution of annoying directed pop-up advertising.

Not explained is the increase in TCP port 8000 scanning. TCP/8000 is commonly associated with Proxy Servers but may involve a vulnerability in Hewlett Packard’s “Web JetAdmin” printing software. Exploit code for this flaw has been made available on the Internet. Those using this software are urged to install the latest version provided by HP as soon as possible.
Security Tracker
HP Web Jet Admin

[Edited on 3-6-2004 by Banshee]
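The port-445 and port-8000 scanning increases noted in the post are visible in ordinary firewall logs as one source touching many distinct hosts on the same port. The script below is an added example, not part of the original thread: it parses constructed firewall log lines in an assumed format and flags sources that probe several distinct hosts on TCP/445 or TCP/8000.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original post):
# "<time> fw <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
Jun 03 12:01:02 fw DROP TCP 10.0.0.5:1034 -> 192.168.1.10:445
Jun 03 12:01:02 fw DROP TCP 10.0.0.5:1035 -> 192.168.1.11:445
Jun 03 12:01:03 fw DROP TCP 10.0.0.5:1036 -> 192.168.1.12:445
Jun 03 12:01:03 fw DROP TCP 10.0.0.5:1037 -> 192.168.1.13:445
Jun 03 12:01:05 fw ALLOW TCP 10.0.0.7:2210 -> 192.168.1.20:80
Jun 03 12:01:06 fw DROP TCP 10.0.0.9:3001 -> 192.168.1.30:8000
Jun 03 12:01:06 fw DROP TCP 10.0.0.9:3002 -> 192.168.1.31:8000
Jun 03 12:01:07 fw ALLOW TCP 10.0.0.7:2211 -> 192.168.1.10:445
"""

LINE_RE = re.compile(
    r"(?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Ports the post ties to worm (445) and Web JetAdmin (8000) scanning.
WATCHED_PORTS = {445, 8000}


def distinct_targets_per_source(log_text, ports=WATCHED_PORTS):
    """Map (src, dport) -> set of distinct destination hosts probed.
    One source hitting many hosts on TCP/445 is the sweep pattern of
    LSASS worms; the same count on TCP/8000 covers the post's other note.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines in an unexpected format
        dport = int(m.group("dport"))
        if m.group("proto") == "TCP" and dport in ports:
            targets[(m.group("src"), dport)].add(m.group("dst"))
    return targets


def flag_scanners(log_text, threshold=3, ports=WATCHED_PORTS):
    """Return sorted (src, dport, host_count) for sources at/above threshold."""
    hits = distinct_targets_per_source(log_text, ports)
    return sorted((s, p, len(d)) for (s, p), d in hits.items() if len(d) >= threshold)


if __name__ == "__main__":
    for src, dport, n in flag_scanners(SAMPLE_LOG):
        print(f"possible scanner {src}: {n} distinct hosts on TCP/{dport}")
```

Both allowed and dropped connections are counted, since a worm sweeping an internal subnet is just as visible in accepted traffic as in drops.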

posted on Jun, 4 2004 @ 03:41 AM
Denial of Service Vulnerabilities in Linksys Routers

Just added today, the kind of notice you don't want to hear. Several popular broadband routers (devices used to share and protect high-speed Internet connections) made by Linksys are vulnerable to sabotage and no fix is currently available.

I will quote the article from SANS Internet Storm Center here because the page will eventually be archived.

Alan McCaig of reported two local denial of service vulnerabilities in the following models of Linksys routers:

Linksys BEFSR41
Linksys BEFSRU31
Linksys BEFSR11
Linksys BEFSX41
Linksys BEFSR81 v2/v3
Linksys BEFW11S4 v3
Linksys BEFW11S4 v4

The threat posed by these vulnerabilities is mitigated somewhat, as they are apparently only exploitable from the LAN side of the router. However, they will leave the device in a deadlocked state requiring a reset to factory defaults to return to working order. If the user has made significant modifications beyond these defaults this would likely be the source of much chagrin.

Currently, the only fix is to not randomly click on untrusted links.

While the exploit cannot be conducted directly across the Internet, a malicious user could craft a web link to trigger it. Such links could be placed on a website or in HTML email. If you have a Linksys router it may be worth checking the model number to see if it could be affected.

If a fix is provided it should be announced
