Since the U.S. military moved into the "shock and awe" phase of its campaign early Friday, Web surfers have encountered intermittent problems reaching Uruklink.net, the Iraq government's main Web site. But those access difficulties are apparently due to a surge of Internet visitors, along with some untimely technical changes, rather than to damage from the bombing or a government shutdown. In fact, on Thursday, following the start of the U.S.-led attack, traffic to Uruklink.net hit a record. According to a counter at the site's home page, over 14,200 people visited March 20, making it the busiest day at the site. Uruklink.net currently displays a computer-generated date of March 21, 2003. Atop the home page are prominent links to streaming video versions of last month's interview between Hussein and CBS News anchor Dan Rather. The heavy shelling of Baghdad has apparently not yet affected Iraq's primary e-mail servers, mail.uruklink.net and mail.warkaa.net. Both systems were still responding to network queries late Friday EST. The Web site of Iraq's Satellite TV channel was also still online. For reasons not apparent, the administrators of Iraq's network changed the Internet protocol (IP) address of Uruklink.net and a couple of the country's other primary Web sites on Thursday. Meanwhile, one of Iraq's domain name servers -- the systems that route traffic to the appropriate destination -- appears to be offline. As a result, the Iraqi sites' ability to handle the increased traffic is hobbled.Internet traffic to and from Iraq's Web sites and e-mail systems is carried primarily by satellite links provided by Atlanta International Teleport of Georgia and Satellite Media Services of England.

Similarly, the home page of Iraq's BabilOnline newspaper, operated by Saddam Hussein's son Uday, set a traffic record Thursday. A counter on the site's home page racked up over 1,000 visits, twice its average.

http://62.145.94.111/ - Uruklink.net

http://www.babilonline.net/

www.salon.com/tech/feature/2003/03/21/iraq_online

A survey released today by the Computing Technology Industry Association showed that nearly two-thirds of reported security breaches were primarily the result of human error.Both industry and government officials stressed the need for more education and certification of IT professionals, especially in security. But calling for education is one thing and paying for it is another, the speakers said.

GCN.COM --GCN Daily

The Homeland Security Department today reminded Internet users to be vigilant for cyberattacks in light of President Bush’s ultimatum last night to Iraqi President Saddam Hussein. The department and other federal agencies are monitoring “the Internet for signs of a potential terrorist attack, cyberterrorism, hacking and state-sponsored information warfare,” a Homeland Security statement said. “Industry and public Internet users are reminded of the importance of employing sound security practices and reporting unusual activity or intrusion attempts to DHS or local law enforcement.”

www.securityfocus.com/news/3205

www.gcn.com/vol1_no1/daily-updates/21419-1.html

www.fcw.com/fcw/articles/2003/0317/web-home-03-18-03.asp

www.washingtonpost.com/wp-dyn//A46583-2003Mar18.html

www.computerworld.com///story/0,10801,79483,00.html

US Army attacked via new Windows flaw

Microsoft warned customers on Monday that a security hole in Windows 2000 and the company's Web server software is allowing online attackers to take control of corporate servers.

The flaw, known as a buffer overflow, is in a component of the software that handles the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol in Microsoft's Internet Information Server (IIS). A specially formatted Web request to the WebDAV component can overflow the memory allocated to such requests and cause another, malicious program to be run instead. The technique can be used to take control of the server.

The flaw affects only IIS 5.0 on Windows 2000 servers.

www.msnbc.com/news/886524.asp?0si=-
www.eweek.com/article2/0,3959,938096,00.asp
news.zdnet.co.uk/story/0,,t269-s2132071,00.html
www.fcw.com/fcw/articles/2003/0317/web-hack-03-18-03.asp microsoft.com/technet/treeview//security/bulletin/MS03-007.asp

Microsoft warns of exploit in Windows 2000, IIS

By Paul Roberts
IDG News Service

WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote Web servers.

Attacks could come in the form of malformed WebDAV requests to a machine running IIS version 5.0. Because WebDAV requests typically use the same port as other Web traffic (Port 80), attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability, Microsoft said. Machines running the Windows NT and Windows XP operating systems are not vulnerable, according to Microsoft.

Adding to the danger of the new vulnerability is the fact that many administrators may not know that they have the WebDAV serbicve enabled on their ISS server, Hameroff said. The service is enabled by default on ISS 5, according to Hameroff

www.nwfusion.com/news/2003/0317micropubli.html

++++++++

5 Network Vuln scanners tested

InfoSecurityMag tests these network vulnerability scanners:

Internet Security Systems' Internet Scanner 6.21
eEye Digital Security's Retina 4.9
Symantec's NetRecon 3.5
SAINT's SAINT 4.1
Nessus1.2.6 and NessusWX1.4.2

Read the results and get tips on scanning today's NOS here:

www.infosecuritymag.com/2003/mar/cover.shtml

+++++++++

Tricky Windows worm poses as game

A new email-aware worm, Bibrog-B, poses as a computer game in an attempt to dupe users.
The worm, which is spreading (modestly) by email and through file sharing networks, is more subtle and devious than most Windows worms. Its payload contains not just malicious code but a shooting game too.
When users infect themselves via a virus they might notice something is wrong with their PC. The game component of Bibrog-B masks its true purposes.
While the shooting game is running, the worm is copying itself across the user's hard drive and preparing to forward itself to all contacts in the Outlook address book, or via file-sharing networks.
In a particularly devious twist the worm makes changes to an infected user's Internet browser so that it can display fake versions of genuine Web sites such as Hotmail, Citibank, MSN and Yahoo. Security firms believe this is an attempt to steal usernames and passwords.
"Many people assume a virus that destroys data is as bad as it gets. However, a virus which can swipe confidential details such as account information is a much greater potential danger," said Graham Cluley, senior technology consultant for Sophos Anti-Virus.
The payload of the worm comes in the form of an executable attachment. Blocking such attachments in email, which have little or no legitimate use, is probably the simplest and most effective way to guard against Bibrog and other similar viruses
More details of the Bibrog worm are available here.

www.theregister.co.uk/content/56/29768.html

++++++++++

Code Red II Variant on the Prowl

Security experts are watching a new variant of the Code Red II worm that began appearing on some monitoring networks Tuesday. The worm is nearly identical to its ancestor, save for a modified drop-dead date that is now several thousand years in the future. Known as Code Red.F, the worm uses the same infection method as the previous versions, attacking Web servers running Microsoft Corp.'s IIS software. The worm so far has infected only a few machines, and because most administrators patched their servers after the initial Code Red outbreak in 2001, it is unlikely to spread extensively, experts say. All of the Code Red worms exploit an unchecked buffer in the Index Server in the IIS software. They then spread by infecting one machine and then scanning a list of random IP addresses and attempting to connect to port 80.

www.eweek.com/article2/0,3959,924269,00.asp

www.theregister.co.uk/content/56/29724.html

www.nwfusion.com/news/2003/0312newcode.html

www.informationweek.com/story/IWK20030312S0005

++++++++

Windows broadband users targeted by attackers

The CERT Coordination Center security organization based at Carnegie Mellon University said Tuesday it has seen an increase in exploitation of weak administrator passwords on systems running Microsoft's Windows 2000 or Windows XP operating systems.

Attacks are being particularly - though not exclusively - targeted at home broadband users running those operating systems, according to CERT/CC. The weakness specifically refers to nonexistent or easily discovered passwords on Server Message Block (SMB) file shares, with thousands of systems being compromised in this way, CERT/CC said in an advisory.

Windows uses the SMB protocol to share files and printer resources with other computers. The two versions of the operating system referred to in the CERT bulletin transfer information via TCP/IP. These systems are vulnerable to attacks using tools such as W32/Deloder, GT-bot, sdbot, and W32/Slackor. Older operating systems which share SMB information differently are not vulnerable, according to CERT/CC.

According to CERT/CC, attackers who gain access in this way could:

• Exercise remote control.

• Expose confidential data.

• Install other malicious software.

• Change or delete files.

• Install or support tools for use in distributed denial-of-service attacks against other computers.

www.cert.org/advisories/CA-2003-08.html

www.nwfusion.com/news/2003/0312windobroad.html

Deloder worm targets weak passwords

IDG News Service

A new worm on the Internet targets computers running the Microsoft Windows operating system, using easy-to-guess passwords for the Administrator account, according to alerts posted by a number of antivirus companies.  The worm attempts to connect to other computers on a network through TCP port 445, randomly generating IP addresses to locate vulnerable machines. Port 445 is used to access shared files on Windows machines with the Server Message Block protocol. When a vulnerable Windows machine is located, the worm attempts to log on to the machine's Administrator account by trying 50 likely passwords such as "admin," "password," "12345," and "administrator," F-Secure said. If the worm succeeds in breaking the Administrator account password, it places copies of a backdoor, (trojan) program known as "inst.exe" in several locations on the infected machine and copies itself as Dvldr32.exe

www.nwfusion.com/news/2003/0310deloader.html

www.cert.org/current/current_activity.html#W32.Deloder

www.sophos.com/virusinfo/analyses/w32delodera.html