SANS is evaluating a move to a heightened YELLOW alert status for the Internet Storm Center. Since malicious individuals are most likely already trying to craft new Internet worms for this vulnerability, hopefully that event is delayed as long as possible, so that everyone can finish the job of patching.
INTERNET STORM CENTER http://www.incidents.org/
Internet Storm Center evaluates moving from GREEN to YELLOW http://www.incidents.org/diary.php?date=2004-04-23
Potential Microsoft PCT worm (MS04-011)
In response to observed active exploit of the PCT vulnerability, announced in Microsoft Bulletin MS04-011, some AV vendors have raised alert status. The IT-ISAC reports that some IDS are "detecting and blocking attacks against many institutions. The attacks are attempting to steal data and/or break into payment systems."
An exploit for this issue is currently being used to compromise vulnerable systems running SSL-enabled IIS 5.0. Note that the vulnerability exists in any SSL-enabled program running on vulnerable Windows systems. Windows 2003 Server is not affected if PCT is disabled.
Possible move to Yellow
We are closely monitoring the IIS exploit and may move to Yellow this evening.
* * * * * * *
CERT -- More on the new PCT Exploit
Exploit for Microsoft PCT vulnerability released http://www.us-cert.gov/current/current_activity.html#pct
Exploit code has been publicly released that takes advantage of a buffer overflow vulnerability in the Microsoft Private Communication Technology (PCT) protocol. The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information about the vulnerability is available in TA04-104A and VU#586540.
US-CERT is aware of network activity that is consistent with scanning and/or exploit attempts against this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp. Note that the exploit code could be modified to use a different port or to execute different code. This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-011.
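The traffic pattern US-CERT describes (an SSL connection to 443/tcp followed by a connection to a command shell on 31337/tcp) can be turned into a simple correlation check over firewall logs. The following is an added example written for this page, not code from US-CERT or SANS; the log line format and the sample lines are constructed, and the shell port is a parameter because the exploit could be modified to use a different one.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log lines: "<ISO ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
SAMPLE_LOG = """\
2004-04-23T21:14:02 198.51.100.7:3391 -> 192.0.2.10:443 tcp allow
2004-04-23T21:14:03 198.51.100.7:3392 -> 192.0.2.10:443 tcp allow
2004-04-23T21:14:05 198.51.100.7:3393 -> 192.0.2.10:31337 tcp allow
2004-04-23T21:20:11 203.0.113.5:41000 -> 192.0.2.10:443 tcp allow
2004-04-23T21:20:12 203.0.113.5:41001 -> 192.0.2.10:80 tcp allow
2004-04-23T22:30:00 198.51.100.9:5000 -> 192.0.2.11:31337 tcp deny
2004-04-23T23:10:00 198.51.100.9:5001 -> 192.0.2.12:443 tcp allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events

def find_pct_shell_candidates(events, shell_port=31337, window_seconds=600):
    """Return (src, dst, shell_time, action) for each 443/tcp connection that is
    followed within window_seconds by a connection from the same src to the same
    dst on shell_port. Denied attempts are reported too: they are still scanning evidence."""
    last_ssl = {}   # (src, dst) -> timestamp of the most recent 443/tcp connection
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["dport"] == 443:
            last_ssl[key] = ev["ts"]
        elif ev["dport"] == shell_port and key in last_ssl:
            if ev["ts"] - last_ssl[key] <= timedelta(seconds=window_seconds):
                hits.append((ev["src"], ev["dst"], ev["ts"].isoformat(), ev["action"]))
    return hits

if __name__ == "__main__":
    for hit in find_pct_shell_candidates(parse_log(SAMPLE_LOG)):
        print("possible PCT exploit followed by shell connection:", hit)
```

A 31337/tcp hit with no preceding 443/tcp connection from the same source (the 198.51.100.9 lines above) is deliberately not flagged, so pair this check with plain port-31337 alerting rather than replacing it.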