Wednesday, 27 January 2010

The 5 Most Serious Security Holes of 2001

During 2001, CERT/CC received more than 118,907 email messages and more than 1,417 telephone calls. A total of 2,437 security holes were found and 52,658 incidents were reported during 2001. Here we describe the 5 security holes seen most often in 2001:
1. Weaknesses in BIND
BIND resolves names, so that a web address can be written as characters (www.vaksin.com) instead of a number (192.168.0.1). Because people remember names better than strings of digits, a name service such as BIND is considered essential; for that reason a special body was formed, and it maintains the Internet standard for domain names. For more details you can read http://www.faqs.org/rfcs/rfc1794.html, which explains what BIND is.
Domain Name System (DNS) servers run various versions of ISC BIND (Berkeley Internet Software Consortium Internet Name Domain). Even when BIND operates normally, it can contain a security hole, a vulnerability that an attacker can exploit.
 ISC BIND 8 buffer overflow in the transaction signature (TSIG) handling code
In this process, BIND 8 checks for errors in a valid input key. If the transaction signature is not valid, BIND continues through the normal request processing and jumps into the code that sends an error message. If the request is assumed to overload or exceed the capacity of the buffer in memory, the result is that the system can be bypassed, so that an outsider can easily enter the computer network (LAN/WAN) as a whole.
 ISC BIND 4 buffer overflow in nslookupComplain(): this security hole in BIND 4 involves a character array that is used to build the error message the attacker causes to be written to syslog. An attacker exploits this hole by sending specially formatted control data to BIND 4 servers; if the crafted request is treated as a normal request, it disrupts the normal operation of the DNS server.
 ISC BIND 4 input validation error in nslookupComplain(): this security hole is almost the same as the "ISC BIND 4 buffer overflow in nslookupComplain()", and this weakness can be patched with a newer BIND version such as BIND 4.9.5-P1.
 Information leaks in ISC BIND 4 and BIND 8 may reveal some of the server's variables and allow a remote attacker to access the program stack, so that they can find further security holes in the BIND server.
2. SADMIND/IIS WORM
The attacker uses code they have written to exploit several security holes (vulnerabilities) in the Solaris system and the IIS server.
What is an exploit?
Exploit essentially comes from a word meaning to dig or search, so the exploit here is a program that can be used to find the weaknesses of an application program. Someone with more ability in the Internet and networking field, but with destructive intentions, uses such an exploit program by combining it with virus software. The logic used in this application program can be of various kinds; SADMIND/IIS WORM is a type of virus that can deface (replace the web page that is attacked). SADMIND/IIS WORM is a type of attack that exploits the Solaris system and installs software on that system to attack Microsoft IIS web servers.
How SADMIND/IIS WORM works:
The worm first infects a Solaris system, after which it installs itself on that system and scans for other Solaris systems and IIS systems. An IIS system infected by the virus will have its web interface changed. The attacker can use the exploit to search for security gaps on the web server and to seek the highest privilege level on the Solaris system, and on the Windows system it uses an account such as IUSR_namakomputer (IUSR_ followed by the computer name). If a system administrator in the office uses the default system, this can happen; the point about the default system here is this: consider the case where an administrator installs IIS (Internet Information Server) with its defaults, then the default user name on the computer is IUSR_namakomputer, so once the worm has obtained the computer name of the server it tries to infect that computer by using the default account first.
3. "CODE RED" Worm
Code Red was first detected on 19 June 2001. The weakness it exploited is in Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and the beta version of Windows XP. The security hole allows the intruder to run code on the infected machine.
Because the technique was made to seek out and exploit a security hole in the system, system administrators are required to patch the OS to the latest patches to avoid such a possibility in the future. Lots of bugs have been found in application programs (such as the Unicode bug) and many more.
So what is a "bug"?
Bug, according to the base word, literally means a head louse; as for whether there is a relationship between lice and computer programs, to be honest "I do not know". If you think in terms of the computer or IT world, a bug is a mistake or error in an application program that appears after the program has been made.
To find the bugs or errors of a particular program, someone will create another program to exploit it; if it can attack on a massive scale or cause much damage (mass destruction), the program is combined with a virus so that it works more effectively and causes more damage. That is what was used in the "CODE RED" worm.
4. W32/Sircam
Sircam is one of the most widespread virus attacks to date. This worm attacks via email and is quite vicious and destructive. Worms were basically not the destructive type of virus, but now the boundary between worm and virus no longer appears: once, a pure virus attacked and a pure worm only copied itself, resulting in a large number of worms, with the side effect that the computer would hang and its performance would slow.
As things are now, the limits between viruses and worms are no longer visible, and many worms are of the destructive type. This worm infects the system in 2 ways:
 When an email attachment from the worm is opened, the worm code is executed
 By copying itself into a network share that is not protected.
---------- spread via email ----------
The worm or virus uses two languages in the text of its body, namely English and Spanish.
Example in English:
Hi! How are you? (variation)
See you later. Thanks
The contents of the variations can be:
I send you this file in order to have your advice
I hope you like the file that I Sendo you
I hope you can help me with this file that I send
This is the file with the information you ask for
Examples in Spanish:
Hola como estas?
(variation)
Nos vemos pronto, gracias.
The contents of the variations are as follows:
Te mando este Archivo para que me des tu punto de vista
Espero te guste este Archivo que te mando
Espero me puedas ayudar con el Archivo que te mando
Este es el Archivo con que me la Informacion pediste
Sircam will send a file with 2 extensions. A sample file name is as follows:
"setup.exe.pif"


---------- spread through unprotected network shares ----------
Sircam will copy itself into the network share using the following steps:
 Copies itself to \\[share]\Recycled\SirC32.EXE
 Appends "@win \Recycled\SirC32.exe" to autoexec.bat.
If a network share is found, it will modify the Windows folder on the share as follows:
 Copies \\[share]\Windows\rundll32.exe to \\[share]\Windows\run32.exe
 Copies itself to \\[share]\Windows\rundll32.exe
 When the virus is run from rundll32.exe, it will run run32.exe
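As an added example (not from the original post), a Python check for the traces Sircam leaves on a share, following the steps listed above. The share listing and autoexec.bat contents are constructed samples, and the layout (a Recycled folder and a Windows folder at the share root) is an assumption.

```python
import re

# Traces Sircam leaves on a share, taken from the steps listed above. Paths are
# relative to the share root, backslash separated, compared case-insensitively.
WORM_COPY = r"recycled\sirc32.exe"
RUNDLL_ORIGINAL = r"windows\run32.exe"   # the real rundll32.exe, renamed by the worm
RUNDLL_PATH = r"windows\rundll32.exe"    # now occupied by the worm
# Line the worm appends to autoexec.bat; tolerant of spacing differences.
AUTOEXEC_LINE = re.compile(r"^@?\s*win\s*\\?recycled\\sirc32\.exe\s*$",
                           re.IGNORECASE | re.MULTILINE)


def check_share(files: dict[str, int], autoexec_bat: str) -> list[str]:
    """files maps each path on the share to its size in bytes; autoexec_bat is the
    text of the share's autoexec.bat. Returns one line per indicator found."""
    lower = {path.lower(): size for path, size in files.items()}
    hits = []
    if WORM_COPY in lower:
        hits.append(f"worm copy at Recycled\\SirC32.EXE ({lower[WORM_COPY]} bytes)")
    if RUNDLL_ORIGINAL in lower:
        hits.append("Windows\\run32.exe exists: rundll32.exe was renamed by the worm")
    if RUNDLL_PATH in lower and WORM_COPY in lower and lower[RUNDLL_PATH] == lower[WORM_COPY]:
        hits.append("Windows\\rundll32.exe is the same size as the worm copy")
    if AUTOEXEC_LINE.search(autoexec_bat):
        hits.append("autoexec.bat starts Recycled\\SirC32.exe at boot")
    return hits


# Constructed listing and autoexec.bat of an infected share (sizes are made up).
SAMPLE_FILES = {
    r"Recycled\SirC32.EXE": 140000,
    r"Windows\run32.exe": 25000,
    r"Windows\rundll32.exe": 140000,
    r"Windows\notepad.exe": 52000,
}
SAMPLE_AUTOEXEC = "@echo off\nPATH=C:\\WINDOWS\n@win \\Recycled\\SirC32.exe\n"

if __name__ == "__main__":
    for hit in check_share(SAMPLE_FILES, SAMPLE_AUTOEXEC):
        print("indicator:", hit)
```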
The ways to prevent this virus are as follows:
 Filter all email using a firewall
 Exercise care in opening attachments
 Use the antivirus with the latest updates

5. W32/Nimda
Nimda is classified as a worm-type virus.
This virus attacks systems using techniques taken from earlier worms such as Code Red, Sircam, and sadmind.
It attacks the Windows 95, 98, NT, ME, and 2000 operating systems. The attack can be carried out in various ways:
 From client to client using email
 From client to client through network shares
 From the web server to the client when the client browses an infected web site
 From the client to a web server that has been exploited through various Microsoft IIS 4.0/IIS 5.0 vulnerabilities
 From the client to the web server by scanning for backdoors left by CODE RED II and SADMIND/IIS
---------- distribution via email ----------
This virus uses MIME as its means of infection.
What is MIME?
MIME is the "Multipurpose Internet Mail Extensions"; its function is to transfer data that is not in US-ASCII form. For information on MIME you can read http://www.ietf.org/rfc/rfc2045.txt.
Emails sent by Nimda take the following form:
Text with different and variable subjects, an attachment with a length of about 57,344 bytes, and the worm will send the email again every 10 days.
---------- distribution using the browser ----------
To spread through the browser, the worm serves a script to Internet Explorer from the infected web pages.
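The double-extension attachment shown in the Sircam section (setup.exe.pif) and the MIME email described here for Nimda can be screened the same way. The following is an added example, not from the original post, that parses a message with Python's email module and reports attachments whose file name ends in a decoy extension followed by an executable one; the message is a constructed sample, and the set of executable extensions is an assumption.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed set of extensions Windows will execute on double-click (not from the post).
EXECUTABLE_EXT = {"exe", "pif", "com", "bat", "scr", "lnk", "vbs"}


def is_double_extension(filename: str) -> bool:
    """True for names like setup.exe.pif: a decoy extension followed by an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT


def suspicious_attachments(raw_message: str) -> list[tuple[str, int]]:
    """Return (filename, decoded size in bytes) for each double-extension attachment.
    The size is reported so a rule can also match a known worm length (Nimda's ~57,344)."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():  # skips the message body parts
        name = part.get_filename() or ""
        if is_double_extension(name):
            payload = part.get_payload(decode=True) or b""
            found.append((name, len(payload)))
    return found


def build_sample_message() -> str:
    """Constructed sample in the shape of the Sircam mail above; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "setup"
    msg.set_content("Hi! How are you?\nI send you this file in order to have your advice\n"
                    "See you later. Thanks\n")
    # Fake executable body: an MZ header followed by padding, 1024 bytes in total.
    msg.add_attachment(b"MZ" + b"\x00" * 1022, maintype="application",
                       subtype="octet-stream", filename="setup.exe.pif")
    msg.add_attachment("plain text", filename="notes.txt")  # harmless, must not be flagged
    return msg.as_string()


if __name__ == "__main__":
    for name, size in suspicious_attachments(build_sample_message()):
        print(f"suspicious attachment: {name} ({size} bytes)")
```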
