CERT Coordination Center 1999 Annual Report

From January through December 1999, the CERT/CC received 32,967 email messages and 2,099 hotline calls reporting computer security incidents or requesting information. We received 419 vulnerability reports and handled 8,268 computer security incidents during this period. More than 4,387,088 hosts were affected by these incidents.

Some of the most serious intruder activities reported to the CERT/CC in 1999 were:

• Growth and Evolution of Distributed Systems Intruder Tools
  The CERT/CC received reports of intruders using distributed systems intruder tools (DSIT). The use of these tools was reported in an alert and an incident note (CA-99-17 and IN-99-07) and these tools were the subject of a November workshop. While not new, DSIT have grown in use and in sophistication. With DSIT, a single command from an attacker can cause several thousand concurrent attacks on one or multiple targets. Damage to systems can include those used to do the attack as well as the targeted victim. For the targeted victim the impact can be severe. For example, in a denial-of-service attack using distributed technology, the targeted system receives simultaneous attacks flooding the network normally used to communicate and trace the attacks in addition to preventing legitimate traffic from traversing the network.
• Virus and Trojan Horse Activity; Melissa; CIH/Chernobyl; Happy99; and ExploreZip
  Reported in CA-99-04, the Melissa virus spreads mainly as Microsoft Word 97 and Word 2000 attachments in email. Because Melissa propagates by automatically emailing copies of infected files to other users, it had the potential to cause severe problems across the Internet. In addition to its ability to cause denial of service by overloading mail systems, the virus could also cause confidential documents to be leaked without the users knowledge.
  
  Reported in IN-99-03, the CIH (Chernobyl) virus infects executable files and is spread by executing an infected file. Since many files are executed during normal use of a computer, the CIH virus can infect many files quickly. The most common version of the virus became active on April 26, but there are other versions that become active on the 26th day of other months.
  
  Reported in IN-99-02 and CA-99-02, Happy99.exe is a Trojan horse. The first time Happy99.exe is executed, a fireworks display saying "Happy 99" appears on the computer screen. At the same time, it modifies system files to email itself to other people.
  
  Reported in CA-99-06, the ExploreZip program is a Trojan horse affecting Windows 95/98/NT systems. It modifies system files and destroys files. For ExploreZip to work, a person must open or run an infected email attachment, which allows the program to install a copy of itself on the victim's computer and enables further propagation. ExploreZip may also behave as a worm, propagating to other network machines without human interaction.
  
• RPC Vulnerabilities
  In a significant number of incidents reported, intruders exploited at least one of three RPC vulnerabilities. As reported in alerts throughout the year (CA-99-05, CA-99-08, and IN-99-04) the vulnerable services are; rpc.cmsd; statd and automoutd; and ttbserverd. Exploitations of these vulnerable services can lead to root compromise.