CERT Coordination Center 2000 Annual Report

Annual Report
This 2000 report provides an overview of CERT Coordination Center incident handling, vulnerability analysis, publications, training, and community events.
Publisher

Software Engineering Institute

Abstract

From January through December 2000, the CERT/CC received 56,365 email messages and more than 1,280 hotline calls reporting computer security incidents or requesting information. We received 774 vulnerability reports and handled 21,756 computer security incidents during this period. More than 9,350,000 hosts were affected by these incidents.

Some of the most serious intruder activities reported to the CERT/CC in 2000 were:

  • Distributed Denial of Service (DDoS)
    The year began with extensive denial-of-service attacks using tools that take advantage of the distributed nature of the Internet. In addition to continued reports of denial-of-service problems, a denial-of-service tool called "stacheldraht" was discovered (CA-2000-01), which elaborated on and supplemented information released in an earlier denial-of-service advisory (CA-1999-17).
  • BIND
    Intruders root compromised systems through vulnerabilities in BIND including the "NXT bug" described in advisory CA-1999-14. The CERT/CC published advice on protecting systems that run BIND nameservers in CA-1999-14 and CA-2000-03.
  • FTP
    Intruders exploited vulnerabilities in WU-FTPD and other FTP daemons to gain root access. They scanned large network blocks searching for vulnerable machines and used automated tools to compromise the ones they found. In some cases, the intruder tool included a denial-of-service tool, a password sniffer, and more.
  • rpc.statd
    Intruders used vulnerabilities in rpc.statd to gain root access and execute programs of their choice. As with the FTP exploitations, intruders performed widespread scans for this vulnerability and used toolkits to automate their attacks on vulnerable machines. As a result, they were able to compromise hundreds of hosts in a single incident (CA-2000-17 and IN-2000-10).
  • ActiveX Controls
    In 2000, we received reports of email-borne viruses that exploit a vulnerability in the Microsoft ActiveX control named "Scriptlet.Typelib." This ActiveX control allows local files to be created or modified, so it is unsafe to allow untrusted programs to access this control (IN-2000-06). Additionally, we published information about a serious vulnerability in the HHCtrl ActiveX control. This vulnerability allows remote intruders to execute arbitrary code, if the intruder can cause a compiled help file (CHM) to be accessed locally (CA-2000-12).
  • "Love Letter"
    "Love Letter" is a malicious VBScript program that spreads in a variety of ways. In addition to the damage caused by "Love Letter" itself, some sites suffered considerable network degradation from the mail, file, and web traffic it generated. The CERT/CC published details in CERT advisory CA-2000-04.
Part of a Collection

CERT Annual Reports 1994-2010

Cite This Annual Report

@techreport{Citekey_2001,
author={Software Engineering Institute},
title={CERT Coordination Center 2000 Annual Report},
month={Apr},
year={2001},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://www.sei.cmu.edu/library/cert-coordination-center-2000-annual-report/},
note={Accessed: 2026-May-15}
}

Software Engineering Institute. "CERT Coordination Center 2000 Annual Report." Carnegie Mellon University, Software Engineering Institute's Digital Library. Carnegie Mellon's Software Engineering Institute, April 6, 2001. https://www.sei.cmu.edu/library/cert-coordination-center-2000-annual-report/.