SANS ISC InfoSec Handlers Diary Blog

ANI exploit code drives INFOCon to Yellow

Published: 2007-03-31
Last Updated: 2007-03-31 14:31:15 UTC
by Kevin Liston (Version: 1)
0 comment(s)
The ANI vulnerability has been of recent concern.  I've been waiting for a few key events to be confirmed before adjusting the INFOCon.  We don't take these decisions lightly.

Rating systems such as Symantec's ThreatCon (currently at 2 of 4), FS/ISAC's Cyber Threat Advisory (currently at Guarded), and our INFOCon (now at Yellow) all have their particular niche.  Symantec focuses on their AV and managed-security-service customers.  FS/ISAC focuses on financial institutions.  The Internet Storm Center's INFOCon is intended "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level.  Now, we have a different landscape.

  • Exploit code has been publicly released that can be trivially modified to carry any arbitrary payload.
  • The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
  • The number of compromised sites pointing to malicious sites is also on the rise.
Recommendations:
  • Keep anti-virus up-to-date.  So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files.  The secondary payloads downloaded by these exploits are also often detectable (though not always).
  • Content-filtering.  If your environment supports it, dropping ANI files (identified by actual file inspection, not by file extension) may be prudent until patches are deployed.  This will impact your myspace.com browsing experience though.
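The content-filtering recommendation above depends on recognising an ANI file by its structure rather than its name, and the AV recommendation depends on spotting non-compliant ones. The following is an added illustration, not code from the ISC or from any vendor product: it identifies ANI files by their RIFF/ACON signature and flags files whose 'anih' header chunk does not have the 36-byte size of the documented ANIHEADER structure, or whose chunk sizes run past the end of the file. `build_sample` constructs minimal test inputs; it is not real-world data.

```python
import struct

ANIHEADER_SIZE = 36  # the documented size of the ANIHEADER structure carried in an 'anih' chunk

def is_ani(data: bytes) -> bool:
    """Identify an ANI file by its RIFF/ACON signature, independent of the file name."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"

def _chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, declared_size, payload_offset) for each RIFF chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        yield fourcc, size, pos + 8
        pos += 8 + size + (size & 1)  # chunk payloads are padded to an even length

def _check(data: bytes, start: int, end: int) -> int:
    """Return the number of well-formed 'anih' chunks found, or -1 on a structural problem."""
    found = 0
    for fourcc, size, off in _chunks(data, start, end):
        if off + size > len(data):
            return -1  # declared chunk size runs past the end of the buffer
        if fourcc == b"LIST":
            inner = _check(data, off + 4, off + size)  # skip the 4-byte list type, then recurse
            if inner < 0:
                return -1
            found += inner
        elif fourcc == b"anih":
            if size != ANIHEADER_SIZE:
                return -1  # header chunk whose size is not sizeof(ANIHEADER)
            found += 1
    return found

def inspect_ani(data: bytes) -> str:
    """Classify a buffer as 'not-ani', 'compliant' or 'non-compliant' (exactly one valid anih expected)."""
    if not is_ani(data):
        return "not-ani"
    riff_len = struct.unpack_from("<I", data, 4)[0]
    count = _check(data, 12, min(len(data), 8 + riff_len))
    return "compliant" if count == 1 else "non-compliant"

def build_sample(*payloads: bytes) -> bytes:
    """Constructed test input: a minimal RIFF/ACON file with one 'anih' chunk per payload."""
    body = b"ACON"
    for p in payloads:
        body += b"anih" + struct.pack("<I", len(p)) + p + (b"\0" if len(p) & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

A gateway filter would call `inspect_ani` on the response body regardless of the URL's extension or Content-Type and drop anything that is not `"not-ani"` (or only the `"non-compliant"` files, if ANI must remain allowed).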
We intend to maintain INFOCon Yellow status and reassess every 24 hours (around 1400 UTC).