CERT Coordination Center 2001 Annual Report

Annual Report
This 2001 annual report details CERT Coordination Center incident handling, advisories, media exposure, training, and community involvement.
Publisher

Software Engineering Institute

Abstract

From January through December 2001, the CERT/CC received 118,907 email messages and more than 1,417 hotline calls reporting computer security incidents or requesting information. We received 2,437 vulnerability reports and handled 52,658 computer security incidents during this period.

Some of the most serious intruder activities reported to the CERT/CC in 2001 were:

  • Multiple Vulnerabilities in BIND
    Intruders root compromised systems through vulnerabilities in the Internet Software Consortium's Berkeley Internet Name Domain (BIND) server. The CERT/CC published advice on protecting systems that run BIND in CA-2001-02.

    In March 2001, intruders continued to compromise systems using two of the vulnerabilities described in CA-2001-The CERT/CC published additional advice in IN-2001-03, identifying the attack profiles and toolkits used in such attacks.
  • sadmind/IIS Worm
    Intruders used a piece of self-propagating malicious code (referred to here as sadmind/IIS) to exploit vulnerabilities in Solaris systems and IIS servers, thereby compromising systems and defacing web pages. The sadmind/IIS worm exploits a vulnerability in Solaris systems and subsequently installs software to attack Microsoft IIS web servers. In addition, it includes a component to propagate itself automatically to other vulnerable Solaris systems (CA-2001-11).
  • "Code Red" Worm
    The "Code Red" worm received a great deal of attention this year. On June 19, 2001, the CERT/CC published CA-2001-13, describing a vulnerability in Indexing Services used by Microsoft IIS 4.0 and IIS 5.0. One month later, the CERT/CC began receiving a large number of reports of a worm commonly referred to as "Code Red," a self-propagating malicious code that exploits IIS-enabled systems. The CERT/CC detailed the Code Red attack cycle, systems affected, and the system and network footprints in CA-2001-19 and CA-2001-23.

    In early August, the CERT/CC received reports of new self-propagating malicious code exploiting the vulnerability described in CA-2001-13. The "Code Red II" worm causes system-level compromise and leaves a backdoor on certain machines running Windows 2000 (IN-2001-09).
  • W32/Sircam Malicious Code
    On July 25, 2001, the CERT/CC received reports of malicious code that spreads through email and potentially through unprotected network shares. Sircam has a direct impact on both the infected computer and those with which it communicates over email (CA-2001-22).
  • W32/Nimda Worm
    The CERT/CC received reports of malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This worm propagates itself via several methods, including email, network shares, or through an infected web site. Nimda also spreads from client to web server by scanning for back doors left behind by the "Code Red II" and "sadmind/IIS" worms. On September 18, the CERT/CC issued an advisory on Nimda (CA-2001-26).
Part of a Collection

CERT Annual Reports 1994-2010

Cite This Annual Report

@techreport{Citekey_2001,
author={Software Engineering Institute},
title={CERT Coordination Center 2001 Annual Report},
month={Feb},
year={2001},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://www.sei.cmu.edu/library/cert-coordination-center-2001-annual-report/},
note={Accessed: 2026-May-18}
}

Software Engineering Institute. "CERT Coordination Center 2001 Annual Report." Carnegie Mellon University, Software Engineering Institute's Digital Library. Carnegie Mellon's Software Engineering Institute, February 19, 2001. https://www.sei.cmu.edu/library/cert-coordination-center-2001-annual-report/.