digital.forest Technical Support
News archive: Worms and Virii

The Internet is buzzing with news concerning a potential malware threat from a Microsoft Windows vulnerability which was patched this past Tuesday. I'd like to take this opportunity to remind our valued clients of our policies and procedures in instances such as this.

* We do our best to protect the hosts inside our network from such threats, by both patching and port-blocking on our boundary network and firewall devices.

* We ask that you also stay current on your patches, not only on your servers here, but also on any internal hosts used to access them. This is crucial because many of our clients use VPN technology to communicate with servers in our datacenter. Our port blocking and firewalling efforts have NO EFFECT on the contents and payload of VPN-tunnelled/encrypted traffic. This means that even if we have successfully stopped the malware from entering our network from "the wild", you or your users can still "infect" your own servers via a VPN connection.

* If an outbreak of some malware does occur, our first priority will be to secure our network from further spread. If your servers are infected, and being used to spread further malware or similarly abusive traffic, we will have no choice but to disconnect them from the network. We reserve the right to block any malicious traffic, or remove any system from our network being used to generate malicious traffic.

* We are available to assist clients in patching or repairing systems, but be aware that our priorities in the midst of an event will be protecting those clients and systems that are NOT affected first. In other words we may not be available to assist immediately as our resources will be focussed on prevention of the spread before curing of the ill.

It is therefore in your best interest to patch your systems now.

For more information on this issue, please see:
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

http://www.dhs.gov/dhspublic/display?content=5789

http://www.eweek.com/article2/0,1895,2002142,00.asp

Excellent sources of up-to-date information should an event occur are:
SANS' Internet Storm Center
CERT
US-CERT


Regards,
--Chuck Goolsbee
V.P., Technical Operations
digital.forest

posted by Chuck G. at 02:16 PM on Friday, August 11, 2006
Categories: Colocated & Dedicated Servers, Network, Worms and Virii

A "zero-day" Windows exploit has been discovered as of yesterday. You can track the discovery and analysis of this on various security and Internet-operations websites. From our observations, this exploit can affect FULLY PATCHED servers, despite claims to the contrary by Microsoft. It was discovered on one of our hosting servers yesterday, which was fully patched (including update KB835732).

There are no current virus scanning signatures for this exploit (on the server side) so it must be manually discovered. We strongly suggest that owners of colocated Microsoft Windows servers take whatever precautions they can, as they become available. We also suggest that server owners read the above referenced web pages to learn how to spot the exploit, and disable it. Take this knowledge and closely search and monitor your systems, both here at digital.forest and on your local networks.

We are updating our intrusion detection systems to monitor for this exploit, but given that it is still unknown how this exploit gets onto servers we'll only be able to spot already infected machines. If we find them, the server owners will be notified.

Thank you for your cooperation and understanding.

posted by Chuck G. at 12:17 PM on Friday, June 25, 2004
Categories: Colocated & Dedicated Servers, Hosting Servers, Worms and Virii

Please note that Apple has released some security-related updates in the past weeks, including a new OS version (10.3.4) which includes these updates. Experience has shown that staying up-to-date with security-related patches can limit exposure if an exploit is released "into the wild." While we have yet to see a MacOS X worm or similar malware, we still prefer to update when the vendor releases a patch. OS updates are handled a little differently, as they usually involve changes outside the realm of security, and require some testing prior to deployment.

NOTE: If we have administrative access to a client-owned server we almost always install security patches when they are released. The nature of our network, directly connected to very high bandwidth "backbone" connections, means that we have a much greater risk and exposure to newly released malware, especially of the "worm" type, as they spread automatically.

These recent patches from Apple cover a set of vulnerabilities which are classified as "Trojan Horses", which means they require user intervention to activate. However, we felt it necessary to apply the patches, if only to set a precedent for our MacOS X using clients with regards to how we handle security-related patches.

If you have a server colocated here running MacOS X, or MacOS X Server that you manage yourself, we strongly suggest that you run Software Update on a regular schedule. Install any security-related patches as soon as you are comfortable. Based on our experience with other platforms, it is better to be patched prior to the release of an actual exploit.

Our methodology for handling unpatched machines if there is a known exploit "in the wild" is to remove them from our network until patched. This is how we were able to survive high-profile issues such as CodeRed, SQLSlammer, etc. with minimal downtime and very low infection rates. Our Windows and UNIX using clients already know this, but given the recent widespread publicity about these MacOS X issues, we thought we should make the rest of our clients aware of this policy.

Thank you for your attention to this matter.

posted by Chuck G. at 12:04 PM on Thursday, May 27, 2004
Categories: Colocated & Dedicated Servers, Hosting Servers, Network, Worms and Virii

A new, particularly annoying virus is going around the net today. Called W32.Beagle.K@mm, it is distributed via email and masquerades as a security warning from a site administrator. The version you may receive that appears to be from digital.forest looks like this:

From: administration@forest.net
Date: March 3, 2004 8:20:26 AM PST
To: info@forest.net
Subject: Email account utilization warning.

Hello user of Forest.net e-mail server,

Our  antivirus software has detected a large ammount of  viruses  outgoing 
from your  email  account,  you may use  our  free  anti-virus tool  to clean up
your computer  software.

For further  details  see the attach.

For security reasons attached file  is password  protected. The password is  "57242".

The Management,
     The  Forest.net team                                http://www.forest.net

There will be an attachment. Opening the attachment on an affected system (including most versions of Microsoft Windows) will result in a "back door" security hole being opened on the system, and the virus will then attempt to propagate itself from that system.

Further information on this virus can be found here. Once again, this mail did not come from digital.forest; the virus is simply spoofing official-looking return addresses in our domain, as well as many others.

posted by Bill D. at 11:34 AM on Wednesday, March 3, 2004
Categories: Worms and Virii
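The lure quoted in the Beagle.K post above combines three traits: a sender spoofed from our own domain, an attachment, and the attachment's password quoted in the body so that antivirus gateways cannot open the archive. The following mail-filter heuristic is an added example, not code from digital.forest; `OUR_DOMAIN` is a placeholder and `SAMPLE` is a constructed message modelled on the quoted lure, not a real capture.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "forest.net"  # placeholder: the domain the lure spoofs
# Constructed sample modelled on the lure quoted in the post (not a real capture).
SAMPLE = """From: administration@forest.net
To: info@forest.net
Subject: Email account utilization warning.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Our antivirus software has detected a large amount of viruses outgoing
from your email account. For further details see the attach.
For security reasons attached file is password protected. The password is "57242".
--b1
Content-Type: application/zip; name="details.zip"
Content-Disposition: attachment; filename="details.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
PASSWORD_RE = re.compile(r"password\s+is\s*[\"']?\s*(\w+)", re.IGNORECASE)

def beagle_indicators(raw):
    # Return the lure traits present in one raw RFC 822 message.
    msg = message_from_string(raw)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower().endswith("@" + OUR_DOMAIN):
        hits.append("sender-spoofs-our-domain")  # our own domain as sender of inbound mail
    body, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    if attachments:
        hits.append("has-attachment")
    if PASSWORD_RE.search("\n".join(body)):
        hits.append("password-quoted-in-body")  # archive password in body defeats AV scanning
    return hits

def is_beagle_lure(raw):
    # All three traits together match the Beagle.K pattern; quarantine on match.
    return {"sender-spoofs-our-domain", "has-attachment", "password-quoted-in-body"} <= set(beagle_indicators(raw))
```

Each trait alone is legitimate (internal mail, attachments, shared passwords), so quarantine only on the combination and review the individual indicators in the mail log.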