US-CERT Alerts http://www.us-cert.gov/ncas/alerts Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk. en TA13-193A: Exploit Tool Targets Vulnerabilities in McAfee ePolicy Orchestrator (ePO) http://www.us-cert.gov/ncas/alerts/TA13-193A Original release date: July 12, 2013<br /> <h3>Systems Affected</h3> <p>McAfee ePolicy Orchestrator (ePO)</p> <h3>Overview</h3> <p>A new exploit tool targets two vulnerabilities in McAfee's ePolicy Orchestrator (ePO).</p> <h3>Description</h3> <p>A new exploit tool specifically built to attack McAfee's ePolicy Orchestrator (ePO) targets two vulnerabilities found in ePO versions 4.6.5 and earlier. In order to exploit these vulnerabilities the attacker must be on the local network.</p> <h3>Impact</h3> <p>The tool allows an attacker on the local network to add rogue systems to an enterprise ePO server, steal domain credentials if they are cached within ePO, upload files to the ePO server, and execute commands on the ePO server as well as any systems managed by ePO.</p> <h3>Solution</h3> <p><strong>Identify Vulnerable ePO Versions</strong></p><p>To determine whether your instance of ePO is vulnerable, please refer to <a href="https://kc.mcafee.com/corporate/index?page=content&amp;id=KB52634">KB52634</a> and <a href="https://kc.mcafee.com/corporate/index?page=content&amp;id=KB59938">KB59938</a>:</p><ol><li>The ePO 4.x console is accessible only via a web interface and the Patch version (build number) will always be displayed in the Windows Internet Explorer title bar, including the first page where a user will log on to the ePO 4.x console.</li><li>For ePO 4.5 Patch 6, the Internet Explorer title will display the following information:</li></ol><p>ePolicy Orchestrator 4.5.6 (Build: 137) - Microsoft Internet Explorer</p><ol><li value="3">For ePO 4.6 Patch 5, the Internet Explorer title will display the following information:</li></ol><p>ePolicy Orchestrator 4.6.5 (Build: 168) -
Microsoft Internet Explorer</p><p><strong>Update ePO</strong></p><p>This tool poses a significant risk to enterprises that use ePO and the following mitigation steps are strongly advised.</p><ol><li>Upgrade ePO to one of the following versions:<ul><li>ePO 5.0, released March 25, 2013;</li><li>ePO 4.5.7, released on May 23, 2013; or</li><li>ePO 4.6.6, released on March 26, 2013.</li></ul></li></ol><p><strong>Restrict Access to ePO</strong></p><p>Additionally, US-CERT recommends that administrators use dedicated remote administration consoles and set strict access controls that only allow specified systems to connect to the ePO server, reducing the potential attack surface.</p> <h3>References</h3> <ul> <li><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0141">Vulnerability Summary for CVE-2013-0141</a></li> <li><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0140">Vulnerability Summary for CVE-2013-0140 </a></li> <li><a href="https://kc.mcafee.com/corporate/index?page=content&id=sb10042">McAfee Security Bulletin - ePO update fixes two vulnerabilities reported by Verizon</a></li> <li><a href="http://www.kb.cert.org/vuls/id/209131">Vulnerability Note VU#209131</a></li> </ul> <h3>Revision History</h3> <ul> <li>July 12, 2013: Initial Release</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Fri, 12 Jul 2013 18:19:38 +0000 US-CERT 5635 at http://www.us-cert.gov TA13-190A: Microsoft Updates for Multiple Vulnerabilities http://www.us-cert.gov/ncas/alerts/TA13-190A Original release date: July 09, 2013<br /> <h3>Systems Affected</h3> <ul><li><span face="">Microsoft Windows</span></li><li><span face="">Microsoft .NET Framework</span></li><li><span face="">Microsoft Silverlight</span></li><li><span face="">Microsoft Office</span></li><li><span face="">Microsoft Visual 
Studio</span></li><li><span face="">Microsoft Lync</span></li><li><span face="">Internet Explorer</span></li><li><span face="">Windows Defender </span></li></ul> <h3>Overview</h3> <p>Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.</p> <h3>Description</h3> <p>The <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-jul">Microsoft Security Bulletin Summary for July 2013</a> describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.</p> <h3>Impact</h3> <p>These vulnerabilities could allow remote code execution or elevation of privilege.</p> <h3>Solution</h3> <p><strong>Apply Updates</strong></p><p>Microsoft has provided updates for these vulnerabilities in the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-jul">Microsoft Security Bulletin Summary for July 2013</a>, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as <a href="http://www.us-cert.gov/redirect?url=http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Fwsus%2Fdefault.aspx" target="_blank">Windows Server Update Services</a> (WSUS). 
Home users are encouraged to enable <a href="http://www.us-cert.gov/redirect?url=http%3A%2F%2Fwindows.microsoft.com%2Fen-us%2Fwindows-vista%2FTurn-automatic-updating-on-or-off" target="_blank">automatic updates</a>.</p> <h3>References</h3> <ul> <li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-jul">Microsoft Security Bulletin Summary for July 2013</a></li> <li><a href="http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx">Microsoft Windows Server Update Services</a></li> <li><a href="http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off">Turn Automatic Updating On or Off</a></li> </ul> <h3>Revision History</h3> <ul> <li>Initial Release</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Tue, 09 Jul 2013 18:56:02 +0000 US-CERT 5629 at http://www.us-cert.gov TA13-175A: Risks of Default Passwords on the Internet http://www.us-cert.gov/ncas/alerts/TA13-175A Original release date: June 24, 2013<br /> <h3>Systems Affected</h3> <p>Any system using password authentication accessible from the internet may be affected. Critical infrastructure and other important embedded systems, appliances, and devices are of particular concern.</p> <h3>Overview</h3> <p>Attackers can easily identify and access internet-connected systems that use shared default passwords. It is imperative to change default manufacturer passwords and restrict network access to critical and important systems.</p> <h3>Description</h3> <h4>What Are Default Passwords?</h4><p>Factory default software configurations for embedded systems, devices, and appliances often include simple, publicly documented passwords. 
These systems usually do not provide a full operating system interface for user management, and the default passwords are typically identical (shared) among all systems from a vendor or within product lines. Default passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend changing the default password before deploying the system in a production environment.</p><h4>What Is the Risk?</h4><p>Attackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be found in product documentation and compiled lists available on the internet. It is possible to identify exposed systems using search engines like <a href="http://www.shodanhq.com/">Shodan</a>, and it is feasible to scan the entire IPv4 internet, as demonstrated by such research as</p><ul><li><a href="https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities">Shiny Old VxWorks Vulnerabilities</a></li><li><a href="https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play">Security Flaws in Universal Plug and Play: Unplug, Don't Play</a></li><li><a href="https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers">Serial Offenders: Widespread Flaws in Serial Port Servers</a></li><li><a href="https://speakerdeck.com/hdm/derbycon-2012-the-wild-west">The Wild West</a></li><li><a href="http://internetcensus2012.bitbucket.org/paper.html">Internet Census 2012</a></li></ul><p>Attempting to log in with blank, default, and common passwords is a widely used attack technique.</p> <h3>Impact</h3> <p>An attacker with knowledge of the password and network access to a system can log in, usually with root or administrative privileges. Further consequences depend on the type and use of the compromised system.
Examples of incident activity involving unchanged default passwords include</p><ul><li>Internet Census 2012 Carna Botnet distributed scanning</li><li>Fake Emergency Alert System (EAS) warnings about zombies</li><li>Stuxnet and Siemens SIMATIC WinCC software</li><li>Kaiten malware and older versions of Microsoft SQL Server</li><li>SSH access to jailbroken Apple iPhones</li><li>Cisco router default Telnet and enable passwords</li><li>SNMP community strings</li></ul> <h3>Solution</h3> <h4>Change Default Passwords</h4><p>Change default passwords as soon as possible and absolutely before deploying the system on an untrusted network such as the internet. Use a sufficiently strong and unique password. See US-CERT Security Tip <a href="http://www.us-cert.gov/ncas/tips/ST04-002">ST04-002</a> and <em><a href="https://www.us-cert.gov/reading_room/PasswordMgmt2012.pdf">Password Security, Protection, and Management</a></em> for more information on password security.</p><h4>Use Unique Default Passwords</h4><p>Vendors can design systems that use unique default passwords. Such passwords may be based on some inherent characteristic of the system, like a MAC address, and the password may be physically printed on the system.</p><h4>Use Alternative Authentication Mechanisms</h4><p>When possible, use alternative authentication mechanisms like Kerberos, x.509 certificates, public keys, or multi-factor authentication. Embedded systems may not support these authentication mechanisms and the associated infrastructure.</p><h4>Force Default Password Changes</h4><p>Vendors can design systems to require password changes the first time a default password is used. Recent versions of DD-WRT wireless router firmware operate this way.</p><h4>Restrict Network Access</h4><p>Restrict network access to trusted hosts and networks. Only allow internet access to required network services, and unless absolutely necessary, do not deploy systems that can be directly accessed from the internet. 
If remote access is required, consider using VPN, SSH, or other secure access methods and be sure to change default passwords.</p><p>Vendors can design systems to only allow default or recovery password use on local interfaces, such as a serial console, or when the system is in maintenance mode and only accessible from a local network.</p><h4><strong>Identify Affected Products</strong></h4><p>It is important to identify software and systems that are likely to use default passwords. The following list includes software, systems, and services that commonly use default passwords:</p><ul><li>Routers, access points, switches, firewalls, and other network equipment</li><li>Databases</li><li>Web applications</li><li>Industrial Control Systems (ICS) systems</li><li>Other embedded systems and devices</li><li>Remote terminal interfaces like Telnet and SSH</li><li>Administrative web interfaces</li></ul><p>Running a vulnerability scanner on your network can identify systems and services using default passwords. 
Freely available scanners include Metasploit and OpenVAS.</p> <h3>References</h3> <ul> <li><a href="https://www.us-cert.gov/Home-Network-Security">Home Network Security </a></li> <li><a href="http://www.us-cert.gov/ncas/tips/st04-002">Choosing and Protecting Passwords </a></li> <li><a href="https://www.us-cert.gov/reading_room/PasswordMgmt2012.pdf">Password Security, Protection, and Management </a></li> <li><a href="http://www.us-cert.gov/sites/default/files/publications/HomeRouterSecurity2011.pdf">Small Office/Home Office Router Security </a></li> <li><a href="http://www.sans.edu/research/security-laboratory/article/default-psswd">The Risk of Default Passwords</a></li> <li><a href="http://www.shodanhq.com/">SHODAN - Computer Search Engine</a></li> <li><a href="https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities">Shiny Old VxWorks Vulnerabilities</a></li> <li><a href="https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play">Security Flaws in Universal Plug and Play: Unplug, Don't Play</a></li> <li><a href="https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers">Serial Offenders: Widespread Flaws in Serial Port Servers</a></li> <li><a href="http://speakerdeck.com/hdm/derbycon-2012-the-wild-west">The Wild West</a></li> <li><a href="http://internetcensus2012.bitbucket.org/paper.html">Internet Census 2012</a></li> <li><a href="http://articles.chicagotribune.com/2013-02-14/business/chi-zombie-hack-blamed-on-easy-passwords-20130214_1_karole-white-ioactive-labs-passwords">Zombie hack blamed on easy passwords</a></li> <li><a href="http://www.thebdr.net/articles/fcc/eas/EAS-Q5.pdf">Secure EAS Codecs Prevent Zombie Attacks</a></li> <li><a href="http://www.wired.com/threatlevel/2010/07/siemens-scada/">SCADA System's Hard-Coded Password Circulated Online for Years</a></li> <li><a
href="http://www.pcworld.com/article/201442/article.html">After Worm, Siemens Says Don't Change Passwords</a></li> <li><a href="http://www.cert.org/incident_notes/IN-2001-13.html">"Kaiten" Malicious Code Installed by Exploiting Null Default Passwords in Microsoft SQL Server</a></li> <li><a href="http://www.dd-wrt.com/wiki/index.php/Web_Interface#Username_and_Password">Web Interface - DD-WRT Wiki</a></li> <li><a href="http://www.metasploit.com/">Penetration Testing Software | Metasploit</a></li> <li><a href="http://www.openvas.org/">Open Vulnerability Assessment System</a></li> </ul> <h3>Revision History</h3> <ul> <li>Initial release</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Mon, 24 Jun 2013 19:11:00 +0000 US-CERT 5578 at http://www.us-cert.gov TA13-169A: Oracle Releases Updates for Javadoc and Other Java SE Vulnerabilities http://www.us-cert.gov/ncas/alerts/TA13-169A Original release date: June 18, 2013 | Last revised: June 19, 2013<br /> <h3>Systems Affected</h3> <p>Any system using Oracle Java including</p><ul><li>JDK and JRE 7 Update 21 and earlier</li><li>JDK and JRE 6 Update 45 and earlier</li><li>JDK and JRE 5.0 Update 45 and earlier</li><li>JavaFX 2.2.21 and earlier</li></ul><p>Website owners that host Javadoc HTML API documentation</p> <h3>Overview</h3> <p>Oracle released the <a href="http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html">June 2013 Critical Patch Update for Oracle Java SE</a>. This patch contains 40 new security fixes across Java SE products and a fix to the <a href="http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html">Javadoc Tool</a>. 
API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server.</p> <h3>Description</h3> <p>Oracle's June Critical Patch Update includes a fix to the <a href="http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html">Javadoc Tool</a>. API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server. Additional information can be found in <a href="http://www.kb.cert.org/vuls/id/225657">CERT Vulnerability Report VU#225657</a>. It is recommended that sites hosting such pages re-generate the API documentation using the latest Javadoc tool and replace the current pages with the re-generated Javadoc output. In cases where regenerating API documentation is not feasible, a Java API Documentation Updater Tool that updates API documentation "in place" is available on <a href="http://www.oracle.com/technetwork/java/javase/downloads/index.html">Oracle's Java SE Downloads page</a>.</p> <h3>Impact</h3> <p>An attacker can cause one of the frames within a Javadoc-generated web page to be replaced with a malicious page. This vulnerability could be used for phishing or social engineering, or it could be used for browser exploitation if combined with another browser-related vulnerability.</p> <h3>Solution</h3> <p><strong>Apply Updates</strong></p><p>Oracle has released the <a href="http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html">June 2013 Java Critical Patch Update</a> to address this vulnerability.
Oracle Java Development Toolkit (JDK) and Javadoc users are advised to apply the <a href="http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html">June 2013 Java Critical Patch Update</a> and regenerate and republish affected Javadoc HTML pages.</p><p><strong>Fix-in-Place Tool</strong></p><p>Oracle has released a fix-in-place tool named <a href="http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html">Java API Documentation Updater Tool</a>. This fix-in-place tool can process directories or folders to search for HTML files to be remediated without having to regenerate existing Javadocs. When presented directories/folders and their sub-directories or sub-folders, the <a href="http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html">Java API Documentation Updater Tool</a> will search for files with the following names:</p><ul><li>index.htm</li><li>index.html</li><li>toc.htm</li><li>toc.html</li></ul><p>For each file that matches the names noted above, the <a href="http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html">Java API Documentation Updater Tool</a> will search the file for the affected JavaScript text and replace it with the remediated version. 
Note that this tool will not detect Javadoc pages that have been renamed to something other than one of the above page names.</p> <h3>References</h3> <ul> <li><a href="http://www.us-cert.gov/ncas/current-activity/2013/06/18/Oracle-Java-SE-Critical-Patch-Update-Announcement-June-2013">Oracle Java SE Critical Patch Update Announcement - June 2013</a></li> <li><a href="http://www.kb.cert.org/vuls/id/225657">Vulnerability Note VU#225657</a></li> <li><a href="http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html">Oracle Java SE Critical Patch Update Advisory - June 2013</a></li> <li><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1571">CVE-2013-1571</a></li> <li><a href="http://www.oracle.com/technetwork/java/javase/documentation/index-jsp-135444.html">Javadoc Tool</a></li> </ul> <h3>Revision History</h3> <ul> <li>Initial Release</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Tue, 18 Jun 2013 20:37:17 +0000 US-CERT 5618 at http://www.us-cert.gov TA13-168A: Microsoft Updates for Multiple Vulnerabilities http://www.us-cert.gov/ncas/alerts/TA13-168A Original release date: June 17, 2013 | Last revised: June 18, 2013<br /> <h3>Systems Affected</h3> <ul><li>Microsoft Windows</li><li>Microsoft Internet Explorer</li><li>Microsoft Office</li></ul> <h3>Overview</h3> <p>Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.</p> <h3>Description</h3> <p>The <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-jun">Microsoft Security Bulletin Summary for June 2013</a> describes multiple vulnerabilities in Microsoft software.
Microsoft has released updates to address these vulnerabilities.</p> <h3>Impact</h3> <p>These vulnerabilities could allow remote code execution, information disclosure, denial of service, or elevation of privilege.</p> <h3>Solution</h3> <p><strong>Apply Updates</strong></p><p>Microsoft has provided updates for these vulnerabilities in the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-jun">Microsoft Security Bulletin Summary for June 2013</a>, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as <a href="http://www.us-cert.gov/redirect?url=http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Fwsus%2Fdefault.aspx" target="_blank">Windows Server Update Services</a> (WSUS). Home users are encouraged to enable <a href="http://www.us-cert.gov/redirect?url=http%3A%2F%2Fwindows.microsoft.com%2Fen-us%2Fwindows-vista%2FTurn-automatic-updating-on-or-off" target="_blank">automatic updates</a>.</p> <h3>References</h3> <ul> <li><a href="http://www.us-cert.gov/redirect?url=http%3A//technet.microsoft.com/en-us/security/bulletin/ms13-jun">Microsoft Security Bulletin Summary for June 2013</a></li> <li><a href="http://www.us-cert.gov/redirect?url=http%3A//technet.microsoft.com/en-us/windowsserver/bb332157.aspx">Microsoft Windows Server Update Services</a></li> <li><a href="http://www.us-cert.gov/redirect?url=http%3A//windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off">Turn Automatic Updating On or Off</a></li> </ul> <h3>Revision History</h3> <ul> <li>Initial Release</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Mon, 17 Jun 2013 15:00:13 +0000 US-CERT 5615 at
http://www.us-cert.gov TA13-141A: Washington, DC Radio Station Web Site Compromises http://www.us-cert.gov/ncas/alerts/TA13-141A Original release date: May 20, 2013 | Last revised: May 22, 2013<br /> <h3>Systems Affected</h3> <ul><li>Microsoft Windows systems running Adobe Reader, Acrobat, or Oracle Java</li></ul> <h3>Overview</h3> <p>On May 16, 2013, US-CERT was notified that both www.federalnewsradio[.]com and www.wtop[.]com had been compromised to redirect Internet Explorer users to an exploit kit. As of May 17, 2013, US-CERT analysis confirms that no malicious code remains on either site.</p> <h3>Description</h3> <p>The compromised websites were modified to contain a hidden iframe referencing a JavaScript file on a dynamic-DNS host. The file returned from this site was identified as the Fiesta exploit kit. The kit uses one of several known vulnerabilities to attempt to download an executable:</p><ul style="list-style-type: disc"><li><p><a href="http://www.adobe.com/support/security/bulletins/apsb09-04.html">CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat</a></p></li><li><p><a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">CVE-2010-0188: Unspecified vulnerability in Adobe Reader and Acrobat</a></p></li><li><p><a href="http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html">CVE-2013-0422</a><a href="http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html">: Multiple vulnerabilities in Oracle Java 7 before Update 11</a></p></li></ul><p>Any systems that visited these sites while running vulnerable versions of Adobe Reader, Acrobat, or Oracle Java may have been compromised.</p> <h3>Impact</h3> <p>The exploit kit, once successful, delivers and executes a known variant of the ZeroAccess Trojan.
Additionally, according to <a href="http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-tech-blogger-john-dvorak-blog-site-hijacked-exploits-java-and-adobe-to-distribute-fake-av-2/">open source reporting</a>, the malware also downloads and installs a variant of FakeAV/Kazy malware.</p><p>The ZeroAccess Trojan attempts to beacon to one of two hardcoded command-and-control addresses, 194[.]165[.]17[.]3 and 209[.]68[.]32[.]176. The beacon is an HTTP GET request that uses the Opera/10 user-agent string.</p><p>After beaconing, the malware downloads a custom Microsoft Cabinet file and uses port 16464/udp to connect to the peer-to-peer network. This cabinet file contains several lists of IP addresses, as well as a fake Flash installer.</p> <h3>Solution</h3> <p><strong>Apply Updates</strong></p><p>Updated software that addresses the vulnerabilities referenced in this incident has been available for years. It is imperative to apply current security updates to software that is commonly targeted by attackers.</p><ul><li>Adobe provided updates for the Adobe Reader and Acrobat vulnerabilities (<a href="http://www.adobe.com/support/security/bulletins/apsb09-04.html">CVE-2009-0927</a> and <a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">CVE-2010-0188</a>) in Adobe Security Bulletins <a href="https://www.adobe.com/support/security/bulletins/apsb09-04.html">APSB09-04</a> and <a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">APSB10-07</a> respectively.</li><li>Oracle released <a href="http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html">Oracle Security Alert for CVE-2013-0422</a> to address the Java vulnerability.</li></ul><p>In order to defend against additional vulnerabilities, install the most recent versions of Adobe Reader, Acrobat, and Oracle Java.
At the time of publication, Adobe Security Bulletin <a href="http://www.adobe.com/support/security/bulletins/apsb13-15.html">APSB13-15</a> documents current security updates for Adobe Reader and Acrobat, and <a href="http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html">Oracle Java SE Critical Patch Update Advisory - April 2013</a> documents vulnerabilities addressed by Java 7 Update 21.</p><p><strong>Identify Compromised Systems</strong><br /><br />Monitor activity to the following IP addresses as a potential indicator of compromise where permitted and practical:</p><ul><li>209[.]68[.]32[.]176</li><li>194[.]165[.]17[.]3</li></ul> <h3>References</h3> <ul> <li><a href="http://wtop.com/41/3319697/WTOP-and-Federal-News-Radio-Websites-Back-After-Cyber-Attack/">WTOP and Federal News Radio Websites Back After Cyber Attack</a></li> <li><a href="http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-tech-blogger-john-dvorak-blog-site-hijacked-exploits-java-and-adobe-to-distribute-fake-av-2/">K.I.A. - WTOP.com, FedNewsRadio and Tech Blogger John Dvorak Blog Site Hijacked - Exploits Java and Adobe to Distribute Fake A/V</a></li> <li><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927">Stack-based buffer overflow in Adobe Reader and Adobe Acrobat</a></li> <li><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188">Unspecified vulnerability in Adobe Reader and Acrobat</a></li> <li><a href="http://www.adobe.com/support/security/bulletins/apsb09-04.html">Adobe Security Bulletin APSB09-04</a></li> <li><a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">Adobe Security Bulletin APSB10-07</a></li> <li><a href="http://www.adobe.com/support/security/bulletins/apsb13-15.html">Adobe Security Bulletin APSB13-15</a></li> <li><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422">Multiple vulnerabilities in Oracle Java 7 before Update 11</a></li> <li><a href="http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html">Oracle Security Alert for CVE-2013-0422</a></li> <li><a href="http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html">Oracle Java SE Critical Patch Update Advisory - April 2013</a></li> </ul> <h3>Revision History</h3> <ul> <li>Initial release</li> <li>Updated Solution section</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Mon, 20 May 2013 21:59:55 +0000 US-CERT 5603 at http://www.us-cert.gov TA13-134A: Microsoft Updates for Multiple Vulnerabilities http://www.us-cert.gov/ncas/alerts/TA13-134A Original release date: May 14, 2013<br /> <h3>Systems Affected</h3> <ul><li>Microsoft Windows</li><li>Internet Explorer</li><li>Microsoft .NET Framework</li><li>Microsoft Lync</li><li>Microsoft Office</li><li>Microsoft Windows Essentials</li></ul> <h3>Overview</h3> <p>Select
Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.</p> <h3>Description</h3> <p>The <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-may">Microsoft Security Bulletin Summary for May 2013 </a>describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.</p> <h3>Impact</h3> <p>A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.</p> <h3>Solution</h3> <p><strong>Apply Updates</strong><br /><br />Microsoft has provided updates for these vulnerabilities in the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-may">Microsoft Security Bulletin Summary for May 2013</a>, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as <a class="offsite" href="http://technet.microsoft.com/en-us/wsus/default.aspx" target="_blank">Windows Server Update Services</a> (WSUS). 
Home users are encouraged to enable <a class="offsite" href="http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off" target="_blank">automatic updates</a>.</p> <h3>References</h3> <ul> <li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-may">Microsoft Security Bulletin Summary for May 2013</a></li> <li><a href="http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx">Windows Server Update Services</a></li> <li><a href="http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off">Turn automatic updating on or off</a></li> </ul> <h3>Revision History</h3> <ul> <li>Initial Release 5/14/2013</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Tue, 14 May 2013 20:08:46 +0000 US-CERT 5598 at http://www.us-cert.gov TA13-107A: Oracle Has Released Multiple Updates for Java SE http://www.us-cert.gov/ncas/alerts/TA13-107A Original release date: April 17, 2013 | Last revised: April 19, 2013<br /> <h3>Systems Affected</h3> <ul><li>JDK and JRE 7 Update 17 and earlier</li><li>JDK and JRE 6 Update 43 and earlier</li><li>JDK and JRE 5.0 Update 41 and earlier</li><li>JavaFX 2.2.7 and earlier</li></ul> <h3>Overview</h3> <p>Oracle has released a Critical Patch Update (CPU) for Java SE. Oracle strongly recommends that customers apply CPU fixes as soon as possible.</p> <h3>Description</h3> <p><a href="http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html">Oracle Java SE Critical Patch Update Advisory - April 2013</a> describes the update:<br /><br /><em>A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. 
Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert. Thus, prior Critical Patch Update and Security Alert advisories should be reviewed for information regarding earlier accumulated security fixes.</em></p><p>Systems administrators are advised to pay additional attention to Oracle advisories due to the increasing volume of vulnerabilities being patched with each release.</p> <h3>Impact</h3> <p>A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.</p> <h3>Solution</h3> <p><strong>Apply Updates</strong></p><p><a href="http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html">Oracle Java SE Critical Patch Update Advisory - April 2013</a> includes the following information:</p><p><em>Developers can download the latest release from http://www.oracle.com/technetwork/java/javase/downloads/index.html.</em></p><p><em>Users running Java SE with a browser can download the latest release from http://java.com. Users on the Windows and Mac OS X platforms can also use automatic updates to get the latest release.</em></p><p><em>The latest JavaFX release is included with the latest update of JDK and JRE 7. 
For JDK and JRE 6 users, the latest Java FX release is available from http://www.oracle.com/technetwork/java/javafx/</em></p> <h3>References</h3> <ul> <li><a href="http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html">Oracle Java SE Critical Patch Update Advisory - April 2013</a></li> </ul> <h3>Revision History</h3> <ul> <li>April 17, 2013: Initial release</li> <li>April 18, 2013: Minor update to description</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Wed, 17 Apr 2013 18:02:48 +0000 US-CERT 5587 at http://www.us-cert.gov TA13-100A: Microsoft Updates for Multiple Vulnerabilities http://www.us-cert.gov/ncas/alerts/TA13-100A Original release date: April 10, 2013 | Last revised: April 11, 2013<br /> <h3>Systems Affected</h3> <ul><li>Microsoft Windows</li><li>Microsoft Remote Desktop Client</li><li>Microsoft Antimalware Client</li><li>Microsoft SharePoint</li></ul> <h3>Overview</h3> <p>Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.</p> <h3>Description</h3> <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-apr">Microsoft Security Bulletin Summary for April 2013</a> describes multiple vulnerabilities in Microsoft software. 
Microsoft has released updates to address these vulnerabilities.</p></div></div></div> <h3>Impact</h3> <div class="field field-name-field-alert-impact field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.</p></div></div></div> <h3>Solution</h3> <div class="field field-name-field-alert-solution field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p><strong>Apply Updates</strong><br /><br />Microsoft has provided updates for these vulnerabilities in the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-apr">Microsoft Security Bulletin Summary for April 2013</a>, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as <a class="offsite" href="http://technet.microsoft.com/en-us/wsus/default.aspx" target="_blank">Windows Server Update Services</a> (WSUS). 
Home users are encouraged to enable <a class="offsite" href="http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off" target="_blank">automatic updates</a>.</p></div></div></div> <h3>References</h3> <ul> <li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms13-apr">Microsoft Security Bulletin Summary for April 2013</a></li> <li><a href="http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx">Microsoft Windows Server Update Services</a></li> <li><a href="https://www.update.microsoft.com/">Microsoft Update</a></li> <li><a href="http://windows.microsoft.com/en-us/windows7/Updating-your-computer">Microsoft Update Overview</a></li> <li><a href="http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off">Turn Automatic Updating On or Off</a></li> </ul> <h3>Revision History</h3> <ul> <li>Initial Release</li> <li>Fixed redirect links</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Wed, 10 Apr 2013 16:05:43 +0000 US-CERT 5580 at http://www.us-cert.gov TA13-088A: DNS Amplification Attacks http://www.us-cert.gov/ncas/alerts/TA13-088A Original release date: March 29, 2013 | Last revised: July 08, 2013<br /> <h3>Systems Affected</h3> <ul><li>Domain Name System (DNS) servers</li></ul> <h3>Overview</h3> <p align="left">A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publicly accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic.</p> <h3>Description</h3> <p align="left">A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publicly accessible open DNS servers to flood a target system with DNS response traffic. 
The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address. When the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. In most attacks of this type observed by US-CERT, the spoofed queries sent by the attacker are of the type, “ANY,” which returns all known information about a DNS zone in a single request. Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the victim. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks. While the attacks are difficult to stop, network operators can apply several possible mitigation strategies.</p><p>While the most common form of this attack that US-CERT has observed involves DNS servers configured to allow unrestricted recursive resolution for any client on the Internet, DNS amplification attacks are equally likely with authoritative name servers that do not provide recursive resolution. The attack method is similar to open recursive resolvers, but is more difficult to mitigate as even a server configured with best practices can still be used in an attack. 
In the case of authoritative servers, the focus should be on using Response Rate Limiting to restrict the amount of traffic.</p> <h3>Impact</h3> <p>A misconfigured Domain Name System (DNS) server can be exploited to participate in a distributed denial of service (DDoS) attack.</p> <h3>Solution</h3> <h2>DETECTION</h2><p>While it is not easy to identify authoritative name servers used in DNS reflection attacks, because the vulnerability is not caused by a misconfiguration, there are several freely available options for detecting open recursive resolvers. Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers. These tools will scan entire network ranges and list the address of any identified open resolvers.</p><p><em>Open DNS Resolver Project</em><br /><a href="http://openresolverproject.org">http://openresolverproject.org</a><br />The Open DNS Resolver Project has compiled a list of DNS servers that are known to serve as globally accessible open resolvers. The query interface allows network administrators to enter IP ranges in CIDR format [1].</p><p><em>The Measurement Factory</em><br /><a href="http://dns.measurement-factory.com">http://dns.measurement-factory.com</a><br />Like the Open DNS Resolver Project, the Measurement Factory maintains a list of Internet accessible DNS servers and allows administrators to search for open recursive resolvers [2]. In addition, the Measurement Factory offers a free tool to test a single DNS resolver to determine if it allows open recursion. This will allow an administrator to determine if configuration changes are required and verify that configuration changes have been successful [3]. 
Finally, the site offers statistics showing the number of public resolvers detected on the different Autonomous System (AS) networks, sorted by the highest number found [4].</p><p><em>DNSInspect</em><br /><a href="http://www.dnsinspect.com">http://www.dnsinspect.com</a><br />Another freely available, web-based tool for testing DNS resolvers is DNSInspect. This site is similar to The Measurement Factory’s ability to assess an individual resolver for vulnerability, but offers the ability to test an entire DNS Zone for several other possible configuration and security issues [5].</p><h4>Indicators</h4><p>In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address. The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error [6, page 21]. The specification does not allow for unsolicited responses. In a DNS amplification attack, the main indicator is a query response without a matching request.</p><h2>MITIGATION</h2><p>Unfortunately, due to the massive traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale DNS amplification-based distributed denial-of-service attack. However, it is possible to reduce the number of servers that can be used by attackers to generate the traffic volumes.</p><p>While the only effective means of eliminating the use of recursive resolvers in this type of attack is to eliminate unsecured recursive resolvers, this requires an extensive effort by various parties. According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately “25 million pose a significant threat” of being used in an attack [1]. 
However, several possible techniques are available to reduce the overall effectiveness of such attacks to the Internet community as a whole. Where possible, configuration links have been provided to assist administrators with making the recommended changes. The configuration information has been limited to BIND9 and Microsoft’s DNS Server, which are two widely deployed DNS servers on federal networks. If you are running a different DNS server, please consult your vendor’s documentation for configuration details.</p><h3>Source IP Verification</h3><p>Because the DNS queries being sent by the attacker-controlled clients must have a source address spoofed to appear as the victim’s system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to reject any DNS traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force released the Best Current Practice 38 document in May 2000 and Best Current Practice 84 in March 2004, which describe how an Internet Service Provider can filter network traffic on their network to reject packets with source addresses not reachable via the actual packet’s path [7]. The changes recommended in these documents would cause a routing device to evaluate whether it is possible to reach the source address of the packet via the interface that transmitted the packet. If it is not possible, then the packet obviously has a spoofed source address. This configuration change would substantially reduce the potential for most popular types of DDoS attacks. As such, we highly recommend that all network operators perform network ingress filtering if possible.</p><h3>Disabling Recursion on Authoritative Name Servers</h3><p>Many of the DNS servers currently deployed on the Internet are exclusively intended to provide name resolution for a single domain. 
In these systems, DNS resolution for private client systems may be provided by a separate server and the authoritative server acts only as a DNS source of zone information to external clients. These systems do not need to support recursive resolution of other domains on behalf of a client, and should be configured with recursion disabled.</p><h4>BIND9</h4><p>Add the following to the global options [8]:<br /><code>options {<br />&nbsp;&nbsp;&nbsp;&nbsp; allow-query-cache { none; };<br />&nbsp;&nbsp;&nbsp;&nbsp; recursion no;<br />};</code></p><h4>Microsoft DNS Server</h4><p>In the Microsoft DNS console tool [9]:</p><ol><li>Right-click the DNS server and click Properties.</li><li>Click the Advanced tab.</li><li>In Server options, select the “Disable recursion” check box, and then click OK.</li></ol><h3>Limiting Recursion to Authorized Clients</h3><p>For DNS servers that are deployed within an organization or Internet Service Provider, the resolver should be configured to perform recursive queries on behalf of authorized clients only. These requests typically should only come from clients within the organization’s network address range. We highly recommend that all server administrators restrict recursion to only clients on the organization’s network.</p><h4>BIND9</h4><p>In the global options, include the following [10]:<br /><code>acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };<br />options {<br />&nbsp; allow-query { any; };<br />&nbsp; allow-recursion { corpnets; };<br />};</code></p><h4>Microsoft DNS Server</h4><p>It is not currently possible to restrict recursive DNS requests to a particular client address range in Microsoft DNS Server. To approximate the functionality of the BIND access control lists in Microsoft’s DNS Server, a different caching-only name server should be set up internally to provide recursive resolution. A firewall rule should be created to block incoming access to the caching-only server from outside the organization’s network. 
The authoritative name server functionality would then need to be hosted on a separate server, but configured to disable recursion as previously described.</p><h3>Response Rate Limiting (RRL) of Recursive Name Servers</h3><p>There is currently an experimental feature available as a set of patches for BIND9 that allows an administrator to limit the maximum number of responses per second being sent to one client from the name server [11]. This functionality is intended to be used on authoritative domain name servers only as it will affect performance on recursive resolvers. To provide the most effective protection, we recommend that authoritative and recursive name servers are on different systems, with RRL implemented on the authoritative server and access control lists implemented on the recursive server. This will reduce the effectiveness of DNS amplification attacks by reducing the amount of traffic coming from any single authoritative server while not affecting the performance of the internal recursive resolvers.</p><h4>BIND9</h4><p>There are currently patches available for 9.8.latest and 9.9.latest to support RRL on UNIX systems. Red Hat has made updated packages available for Red Hat Enterprise Linux 6 to provide the necessary changes in advisory RHSA-2013:0550-1. On a BIND9 implementation running the RRL patches, add the following lines to the options block of the authoritative views [12]:<br /><code>rate-limit {<br />&nbsp;&nbsp;&nbsp; responses-per-second 5;<br />&nbsp;&nbsp;&nbsp; window 5;<br />};</code></p><h4>Microsoft DNS Server</h4><p>This option is currently not available for Microsoft DNS Server.</p><p><em><strong>Disclaimer:</strong></em> RRL of DNS responses may prevent legitimate hosts from receiving answers. 
Such hosts may be at increased risk for successful DNS cache poisoning attacks.</p> <h3>References</h3> <ul> <li><a href="http://openresolverproject.org">[1] Open DNS Resolver Project</a></li> <li><a href="http://dns.measurement-factory.com/cgi-bin/openresolverquery.pl">[2] The Measurement Factory, "List Open Resolvers on Your Network"</a></li> <li><a href="http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl">[3] The Measurement Factory, "Open Resolver Test"</a></li> <li><a href="http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html">[4] The Measurement Factory, "Open Resolvers for Each Autonomous System"</a></li> <li><a href="http://www.dnsinspect.com">[5] "DNSInspect," DNSInspect.com</a></li> <li><a href="http://tools.ietf.org/html/rfc1034">[6] RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES</a></li> <li><a href="http://tools.ietf.org/html/bcp38">[7] BCP 38: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing</a></li> <li><a href="http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch03.html#id2567992">[8] Chapter 3. Name Server Configuration</a></li> <li><a href="http://technet.microsoft.com/en-us/library/cc787602.aspx">[9] Disable recursion on the DNS server</a></li> <li><a href="http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch07.html#Access_Control_Lists">[10] Chapter 7. 
BIND 9 Security Considerations</a></li> <li><a href="http://ss.vix.su/~vixie/isc-tn-2012-1.txt">[11] DNS Response Rate Limiting (DNS RRL)</a></li> <li><a href="http://www.redbarn.org/dns/ratelimits">[12] Response Rate Limiting in the Domain Name System (DNS RRL)</a></li> <li><a href="http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html">[13] The Measurement Factory, "Open Resolvers for Each Autonomous System"</a></li> <li><a href="http://technet.microsoft.com/en-us/library/cc754941.aspx">[14] Configure a DNS Server to Use Forwarders</a></li> </ul> <h3>Revision History</h3> <ul> <li>March 29, 2013: Initial release</li> <li>April 18th, 2013: Minor updates to Description and Solution sections(Source IP Verification and BIND9)</li> <li>July 5th, 2013: Added disclaimer for DNS request rate limiting</li> <li>July 8th, 2013: Updates to Description, Detection, and Mitigation sections</li> </ul> <hr /> <p>This product is provided subject to this <a href="http://www.us-cert.gov/privacy/notification">Notification</a> and this <a href="http://www.us-cert.gov/privacy/">Privacy &amp; Use</a> policy.</p> <br /> Fri, 29 Mar 2013 18:26:56 +0000 US-CERT 5566 at http://www.us-cert.gov
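<p>Added example, not part of the US-CERT alert: the indicator named in TA13-088A above, a DNS response without a matching request, can be checked on a monitored network by pairing each response with an outstanding query on addresses, ports, transaction ID and question. The packet tuple layout, function names, 5-second timeout and sample traffic are assumptions constructed for illustration.</p>

```python
import struct
from collections import defaultdict

QTYPE_ANY = 255  # the "ANY" query type the alert says most observed attacks use

def build_dns(txid, is_response, qname, qtype, answer_len=0):
    """Build a minimal DNS message for the constructed sample traffic below."""
    flags = 0x8180 if is_response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    # answer_len zero bytes stand in for the answer records of a large response
    return header + name + struct.pack("!HH", qtype, 1) + b"\x00" * answer_len

def parse_dns(payload):
    """Return (txid, is_response, qname, qtype), or None if the message is malformed."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(payload):
            return None  # compression pointer or truncated label in the question
        labels.append(payload[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype

def find_unsolicited(packets, timeout=5.0):
    """Return {dst_ip: {"count", "bytes", "any"}} for responses matching no open query.
    packets: iterable of (ts, src_ip, src_port, dst_ip, dst_port, udp_payload)."""
    pending = {}  # (client, client_port, server, txid, qname, qtype) -> query time
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "any": 0})
    for ts, src, sport, dst, dport, payload in packets:
        msg = parse_dns(payload)
        if msg is None:
            continue
        txid, is_response, qname, qtype = msg
        if not is_response:
            pending[(src, sport, dst, txid, qname, qtype)] = ts
            continue
        sent = pending.pop((dst, dport, src, txid, qname, qtype), None)
        if sent is None or ts - sent > timeout:
            stats = hits[dst]
            stats["count"] += 1
            stats["bytes"] += len(payload)
            stats["any"] += int(qtype == QTYPE_ANY)
    return dict(hits)

# Constructed sample (RFC 5737 documentation addresses), not a real capture:
# one legitimate lookup, then three large ANY responses nobody asked for.
SAMPLE = [
    (0.00, "192.0.2.10", 40000, "198.51.100.53", 53, build_dns(0x1111, False, "example.com", 1)),
    (0.02, "198.51.100.53", 53, "192.0.2.10", 40000, build_dns(0x1111, True, "example.com", 1, 16)),
    (1.00, "203.0.113.5", 53, "192.0.2.10", 31337, build_dns(0x2222, True, "example.org", QTYPE_ANY, 3000)),
    (1.01, "203.0.113.6", 53, "192.0.2.10", 31337, build_dns(0x2223, True, "example.org", QTYPE_ANY, 3000)),
    (1.02, "203.0.113.7", 53, "192.0.2.10", 31337, build_dns(0x2224, True, "example.org", QTYPE_ANY, 3000)),
]

if __name__ == "__main__":
    print(find_unsolicited(SAMPLE))
```

<p>The sensor must see both directions of the monitored hosts' DNS traffic; with only inbound traffic captured, every legitimate response would also appear unmatched.</p>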