Yesterday, a new Internet worm known as "Sasser"
(http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html)
hit the campus network pretty hard causing operational problems. In
response, the Campus System and Network Security Office (SNS) was forced
to take action and disable network access for several hundred campus
computers. Unfortunately, the nature of these worms is changing and
we're now seeing more sophisticated worms taking advantage of
vulnerabilities used and/or created by Sasser. As a result, to limit
the threat posed by this, SNS is continuing to disable network access
for computers that are showing any number of different signs of
compromise or infection.

Sasser and related worms take advantage of vulnerabilities in
Microsoft Windows and patches that address these vulnerabilities
are available from Microsoft (http://www.microsoft.com/security/).
However, many computers across campus have remained unpatched and
vulnerable. While most of these worms do not appear to delete files or
cause irreparable damage, they do create considerable network traffic
and leave infected computers in a highly vulnerable state. Hackers can
take advantage of this to easily gain complete control over an infected
computer with the potential to cause very significant damage and disruption.

SNS recommends keeping computers patched and following the
requirements in the new Minimum Security Standards for Networked Devices
policy (http://security.berkeley.edu/MinStds/). Unfortunately,
computers that have already been infected will need to have Windows
re-installed from secure media (CDROM). This is because merely running
the various "removal tools" for Sasser does not address the more
sophisticated follow-on worms that we're seeing. Nor do they address
the likelihood that an actual person may have installed numerous other
"back doors" to the computer.

Craig Lant
------- Campus Information Systems Security Officer -------
----- University of California, Berkeley -----
510-643-0596 craig@Berkeley.edu
Received on Wed May 5 19:52:14 2004