Those of you who follow the Internet Storm Center's Handler's Diary or
the UNISOG mailing list may have noticed the discussion of a botnet
exploiting SYM06-010, the Symantec Client Security/Symantec AntiVirus
vulnerability discovered in May
(http://www.symantec.com/avcenter/security/Content/2006.05.25.html). The
vulnerability affects systems that were installed in managed mode and
which have not been upgraded/patched. By exploiting this vulnerability,
attackers are able to take complete control of the system remotely and
are able to create user accounts, install rootkits, backdoors and/or
keyloggers and use these hosts as part of their own bot networks.

Over the last few days we have seen a significant increase in the number
of attackers (in many cases these were almost certainly compromised
systems) using this vulnerability (from one solo IP that was using it as
of Saturday to 146 unique IP addresses as of last night). So far the
campus has been fairly lucky, because as of yesterday, only around 16
campus hosts had been compromised. However, because the scanning has
been fairly compartmentalized, with few IPs getting hit more than once
or twice in a day, we are expecting more systems to be compromised in
the coming days and weeks as hosts using the more transient network
pools like DHCP, AirBears and modems get hit as well.

At this time we would again like to urge everyone, if they haven't
already done so, to upgrade their Symantec installations to the newest
version found at http://software-central.berkeley.edu or by using the
information found at
http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2006052609181248.
Additionally, we would like to remind departments that use imaging
software (like Symantec Ghost) to make sure that their images have
patched Symantec installations so that systems are not re-compromised.

Thank you,
John Ives
--
-------------------------------------------------------------------------
John Ives                                Phone (510) 642-7773
GSEC, GCIH, GCWN                         Cell  (510) 229-8676
System & Network Security
University of California, Berkeley
-------------------------------------------------------------------------

Received on Tue Nov 28 2006 - 14:36:37 PST
This archive was generated by hypermail 2.2.0 : Tue Nov 28 2006 - 14:36:41 PST