 There is no way to completely protect your computer against all security
vulnerabilities. The best approach is to keep up to date on virus scan engines,
virus definition files and any security patches available for your system and
applications. This applies to all computers, whether production or
non-production.
The following information details the history of viruses and vulnerabilities
that have affected the CCC networks. Each entry contains information about the
virus or vulnerability and the steps that need to be taken above and beyond
basic virus protection. Additional details and removal instructions can be found
by following the link provided for that particular virus or vulnerability.
12/01/2004: Workstations without 8/2003 patch for RPC/DCOM vulnerability infected with virus
05/04/2004: LSASS Vulnerability and Sasser Worm
02/25/2004: Netsky.c Virus
02/11/2004: MS ASN.1 Vulnerability
01/27/2004: MyDoom Viruses (MyDoom.a and MyDoom.b)
09/11/2003: MS RPCSS-DCOM Vulnerabilities
08/18/2003: SoBig.F Virus
08/13/2003: MSBlaster/LovSan Virus
08/08/2003: MS RPC-DCOM Vulnerability
08/01/2003: IRC/Flood.cd Virus
07/16/2003: Downloader-DI Virus/Backdoor-AXJ Trojan
10/20/2002: Klez Virus
12/01/2004: Workstations without 8/2003 patch for RPC/DCOM vulnerability infected with virus
Windows XP and Windows 2000 machines that were not up to date with the Microsoft
RPC/DCOM patch from August 2003 were infected with a new variant of a virus. The
latest cumulative update for Microsoft RPC/DCOM (MS04-012), released in April
2004, includes the patch that should have been on ALL workstations and servers
as of August 2003, as stated in the virus history entries from 08/08/2003 and
09/11/2003. Over the last two weeks, unpatched machines at 5 of our colleges were
infected by a virus that took advantage of this vulnerability. There is no
reason any machine should not have had this patch in place.
The virus spread by scanning the network for other vulnerable machines on port
135. It also installed an anonymous FTP server on the workstation and sent an
email containing the IP address of the infected machine to an address on the
Internet. Infected machines can therefore be identified by three indicators:
- the email connection to that Internet address;
- the network scan for port 135;
- the FTP port (TCP 21) listening on the workstation.
Machines identified as infected were blocked at the college router until they
were determined to be clean of infection.
Please note: if a machine is being blocked at the router, it should NOT be moved
to another IP to obtain Internet access for any reason! The IPs of infected
machines are blocked for a reason and should only be allowed network access once
the machine is free of infection. This is to reduce further spreading of the
virus to the rest of the network.
The virus appeared to have 2 parts: scan.exe, a scanning executable that scanned
for other vulnerable machines on the network, and syshost.exe, the anonymous FTP
server. The actual virus name is still unclear; it appears to be a combination
of two known pieces of malware: the Tumbi worm (a.k.a. Francette) and
Exploit-DcomRPC.
For infected machines, update the machine with the latest anti-virus DAT file
and run a full scan. This will remove the scanning executable scan.exe. To
remove the FTP server, kill all instances of the syshost.exe process and delete
the file. After a reboot, use "netstat -ano" on Windows XP or "netstat -an" on
Windows 2000 to verify that port 21 is no longer listening (the -o switch, which
shows the owning process ID, is not available on Windows 2000, so there you must
locate syshost.exe with Task Manager). After the machine is cleaned and unblocked
at the router, apply all critical Microsoft updates via Windows Update.
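To make the netstat check above repeatable across a college's machines, here is an added example script (not part of the original notice or of any CCC tooling) that parses the output of "netstat -ano" (Windows XP) or "netstat -an" (Windows 2000) and reports whether TCP 21 is still listening, together with the owning process ID when the format provides one. The netstat output, addresses and PID embedded in it are constructed samples:

```python
"""Check netstat output for a listening FTP port (TCP 21) and report the owning PID.

Windows XP "netstat -ano" prints a PID column; Windows 2000 "netstat -an" does not,
so on 2000 the syshost.exe process has to be found with Task Manager instead.
The sample output below is constructed for this example.
"""
import re

# Constructed "netstat -ano" output from an XP host where the rogue FTP server
# (syshost.exe) is still alive. The PID 1234 is invented for the example.
SAMPLE_XP = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    10.1.2.3:139           0.0.0.0:0              LISTENING       4
  TCP    10.1.2.3:3456          10.1.2.50:135          SYN_SENT        1234
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed "netstat -an" output from a cleaned Windows 2000 host (no PID column).
SAMPLE_2K = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: proto, local, remote, optional state (UDP rows have none),
# optional PID (only present with -o).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?(?:\s+(?P<pid>\d+))?\s*$"
)


def listeners_on(netstat_text, ports=(21,)):
    """Return {port: pid_or_None} for every TCP LISTENING socket bound to one of `ports`.

    Handles both the XP (-ano, with PID) and Win2K (-an, no PID) layouts because
    the PID group is optional. IPv4 only, which is all these hosts spoke.
    """
    found = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "TCP" or m.group("state") != "LISTENING":
            continue
        port = int(m.group("local").rsplit(":", 1)[1])
        if port in ports:
            pid = m.group("pid")
            found[port] = int(pid) if pid else None
    return found


def ftp_still_listening(netstat_text):
    """True if TCP 21 is still bound, i.e. the anonymous FTP server was not removed."""
    return 21 in listeners_on(netstat_text)


if __name__ == "__main__":
    for label, text in (("XP host", SAMPLE_XP), ("2K host", SAMPLE_2K)):
        verdict = "STILL INFECTED" if ftp_still_listening(text) else "clean"
        print(f"{label}: listeners {listeners_on(text, ports=(21, 135))} -> {verdict}")
```

On a real host, run the appropriate netstat command and pass its text to listeners_on(); a PID in the result is the process to kill before deleting syshost.exe, and a None means the Windows 2000 format, where the process must be found by name.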
All Windows servers and workstations need to apply the patch listed in the
MS04-012 security bulletin ASAP to protect against any malicious program that
takes advantage of this vulnerability. NOTE: This patch is included in "Windows
Critical Updates", so if you are up to date with your machine's "Windows
Critical Updates" then your machine is patched against the vulnerability.
We have made the patch available from our internal download site.
You can verify that this update is installed by going to "Add or Remove
Programs" in the Control Panel and looking for "Windows XP Hotfix - KB828741".
NOTE: Security bulletin MS04-012 supersedes MS03-039.
05/04/2004: MS LSASS Vulnerability and Sasser Worms
A new worm has hit the Internet that takes advantage of a buffer overflow in
Microsoft's LSASS (Local Security Authority Subsystem Service). Information on
the vulnerability was released last month. The vulnerability allows a remote
attacker to execute arbitrary code with SYSTEM privileges. It exists in several
operating systems including Windows XP, 2000, 2003 and NT 4.0.
All Windows servers and workstations need to apply the patch listed in the
MS04-011 security bulletin ASAP to protect against any malicious program that
takes advantage of this vulnerability. NOTE: This patch is included in "Windows
Critical Updates", so if you are up to date with your machine's "Windows
Critical Updates" then your machine is patched against the vulnerability. If
your machines are not up to date, do not send every machine to Windows Update;
instead, download the patch from the link above to a single machine on your
college network, then copy the patch from that machine to update the rest of
your machines.
The Sasser worm (and its variants) is not an email-borne virus; it is a worm
that spreads without any user interaction by scanning randomly for vulnerable
machines on port 445 (MS SMB). When a vulnerable machine is found, the worm
exploits the buffer overflow and the victim downloads the worm from the
attacking machine. The newly infected machine then starts to scan randomly for
other vulnerable machines.
The CCC network was hit yesterday with a couple of infected machines, but ACLs
on our routers and the firewall prevented the worm from spreading rapidly past
the local network. As of this morning, all colleges appear to have at least some
unpatched systems that are infected with the worm. Since a single infection at a
college could infect all unpatched machines and possibly cause severe network
slowdowns, it is imperative to get ALL machines patched immediately. Also, all
machines need to have their anti-virus DAT files up to date, and any infected
machines must be scanned and cleaned.
WARNING! There are also reports of a FAKE email that appears to be from an
anti-virus company and claims to have a cleanup tool for the Sasser worm
attached. It is NOT a cleanup tool for the worm; it is in fact a copy of the
Netsky virus. All regular precautions should be adhered to with respect to any
unknown attachments.
02/25/2004: Netsky.C Virus
The CCC network was hit with this virus shortly before the anti-virus companies
released the DAT file that would have protected us against it. We are aware that
the virus did make it into our network via email and that users did open the
infected attachment. This is because the virus appeared to come from legitimate,
known email accounts and used legitimate-looking file names.
As with previous viruses, the Netsky.C virus contains its own SMTP engine, which
propagates the virus to the addresses in your address book. The virus used
attachments of type .pif and .scr (common with other recent viruses) as well as
.exe and .com file types. These attachments often arrive in ZIP archives. As
stated in the 08/18/2003 report of the SoBig.F virus, .pif and .scr files are
already being blocked at the Exchange Server. In addition to blocking all .pif
and .scr files, the virus is now blocked by anti-virus software located on the
Exchange Server as well as at the Internet Mail Gateways.
In addition to spreading via its own SMTP engine, it also spreads by copying
itself to mapped drives that have "shar" in the name (i.e., shared folders).
With most recent viruses, the virus writers use various techniques to convince
the end user to open the attachment, such as forging "From" headers so the
message appears to come from an email address you know, or using convincing
subjects, attachment names or body text. This was a good example of one of them.
Most times the anti-virus companies update their DAT files BEFORE the virus hits
our network, so users don't usually see viruses in their mailboxes. It is always
good practice never to open any email attachment that you are not expecting.
Along the same lines, if you receive email stating that you received a virus
but it was cleaned or deleted, do not notify the sender that they are infected
with the virus. The Netsky.C virus forges the "From" headers similar to the Klez
virus, and the infected person is not the person shown as the sender of the
message. See the 10/20/2002 report of the Klez virus for more info on forged
"From" headers.
02/11/2004: MS ASN.1 Vulnerability
Microsoft just released information on a serious vulnerability in the Windows
ASN.1 library. If exploited, an attacker would have complete control over an
affected system: the attacker could change, delete or view data, install
programs or create new accounts with full privileges. The vulnerability exists
in several operating systems including Windows XP, 2000, 2003 and NT 4.0.
As of right now, there are no known exploits for this vulnerability, but since
ASN.1 is a standard used by many applications and network protocols, there are
many avenues for attack. Experts believe that this vulnerability could have as
much destructive potential as the Blaster worm.
All Windows servers and workstations need to apply the patch listed in the
MS04-007 security bulletin ASAP to protect against any malicious program that
takes advantage of this vulnerability.
We have made the patch available from our internal download site if you are
having difficulties getting to the Windows Update site.
01/27/2004: Mydoom Viruses (Mydoom.a and Mydoom.b)
The original Mydoom virus was identified on Tuesday. A variant, Mydoom.b, was
identified on Wednesday. Mydoom.a and Mydoom.b are very similar and are both
addressed in this article.
Both viruses contain their own mail server in order to propagate, a backdoor
component that would allow an attacker to connect to the infected machine, and a
denial of service (DoS) payload against specific well-known Internet companies
intended to strike at the beginning of February. This DoS is intended to bring
down these companies' web servers by overwhelming them with a flood of requests.
As with several previous viruses, .pif and .scr files are used to attempt to
spread the virus, as well as .exe, .bat and .cmd file types. These attachments
often arrive in ZIP archives. As stated in the 08/18/2003 report of the SoBig.F
virus, .pif and .scr files are already being blocked at the Exchange Server. In
addition to blocking all .pif and .scr files, both viruses are blocked by
anti-virus software located on the Exchange Server as well as at the Internet
Mail Gateways.
Both viruses attempt to trick the recipient into opening the infected attachment
by looking like a legitimate bounced email. The body of the message contains
text similar to:
- The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary
attachment.
- Mail transaction failed. Partial message is available.
This is just an attempt to get you to open the infected attachment. There is no
"partial email" or "problem with mail delivery" in this case. Just delete these
messages if you have them. Even if you recognize the sender of the message, do
not notify the sender that they are infected with the virus. The Mydoom viruses
forge the "From" headers similar to the Klez virus, and the infected person is
not the person shown as the sender of the message. See the 10/20/2002 report of
the Klez virus for more info on forged "From" headers.
09/11/2003: MS RPCSS-DCOM Vulnerabilities
Three (3) vulnerabilities have been announced in all MS Windows operating
systems that could allow an attacker to either compromise and gain control of
the system or cause a DoS (Denial of Service) on the system. All Windows servers
and workstations need to apply the patch listed in the MS03-039 security
bulletin ASAP to protect against any malicious program that takes advantage of
these vulnerabilities.
NOTE: Security bulletin MS03-039 supersedes MS03-026.
08/18/2003: SoBig.F Virus
As with the Downloader-DI virus, .pif files are used to attempt to spread this
virus. As stated in the 07/16/2003 report of the Downloader-DI virus, .pif
files are being blocked at the Exchange Server. In addition to blocking all .pif
files, the SoBig.F virus is blocked by anti-virus software located on the
Exchange Server as well as at the Internet Mail Gateways.
When either a .pif file is dropped or the SoBig.F virus is found in an email,
the email message continues on to the recipient, but instead of containing the
.pif file it contains a message indicating that the attachment has been removed.
This results in CCC users receiving large numbers of these messages and, in
some cases, filling up users' mailboxes.
Even though the SoBig.F virus uses one of 9 specific subjects (e.g. "Your
application", "Thank you!", "Re: Details"), we cannot filter these messages
based on those subjects because of the possibility of filtering out legitimate
email with those same subject lines.
It is recommended to just delete these harmless messages. Do not notify the
sender that they are infected with the virus: the SoBig.F virus forges "From"
headers similar to the Klez virus. See the 10/20/2002 report of the Klez virus
for more info on forged "From" headers.
NOTE: The SoBig.F virus infected the State DOIT (Department of Information
Technologies) computer systems, and subsequently the CCC network was inundated
with a massive number of emails notifying CCC users that messages sent from DOIT
users were infected with the SoBig.F virus but had been cleaned. Measures have
been put in place to reduce these messages from certain DOIT addresses, which
considerably reduced the number of SoBig.F messages coming into our network.
08/13/2003: MSBlaster/LovSan Virus
The MSBlaster virus was a serious virus that hit the CCC network as well as
making news headlines across the world. The MSBlaster virus takes advantage of
Windows systems that were not patched against the MS RPC-DCOM vulnerability
detailed in the 08/08/2003 report.
In the early afternoon on the 13th, the SDC (System Data Center) began to see
increased network traffic coming into the SDC LAN. Upon investigation, symptoms
of the MSBlaster virus were seen (numerous attempts to access various IP
addresses on ports 135 and 4444) at the majority of our colleges. These infected
machines were attempting to access servers in the SDC. The good news is that all
of the servers in the SDC were patched and protected from this virus. The bad
news is that, due to the MASSIVE number of attempts, the SDC LAN became
unresponsive (i.e., we were DoS attacked by our own college LANs).
At 2pm, we shut down the Internet and WAN connections in order to restore
operation to the SDC LAN. To prevent the same DoS attack from resurfacing, we
placed the following ACL (Access Control List) on all of the college WAN
routers:
- Deny all connections to port 135 (except the Exchange Servers)
- Deny all connections to port 4444
Once these measures were taken, we were able to re-enable the Internet and WAN
connections by 3pm and begin monitoring the ACL for infected college machines.
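Monitoring the ACL for infected machines, as done here, and the scan-based identification in the Sasser (port 445) and 12/01/2004 (port 135) entries above come down to the same pattern in the router deny logs: one source hitting many distinct destinations on a worm port. The following script is an added example, not part of the original notice or of any CCC tooling; it parses log lines constructed for this example in the style of Cisco IOS ACL logging (the ACL number, router name, addresses, timestamps and the threshold are made up) and returns the sources to block at the college router:

```python
"""Flag hosts that are scanning for worm ports, from router ACL deny logs.

A single source that hits many distinct destinations on the same worm port in a
short window is a scanner, not a user. Log lines below are constructed for this
example in the style of Cisco IOS ACL logging; nothing in them is real.
"""
import re
from collections import defaultdict

WORM_PORTS = {
    135: "RPC/DCOM (MSBlaster, 12/01/2004 worm)",
    4444: "MSBlaster backdoor shell",
    445: "LSASS over SMB (Sasser)",
}

# A source touching at least this many distinct hosts on one worm port is reported.
# Threshold chosen for the example; tune it against real traffic.
SCAN_THRESHOLD = 5

ACL_RE = re.compile(
    r"list\s+(?P<acl>\S+)\s+denied\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

SAMPLE_LOG = """
Aug 13 13:41:02 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.7.14(1071) -> 10.1.1.5(135), 1 packet
Aug 13 13:41:02 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.7.14(1072) -> 10.1.1.6(135), 1 packet
Aug 13 13:41:03 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.7.14(1073) -> 10.1.1.7(135), 1 packet
Aug 13 13:41:03 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.7.14(1074) -> 10.1.1.8(135), 1 packet
Aug 13 13:41:03 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.7.14(1075) -> 10.1.1.9(135), 1 packet
Aug 13 13:41:04 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.7.14(1076) -> 10.1.1.9(4444), 1 packet
Aug 13 13:41:05 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.7.99(2001) -> 10.1.1.5(135), 3 packets
Aug 13 13:41:09 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.9.3(3301) -> 10.1.2.1(445), 1 packet
Aug 13 13:41:09 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.9.3(3302) -> 10.1.2.2(445), 1 packet
Aug 13 13:41:09 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.9.3(3303) -> 10.1.2.3(445), 1 packet
Aug 13 13:41:10 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.9.3(3304) -> 10.1.2.4(445), 1 packet
Aug 13 13:41:10 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.9.3(3305) -> 10.1.2.5(445), 1 packet
Aug 13 13:41:10 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.9.3(3306) -> 10.1.2.6(445), 1 packet
Aug 13 13:41:12 wan-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.20(1500) -> 10.1.1.5(80), 1 packet
"""


def parse_denies(log_text):
    """Yield (src, dst, dport) for every ACL deny line that parses; other lines are skipped."""
    for line in log_text.splitlines():
        m = ACL_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_scanners(log_text, ports=WORM_PORTS, threshold=SCAN_THRESHOLD):
    """Return {src: {port: n_distinct_destinations}} for sources over the threshold.

    Distinct destinations are counted rather than packets, so a host that merely
    retries one server (10.20.7.99 in the sample) is not flagged.
    """
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_denies(log_text):
        if dport in ports:
            targets[src][dport].add(dst)
    report = {}
    for src, per_port in targets.items():
        hits = {p: len(d) for p, d in per_port.items() if len(d) >= threshold}
        if hits:
            report[src] = hits
    return report


def block_list(log_text):
    """Sorted list of source IPs to block at the college router until cleaned."""
    return sorted(find_scanners(log_text))


if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_LOG).items():
        for port, n in hits.items():
            print(f"{src}: {n} distinct hosts on tcp/{port}  [{WORM_PORTS[port]}]")
    print("block at router:", block_list(SAMPLE_LOG))
```

The ACL only logs traffic that crosses the WAN router, so a worm scanning its own college LAN stays invisible to this check until it reaches the SDC or another college; the host-side indicators in the 12/01/2004 entry (the listening FTP port) cover that case.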
08/08/2003: MS RPC-DCOM Vulnerability
A serious vulnerability has been announced in all MS Windows servers and
workstations that could allow an attacker to compromise a machine and gain
control of it. All Windows servers and workstations need to apply the patches
listed in the MS03-026 security bulletin to protect against any malicious
program that takes advantage of this vulnerability.
08/01/2003: IRC/Flood.cd Virus
We had a case of a college "test" computer infected with this virus, which
scanned the network looking for vulnerable machines. A few test machines were
found to be vulnerable, but anti-virus software stopped the virus from infecting
them. Apparently the non-production college computer was also vulnerable but did
not have anti-virus software installed to prevent the virus from spreading. It
is IMPERATIVE that all computers, whether production or non-production, follow
the same basic virus protection.
07/16/2003: Downloader-DI Virus/Backdoor-AXJ Trojan
The Downloader-DI virus appeared in many CCC mailboxes as spam purporting to
come from various banking institutions (i.e. Wells Fargo, Citibank, E-Loan).
The email carried an infected attachment of type .pif. When the user executed
the infected attachment, the user's PC attempted to download the Backdoor-AXJ
trojan from a site on the Internet.
Based on information found about .pif files, the System Data Center blocked all
attachments that are .pif files and recommended that all colleges do the same.
The System Data Center also blocked all outbound connections to the Internet
site that the virus uses to download the Backdoor-AXJ trojan. This gives us the
ability to alert college IT staff of possibly infected machines based on
computers attempting to reach this site.
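The attachment blocking described here and in the SoBig.F, Mydoom and Netsky.C entries above can be implemented at a mail gateway as follows. This is an added example, not the Exchange Server or gateway configuration the CCC actually used; the message, the forged From address and the inert attachment bytes are constructed for the example, and the block list is the set of extensions named in those entries:

```python
"""Gateway-style attachment filter for the file types these worms used.

Drops .pif/.scr/.exe/.com/.bat/.cmd attachments, looks inside ZIP attachments
for the same types (Netsky and Mydoom mailed them zipped), and replaces each
dropped part with a plain-text notice so the rest of the mail is still
delivered. Example code; the sample message is constructed.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}


def blocked_name(filename):
    """True if the (case-insensitive) extension is on the block list."""
    if not filename:
        return False
    return any(filename.lower().rstrip().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def blocked_inside_zip(data):
    """Return the first blocked member name in a ZIP payload, or None.

    A corrupt or non-ZIP payload is treated as not a ZIP; the outer filename
    check still applies to it.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if blocked_name(member):
                    return member
    except zipfile.BadZipFile:
        return None
    return None


def filter_message(raw_bytes):
    """Return (cleaned EmailMessage, [reasons]) with every blocked attachment replaced."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        reason = None
        if blocked_name(fname):
            reason = f"{fname}: blocked file type"
        elif fname and fname.lower().endswith(".zip"):
            inner = blocked_inside_zip(part.get_payload(decode=True) or b"")
            if inner:
                reason = f"{fname}: contains blocked file {inner}"
        if reason:
            reasons.append(reason)
            # Replace the part in place: drop its Content-* headers and payload,
            # then put a text notice where the attachment was.
            part.clear_content()
            part.set_content(f"Attachment removed by mail gateway: {reason}\n")
    return msg, reasons


def attachment_names(msg):
    """Filenames of all parts that still carry an attachment filename."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed Netsky-style message: forged From, a .pif attachment, a ZIP holding an .exe."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("document.exe", b"MZ not really a program")  # inert constructed bytes
    msg = EmailMessage()
    msg["From"] = "colleague@example.edu"  # forged; the real sender is the infected host
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"MZ not really a program", maintype="application",
                       subtype="octet-stream", filename="details.pif")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, why = filter_message(build_sample())
    print("dropped:", why)
    print("attachments left:", attachment_names(cleaned))
```

Looking inside ZIP attachments matters because a filter that checks only the outer filename passes the zipped payloads straight through; the notice written in place of a dropped part is the "attachment has been removed" message the SoBig.F entry describes, which is also why users see so many of them during an outbreak.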
10/20/2002: Klez Virus
Did you know? Sometimes responding to someone who sent you a virus will not
actually notify the REAL person who sent you the virus. The Klez virus is
becoming prevalent on the Internet. This virus masks the true sender of the
email message, making it appear to come from an innocent email address.
Here's how it works: once a person is infected with the Klez virus, the virus
compiles a list of email addresses found all over the person's computer. It
then blasts out email containing the Klez virus to various people found on this
list, making the email appear to come FROM users found on the list as well. So
if you are a recipient of the Klez virus, the person in the From: field did not
send you the virus. If you respond to these people, they may reply to you that
they did not send you a virus. And they would be correct...
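How to find the host that really delivered a Klez-style message, as an added example that is not part of the original notice: the From: header is whatever the worm wrote, but the Received: line added by our own mail gateway records the IP address that connected to it. The gateway hostname, the addresses and the message below are constructed; only the Received lines written by servers you control are trustworthy, since a sender can forge the ones beneath them as easily as From:.

```python
"""Recover the delivering host of a Klez-style message from Received: headers.

The From: header is under the worm's control. The Received: line that OUR
gateway wrote records the IP that connected to it, which is the infected machine
(or its ISP's relay). Lines below that one can be forged and are ignored.
Hostnames, addresses and the message are constructed for this example.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

OUR_GATEWAY = "mailgw.example.edu"  # assumed hostname of the Internet mail gateway

# "from <helo> (<rdns> [<ip>]) by <host>" or "from <helo> ([<ip>]) by <host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s\[]+\s+)?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed message: the worm on 203.0.113.77 greeted as "Jdoe" and put an
# innocent address in From:. Newest Received: line is on top, as in real mail.
SAMPLE = b"""Received: from exchange1.example.edu ([10.1.1.20]) by mailbox.example.edu
\twith ESMTP; Sun, 20 Oct 2002 10:15:03 -0400
Received: from mailgw.example.edu ([10.1.1.10]) by exchange1.example.edu
\twith ESMTP; Sun, 20 Oct 2002 10:15:02 -0400
Received: from Jdoe (dsl-203-0-113-77.isp.example [203.0.113.77]) by mailgw.example.edu
\twith SMTP; Sun, 20 Oct 2002 10:15:01 -0400
From: "Alice Innocent" <alice@example.net>
To: bob@example.edu
Subject: Hi
Content-Type: text/plain

I sent you a nice game.
"""


def received_hops(msg):
    """Parse every Received: header, newest first, into (helo, ip, by) tuples."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group("helo"), m.group("ip"), m.group("by").lower()))
    return hops


def delivering_host(msg, gateway=OUR_GATEWAY):
    """IP of the client that handed the message to our gateway, or None if not found."""
    for _helo, ip, by in received_hops(msg):
        if by == gateway.lower():
            return ip
    return None


def analyze(raw_bytes, gateway=OUR_GATEWAY):
    """Return (address claimed in From:, IP that actually delivered the message)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    claimed = parseaddr(msg["From"])[1]
    return claimed, delivering_host(msg, gateway)


if __name__ == "__main__":
    claimed, real = analyze(SAMPLE)
    print(f"From: claims {claimed}; the message was handed to {OUR_GATEWAY} by {real}")
    print("so notify the owner of", real, "- not", claimed)
```

The IP returned is the one to look up in the college's DHCP or switch records; the From: address is the person to leave alone.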