Thread: Symantec Vulnerability Attacks

Symantec Vulnerability Attacks
user name
2006-11-28 22:16:17
Those of you who follow the Internet Storm Center's Handler's Diary or the UNISOG mailing list may have noticed the discussion of a botnet exploiting SM06-010, the Symantec Client Security/Symantec Anti-Virus vulnerability discovered in May (http://www.symantec.com/avcenter/security/Content/2006.05.25.html). The vulnerability affects systems that were installed in managed mode and which have not been upgraded/patched. By exploiting this vulnerability, attackers are able to take complete control of the system remotely and are able to create user accounts, install rootkits, backdoors and/or keyloggers, and use these hosts as part of their own bot networks.

Over the last few days we have seen a significant increase in the number of attackers (in many cases these were almost certainly compromised systems) using this vulnerability (from one solo IP that was using it as of Saturday to 146 unique IP addresses as of last night). So far the campus has been fairly lucky, because as of yesterday only around 16 campus hosts had been compromised. However, because the scanning has been fairly compartmentalized, with few IPs getting hit more than once or twice in a day, we are expecting more systems to be compromised in the coming days and weeks as hosts using the more transient network pools like DHCP, AirBears and modems get hit as well.

At this time we would again like to urge everyone, if they haven't already done so, to upgrade their Symantec installations to the newest version found at http://software-central.berkeley.edu/ or by using the information found at http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2006052609181248. Additionally, we would like to remind departments that use imaging software (like Symantec Ghost) to make sure that their images have patched Symantec installations so that systems are not re-compromised.


Thank you,

John Ives

-- 
-------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
GSEC, GCIH, GCWN                                     Cell (510) 229-8676
System & Network Security
University of California, Berkeley
-------------------------------------------------------------------------
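The tallies the message above reports (unique attacking sources per day growing from one to 146, few targets hit more than once or twice in a day) are the kind of thing an IDS or firewall log can answer directly. The following is an added example, not code from John Ives or the campus security group, that computes those tallies over a handful of constructed alert lines. The log format, the signature name `SYM06-010-exploit-attempt`, and the destination port used in the sample are assumptions made for the example, not details taken from the message.

```python
"""Summarise exploit-attempt alerts: unique sources per day, cumulative
attacker pool, and how often each target was hit in a day."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alert lines (not real data).  Assumed format:
# ISO timestamp, source IP, destination IP, destination port, signature.
# The signature name and port are illustrative assumptions.
SAMPLE_ALERTS = """\
2006-11-25T03:12:44 203.0.113.7   192.0.2.21 2967 SYM06-010-exploit-attempt
2006-11-25T09:40:02 203.0.113.7   192.0.2.22 2967 SYM06-010-exploit-attempt
2006-11-26T01:05:19 198.51.100.14 192.0.2.21 2967 SYM06-010-exploit-attempt
2006-11-26T01:05:21 198.51.100.14 192.0.2.23 2967 SYM06-010-exploit-attempt
2006-11-26T14:33:08 203.0.113.7   192.0.2.24 2967 SYM06-010-exploit-attempt
2006-11-27T22:17:55 198.51.100.77 192.0.2.21 2967 SYM06-010-exploit-attempt
2006-11-27T22:18:03 198.51.100.78 192.0.2.25 2967 SYM06-010-exploit-attempt
2006-11-27T22:18:09 198.51.100.79 192.0.2.26 2967 SYM06-010-exploit-attempt
2006-11-27T23:01:40 203.0.113.7   192.0.2.21 2967 SYM06-010-exploit-attempt
"""


def parse_alerts(text):
    """Parse alert lines into dicts; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, sig = line.split(None, 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "sig": sig,
        })
    return events


def unique_sources_per_day(events, signature=None):
    """Distinct attacking IPs seen on each day, optionally for one signature."""
    per_day = defaultdict(set)
    for e in events:
        if signature is not None and e["sig"] != signature:
            continue
        per_day[e["ts"].date().isoformat()].add(e["src"])
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def cumulative_unique_sources(events):
    """Running size of the attacker pool by day (the 'one IP ... 146 IPs' view)."""
    seen = set()
    running = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        seen.add(e["src"])
        running[e["ts"].date().isoformat()] = len(seen)
    return running


def hits_per_target_per_day(events):
    """Counter keyed by (day, destination IP)."""
    return Counter((e["ts"].date().isoformat(), e["dst"]) for e in events)


def targets_hit_more_than(events, n):
    """Destinations that were hit more than n times within a single day."""
    counts = hits_per_target_per_day(events)
    return sorted({dst for (_day, dst), c in counts.items() if c > n})


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    print("unique sources per day:", unique_sources_per_day(evs))
    print("cumulative attacker pool:", cumulative_unique_sources(evs))
    print("targets hit more than once in a day:", targets_hit_more_than(evs, 1))
```

Run against real alert output, `unique_sources_per_day` with the signature filter is the number worth watching day to day; `targets_hit_more_than` shows whether the scanning is still spread thinly across hosts or has started to concentrate on particular subnets.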




------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to or unsubscribing from its mailing list and finding out about upcoming meetings, please visit the Micronet Web site: <http://micronet.berkeley.edu/>.