[unisog] FWD: [SECURITY] bugbear variant
dugbrown at email.unc.edu
Thu Jun 5 21:58:31 GMT 2003
We've been running Nmap scans for systems with 1080 open. Once we got a
list of systems, we ran Amap against 1080 on the systems and the infected
ones returned garbage - similar to the following:
We've found this was the quickest way to find all the bad guys -
Hope this helps,
Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
"what can Brown do for you?"
Phil.Rodrigues at uconn.edu wrote:
> (Apologies to anyone who already got this on the Educause list.)
> We got hit with this today before Norton Antivirus came out with the
> definitions. Hopefully the defs will get updated automatically in the
> next day or so, but we are prompting folks to manually update their defs
> ASAP. Our mail servers are protected with generic defs (looking for
> dangerous attachments, etc) but we had to update one of them manually with
> the exact def.
> Infected hosts have a backdoor on 1080 (and maybe the range around that)
> open. It leaves behind a password stealer that Norton was unable to
> remove with a scan, nor was it able to automatically quarantine the file.
> As of now it looks like infected hosts should be formatted completely.
> Good luck!
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu
> ----- Forwarded by Phil Rodrigues/ITS/InformationServices/UConn on
> 06/05/2003 05:25 PM -----
> "Bruhn, Mark S." <mbruhn at INDIANA.EDU>
> Sent by: The EDUCAUSE Security Discussion Group Listserv
> <SECURITY at LISTSERV.EDUCAUSE.EDU>
> 06/05/2003 03:43 PM
> Please respond to The EDUCAUSE Security Discussion Group Listserv
> To: SECURITY at LISTSERV.EDUCAUSE.EDU
> Subject: [SECURITY] bugbear variant
> I received a phone call a short while ago from DHS, indicating that a
> new variant of Bugbear was spreading, mostly among financial
> institutions. That's all they told me. We haven't received reports of
> infections here at IU yet.
> But, information about it can be found at
> http://firstname.lastname@example.org, or
> probably also at your favorite AV vendor site.