Temporary Block Policy on Symantec Anti-Virus Exploited Hosts

From: John Kim <jdk_at_berkeley.edu>
Date: Thu, 21 Dec 2006 13:48:08 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Due to the level of compromise and aggressiveness of some of the
recent attacks exploiting the older versions of Symantec
Anti-Virus/Client Security software running in managed mode, the
System and Network Security Team will be enforcing a temporary
block policy on all campus hosts detected as having been
compromised through this vulnerability. We will be placing immediate
blocks on affected hosts until they have been rebuilt.

You will continue to receive the normal compromised host notifications
from SNS. If a host is blocked, you will receive an email update with
the original ticket number. All the hosts found to be compromised as of
yesterday have already been blocked, and we will be checking about once
a day over the break to block any new infected hosts or release the
block on cleaned hosts.

A list of all blocked hosts can be accessed at any time on our website:
http://sec-info.berkeley.edu/cgi-bin/blockinfo-login.pl/

Currently Symantec Anti-Virus will not detect most versions of the
malware related to these attacks, and we do not know the full
extent of the compromise. Therefore, the only recommended
solution at this time is to completely rebuild the host from
known secure media.

Please note that hosts running the latest versions of Symantec
Anti-Virus or Symantec Client Security are immune to this attack,
as are hosts running their Symantec software in unmanaged mode.

All of these attacks start by connecting to TCP port 2967, so
another helpful defense is to block access to port 2967
from any host other than the manager server.

We also recommend that users turn off their desktop machines when
going on holiday break, if possible.

System and Network Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFiwEYabYFMfj0iXwRAmnxAJ9ZvsvWqnwJUhpKUvi0Yx7ciDep4wCaA2Zs
5ymGFenm5pn9BE++1H11+U0=
=C1Oh
-----END PGP SIGNATURE-----

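The notice above recommends allowing TCP/2967 only from the Symantec manager server. The following script is an added example (not part of the SNS notice and not Symantec's or Berkeley's code) showing how to apply that advice in two ways: scan connection logs for hosts other than the manager talking to port 2967, and emit the matching allowlist filter as iptables rules for a Linux gateway. The log line format, the manager address 192.0.2.10 (an RFC 5737 documentation address) and the sample log lines are all constructed for illustration.

```python
"""
Flag connections to the Symantec managed-mode port (TCP 2967) that do not
originate from the designated manager server, and generate an allowlist filter.
Added example; log format, manager address and sample data are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# TCP port the managed-mode Symantec client listens on (stated in the notice).
SAV_PORT = 2967

# Assumed: the only host permitted to connect to 2967 on campus clients.
# 192.0.2.10 is an RFC 5737 documentation address used as a placeholder.
MANAGER_HOSTS = {"192.0.2.10"}

# Assumed (constructed) firewall/flow log format:
#   "<date> <time> TCP <src>:<sport> -> <dst>:<dport> <ACTION>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample log: one legitimate manager connection, three attempts
# from an outside host, one unrelated port, and one malformed line.
SAMPLE_LOG = """\
2006-12-20 03:14:05 TCP 192.0.2.10:49152 -> 198.51.100.23:2967 ALLOW
2006-12-20 03:14:09 TCP 203.0.113.77:3110 -> 198.51.100.23:2967 ALLOW
2006-12-20 03:14:10 TCP 203.0.113.77:3111 -> 198.51.100.24:2967 ALLOW
2006-12-20 03:15:00 TCP 198.51.100.50:1033 -> 198.51.100.23:445 ALLOW
this line is not a flow record
2006-12-20 03:15:30 TCP 203.0.113.77:3120 -> 198.51.100.25:2967 DENY
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_connections(lines: List[str],
                           manager_hosts=MANAGER_HOSTS,
                           port: int = SAV_PORT) -> List[Dict[str, str]]:
    """Return every record whose destination port is `port` and whose source
    is not an approved manager host. DENYed attempts are kept too: a blocked
    probe still tells you which hosts are scanning for the port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        if int(rec["dport"]) == port and rec["src"] not in manager_hosts:
            hits.append(rec)
    return hits


def count_by_source(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged connections per source address, for triage ordering."""
    return dict(Counter(r["src"] for r in records))


def iptables_rules(manager_hosts=MANAGER_HOSTS, port: int = SAV_PORT) -> List[str]:
    """Express the same allowlist as iptables rules for a Linux gateway in front
    of the clients: accept the manager(s), then drop everyone else on the port."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {h} -j ACCEPT"
             for h in sorted(manager_hosts)]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    flagged = suspicious_connections(SAMPLE_LOG.splitlines())
    for rec in flagged:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} {rec['action']}")
    print("per-source counts:", count_by_source(flagged))
    print("\n".join(iptables_rules()))
```

Feed the script your own flow or firewall logs (adjusting LINE_RE to the real format) and put the actual manager address in MANAGER_HOSTS; any source that shows up in the count other than the manager is either a scanner or an already-compromised host spreading to its neighbours, which matches the "all of these attacks start by connecting to TCP port 2967" observation in the notice.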
Received on Thu Dec 21 2006 - 14:01:36 PST