Archive for January, 2010

More on the University of Exeter outbreak

Friday, January 29th, 2010

We are now able to confirm that the malware infected systems through the vulnerability highlighted in our previous e-mail. Further details and an update for this Windows Vista vulnerability can be found at

http://support.microsoft.com/kb/975517

Microsoft and Symantec performed an analysis of the malware, and updated Symantec definitions now detect it as a generic ‘downloader’.

There is no reason to suspect that this malware poses a specific threat to other JANET connected sites, and we have not seen any infections elsewhere. It is worth mentioning a few best practices that limit your risk from this and similar infections:

- Ensure that operating systems are kept fully patched
- Ensure that anti-virus definitions are kept up to date
- By default, block Windows LAN service ports at your network border
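
The following is an added example, not part of the original JANET CSIRT post: a small audit of border flow records that reports Windows LAN service traffic allowed across the border and the internal hosts fanning out to many external destinations. The port set, the address ranges, the log format and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the commonly cited Windows LAN service ports (RPC, NetBIOS, SMB).
# The original post does not enumerate them.
WINDOWS_LAN_PORTS = {("tcp", 135), ("udp", 137), ("udp", 138),
                     ("tcp", 139), ("tcp", 445)}

# Assumption: hypothetical site address space (documentation range).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample border flow records: "src dst proto dport action".
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.7 tcp 445 ALLOW
192.0.2.10 198.51.100.8 tcp 445 ALLOW
192.0.2.10 198.51.100.9 tcp 445 ALLOW
192.0.2.22 203.0.113.5 tcp 443 ALLOW
192.0.2.31 198.51.100.7 udp 137 DENY
203.0.113.9 192.0.2.40 tcp 139 ALLOW
192.0.2.10 192.0.2.40 tcp 445 ALLOW
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_border_flows(text):
    """Return (leaks, fanout).
    leaks:  allowed flows on Windows LAN ports that crossed the border.
    fanout: internal source -> set of external destinations it reached."""
    leaks, fanout = [], defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed records
        src, dst, proto, dport, action = parts
        if (proto.lower(), int(dport)) not in WINDOWS_LAN_PORTS:
            continue
        if is_internal(src) == is_internal(dst):
            continue  # internal-to-internal or external-to-external: not a border flow
        if action.upper() != "ALLOW":
            continue  # the default block is doing its job
        leaks.append((src, dst, proto.lower(), int(dport)))
        if is_internal(src):
            fanout[src].add(dst)
    return leaks, dict(fanout)

if __name__ == "__main__":
    leaks, fanout = audit_border_flows(SAMPLE_FLOWS)
    print(len(leaks), "allowed border flows on Windows LAN ports")
    for host, dsts in fanout.items():
        print(host, "reached", len(dsts), "external hosts")
```

Any non-empty result means the default border block is missing or has an exception; a single internal host reaching many external destinations on these ports is worth investigating first.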

University of Exeter malware outbreak

Thursday, January 21st, 2010

As you may have heard, the University of Exeter has been dealing with a malware outbreak. The virus appears to be unknown, certainly to Symantec and Trend, and was first detected by high levels of traffic on their network and onto JANET. Whilst the malware has not yet been analysed, it appears to have aspects of both a Trojan and a “dropper”.

The malware appears to exploit Windows Vista systems and early indications are that installing Microsoft update KB975517 prevents infection. It is not yet certain if the update provides complete protection.

http://support.microsoft.com/kb/975517

The outbreak is currently being investigated by Symantec and Microsoft and we hope to have further information within a few days.

Vulnerability in Microsoft Internet Explorer

Wednesday, January 20th, 2010

There are reports that targeted attacks are exploiting a vulnerability in Internet Explorer. A specially crafted HTML document allows a remote attacker to execute arbitrary code. This vulnerability exists in Internet Explorer 6, 7 and 8, but Data Execution Protection (DEP) appears to provide protection to users of versions 7 and 8. This leaves users of Internet Explorer 6 particularly exposed.

Whilst we are not aware of this vulnerability being widely used, the targeted nature of this attack may see it being used against particular sites. An update is not yet available, but Microsoft have released advice that may mitigate an attack. More details are available at:

http://www.kb.cert.org/vuls/id/492515
http://www.microsoft.com/technet/security/advisory/979352.mspx
http://support.microsoft.com/kb/979352

Microsoft yesterday announced that they plan to release an update for this issue outside of their normal patch schedule.

Contact Us: irt@csirt.ja.net
PGP Key ID: 0x4EC70D66

0300 999 2340
+44 1235 822 340

Service Hours:
08:00 to 18:00 Mon-Fri
18:00 to 00:00 Mon-Fri*
09:00 to 17:00 Sat-Sun*
(*reduced service)
