<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>JANET CSIRT</title>
	<atom:link href="http://www.ja.net/services/csirt/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ja.net/services/csirt</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Tue, 02 Mar 2010 13:48:16 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>JANET CSIRT is hiring</title>
		<link>http://www.ja.net/services/csirt/2010/03/02/janet-csirt-is-hiring/</link>
		<comments>http://www.ja.net/services/csirt/2010/03/02/janet-csirt-is-hiring/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 13:48:16 +0000</pubDate>
		<dc:creator>James Davis</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.ja.net/services/csirt/?p=284</guid>
		<description><![CDATA[A vacancy has arisen in the team. We are looking for someone with solid networking and security skills, with knowledge of Linux or Windows administration, and great communication skills to join our team. 
Further information on the job and the application process are available.
]]></description>
			<content:encoded><![CDATA[<p>A vacancy has arisen in the team. We are looking for someone with solid networking and security skills, with knowledge of Linux or Windows administration, and great communication skills to join our team. </p>
<p>Further <a href="http://www.ja.net/company/vacancies/vn316.html">information on the job</a> and the <a href="http://www.ja.net/company/vacancies/index.html">application process</a> are available.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ja.net/services/csirt/2010/03/02/janet-csirt-is-hiring/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More on the University of Exeter outbreak</title>
		<link>http://www.ja.net/services/csirt/2010/01/29/more-on-the-university-of-exeter-outbreak/</link>
		<comments>http://www.ja.net/services/csirt/2010/01/29/more-on-the-university-of-exeter-outbreak/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 17:01:11 +0000</pubDate>
		<dc:creator>James Davis</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.ja.net/services/csirt/?p=277</guid>
		<description><![CDATA[We are now able to confirm that the malware infected systems through the vulnerability highlighted in our previous e-mail. Further details and an update for this Windows Vista vulnerability can be found at
http://support.microsoft.com/kb/975517
Microsoft and Symantec performed an analysis of the malware, and updated Symantec definitions now detect it as a generic &#8216;downloader&#8217;.
There is no reason [...]]]></description>
			<content:encoded><![CDATA[<p>We are now able to confirm that the malware infected systems through the vulnerability highlighted in our previous e-mail. Further details and an update for this Windows Vista vulnerability can be found at</p>
<p><a href="http://support.microsoft.com/kb/975517">http://support.microsoft.com/kb/975517</a></p>
<p>Microsoft and Symantec performed an analysis of the malware, and updated Symantec definitions now detect it as a generic &#8216;downloader&#8217;.</p>
<p>There is no reason to suspect that this malware poses a specific threat to other JANET connected sites, and we have not seen any infections elsewhere. It is worth mentioning a few best practices that limit your risk to this and similar infections:</p>
<p>- Ensure that operating systems are kept fully patched<br />
- Ensure that anti-virus definitions are kept up to date<br />
- By default, <a href="services/csirt/technical-advice/blocking-lan-service-ports/">block Windows LAN service ports</a> at your network border</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ja.net/services/csirt/2010/01/29/more-on-the-university-of-exeter-outbreak/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>University of Exeter malware outbreak</title>
		<link>http://www.ja.net/services/csirt/2010/01/21/university-of-exeter-malware-outbreak/</link>
		<comments>http://www.ja.net/services/csirt/2010/01/21/university-of-exeter-malware-outbreak/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 12:03:25 +0000</pubDate>
		<dc:creator>James Davis</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.ja.net/services/csirt/?p=275</guid>
		<description><![CDATA[As you may have heard, the University of Exeter has been dealing with a malware outbreak. The virus appears to be unknown, certainly to Symantec and Trend, and was first detected by high levels of traffic on their network and onto JANET. Whilst the malware has not yet been analysed, it appears to have aspects [...]]]></description>
			<content:encoded><![CDATA[<p>As you may have heard, the University of Exeter has been dealing with a malware outbreak. The virus appears to be unknown, certainly to Symantec and Trend, and was first detected by high levels of traffic on their network and onto JANET. Whilst the malware has not yet been analysed, it appears to have aspects of both a Trojan and a &#8220;dropper&#8221;.</p>
<p>The malware appears to exploit Windows Vista systems and early indications are that installing Microsoft update KB975517 prevents infection. It is not yet certain if the update provides complete protection.</p>
<p><a href="http://support.microsoft.com/kb/975517">http://support.microsoft.com/kb/975517</a></p>
<p>The outbreak is currently being investigated by Symantec and Microsoft and we hope to have further information within a few days.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ja.net/services/csirt/2010/01/21/university-of-exeter-malware-outbreak/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vulnerability in Microsoft Internet Explorer</title>
		<link>http://www.ja.net/services/csirt/2010/01/20/vulnerability-in-microsoft-internet-explorer/</link>
		<comments>http://www.ja.net/services/csirt/2010/01/20/vulnerability-in-microsoft-internet-explorer/#comments</comments>
		<pubDate>Wed, 20 Jan 2010 14:35:41 +0000</pubDate>
		<dc:creator>James Davis</dc:creator>
				<category><![CDATA[Advisories]]></category>

		<guid isPermaLink="false">http://www.ja.net/services/csirt/?p=272</guid>
		<description><![CDATA[There are reports that targeted attacks are exploiting a vulnerability in Internet Explorer. A specially crafted HTML document allows a remote attacker to execute arbitrary code. This vulnerability exists in Internet Explorer 6, 7 and 8, but Data Execution Prevention (DEP) appears to provide protection to users of versions 7 and 8. This leaves users of [...]]]></description>
			<content:encoded><![CDATA[<p>There are reports that targeted attacks are exploiting a vulnerability in Internet Explorer. A specially crafted HTML document allows a remote attacker to execute arbitrary code. This vulnerability exists in Internet Explorer 6, 7 and 8, but Data Execution Prevention (DEP) appears to provide protection to users of versions 7 and 8. This leaves users of Internet Explorer 6 particularly exposed.</p>
<p>Whilst we are not aware of this vulnerability being widely used, the targeted nature of this attack may see it being used against particular sites. An update is not yet available, but Microsoft have released advice that may mitigate an attack. More details are available at:</p>
<p><a href="http://www.kb.cert.org/vuls/id/492515">http://www.kb.cert.org/vuls/id/492515</a><br />
<a href="http://www.microsoft.com/technet/security/advisory/979352.mspx">http://www.microsoft.com/technet/security/advisory/979352.mspx</a><br />
<a href="http://support.microsoft.com/kb/979352">http://support.microsoft.com/kb/979352</a></p>
<p>Microsoft yesterday announced that they plan to release an update for this issue outside of their normal patch schedule.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ja.net/services/csirt/2010/01/20/vulnerability-in-microsoft-internet-explorer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker statistics</title>
		<link>http://www.ja.net/services/csirt/2009/12/16/conficker-statistics/</link>
		<comments>http://www.ja.net/services/csirt/2009/12/16/conficker-statistics/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 15:30:53 +0000</pubDate>
		<dc:creator>James Davis</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.ja.net/services/csirt/?p=254</guid>
		<description><![CDATA[The Shadowserver Foundation have produced a set of statistics that detail the number of Conficker infections per ASN. The statistics for JANET (ASN 786) look promising. Bearing in mind that the large increase in infections coincides with the start of the academic year, and that numbers will start to naturally decrease towards [...]]]></description>
			<content:encoded><![CDATA[<p>The Shadowserver Foundation have <a href="http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker">produced a set of statistics</a> that detail the number of Conficker infections per ASN. The statistics for JANET (ASN 786) look promising. Bearing in mind that the large increase in infections coincides with the start of the academic year, and that numbers will start to naturally decrease towards the holiday period, the overall trend still appears to be downward. The numbers are very favorable compared to similarly sized commercial providers.</p>
<p>JANET CSIRT have <a href="http://www.ja.net/services/csirt/technical-advice/conficker/">more information on Conficker</a>, including how to detect and investigate infections and protect your network.</p>
<p><a href="http://www.shadowserver.org/wiki/uploads/Stats/conficker-asn-abc-180day-786.png"><img src="http://www.shadowserver.org/wiki/uploads/Stats/conficker-asn-abc-180day-786.png" alt="Image provided by shadowserver.org" /><br />
</a></p>
<p style="text-align: center;"><a href="http://www.shadowserver.org/wiki/uploads/Stats/conficker-asn-abc-180day-786.png">Image provided by Shadowserver.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ja.net/services/csirt/2009/12/16/conficker-statistics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Continued Phishing Attacks</title>
		<link>http://www.ja.net/services/csirt/2009/11/23/continued-phishing-attacks/</link>
		<comments>http://www.ja.net/services/csirt/2009/11/23/continued-phishing-attacks/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 16:38:38 +0000</pubDate>
		<dc:creator>James Davis</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.ja.net/services/csirt/?p=235</guid>
		<description><![CDATA[We continue to see a number of surprisingly successful phishing attacks against academic e-mail addresses. The attackers send their targets customised e-mails redirecting them to a professional looking website asking for their e-mail account details.
The current trend is for the website to be hosted with a third party company that provides free web forms to [...]]]></description>
			<content:encoded><![CDATA[<p>We continue to see a number of surprisingly successful phishing attacks against academic e-mail addresses. The attackers send their targets customised e-mails redirecting them to a professional looking website asking for their e-mail account details.</p>
<p>The current trend is for the website to be hosted with a third party company that provides free web forms to web site authors. The page is usually convincing but the URL is usually questionable. Please make sure that your users know that you will never ask them for their password, and how they can spot the more obvious fraudulent e-mails and URLs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ja.net/services/csirt/2009/11/23/continued-phishing-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Networkshop 2010 &#8211; Call for suggestions</title>
		<link>http://www.ja.net/services/csirt/2009/10/29/suggestions/</link>
		<comments>http://www.ja.net/services/csirt/2009/10/29/suggestions/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 16:32:18 +0000</pubDate>
		<dc:creator>James Davis</dc:creator>
				<category><![CDATA[Events]]></category>

		<guid isPermaLink="false">http://www.ja.net/services/csirt/?p=145</guid>
		<description><![CDATA[There was a good selection of security, and security related talks at this year&#8217;s Networkshop; here&#8217;s an opportunity to help shape next year&#8217;s conference.
JANET(UK) is currently seeking input from the community on topic areas they would like to see covered at Networkshop 2010. The topic areas could include challenging areas, common issues/problems, workaround ideas [...]]]></description>
			<content:encoded><![CDATA[<p>There was a good selection of security, and security related talks at this year&#8217;s Networkshop; here&#8217;s an opportunity to help shape next year&#8217;s conference.</p>
<p>JANET(UK) is currently seeking input from the community on topic areas they would like to see covered at Networkshop 2010. The topic areas could include challenging areas, common issues/problems, workaround ideas, etc. for networking or in the provision of application services.</p>
<p>Please could you send your suggestions to <a href="mailto:rina.samani@ja.net">Rina Samani</a>. Closing date for suggestions is Thursday 5th November 2009.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ja.net/services/csirt/2009/10/29/suggestions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Remote code execution affecting Microsoft Vista, Windows 7 and Server 2008</title>
		<link>http://www.ja.net/services/csirt/2009/09/21/vulnerability-in-smb20/</link>
		<comments>http://www.ja.net/services/csirt/2009/09/21/vulnerability-in-smb20/#comments</comments>
		<pubDate>Mon, 21 Sep 2009 09:49:28 +0000</pubDate>
		<dc:creator>James Davis</dc:creator>
				<category><![CDATA[Advisories]]></category>

		<guid isPermaLink="false">http://www.ja.net/services/csirt/blog/?p=103</guid>
		<description><![CDATA[If you're not doing it already, there is yet another good reason why blocking TCP port 445 is a good idea. A new exploit ( http://seclists.org/fulldisclosure/2009/Sep/0039.html ) has been made public. It has been reported as causing a crash on Windows Server 2008; we have not verified this, but we have tested it as [...]]]></description>
			<content:encoded><![CDATA[<p>If you're not doing it already, there is yet another good reason why blocking TCP port 445 is a good idea. A new exploit ( <a href="http://seclists.org/fulldisclosure/2009/Sep/0039.html">http://seclists.org/fulldisclosure/2009/Sep/0039.html</a> ) has been made public. It has been reported as causing a crash on Windows Server 2008; we have not verified this, but we have tested it as affecting both Vista and Windows 7. In most cases the system will restart after the crash, resulting in a denial of service (DoS).</p>
<p>Other reports ( <a href="http://www.reversemode.com/index.php?option=com_mamblog&amp;Itemid=15&amp;task=show&amp;action=view&amp;id=64&amp;Itemid=15">http://www.reversemode.com/index.php?option=com_mamblog&amp;Itemid=15&amp;task=show&amp;action=view&amp;id=64&amp;Itemid=15</a> ) suggest that this causes more than a crash and results in remote code execution, which, if true, usually leads to new forms of malware spreading very rapidly.</p>
<p>TCP port 445 is commonly used for Windows shares, which are generally not required over the Internet, and it is frequently utilised for spreading malware. A recent notable case is Conficker, which would scan for and infect vulnerable systems on this port. There is no patch for this latest vulnerability, and the only way to prevent remote attackers from using this exploit is to prevent them from accessing your systems on TCP port 445; this is usually done on firewalls.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ja.net/services/csirt/2009/09/21/vulnerability-in-smb20/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
