
SANS ISC: New Mass-Mailing Virus - Sober.C; Limit Exposure During Breaks; Upcoming Repeat Virus Outbreaks


New Mass-Mailing Virus - Sober.C

A new variant of the mass-mailing virus Sober started spreading on the Internet over the weekend. Because it sends email in German and English based on the domain name of the infected computer, it is an example of the somewhat smarter social engineering tactics that we may see in the future. The links below are references to the virus from the major antivirus vendors. More details can be gathered from these reports.

References:

http://www.sarc.com/avcenter/venc/data/w32.sober.c@mm.html

http://www3.ca.com/virusinfo/virus.aspx?ID=37823

http://www.datafellows.com/v-descs/sober_c.shtml

http://www.kaspersky.com/news.html?id=2861377

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100912

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=42896&sind=0

http://www.sophos.com/virusinfo/analyses/w32soberc.html

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.C

______________________________________________________________________________

Limiting Exposure During Holiday Breaks

As a last-minute recommendation, please consider turning off non-critical computers during the holiday break. This limits the amount of exposure you may have while network and security personnel are away from the office.

Those in academia are especially prone to intrusions during this time of year due to their traditionally open environments. But corporate environments should also consider this a prime time for internal threats.

When you return from the holidays, consider working on an appropriate policy concerning office computers (and other non-critical systems) during extended breaks.

______________________________________________________________________________

Upcoming Repeat Virus Outbreaks

In the next week, many families will add a new computer to their households. These computers may be fairly up to date with patches from OEMs, or may be horribly outdated. In the next few weeks, expect more virus activity originating from broadband connections. In January, much of this virus activity will move into SOHO and corporate environments via mobile users. Academic environments will be close behind as students return to campus with their new computers. So expect Welchia (Nachi), Blaster, Sobig, Mimail, and many of the other viruses from 2003 to return to the limelight in the next few weeks.

Computing staff in the academic world should spend the first few days after the holiday working out an appropriate plan to give these computers access to the network securely. If you have a method of deploying patches to your users without violating the EULAs of the common products on your campus, then start preparing for the moment when the ResNet users return to school.

In the Microsoft Windows world, it is recommended that, in addition to the major service pack release for the operating system available from

http://www.microsoft.com/technet/security/bulletin/tpsrvpck.asp

you push for the following patches to be installed before allowing these computers on the campus network:

http://www.microsoft.com/technet/security/Bulletin/MS03-039.asp

http://www.microsoft.com/technet/security/Bulletin/MS03-049.asp

This would also be a good opportunity for education on strong passwords, anti-virus software, and automated patching.
--- Scott Fendley