Educause Security Discussion mailing list archives
Re: Infected Bot machines
From: "Lutzen, Karl F." <kfl () UMR EDU>
Date: Mon, 30 Aug 2004 11:34:16 -0500
We've had a nice outbreak of Sdbot which came in with the returning students. We had a couple of different versions and similarly, we had difficulties with AV software removing it. We had to first locate a sample and then submit it to the AV vendor to get a special definition data file. Once we had that, the original infection files could be removed. If the cleaning files would not work for a particular case, we'd submit a new sample and get a new data file. Quite time consuming!

The suggestion to flatten and rebuild is the best, as the AV software will only remove the initial infection but cannot be relied on to restore the system to a 100% clean state. The bots have a wonderful habit of downloading additional software to the system, providing additional backdoors or servers. If compromised by a bot of any flavor, the best action is to rebuild the system.

Karl Lutzen
Systems Security Analyst
UMR IT Information Systems Security
kfl () umr edu

________________________________
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Crawford, Charles D
Sent: Monday, August 30, 2004 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Infected Bot machines

Good Monday Morning,

Are any other schools having problems with the many variants of the Rbot and Sdbot infections? We are seeing an increase over the weekend of these infected hosts targeting selected systems in what appears to be a DDOS attack. I know, imagine that... IRC doing malicious activity :)

Anyway, I am curious as to what other universities are doing in regards to recommended procedures for cleaning these systems up, as I have found that AV utilities only work about half the time, if that. I have been suggesting doing full system reimages, changing passwords, etc., but am having a hard time convincing management that this is the best route.

Thank you,
Charles Crawford
IT Security Officer
University of Kansas
(785)864-0491
ccrawf () ku edu
www.security.ku.edu

Any revelation of a secret happens by the mistake of [someone] who shared it in confidence. -- La Bruyere, 1645-1694

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
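Both posts above describe the problem (hosts running IRC-controlled Rbot/Sdbot variants that also take part in floods against chosen targets) but neither shows how such hosts were picked out of the traffic. The following is an added example, not code from Karl Lutzen, Charles Crawford or EDUCAUSE: it triages flow-style connection logs for two of the symptoms the thread mentions, an internal host talking to an external IRC port and the same host generating a high number of flows to a single destination. The campus address range (10.0.0.0/8), the IRC port list, the flood threshold and the log line format are all assumptions, and the sample log is constructed inline; the output is a list of hosts to pull and rebuild, not a cleaning step, which per the thread is the right remedy anyway.

```python
"""Triage flow logs for IRC-bot symptoms. Added example with constructed data."""
from collections import defaultdict
import ipaddress

# Assumptions (not from the thread): campus address space, the IRC ports
# these bots commonly used, and a per-destination flow count that we treat
# as flood-like within one log window.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
IRC_PORTS = {6667, 6668, 6669, 7000}
FLOOD_THRESHOLD = 50


def is_internal(ip):
    """True if ip falls inside one of the assumed campus ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse 'timestamp src sport dst dport proto' into a dict; None on junk."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def classify(lines):
    """Return {src_ip: {"irc_peers": [...], "flood_targets": [...]}} for suspect hosts.

    A host is reported if it opened TCP connections to an external IRC port
    (likely C2 check-in) or sent FLOOD_THRESHOLD or more flows to one
    destination (likely taking part in a DDoS). Either symptom alone is
    enough to list it.
    """
    irc_peers = defaultdict(set)
    dest_counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = parse_flow(line)
        if f is None or not is_internal(f["src"]):
            continue  # skip malformed lines and inbound traffic
        if f["proto"] == "tcp" and f["dport"] in IRC_PORTS and not is_internal(f["dst"]):
            irc_peers[f["src"]].add(f["dst"])
        dest_counts[f["src"]][f["dst"]] += 1

    verdicts = {}
    for src in set(irc_peers) | set(dest_counts):
        floods = sorted(d for d, n in dest_counts[src].items() if n >= FLOOD_THRESHOLD)
        peers = sorted(irc_peers.get(src, ()))
        if peers or floods:
            verdicts[src] = {"irc_peers": peers, "flood_targets": floods}
    return verdicts


def build_sample_flows():
    """Constructed sample log: one bot, one clean host, one junk line. Not real traffic."""
    flows = [
        # bot checks in to an external IRC server, then hammers a campus host
        "2004-08-30T09:12:01 10.1.4.22 3055 198.51.100.7 6667 tcp",
    ]
    flows += [f"2004-08-30T09:13:{i % 60:02d} 10.1.4.22 {4000 + i} 10.2.0.5 80 tcp"
              for i in range(60)]
    # a clean host doing ordinary web browsing
    flows += [f"2004-08-30T09:14:{i:02d} 10.1.4.23 {5000 + i} 203.0.113.9 80 tcp"
              for i in range(5)]
    flows.append("garbage line")  # parse_flow must skip this
    return flows


if __name__ == "__main__":
    for host, why in sorted(classify(build_sample_flows()).items()):
        print(host, why)
```

Run against the constructed sample it reports only 10.1.4.22, with 198.51.100.7 as its IRC peer and 10.2.0.5 as the flood target; 10.1.4.23 is left alone. On real data the threshold and port list need tuning to the campus, and a hit should lead to pulling the host for reimaging and password changes rather than to an AV clean, which is the point both posters make.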
Current thread:
- Infected Bot machines Crawford, Charles D (Aug 30)
- <Possible follow-ups>
- Re: Infected Bot machines Lutzen, Karl F. (Aug 30)