Educause Security Discussion mailing list archives
Increased activity targeting MS03-032
From: Phil Rodrigues <Phil.Rodrigues () UCONN EDU>
Date: Thu, 2 Oct 2003 15:02:08 -0400
(I am never sure of the cross-talk between here and UNISOG, but I get the sense some people only read this, so...)

Hi all,

We are seeing an increasing number of hosts infected through the IE flaw discussed in MS03-032. The current MS patch does *not* protect versus this, or as the CERT says "The CERT/CC is unaware of a complete solution for this vulnerability". Symantec and NAI have classified the current activity as a Trojan, but Symantec does not currently automatically protect against this (and does not plan to until 10-08 as of this writing).

http://vil.nai.com/vil/content/v_100719.htm
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

The CERT put out an update about this activity yesterday:

http://www.cert.org/incident_notes/IN-2003-04.html

This is a simple table of the # of unique hosts at UConn that have sent port 53 traffic to the 3 "bad DNS" servers (referenced in Full-Disclosure) per day:

09-25 000
09-26 006
09-27 015
09-28 050
09-29 097
09-30 136
10-01 177
10-02 136 (so far)

Look for outbound 53/udp traffic to these servers to see how many hosts are infected in your network:

216.127.92.38
69.57.146.14
69.57.147.175

Maybe these as well:

207.44.194.56
64.191.59.85
64.191.95.139

To be clear: the MS03-032 patch does *not* protect against this vulnerability. MS has stated they will patch vs this (on cnn) but did not give a date.

Good luck!

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues () uconn edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
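The check described in the post above, as an added example that is not part of the original message: it counts, per day, the unique internal hosts that sent 53/udp to the servers listed in the post. The CSV flow-record layout, the sample records and their source addresses are constructed assumptions; adapt the parsing to whatever your flow collector or firewall log exports.

```python
import csv
import io
from collections import defaultdict

# DNS servers named in the post above.
BAD_DNS = {"216.127.92.38", "69.57.146.14", "69.57.147.175"}
# Listed in the post as "maybe these as well".
MAYBE_BAD_DNS = {"207.44.194.56", "64.191.59.85", "64.191.95.139"}

# Constructed sample flow records (hypothetical CSV layout:
# timestamp,src_ip,dst_ip,proto,dst_port). Source addresses are made up.
SAMPLE_FLOWS = """\
2003-10-01T09:14:02,10.1.4.20,216.127.92.38,udp,53
2003-10-01T09:14:09,10.1.4.20,69.57.146.14,udp,53
2003-10-01T11:40:51,10.1.9.77,69.57.147.175,udp,53
2003-10-01T11:41:00,10.1.9.78,10.1.0.2,udp,53
2003-10-01T12:00:00,10.1.9.79,216.127.92.38,tcp,80
2003-10-02T08:02:13,10.1.4.20,216.127.92.38,udp,53
2003-10-02T08:30:45,10.2.0.5,64.191.59.85,udp,53
garbage line
"""


def infected_hosts_by_day(flow_csv, watchlist):
    """Return {YYYY-MM-DD: set of source IPs} that sent 53/udp to watchlist."""
    hosts = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip malformed records
        ts, src, dst, proto, dport = (f.strip() for f in row)
        # Only outbound DNS over UDP to a watched server counts as a hit.
        if proto.lower() == "udp" and dport == "53" and dst in watchlist:
            hosts[ts[:10]].add(src)
    return dict(hosts)


def daily_counts(flow_csv, watchlist):
    """Unique-host count per day, sorted by date, like the table in the post."""
    by_day = infected_hosts_by_day(flow_csv, watchlist)
    return [(day, len(by_day[day])) for day in sorted(by_day)]


if __name__ == "__main__":
    for day, n in daily_counts(SAMPLE_FLOWS, BAD_DNS | MAYBE_BAD_DNS):
        print(f"{day[5:]} {n:03d}")
```

The per-day host sets returned by `infected_hosts_by_day` double as the list of machines to pull for cleanup.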