Educause Security Discussion mailing list archives

Re: Bagle.j out


From: Matthew Dalton <Matthew.Dalton () ROCHESTER EDU>
Date: Wed, 3 Mar 2004 16:55:02 -0500

For that matter, what is to keep the message from stating:

A third party service employed by companyX has determined that your system is infected.  Click (hyperlink) to install the patch.

Since this works by social engineering, the payload doesn't necessarily have to come with the message.  Blocking attachments would do nothing for that.  The sender could just open an arbitrary port for the connections.  This wouldn't be that much of a leap from the back doors already installed.

--
**************************************************************************
|Matthew Dalton                     |Phone: (585)273-1721                |
|ITS Security Group                 |Email: Matthew.Dalton () rochester edu |
|University of Rochester            |                                    |
|Rochester, NY 14620                |                                    |
**************************************************************************

On Wed, 3 Mar 2004, Marty Hoag wrote:

Gordon D. Wishon wrote:
I wish this was the case.  Unfortunately, we're seeing clear evidence that
despite already renaming attachments and inserting a warning, a non-trivial
number of people on our campus are (1) renaming, (2) unzipping, (3)
executing, and (4) entering the 'password'.  Step (5) is typically to call
the helpdesk to report a virus.

As a result, we're going to (at least temporarily) suspend delivery of
attachments with the .zip extension.

Gordon

    That is interesting. Since yesterday when I saw the
first Bagle.j message I've worried that the next ones
will say "Please note that we have renamed the attachment
to ensure this important information gets to only you.
Please just rename it to dippy.zip then extract and
run the new salary.exe update."  ;-)
    I know there are still lots more technological
approaches (block all attachments including HTML
versions of messages, etc.) but it does come
down to the person at the end.

    marty

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

