Educause Security Discussion mailing list archives

Re: Infected Bot machines


From: "Lutzen, Karl F." <kfl () UMR EDU>
Date: Mon, 30 Aug 2004 11:34:16 -0500

We've had a nice outbreak of Sdbot which came in with the returning
students. We had a couple of different versions and similarly, we had
difficulties with AV software removing it. We had to first locate a
sample and then submit it to the AV vendor to get a special definition
data file. Once we had that, the original infection files could be
removed. If the cleaning files would not work for a particular case,
we'd submit a new sample and get a new data file. Quite time consuming!
 
The suggestion to flatten and rebuild is the best as the AV software
will only remove the initial infection, but cannot be relied on to
restore the system to a 100% clean state. The bots have a wonderful
habit of downloading additional software to the system, providing
additional backdoors or servers. If compromised by a bot of any flavor,
the best action is to rebuild the system. 
 
Karl Lutzen
Systems Security Analyst
UMR IT Information Systems Security
kfl () umr edu
 
________________________________

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Crawford, Charles D
Sent: Monday, August 30, 2004 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Infected Bot machines
 
Good Monday Morning, 
Are any other schools having problems with the many variants of the
Rbot, Sdbot infections? We are seeing an increase over the weekend of
these infected hosts targeting selected systems in what appears to be a
DDOS attack. I know, imagine that... IRC doing malicious activity :)
Anyway, I am curious as to what other universities are doing in regards
to recommended procedures for cleaning these systems up, as I have
found that AV utilities only work about half the time, if that.
I have been suggesting to do full system reimages, changing passwords,
etc., but am having a hard time convincing management that is the best
route.
Thank you, 
Charles Crawford 
IT Security Officer 
University of Kansas 
(785)864-0491 
ccrawf () ku edu 
www.security.ku.edu
Any revelation of a secret happens by the mistake of [someone] who
shared it in confidence.  
-- La Bruyere, 1645-1694 
********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.