Educause Security Discussion mailing list archives

Re: Fwd: [da] PR for the MSN worm


From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 7 Mar 2005 15:52:55 -0500

We've been seeing increased instant message based
maliciousness here for over a month. It has been
responsible for three separate IRCBOT outbreaks.
I have forwarded two different undetected sdbot
variants associated with this activity to AV
vendors.

It's probably not going to go away because it's having
so much success. There will be a learning curve as
computer operators learn that instant messages can
no more be trusted than e-mail messages.

I have not seen any evidence of any auto-executing
payload via defect exploitation but it would
not surprise me given the number of defects out
there.

We have attempted to block some message and web
content using our IPS as a result of these
incidents until the computer operator learning
curve ramps up. ;)

Some idea of the level of activity we've seen can be
viewed here:
http://www.jmu.edu/computing/security/#imsg

We probably didn't see a spike this past weekend primarily
because of spring break but we've also been quickly
blocking web sites carrying malicious content and hopefully
word is getting out about the threat.

This appears to have been timely:
http://www.internetweek.com/breakingNews/showArticle.jhtml%3Bjsessionid=YKE02ZGNN21GKQSNDBCSKHY?articleID=22101033


--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
