Educause Security Discussion mailing list archives
Re: Fwd: [da] PR for the MSN worm
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 7 Mar 2005 15:52:55 -0500
We've been seeing increased instant message based maliciousness here for over a month. It has been responsible for three separate IRCBOT outbreaks. I have forwarded two different undetected sdbot variants associated with this activity to AV vendors.

It's probably not going to go away because it's having so much success. There will be a learning curve as computer operators learn that instant messages can no more be trusted than e-mail messages.

I have not seen any evidence of any auto-executing payload via defect exploitation but it would not surprise me given the number of defects out there.

We have attempted to block some message and web content using our IPS as a result of these incidents until the computer operator learning curve ramps up. ;)

Some idea of the level of activity we've seen can be viewed here:

http://www.jmu.edu/computing/security/#imsg

We probably didn't see a spike this past weekend primarily because of spring break but we've also been quickly blocking web sites carrying malicious content and hopefully word is getting out about the threat.

This appears to have been timely:

http://www.internetweek.com/breakingNews/showArticle.jhtml%3Bjsessionid=YKE02ZGNN21GKQSNDBCSKHY?articleID=22101033

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Fwd: [da] PR for the MSN worm RLVaughn (Mar 07)
- <Possible follow-ups>
- Re: Fwd: [da] PR for the MSN worm Justin Azoff (Mar 07)
- Re: Fwd: [da] PR for the MSN worm Gary Flynn (Mar 07)