August 2006 Summary & Trends
Overall, the number of events reported to the STEAM-CIRT increased by 16% from last month, while the total number of actual IT Incidents more than doubled. The increase in IT Incidents was expected and coincided with the beginning of the Fall academic semester. While the volume of IT Incidents increased significantly, it is worth noting that all of these incidents had little to no impact on University operations.
The majority of IT Incidents were related to compromises of unmanaged systems that were turned into IRC bots. Users of the infected systems indicated they had recently clicked on a link received in an instant message. These links led to browser exploits, which are believed to have been the source of the compromises. While not a new occurrence, STEAM-CIRT believes that the absence of a corresponding increase in virus reports for the month indicates a shift in tactics by malicious code writers. Existing anti-virus solutions have so far been less effective at detecting and removing this type of malicious software than at handling typical virus infections.
Another new occurrence this month was the report of several stolen laptops to the STEAM-CIRT. Because this coincides closely with a memo to departments about reporting stolen laptops to STEAM-CIRT, it most likely reflects a change in reporting rather than an increase in actual thefts.
Microsoft released patches for nine critical updates for the month of August, which were followed by a number of exploits released for the Server Service vulnerability fixed in MS06-040. Despite the criticality, no IT Incidents reported to the STEAM-CIRT appeared to be the result of an MS06-040 exploit. The lack of intrusions can be credited to quick patching by administrators, along with increased use of personal firewalls and the campus border filtering already in place.
Symantec also announced another remotely exploitable vulnerability in its Veritas Backup Exec products. Beyond patching, the STEAM-CIRT recommends that, where possible, traffic to the backup agent ports be restricted to only those machines that must communicate with one another to complete the backup process.
The STEAM-CIRT expects the number of IT Incidents to increase slightly again and remain higher throughout September and then remain mostly level until December.
Posted by Addam Schroll on September 22, 2006, in Handlers Log.