CNN was kind enough to post an amazingly oddly placed article about the latest RINBOT/DELBOT/SDBOT variant.
This is awesome because what is otherwise a non-event is now something management and normal users are asking me (us) about. Yay! So here’s some information to help point you in the right direction in case you get questioned.
As far as I know, only Symantec has this malware variant on their radar. Everyone else seems to consider it a minor blip.
In short, this malware strain is simply an infector for your run-of-the-mill botnet and is not a new threat. Variants of this bot have been around for over a year, and this is the 9th (I believe) variant. The vulnerabilities this malware attacks have had patches available for months or longer.
RINBOT – Symantec/Trend name
DELBOT – Sophos name
SDBOT – McAfee name
This new variant spreads in three major ways (and some variants also use email attachments):
– Windows Server Service vulnerability (patched in August 2006)
– Symantec AV client vulnerability (patched late last year)
– IPC$ shares with common (easily guessed) or no passwords
This is not really a new threat. You don’t have much to worry about if you do not use Symantec applications and you have patched your servers. Obviously, you also want inbound ports blocked at your perimeter. I won’t spam more links. The ones above should be sufficient.
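As an added example (not part of the original post), here is a PowerShell check a Windows admin could run on a host to see whether it is exposed to the three vectors above: is the Server Service patch installed, is a Symantec client present, does the host firewall allow inbound SMB, and are shares or the Guest account wide open. The KB id is a placeholder you must fill in from the vendor bulletin; detecting the Symantec client by service display name, and using Guest/Everyone access as a proxy for "common or no security" on shares, are assumptions made for this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later (NetSecurity and SmbShare modules).
# Assumptions: the Server Service fix is identified by a placeholder KB id, the
# Symantec client by a service display name pattern, and "common or no security"
# on shares is approximated by Guest enabled / Everyone granted access.

$ServerServiceKB = 'KBXXXXXX'   # placeholder: fill in the real KB id for the August 2006 Server Service patch

function Test-PatchInstalled {
    param([string]$KB)
    # Get-HotFix lists installed Windows updates by HotFixID (e.g. KB123456)
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Test-SymantecClientPresent {
    # Assumption: a Symantec AV client registers at least one service whose display name contains "Symantec"
    return [bool](Get-Service | Where-Object { $_.DisplayName -like '*Symantec*' })
}

function Get-InboundSmbAllowRules {
    # Enabled inbound "Allow" rules whose port filter covers TCP 139 or 445 (or any port)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $ports  = @($filter.LocalPort)
            ($filter.Protocol -eq 'TCP') -and
            (($ports -contains '445') -or ($ports -contains '139') -or ($ports -contains 'Any'))
        }
}

function Test-GuestEnabled {
    # An enabled Guest account is the "no security" case for network logons
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    return ($null -ne $guest -and $guest.Enabled)
}

function Get-WeakShareAccess {
    # Shares that grant Everyone any access; the ACL does not tell you whether
    # passwords are weak, so enforce password policy separately
    Get-SmbShare | Get-SmbShareAccess | Where-Object {
        $_.AccountName -like '*Everyone*' -and $_.AccessControlType -eq 'Allow'
    }
}

function Get-ExposureReport {
    # One object summarising which of the post's vectors this host is exposed to
    [pscustomobject]@{
        ServerServicePatchMissing = -not (Test-PatchInstalled -KB $ServerServiceKB)
        SymantecClientPresent     = Test-SymantecClientPresent
        InboundSmbAllowed         = (@(Get-InboundSmbAllowRules).Count -gt 0)
        GuestAccountEnabled       = Test-GuestEnabled
        SharesOpenToEveryone      = @(Get-WeakShareAccess | Select-Object -ExpandProperty Name -Unique)
    }
}

Get-ExposureReport | Format-List
```

A host that reports `ServerServicePatchMissing = False`, `SymantecClientPresent = False` and `InboundSmbAllowed = False` is in the "not much to worry about" case the post describes; anything else tells you which of the three vectors still needs attention on that machine.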
It is always great when mainstream media helps raise the awareness of security-related topics. Of course, as I say that, I also think that they need to report on security/privacy topics in a responsible manner.
Properly done, CNN and other outlets can help us open up a dialog with key members of our companies and communities related to the overall improvement of our security posture.
I’m glad that the story you mentioned was able to foster positive dialog and awareness.
— Perry