UF/Chemistry IT Shop UF/Chemistry Dept

 


 

© University of Florida  
Chemistry IT Shop
support@chem.ufl.edu


 
 Recent Security News, Alerts, & Events...

This page contains a chronological list of security bulletins that are of significance to our Department IT operations.


 01/15/2008 -- New UFL Email Scam
We've received reports of a new e-mail scam which claims a need to verify your UFL e-mail account and asks users to provide their UFL e-mail address and password.

This is a phishing attempt (a poor one at that) and users should _not_ respond to the message.

Please note that neither UF nor Chemistry IT staff will ever ask you for your password, and passwords should never be shared, especially over e-mail.

If you have any questions about this phishing scam please contact us at support@chem.ufl.edu

--------- New Scam Message --------
From: UFLTEAM [mailto:uflteam@bellsouth.net]
Sent: Monday, January 14, 2008 11:46 PM
Subject: VERIFY YOUR UFL EMAIL ACCOUNT NOW

VERIFY YOUR UFL EMAIL ACCOUNT NOW

Dear Ufl Email Account Owner,This message is from Ufl messaging
center to all Ufl email account owners. We are currently upgrading
our data base and e-mail account center. We are deleting all Ufl
email account to create morespace for new accounts.

To prevent your account from closing you will have to update it
below so that we will know that it's a present used account.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : .......... .....
EMAIL Password : ................
Date of Birth : .................
Country or Territory : ..........

Warning!!! Account owner that refuses to update his or her account
within Seven days of receiving this warning will lose his or her
account permanently.

Thank you for using Ufl.edu!
Warning Code:VX2G99AAJ
Thanks,
Ufl.edu Team
UFL.EDU BETA
------- End of New Scam Message


 02/01/2006 -- Blackworm Virus
Last week, an e-mail worm known as the Blackworm virus (aka CME-24 Blackmal, Nyxem, MyWife, Tearec) infected hundreds of thousands of internet users. On Feb 3rd (this Friday), that virus will activate and destroy certain document types such as Word, Excel, PowerPoint files and others, on those infected hosts.

Because we block most executable file types at our e-mail gateway, most of our users have been shielded from this infection, although it should be noted that once a machine is infected the worm has the ability to spread itself over the network. According to UF's IT Security Team, only a few hosts on campus have actually been infected. Users who maintain up-to-date desktop antivirus (AV) protection, as recommended, should experience no problems.

For more information, please see:

Blackworm FAQ
    http://isc.sans.org/blackworm

McAfee Virus Information
    http://vil.nai.com/vil/content/v_138027.htm


 11/18/2005 -- False Chemistry Security messages
Many users have reported receiving an e-mail purporting to be from the Chemistry Security Department (admin@chem.ufl.edu) and directing users to a web address to use to verify their e-mail accounts.

This message is false and should be ignored. It is a "phishing" scam meant to lure users into providing personal information and has nothing to do with our Department or our IT support group.


 10/31/2005 -- Campus Credit Union phishing scam
An email scam is being targeted at University of Florida faculty, staff, and students. The email appears to be from the Campus Credit Union. It references a problem with your account due to an unauthorized ATM transfer. The email lures you to a web site to correct the account problem, but the link in the email takes you to a malicious website intended to steal your Campus Credit Union account and password.

If you received one of these emails, do NOT follow the link. Please forward the email showing full headers to abuse@ufl.edu.

For more information please see: http://infosec.ufl.edu/scam


 08/22/2005 -- Recent Windows PnP Vulnerability
There is a known vulnerability in the Microsoft Windows operating system's Plug and Play (PnP) code that is being actively targeted and exploited by the hacker community. Multiple exploits of this vulnerability have already been seen here on our own network. If an exploit is successful, the remote attacker could take complete control of the affected system.

This vulnerability mostly affects "unpatched" Windows 2000 PCs. Any computer used on the Chemistry network should have the latest operating system patches installed. Patching the Microsoft Windows operating system is easily accomplished by running through the Windows Update procedure. For details on this procedure please see:

Updating Microsoft Windows
    http://www.chem.ufl.edu/itshop/helpdesk/windows-update

Security updates help shield your computer from vulnerabilities, viruses, worms, and other threats as they are discovered. The IT Shop recommends that all Windows 2000/XP users enable the Automatic Update feature of their PC and configure the product to download and install any updates on a daily basis.


 08/18/2004 -- Windows XP Service Pack 2 Delayed
Microsoft has delayed the automatic distribution of Service Pack 2 for Windows XP Professional until at least August 25th instead of August 16th as earlier reported. This was done to give some organizations more time to test SP2.

Although we don't expect any major problems with the upgrade for our users, anyone who is concerned should consult the information published by Microsoft that details how Service Pack 2 can affect your system and lists specific software products that have known issues.

For details see:

http://support.microsoft.com/default.aspx?kbid=842242
http://support.microsoft.com/default.aspx?kbid=884130


 08/12/2004 -- Windows XP Service Pack 2 Released
Microsoft has released a major update to Windows XP called Service Pack 2 (SP2). With Windows XP SP2, Microsoft is introducing a set of security enhancements that is supposed to help improve Windows XP-based computers' ability to withstand malicious attacks from viruses and worms. These security enhancements include:
  • Improved Network protection
  • Improved Memory protection
  • Improved email security
  • Safer Web browsing
Because of the security benefit that this update provides, the IT Shop highly encourages all Windows XP users to apply the XP SP2 update.

Microsoft will begin delivery of the SP2 update to PCs running Windows XP via the Automatic Update process beginning Monday, August 16th. Users who have Automatic Updates enabled will get the update automatically. Users who have not enabled Automatic Updates will need to manually initiate the Windows Update procedure on or after August 16th.

For details on how to update Windows on demand or to configure your system for automatic updates, please see:

    http://www.chem.ufl.edu/itshop/helpdesk/windows-update

IT Shop staff have installed and tested this update on several XP computers and have found no obvious problems with the update or the upgrade process. It appears to take about 30 min to install SP2 after downloading the software.


 05/03/2004 -- Increased Virus Activity
We are seeing a lot of activity associated with two different computer worms that are probing campus networks and infecting many systems. These worms spread over the network (not as e-mail) and take advantage of known vulnerabilities in certain versions of Microsoft Windows. These vulnerabilities have been fixed in the most recent patches released by Microsoft, and most updated anti-virus software products recognize these worms and can stop them.

At least 16 Chemistry PCs have already been identified as being infected today. IT Shop staff have been working to remove these systems from the network, clean the virus from infected PCs, patch systems, and return them to the network as quickly as we can.

All users are strongly encouraged to follow these five "best practices" in order to ensure the security of their Microsoft Windows based PCs:

  1. Use Passwords - Sounds simple enough but we've come across five different Chemistry PCs this week with Administrator level accounts and no passwords assigned to them.

  2. Use Virus Protection Software - The University has licensed McAfee VirusScan and made it available for all users. There's no excuse for not running virus scanning software on your PC.

  3. AutoUpdate your Virus Protection Software - Your virus scanning software should be configured to auto-update itself on a daily basis so that it can keep up with the latest published exploits.

  4. Apply Windows Patches - Microsoft makes "Critical Updates and Service Packs" available for their Windows Operating System. These patches can be applied to your system using the Windows Update procedure.

  5. Turn on the Windows Automatic Update Feature - To ensure that your system stays current with the frequent security patches that Microsoft makes available, you should enable the Windows Automatic Update feature. Updates can be fully installed overnight or simply downloaded to your PC so that you can install them at a time that is convenient for you.

If you are unsure how to apply these best practices to your PC, please contact the IT Shop by sending e-mail to support@chem.ufl.edu and we'll be glad to review your system settings for you. Doing nothing or pleading ignorance is not recommended.


 04/19/2004 -- Updating and Patching Microsoft Windows
IT Shop staff have updated the "Updating Microsoft Windows" web page that we host on our website and which can be found at:

http://www.chem.ufl.edu/itshop/helpdesk/windows-update

This page provides step-by-step instructions on how to run the Windows Update procedure on demand and now includes instructions for how to configure your PC to automatically download and install updates from Microsoft.

Security updates help shield your computer from vulnerabilities, viruses, worms, and other threats as they are discovered. The IT Shop recommends that all Windows 2000/XP users enable the Automatic Update feature of their PC and configure the product to download and install any updates on a daily basis.


 04/14/2004 -- W32.Gaobot.ZX worm
Security Notice:

Many campus computers were infected with the W32.Gaobot.ZX worm yesterday and today. This is not an e-mail worm but rather is a worm that spreads over the network using one of eight different well known Microsoft Windows vulnerabilities. The successful spread of this worm can be most likely attributed to exploits of weak passwords on NetBIOS shares. Details of this worm can be found at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.zx.html

Current McAfee VirusScan definitions appear to detect this new variant. Users are encouraged to run McAfee VirusScan on their PCs with the product configured to auto-update the virus definition file on a daily basis. McAfee VirusScan can be downloaded from:

http://software.ufl.edu/mcafee/

Microsoft released several critical patches yesterday that need to be installed on most systems. As a reminder, all Windows NT/2000/XP computers need to be updated and patched on a regular basis. Also, please note that almost all new computers will ship from the vendor as vulnerable to various network exploits.

Patching the Microsoft Windows operating system is easily accomplished by running through the Windows Update procedure. For details on this procedure please see:

http://www.chem.ufl.edu/itshop/helpdesk/windows-update

Users who have configured their computers to automatically download and install new updates may need to reboot their computers to ensure that the new patches have been applied.


 03/03/2004 -- W32/Bagle.j E-mail Worm
Security Notice:

Although we had hoped to remove the e-mail filter for ZIP file attachments that was enabled last month, it has become necessary to continue to quarantine such messages because of a new e-mail worm that is now making the rounds.

A new variant of the Bagle e-mail virus, known as the W32/Bagle.j worm, is now spreading across the Internet and has found its way on campus within the past few days. This virus is especially annoying as it employs some social engineering tactics by pretending to be from IT staff regarding the recipient's account, and instructs the recipient to run the attached executable. In most cases, the harmful executable is stored in an attached ZIP file. Since March 1st, we've quarantined over 450 messages with potentially harmful .zip attachments.

For more information about this particular e-mail worm please see:

http://www.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html

The IT Shop highly encourages all users to run virus scanning software on their systems. McAfee VirusScan is freely available for download from the UF Software Licensing Service's website at:

http://software.ufl.edu/mcafee


 02/17/2004 -- W32/Bagle.b E-mail Worm
Security Notice:

A new variant of the Bagle e-mail worm, known as the Bagle.b or W32.Alua@mm worm, is now rapidly spreading across the Internet and has found its way on campus. This worm is yet another e-mail virus that is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests e-mail addresses from the victim machine
  • the From: address of messages sent is spoofed
  • contains a remote access (backdoor) component

This particular worm spreads itself in e-mail attachments with randomly named .exe files. For more detailed information about this worm, please see:

http://www.symantec.com/avcenter/venc/data/w32.alua@mm.html

Our e-mail sanitizer is currently configured to quarantine all e-mail with .exe extensions so most of our users will only see the security warning message. Users who receive e-mail from sources other than chem.ufl.edu will need to take extra precautions.

McAfee has just released an updated virus signature file for its VirusScan product. If you do not have your McAfee VirusScan configured to auto-upgrade you will want to be sure to install the latest SDAT file. For more information about the McAfee VirusScan product, which is freely available to all UF users, please see:

http://www.software.ufl.edu/mcafee


 01/27/2004 -- MyDoom e-mail worm
Security Notice:

A new mass-mailing email worm called "Mydoom" (aka "NoVarg") is now making the rounds. This is yet again another self-propagating worm that arrives as an email attachment with a file extension of .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer becomes infected, this worm will set up a backdoor into the system that can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

For details about this worm please see:

http://www.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Please note, because this worm spoofs the "From" address, you may see bounced e-mail messages that claim that you sent an infected e-mail. Chances are that this is the result of someone else's PC being infected.

As a reminder, the IT Shop highly encourages all users to run virus scanning software on their systems. McAfee VirusScan is freely available for download from the UF Software Licensing Service's website at:

http://software.ufl.edu/mcafee


 01/21/2004 -- Windows RPC Vulnerability Update
Security Notice:

The IT Shop is seeing an increase in the number of PCs that are vulnerable to the same Windows RPC security vulnerabilities we battled several months ago. This increase may be a result of some of the newer students using laptops on the network, and other new computers being added to the network, that have not been patched against this vulnerability.

As a reminder, all Windows NT/2000/XP computers need to be updated and patched against the Microsoft RPC vulnerability. Also, please note that almost all new computers will ship from the vendor as vulnerable to the Microsoft Windows RPC exploit and will need to be patched and upgraded before being put to use.

Patching the Microsoft Windows operating system is easily accomplished by running through the Windows Update procedure. For details on this procedure please see:

Updating Microsoft Windows http://www.chem.ufl.edu/itshop/helpdesk/windows-update

and

Net-Services RPC/DCOM Patching HOWTO: http://net-services.ufl.edu/security/public/mspatch.shtml

As we become aware of unpatched systems, we will attempt to notify those users of the need to update. Failing that, we will begin rejecting their network connections and disallowing their use of the network.

For more details about this security vulnerability in the Windows Operating system please see:

Microsoft Security Bulletin MS03-039 (User Info): http://www.microsoft.com/security/security_bulletins/ms03-039.asp

Microsoft Security Bulletin MS03-039 (Technical Info): http://www.microsoft.com/technet/security/bulletin/MS03-039.asp


 01/20/2004 -- W32/Bagle e-mail worm
Security Notice:

Over the weekend, a new e-mail virus called the W32/Bagle@MM worm started making the rounds. This worm spreads in e-mail as an attached .exe file with random filenames. The From: address is usually forged.

Because the Chemistry mail server does not deliver e-mail with .exe attachments, most of our users will only see the "Security Warning" message sent by our e-mail sanitizer. If you retrieve your e-mail from another server you should take note NOT to open any executable file attachments.

For details about the W32/Bagle@MM worm please see:

http://vil.nai.com/vil/content/v_100965.htm

As a reminder, the IT Shop highly encourages all users to run virus scanning software on their systems. McAfee VirusScan is freely available for download from the UF Software Licensing Service's website at:

http://software.ufl.edu/mcafee/

If you have any questions about this particular virus, please address them to support@chem.ufl.edu.


 11/12/2003 -- Microsoft Windows buffer overflow
Security Notice:

The security vulnerability described in this notice only applies to Microsoft Windows 2000 and Windows XP users.

A buffer overflow vulnerability exists in Microsoft's Windows Workstation Service that if exploited could allow a remote attacker the ability to execute arbitrary code with system-level privileges or to cause a denial of service. This vulnerability could easily be exploited through automated attacks such as worms.

All Microsoft Windows 2000 and Windows XP users are encouraged to update their systems by applying patches provided by Microsoft, either by using the Windows Update procedure or by following the installation/reboot procedures if you have your system set to automatically download and install updates for you.

For more information please see:

Microsoft Security Bulletin MS03-049
   http://www.microsoft.com/security/security_bulletins/20031111_windows.asp

CERT Advisory CA-2003-28 Buffer Overflow in Windows
   http://www.cert.org/advisories/CA-2003-28.html

IT Shop - Updating Microsoft Windows
   http://www.chem.ufl.edu/itshop/helpdesk/windows-update

Please address any questions about this notice to support@chem.ufl.edu.


 11/03/2003 -- Mimail.C e-mail worm
A new e-mail virus called the Mimail.C worm started spreading on October 31st. The worm spreads in e-mail as a ZIP archive which contains the executable program named PHOTOS.JPG.EXE. This worm tries to perform a denial of service (DoS) attack on certain sites and to steal information from infected computer users.

The e-mail worm appears to come from james@chem.ufl.edu and the body of the virus message looks something like this:

Hello Dear!,

Finally i've found possibility to right u, my lovely girl :) All our photos which i've made at the beach (even when u're without ur bh:)) photos are great! This evening i'll come and we'll make the best SEX :)

We have not been filtering e-mail with .zip extensions so many of you have received the virus as an attachment named photos.zip. This particular virus is not triggered unless the photos.zip attachment is unarchived and the photos.jpg.exe executable is run. The IT Shop staff is now filtering all e-mail with an attachment named photos.zip.

For details about this particular virus please see:

   http://www.symantec.com/avcenter/venc/data/w32.mimail.c@mm.html

As a reminder, the IT Shop highly encourages all users to run virus scanning software on their systems. McAfee VirusScan is available for all users from the UF Software Licensing Service's website at:

   http://software.ufl.edu/mcafee/

If you have any questions about this particular virus please address them to support@chem.ufl.edu.


 10/13/2003 -- Windows RPC Vulnerability Update
The IT Shop continues to conduct daily scans of our network for PCs still vulnerable to the latest Microsoft Windows RPC vulnerability. For the most part, all departmental user desktops and lab PCs have been patched against the latest Microsoft RPC vulnerability.

Nevertheless, we're still finding machines that pop up, every now and then, as vulnerable to this exploit. If we cannot easily identify or locate these vulnerable computers we will apply filters to block them from using the network.

If you have problems establishing network connections with your computer it may be because we've found it to be unpatched and are now blocking it. Please report such problems to the IT Shop staff so that we can follow up to be sure your system is patched and returned to the network.

Also, please note that almost all new computers will ship from the vendor as vulnerable to the Microsoft Windows RPC vulnerability and will need to be patched and upgraded before being used. If you've received a new computer and need help in getting it set up and properly patched please contact the IT Shop by sending e-mail to support@chem.ufl.edu.

Microsoft Security Bulletin MS03-039 (User Info):
  http://www.microsoft.com/security/security_bulletins/ms03-039.asp

Microsoft Security Bulletin MS03-039 (Technical Info):
  http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

Net-Services RPC/DCOM Patching HOWTO:
  http://net-services.ufl.edu/security/public/mspatch.shtml


 09/30/2003 -- Microsoft patch.exe E-mail
Many of you have asked about an e-mail, which almost everyone has now received, that purports to be a warning message from Microsoft with instructions to install an attached patch. This message is a virus-generated e-mail and the patch.exe attachment contains the W32/Dumaru.a@MM worm.

There are a couple of things to note about these messages.

1. Microsoft will never send you a patch, nor any other type of file as an e-mail attachment. The Microsoft Windows Update procedure is the recommended method to keep your system updated.

2. Our e-mail server will not allow executable programs to pass through without either stripping them or defanging them. The e-mail that was received didn't include the patch.exe but rather included a VirusWarning.txt file in its place.

The e-mail that was received by most of our users was altered in a way to make it harmless and should simply be deleted.
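
The attachment filtering described in the Mimail.C and patch.exe notices above can be sketched as follows. This is an added example, not the IT Shop's actual sanitizer: the function names, the fail-closed handling of unreadable archives and the constructed sample message are assumptions, while the extension list and the VirusWarning.txt replacement name come from the notices on this page.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Executable extensions named in the worm notices on this page.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
WARNING_NAME = "VirusWarning.txt"  # replacement file name mentioned in the notice


def is_blocked_name(filename):
    """True when the final extension is executable, so photos.jpg.exe is caught.

    Trailing dots and spaces are dropped first because Windows ignores them
    when it opens a file.
    """
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS


def blocked_zip_members(data):
    """Return the blocked member names found inside a ZIP attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_blocked_name(n)]
    except zipfile.BadZipFile:
        # Assumption: an archive that cannot be inspected is treated as blocked.
        return ["<unreadable archive>"]


def sanitize(raw_bytes):
    """Replace blocked attachments with a text notice; return (message, findings)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in list(msg.walk()):
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        reason = None
        if is_blocked_name(filename):
            reason = "executable extension"
        elif filename.lower().endswith(".zip"):
            inner = blocked_zip_members(part.get_payload(decode=True) or b"")
            if inner:
                reason = "zip contains " + ", ".join(inner)
        if reason:
            findings.append((filename, reason))
            # Drop the payload and Content-* headers, then put a notice in its place.
            part.clear_content()
            part.set_content(
                f"The attachment '{filename}' was removed: {reason}.\n",
                disposition="attachment",
                filename=WARNING_NAME,
            )
    return msg, findings


def build_sample():
    """Constructed sample message: photos.zip (holding photos.jpg.exe), patch.exe, notes.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos.jpg.exe", b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed test message"
    msg.set_content("body text")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="patch.exe")
    msg.add_attachment("harmless notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    clean, findings = sanitize(build_sample())
    for name, why in findings:
        print(f"replaced {name}: {why}")
```

Checking only the last extension is what catches a double-extension name such as photos.jpg.exe, and looking inside the archive is what catches it when the attachment itself is named photos.zip.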


 09/25/2003 -- E-mail Scams and Fraud
We've recently seen an increase in the amount of e-mail that we receive that can be considered a scam or e-mail fraud. Most of these messages seek the recipient's assistance in moving large sums of money from another country. Many of these e-mails have similar traits, such as:
- a Subject line that reads, "URGENT ASSISTANCE NEEDED"
- a Body text that:
   - Describes frozen monetary assets, eg 30 million US dollars,
     that the foreign author is requesting assistance in claiming
   - Requests that email recipient provide their banking information,
     eg account numbers, etc
Most of you are aware that these types of messages, commonly known as the "Nigerian fraud email", are a scam and you should in no way act upon the offer provided.

We generally recommend simply deleting these e-mails upon receipt, however, several of you have asked about how, and to whom, to report these messages. There are several government agencies that address this type of fraud. For details, please see the websites referenced below:

FBI, Internet Fraud Complaint Center
http://www1.ifccfbi.gov/index.asp

Federal Trade Commission, Nigerian Scam Consumer Alert
http://www.ftc.gov/bcp/conline/pubs/alerts/nigeralrt.htm

US Postal Service, Crackdown on Nigerian Scam
http://www.usps.com/websites/depart/inspect/pressrel.htm

US Secret Service, Nigerian Advance Fee Fraud
http://www.ustreas.gov/usss/alert419.shtml



 09/24/2003 -- New RPC Windows Vulnerability (4th notice)
UF Network Services scanned our network earlier today and found that the computers listed below are still vulnerable to the latest Microsoft Windows RPC bug. Please take the time to review this list.

If you recognize any of the computer names or user's names associated with these computers please contact the IT Shop by sending e-mail to support@chem.ufl.edu and let us know where that computer can be found. All computers, running Windows NT, 2000, or XP need to be patched against this vulnerability.

Starting tomorrow (09/25) the IT Shop staff will begin actively removing computers from the network that are still found to be vulnerable to the Microsoft RPC bug.

For more information about this security alert and what you should do about it, please see:

http://www.microsoft.com/security/security_bulletins/ms03-039.asp

[list not published to the web]


 09/17/2003 -- OpenSSH vulnerabilities
All Unix or Linux workstations running OpenSSH will need to be updated to the current release. The latest version is OpenSSH 3.7.1. This notice does not apply to users running Microsoft Windows.

Versions of the OpenSSH server prior to 3.7.1 contain buffer management errors. While the full impact of this vulnerability is unclear, it may lead to memory corruption and a denial-of-service situation. It may also be possible for an attacker to execute arbitrary code.

For more information about this vulnerability please see:

http://www.kb.cert.org/vuls/id/333628

If you have any questions about this notice please contact the IT Shop by sending e-mail to support@chem.ufl.edu.


 09/17/2003 -- New RPC Windows Vulnerability (3rd notice)
The latest scan of our networks reveals that we still have about 51 PCs on the network that continue to be vulnerable to the latest Microsoft Windows RPC bug. That's down from 195 last week. We appreciate the many of you that have already patched your system.

As far as we know, an exploit to this vulnerability has not yet been published but it is only a matter of time, probably a short time, before a new worm is written and spread across the Internet.

The results of our scans are published on a web page that can only be accessed from our local network. Please take the time to review these scan results to see if your own PC is listed. The scan results can be found at:

http://www.chem.ufl.edu/itshop/security/scan-results/rpc-091703.html

If your computer is listed, or if you are not sure, then please take the time to run the Windows Update procedure and install any and all Critical Updates that are found.

For more information about this latest vulnerability and what you should do about it, please see:

http://www.microsoft.com/security/security_bulletins/ms03-039.asp


 09/11/2003 -- New RPC Windows Vulnerability (2nd notice)
The IT Shop staff have completed a scan of our networks and found that we currently (as of 10am this morning) have about 195 PCs on the network that are vulnerable to this new Microsoft Windows RPC bug.

An exploit to this vulnerability has not yet been published but it is only a matter of time, probably a short time, before a new worm is written and spread across the Internet.

The results of our scans are published on a web page that can only be accessed from our local network. Please take the time to review these scan results to see if your own PC is listed. The scan results can be found at:

http://www.chem.ufl.edu/itshop/security/scan-results/rpc-091103.html

If your computer is listed, or if you are not sure, then please take the time to run the Windows Update procedure and install any and all Critical Updates that are found.

For more information about this latest vulnerability and what you should do about it, please see:

http://www.microsoft.com/security/security_bulletins/ms03-039.asp


 09/10/2003 -- New RPC Windows Vulnerability
Microsoft has released a new security bulletin and patches for a number of RPC vulnerabilities. For several reasons, we expect rapid development of exploits and worms for these vulnerabilities.

NOTE: This vulnerability differs from the vulnerability publicized in the past few weeks. This is a NEW vulnerability, and a different patch must be installed.

Computers running the following software are vulnerable:

  - Microsoft Windows NT 4.0
  - Microsoft Windows 2000
  - Microsoft Windows XP
  - Microsoft Windows Server 2003

Computers NOT affected:

  - Microsoft Windows 9x
  - Microsoft Windows Millennium Edition

Please take the time to update your system as soon as possible. All users should run the Windows Update procedure and apply any Critical Updates and/or Service Packs that are found. If you need assistance with the Windows Update procedure please reference the how-to web page we've put together located at:

http://www.chem.ufl.edu/itshop/helpdesk/windows-update

For more detailed information about this new vulnerability please see:

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
http://www.eeye.com/html/Research/Advisories/AD20030910.html

If you have any questions or concerns please address them to us at support@chem.ufl.edu.


 08/29/2003 -- Multiple Vulnerabilities in Microsoft Internet Explorer
Microsoft's Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. The systems affected by these vulnerabilities include Microsoft Windows systems running

    * Internet Explorer 5.01
    * Internet Explorer 5.50
    * Internet Explorer 6.01

These vulnerabilities have different impacts, ranging from denial of service to execution of arbitrary commands or code. The most serious of these vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. The attacker could exploit this vulnerability by convincing the user to access a specially crafted HTML document, such as a web page or HTML email message. No user intervention is required beyond viewing the attacker's HTML document with IE.

To protect your computer against these vulnerabilities, apply the appropriate patch as specified by Microsoft Security Bulletin MS03-032.

   * Microsoft Security Bulletin MS03-032 -
    http://microsoft.com/technet/security/bulletin/MS03-032.asp

Or use the Windows Update process to install Critical Update 822925.

For more details about this vulnerability, please see:

    http://www.cert.org/advisories/CA-2003-22.html
    http://support.microsoft.com/default.aspx?scid=kb;en-us;822925


 08/23/2003 -- Critical vulnerability in Windows, 7th notice
At this moment, all PCs on our departmental network are currently patched against the Microsoft RPC/DCOM vulnerability or have been removed from the network because they're not.

If you found a note attached to your computer that suggests that it had been removed from the network by the IT Shop staff because of the RPC vulnerability, then you should contact the IT Shop to schedule a time when we can come by to patch your system and return it to service. No computer removed from the network should be returned to the network without prior authorization from the IT Shop.

To schedule a time for us to come out and patch and restore your system, please send e-mail to support@chem.ufl.edu or call 392-7885.


 08/22/2003 -- Critical vulnerability in Windows, 6th notice
UF Network Services has informed us that the following computers are still vulnerable to the MS RPC/DCOM exploit as of noon today.

       10.227.32.106   dhcp-32-106.chem.ufl.edu
       10.227.16.80    dhcp-16-80.chem.ufl.edu
       10.227.32.177   dhcp-32-177.chem.ufl.edu
       128.227.76.124  vala.chem.ufl.edu
       128.227.16.102  biochem13.chem.ufl.edu
       10.227.76.246   dhcp-76-246.chem.ufl.edu
       10.227.16.174   dhcp-16-174.chem.ufl.edu
       10.227.32.38    dhcp-32-38.chem.ufl.edu
       10.227.76.27    dhcp-76-27.chem.ufl.edu
       128.227.76.33   WIMPY.chem.ufl.edu
       128.227.16.16   polymer8.chem.ufl.edu
       128.227.32.68   nmr13.chem.ufl.edu
	   

These systems need to be patched as soon as possible. UF has already been hit by two major worms during the past two weeks which spread using this vulnerability; those worms are not yet eradicated, and more variants are expected. The only effective way to protect UF is to eliminate the vulnerable hosts that the worms feed upon.

The IT Shop staff have made the patches available for download from our website which can be found at:

http://www.chem.ufl.edu/itshop/software/

If you are unsure whether your system has been updated, unsure how to apply the patches and update your Windows operating system, or not sure whether your computer is one of the ones listed above, then please turn off your computer or disconnect it from the network and contact the IT Shop for support. Please DO NOT ignore this request and do nothing.

The IT Shop staff will be working over the weekend to locate the PCs that are still vulnerable to this exploit.


 08/22/2003 -- Sobig.f e-mail virus, Please Read!
Please Note,

The latest variant in the “Sobig” family, Sobig.F is propagating aggressively across the Internet. Sobig.F is propagating via email only, and it is not related to the recent spate of Internet worms. Sobig.F employs some new techniques to attempt to evade anti-virus software, and infected computers may be controlled by external third-parties. It contains hidden functionality that attempts to download and execute a file at a specific time.

The worm has a second phase that will activate at 3:00pm EDT on Friday August 22, 2003. At that point it will attempt to connect to one of 20 servers stored as encrypted strings within the binary. Upon successful communication with one of these servers, it will receive a URL for a file to download and execute. The new file payload is currently unknown as the virus receives a URL to the new file at a certain time. (3:00pm EDT)

Aggressive propagation of mass-email worms has been known to cause localized email outages due to the load placed on email servers. Sobig.F contains backdoor code which may allow the author or originator of the worm to control infected computers. This may allow the author to steal information, run specific Trojan horse programs, or install unsolicited email (Spam) relays.

If you have not updated your virus scanning software in the last few days then you are probably vulnerable to being infected with this virus. If you do not have virus scanning software installed on your system or cannot manage the update of the virus definition database, either turn off your computer or unplug it from the network and then contact the IT Shop for support.


 08/20/2003 -- E-mail Virus warning (admin@chem messages)
Some users are reporting this morning that they are continuing to receive notices from admin@chem.ufl.edu concerning their account expiring. That e-mail contains the W32/Mimail@MM virus in the message.zip attachment and does not come from the IT Shop staff. The message should be deleted without opening the message.zip attachment.

We applied a filter for this virus a couple of weeks ago but some messages have appeared to slip through the filter. A new filter has been applied and we will monitor the system for any new messages.

For details please see our earlier notice which can be found at:

http://www.chem.ufl.edu/itshop/security-news.html#sec10

If you have any questions please direct them to support@chem.ufl.edu.


 08/19/2003 -- new Sobig.f e-mail virus hits campus
The department's mail server was flooded with a new e-mail virus called W32/Sobig.f this morning. The mail flood caused the server to choke on the sanitization process, using up all available system memory until the server could no longer deliver mail. At the height of the flood the mail server had over 1000 messages in queue to be delivered.

The e-mail server was shut down at 10:20am in order to reject any new mail connections so that the messages in queue could be dealt with. The IT Shop staff removed over 550 messages from the mail queue that contained the virus. Many other messages were delivered that appeared to be virus e-mail but contained no attachment and are thus harmless.

Before returning the mail server to normal operation, the IT Shop staff applied a filter in an effort to block receipt of this new e-mail virus. No e-mail should have been lost because of this mail server outage but you will likely see a delay in mail delivery.

The W32/Sobig.f virus cannot be detected by most existing antivirus tools. All users are highly encouraged to update their virus scanning tools _today_. The latest McAfee Virus SuperExtraDAT file can be downloaded from the IT Shop website under Software Downloads which can be found at:

http://www.chem.ufl.edu/itshop/software

The e-mail virus is spreading rapidly throughout campus. Many of our users have received reports from other mail servers indicating that an e-mail carrying a virus was sent from their account. In most cases that is not true. The W32/Sobig.f virus can spoof the From: address of the outgoing message to make it appear that it came from a user who isn't infected. Often the infected user's address book is used as the source of the e-mail addresses it sends from.


 08/18/2003 -- Critical vulnerability in Windows, 5th notice
UF Network Services will be scanning our networks again tomorrow morning looking for Windows-based PCs that are still vulnerable to the Microsoft RPC exploit. See their e-mail below. Following their scans they will be sending each vulnerable computer a pop-up message.

If you receive a pop-up message indicating that your computer is still vulnerable to this exploit please contact the IT Shop as soon as possible. Our own scans indicate that we still have about 10-15 systems out there that have not been patched.

      ------- Forwarded Message
      Date:         Mon, 18 Aug 2003 15:24:49 -0400
      Reply-To: net-services@LISTS.UFL.EDU
      From: Network Services 
      Subject:      [NETMGRS] rpc vulnerability scanning
      To: NET-MANAGERS-L@LISTS.UFL.EDU

      Another round of rpc vulnerability scanning will begin early tomorrow
      morning.  This scan, however, will be followed up by a netpopup message
      to vulnerable machines.  This popup will ~not~ use any rights or
      privileges available from the vulnerability, but will use only normal
      anonymous popup methods.  The popup will direct users to a webpage that
      will give them more information about the worm, the patches, and instruct
      them to contact their local network administrator or the netirt team for
      more information.

      If you have questions or concerns regarding this matter,
      please reply to this email as soon as possible.
      Thank you,

      Network Services
      ------- End of Forwarded Message
	  

 08/13/2003 -- Critical vulnerability in Windows, 4th notice
The IT Shop has completed another round of network scans in an effort to continue to identify PCs that are still vulnerable to the Microsoft RPC/DCOM bug and the W32/Blaster (lovesan) exploit. We still have 57 PCs in our department that are vulnerable to these exploits. Although we appreciate the many of you that have taken the time to update your PC it is critically important that these 57 systems are patched or removed from the network.

The IT Shop staff will soon begin removing PCs from the network that are not patched and are still vulnerable to the RPC/DCOM exploit. Any PC removed from the network for this reason will not be allowed to return to the network until the IT Shop staff can oversee the patching process.

Microsoft's Windows Update service has become extremely slow due to all the extra traffic. We will soon be posting the latest service packs and security updates on our website to simplify the process and will send out another e-mail when it is ready.

Please address any questions to support@chem.ufl.edu.


 08/11/2003 -- Critical vulnerability in Windows, 3rd notice
The Windows RPC vulnerability that was reported over the last two weeks is now being actively exploited through the UF dialup pool. See the e-mail below.

If you still haven't taken the opportunity to update your PC using the Windows Update process, now would be a good time to do so. For details, please refer to the e-mail sent last week on this subject which can be found at:

http://www.chem.ufl.edu/itshop/security-news.html#sec11

If you have any questions, please direct them to support@chem.ufl.edu.

------- Forwarded Message
Date: Mon, 11 Aug 2003 16:08:10 -0400
From: Network Services
Subject: Subject: Emergency Netbios/DCOM filters on campus dialups
To: NET-MANAGERS-L@LISTS.UFL.EDU

In order to curtail what appears to be an MS RPC/DCOM worm spreading through the UF dialup pool, emergency Netbios filters are being applied to the UF/Gatorlink dialup pool.

This may result in some loss of service to dialup users temporarily.

It is not yet known whether Netbios filters in other parts of campus will be necessary. Net Services will issue further update messages as needed.

If you have questions or concerns regarding this matter,
please reply to this email as soon as possible.
Thank you,

Network Services
Net-Services@lists.ufl.edu
(352) 392-2061 suncom 622-2061
------- End of Forwarded Message


 08/07/2003 -- Critical vulnerability in Windows, 2nd notice
If you run Microsoft Windows NT, 2000, or XP and have yet to update your PC by applying the critical operating system patches as directed in our e-mail last week, we would highly encourage you to do so. This action is necessary to guard against active exploits of the Windows RPC vulnerability documented in last week's message. The original e-mail can be found at:

The IT Shop staff conducted a network scan for this vulnerability earlier this afternoon and found that a large number of PCs, 126 to be exact, are still running unpatched on our networks and are still vulnerable to the RPC exploit described earlier. It is critically important that the vulnerability of these machines be remediated.

If you are unfamiliar with the Windows Update procedure, please reference the 'Updating Microsoft Windows' webpage that we have put together to step you through the process. That webpage can be found at:

For more information about the Microsoft DCOM RPC vulnerability please see:

If you have any questions about this notice, please direct them to support@chem.ufl.edu.


 08/04/2003 -- E-mail Virus warning (admin@chem messages)
We have received reports of e-mail messages being delivered to some of our users purporting to be from admin@chem.ufl.edu and reporting that your e-mail address will be expiring. The messages contain an attachment named "messages.zip" which contains a file "messages.htm" that includes code to exploit some bugs in the Microsoft Windows operating system. This is the result of an email worm called "Mimail".

The body of the email will look like this:

---------------------
Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

----
Best regards, Administrator
--------------------

If you have received this message, and our records indicate that many of you did, then please delete the message without opening the attached .zip file.

Although our e-mail virus sanitizer still accepts .zip file attachments, we have modified the software to now filter and quarantine this particular attachment so that we should not receive any new copies of this worm.

For more information about this particular virus, please see:

http://vil.nai.com/vil/content/v_100523.htm

All users are encouraged to run virus protection software on their system and keep their software up to date. If you already have McAfee's VirusScan software installed you can use that product's autoupdate feature to ensure you have the latest virus definition file. If you don't have virus protection installed you can download VirusScan from the IT Shop Software Download page at:

http://www.chem.ufl.edu/itshop

If you have any questions about this announcement please address them to support@chem.ufl.edu.


 08/01/2003 -- Critical vulnerability in Windows
There is a known vulnerability in the Microsoft Windows operating system's Remote Procedure Call (RPC) interface that is being actively targeted and exploited by the hacker community. Multiple exploits for this vulnerability have been publicly released, and there is active development of improved and automated exploit tools for this vulnerability. If an exploit is successful, the remote attacker could execute arbitrary code on the compromised system or cause a denial of service.

The following systems are vulnerable to this type of attack:

    - Microsoft Windows NT 4.0
    - Microsoft Windows NT 2000
    - Microsoft Windows NT XP
    - Microsoft Windows Server 2003

The current campus SMB filter will protect our systems from attacks external to UF; however, in the event of a pervasive e-mail worm or other wide-spread activity, it is likely that hosts inside of campus will be infected.

Given the ease of exploitation, the high number of vulnerable machines, and the prevalence of exploit code, it is critically important that all vulnerable machines be patched against this vulnerability as soon as possible. All users are encouraged to apply the available patches to their operating system which are available via the Microsoft Update Service.

The Microsoft Update Service is available by choosing the Windows Update option off the Start menu or by using Internet Explorer and going to http://windowsupdate.microsoft.com.

For more technical information about this vulnerability please see:

http://microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.kb.cert.org/vuls/id/326746

If you have any questions about this notice please direct them to support@chem.ufl.edu.


 07/10/2003 -- SciFinder Scholar license restrictions
We've recently been notified of a SciFinder Scholar license violation that originated in our department. That violation is being addressed now but I wanted to take this opportunity to remind all SciFinder users of the restrictions defined in the license agreement.

You can find the license agreement for the current version (2002) on the SciFinder Scholar info page we maintain on our IT Shop Software webpage which is located at:

http://www.chem.ufl.edu/itshop/software/scifinder/SciFinder_Scholar.html

All SciFinder users should specifically be aware of, but not limited to, these restrictions:

I will use my search results in the ordinary course of academic research and acknowledge that I may store search results in electronic form for the duration of research projects, provided that at any one time, I store no more than 5,000 records.

and

I acknowledge that the University has entered into a license agreement with CAS to provide me with access to SciFinder Scholar, and that violation of the license by any user could result in a termination of the license for all users.

If you have any questions in regard to use of this software, please address them to support@chem.ufl.edu.


 03/05/2003 -- E-mail Virus Warning
Please Note:

We're seeing an increased distribution of an e-mail virus known as the W32/Sobig.e@MM worm. This virus will usually come to you with an attachment named "your_details.zip" and the subject may be defined as "RE: Movie" or "RE: Application".

If you receive this e-mail DO NOT attempt to open the compressed ZIP file that is attached. Simply delete the message from your inbox.

The e-mail virus sanitizer software we have running on our server will currently NOT trap nor quarantine these virus messages because the attachment is a ZIP file and not any type of self-executable. We are working now to add a filter for this virus.

All users are also encouraged to run the McAfee VirusScan software on their system and to keep the virus definition file updated. That software, and the latest virus definition file, can be found on the IT Shop Software web page located at:

http://www.chem.ufl.edu/itshop

For more information about this particular e-mail worm please see:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html

If you have any questions about this issue, please address them by e-mail to support@chem.ufl.edu.


 03/05/2003 -- Sendmail security vulnerability
For our users who maintain a Unix/Linux workstation or server, a serious security vulnerability in Sendmail versions prior to 8.12.8 was announced Monday. This vulnerability can be used to gain remote root access. An exploit specific to RedHat and Slackware Linux was released yesterday.

Sendmail is used to process incoming e-mail. If this is a service you don't need (and most shouldn't) then you should disable the Sendmail SMTP service on your machine.

We will be conducting network scans overnight to check for vulnerable Sendmail servers on our network and will contact those that appear to be running this service tomorrow.

More information about the vulnerability can be found at ISS and CERT:

https://gtoc.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.cert.org/advisories/CA-2003-07.html

The IT Shop staff will be working to update the Sendmail server software running on our Departmental e-mail server in the very near future. Any necessary interruption in mail service will be announced ahead of time if possible.

If you have questions or concerns regarding this matter, please address them to support@chem.ufl.edu.


 01/29/2003 -- UF conducts a campus-wide security & risk assessment
In response to a recent IT security audit performed by the Office of the Inspector General, the University of Florida contracted with Predictive Systems to perform a comprehensive risk assessment of UF IT resources to gauge the overall effectiveness of UF's security posture.

The risk assessment is expected to take two months beginning with this kickoff. Much of the on-site work will be conducted during February and will include a high-level review of existing security controls, technical testing, and interviews of key personnel.

For a preview of the risk assessment objectives, visit our web page at http://net-services.ufl.edu/security/public/ra.shtml.


 01/24/2003 -- campus hit with "slammer" MS-SQL worm
The recent outages and network difficulties were caused by an MS-SQL worm that attacks at an extremely high volume of traffic and infected a large number of hosts on campus.

Due to the emergency nature of the situation, hosts infected with the worm were filtered at the closest router to prevent further spread. Additionally, the filters originally scheduled to be placed at the internet boundary tomorrow to filter MS-SQL have been added today for both inbound and outbound traffic.

According to the best information currently available, SQL servers patched to the following service levels [1,2] are not vulnerable to the attack, as it is merely a newer exploit of an old vulnerability [3].

Once a machine has been patched to the levels mentioned above, reboot the machine to remove the worm process running in memory and the machine should be secure. Email net-services@ufl.edu if you have a filtered host that you have since patched and cleaned and wish the filter lifted.

Additionally, see the following links [4] for more details.

LINKS:

[1] Microsoft SQL Server 2000 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyID=9032f608-160a-4537-a2b6-4cb265b80766&DisplayLang=en

[2] SQL Server 7.0 Security Update for Service Pack 4
http://support.microsoft.com/default.aspx?scid=kb;en-us;327068

[3] MS Security Bulletin MS02-039
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

[4] Additional details
https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
http://www.boredom.org/~cstone/worm-annotated.txt


 01/23/2003 -- McAfee VirusScan updated and available for download
The IT Shop staff have downloaded the latest McAfee VirusScan virus definition file and have made it available for download. McAfee VirusScan, and the latest virus definition file, are available for download from our software web page at:

http://www.chem.ufl.edu/chemnet/software


 01/23/2003 -- change in e-mail sanitizer operation (MS attachments)
The e-mail virus scanning software installed last week has been reconfigured to now allow MS-Word, Excel, Powerpoint, and RTF documents to pass through the filter unaltered. Attachments of these types will NOT be "defanged" and their filenames will NOT be mangled. Other types of files will still be subject to scanning and processing by our e-mail sanitizer.

We continue to fine-tune the e-mail sanitizer's configuration in order to provide a balance between usability and protection. This announced change is an effort to make it more convenient for those of you that transfer these types of files on a regular basis.

Please note, the file types identified above can contain macro viruses which can infect your PC if not protected. Because these files will now pass through our sanitizer unaltered it is important to be sure that you have the latest virus scanner installed on your PC. McAfee VirusScan, and the latest virus definition file, are available for download from our software web page at:

http://www.chem.ufl.edu/chemnet/software

We welcome your comments, suggestions, or questions about the e-mail sanitizer we have installed and how we might improve it. Please direct them to support@chem.ufl.edu.


 01/15/2003 -- e-mail security at chem.ufl.edu upgraded & explained
The IT Shop staff have recently installed an upgrade to the e-mail virus scanning software we were using in response to an immediate threat we had over the weekend. We began the upgrade on Monday and have been tweaking its configuration since.

We've had questions about the change so I wanted to take this opportunity to explain how it works and what it is doing.

Many of you are seeing that e-mail delivered to you is coming in with attachments that have mangled ("defanged") filenames. This is done to protect you from attachments that can contain executable code. Because Microsoft Word documents and Excel spreadsheets can carry complex scripting and macros they too are considered executable and their filenames are mangled by the e-mail sanitizer.

The process of mangling the attachment only renames the attachment's filename in a way that requires you to save it to disk and rename it. Other than renaming the file, the file is not altered in any way. To unmangle a defanged attachment simply rename the file. For example, an attachment whose filename has been mangled into...

MYFILE.DEFANGED12345-DOC is saved with the name MYFILE.DOC by simply deleting the "DEFANGED12345-".

Most e-mail clients will allow you to rename the file when you save it to disk. The act of writing the attachment to disk gives your virus scanner (McAfee) the opportunity to scan it for viruses before you open it. Some e-mail clients, such as MS-Outlook, can execute attachments automatically without the user's prompting. Mangling attachments will prevent that. Mangling an attachment also prevents users from reflexively double-clicking on it to open it.

For more information about e-mail security in the department please refer to:

http://www.chem.ufl.edu/chemnet/email-security.html

The document at that link will be continually updated as we make changes and fine tune our e-mail virus scanning efforts.

If you have any questions about e-mail security and the e-mail sanitizer we have installed please address them to support@chem.ufl.edu.
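
The renaming scheme described in this notice, combined with the pass-through list from the 01/23/2003 notice, is shown below as an added Python example; it is not the sanitizer's own code. The function names, the EXECUTABLE_EXTS list and the treatment of the number after "DEFANGED" as an arbitrary tag are assumptions made for illustration.

```python
import re

# Assumption: extensions treated as directly executable. The notices do not
# list them, so this set is illustrative only.
EXECUTABLE_EXTS = frozenset({"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"})

# Office document types. The 01/15/2003 notice says Word and Excel files are
# mangled because they can carry macros; the 01/23/2003 notice lets Word,
# Excel, PowerPoint and RTF pass through unaltered.
OFFICE_EXTS = frozenset({"doc", "xls", "ppt", "rtf"})

# A mangled extension looks like DEFANGED12345-DOC.
MARKER = re.compile(r"^DEFANGED(\d+)-(.+)$", re.IGNORECASE)


def split_ext(filename):
    """Split on the LAST dot. Returns (filename, '') when there is no usable
    extension, e.g. 'README' or '.profile'."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename, ""
    return stem, ext


def is_defanged(filename):
    """True if the final extension already carries the DEFANGED marker."""
    _, ext = split_ext(filename)
    return MARKER.match(ext) is not None


def defang(filename, tag, pass_through=OFFICE_EXTS):
    """Rename NAME.EXT to NAME.DEFANGED<tag>-EXT when policy requires it.

    Only the final extension decides, so a double-extension name such as
    'invoice.pdf.exe' is still mangled. Already-mangled names are returned
    unchanged, which keeps the operation idempotent.
    """
    stem, ext = split_ext(filename)
    if not ext or is_defanged(filename):
        return filename
    kind = ext.lower()
    if kind in pass_through:
        return filename
    if kind in EXECUTABLE_EXTS or kind in OFFICE_EXTS:
        return f"{stem}.DEFANGED{tag}-{ext}"
    return filename


def restore(filename):
    """Undo defang(): delete 'DEFANGED<digits>-' from the final extension.

    Names where the marker text appears anywhere else are left alone."""
    stem, ext = split_ext(filename)
    match = MARKER.match(ext)
    if not match:
        return filename
    return f"{stem}.{match.group(2)}"


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ["MYFILE.DOC", "invoice.pdf.exe", "photo.jpg", "README"]:
        strict = defang(name, 12345, pass_through=frozenset())  # 01/15 policy
        relaxed = defang(name, 12345)                           # 01/23 policy
        print(f"{name:18} strict={strict:32} relaxed={relaxed}")
```
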


