CNN was kind enough to post an amazingly oddly placed article about the latest RINBOT/DELBOT/SDBOT variant.
This is awesome because now what is otherwise a non-event is becoming something mgmt and normal users are asking me (us) about. Yay! So here’s some information to help point you in the right direction in case you get questioned.
As far as I know, only Symantec has this malware variant on their radar. Everyone else seems to be treating it as a minor blip.
In short, this malware strain is simply an infector for your run-of-the-mill botnet and is not a new threat. Variants of this bot have been around over a year, and this is the 9th (I believe) variant. The vulnerabilities this malware attacks have had available patches for months or longer.
RINBOT – Symantec/Trend name
DELBOT – Sophos name
SDBOT – McAfee name
This new variant spreads in three major fashions:
– Windows Server Service vulnerability (patched in August 2006)
– Symantec AV Client vulnerability (patched late last year)
– IPC$ shares with common or no security
– some variants also use email attachments
This is not a really new threat. You don’t have much to worry about if you do not use Symantec applications and you have patched your servers. Obviously, you also want inbound ports blocked at your perimeter. I won’t spam more links. The ones above should be sufficient.