
Technology Related Alerts Page

 

This page is where information on technology-related issues is posted, such as viruses, security threats, or problems being experienced within the EJB environment. If you are having a problem, this is a good place to check whether it is a universal issue.

 

11/10/09: 2:45 pm RCI Problem

The problem with RCI has been resolved.

 

11/10/09: 2:25 pm RCI Problem

There is currently a problem with RCI. They are aware of this and are working to resolve it.

 

11/2/09: Internet Degradation

The problem that arose on 10/30 has reportedly been resolved by the Telecommunications Department.

 

10/30/09: Internet Degradation

Please be aware that the primary Internet link for the University is currently down and the University is running on the backup link. The department that supports this equipment is currently working on the problem, but there is no timeframe for resolution. Due to this failure, you may notice slower access to sites outside of Rutgers.

 

9/30/09: RCI Email Problems

As of 11 am these problems have been resolved as per a note from the RCI support team.

 

9/30/09: RCI Email Problems

There have been intermittent problems with RCI this morning with sending and receiving mail, as well as with logging into accounts. The RCI team is aware of the problem and is working on it. The problem started at approximately 10 am.

 

9/23/09: Slow Internet

There have been repeated reports of degraded Internet service campus wide this afternoon. The Telecommunications Department is aware of this and looking into the problem. This problem was resolved later in the day on the 23rd.

 

9/22/09: RCI Problems

The problems on RCI were resolved at approximately 5:45 pm.

 

9/22/09: RCI Problems

There is currently an email problem with RCI. Webmail is working, but connections with programs like Outlook or Thunderbird are not. This has been reported to the RCI team - approximate time 5:10 pm.

 

9/14/09: RCI Problems

The email problem has been fixed as of approximately 2:35 pm.

 

9/14/09: RCI Problems

A problem using RCI with clients like Outlook and Thunderbird arose approximately fifteen minutes ago (2:15 pm). RCI is aware of it and is working on a fix.

 

8/26/09: RCI and Rutgers Sites Down

Due to a thermal failure, RCI email and many Rutgers websites are down. The formal announcement is as follows: Due to a cooling problem, the Hill Center machine room has been shut down. As a result, most University central services are affected and are not working. Both OIT and Facilities staff are working on the problem. Anticipated time of return of services is currently unknown. We apologize for any inconvenience you may incur and thank you for your understanding and patience.

 

3/31/09: Conficker Update

As you may be aware, the widely publicized Conficker worm is scheduled to receive updated instructions tomorrow. This worm only affects MS Windows-based systems and takes advantage of a vulnerability that was patched back in October of 2008. When this virus emerged in January of 2009, we scanned our networks to ensure that all of the machines were patched and sent out announcements about the seriousness of the vulnerability. We also asked that you update your home computers appropriately. Unfortunately there are still millions of machines in the world infected with this virus and it is unclear whether there will be a major cyber incident tomorrow, or whether this will be an April Fool's joke. The University is currently scanning networks for any traces of this virus and we recommend that you ensure that your personal computers are up to date in terms of patches and anti-virus updates. There was also a segment about this worm on 60 Minutes this past Sunday and here is a link that you may find interesting:
 
 
An updated official announcement from the National Cyber Alert System follows and if you have any questions or concerns, please let us know.

Thank you,

Martin O'Reilly
EJB Information Technology Services
    
 

National Cyber Alert System

              Technical Cyber Security Alert TA09-088A


Conficker Worm Targets Microsoft Windows Systems

   Original release date: March 29, 2009
   Last revised: March 30, 2009
   Source: US-CERT


Systems Affected

     * Microsoft Windows


Overview

   US-CERT is aware of public reports indicating a widespread
   infection of the Conficker/Downadup worm, which can infect a
   Microsoft Windows system from a thumb drive, a network share, or
   directly across a corporate network, if the network servers are not
   patched with the MS08-067 patch from Microsoft.


I. Description

   Home users can apply a simple test for the presence of a
   Conficker/Downadup infection on their home computers.  The presence
   of a Conficker/Downadup infection may be detected if a user is
   unable to surf to their security solution website or if they are
   unable to connect to the websites, by downloading detection/removal
   tools available free from those sites:
  
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm


http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

   If a user is unable to reach any of these websites, it may indicate
   a Conficker/Downadup infection.  The most recent variant of
   Conficker/Downadup interferes with queries for these sites,
   preventing a user from visiting them.  If a Conficker/Downadup
   infection is suspected, the system or computer should be removed
   from the network or unplugged from the Internet - in the case for
   home users.


II. Impact

   A remote, unauthenticated attacker could execute arbitrary code on
   a vulnerable system.


III. Solution

   Instructions, support and more information on how to manually
   remove a Conficker/Downadup infection from a system have been
   published by major security vendors.  Please see below for a few of
   those sites. Each of these vendors offers free tools that can
   verify the presence of a Conficker/Downadup infection and remove
   the worm:
  
Symantec:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:

http://support.microsoft.com/kb/962007

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

  
   Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

   US-CERT encourages users to prevent a Conficker/Downadup infection by
   ensuring all systems have the MS08-067 patch (see
   http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx),
   disabling AutoRun functionality (see
   http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
   maintaining up-to-date anti-virus software.


IV. References

 * Microsoft Windows Does Not Disable AutoRun Properly -
   <http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

 * Virus alert about the Win32/Conficker.B worm -
   <http://support.microsoft.com/kb/962007>

 * Microsoft Security Bulletin MS08-067 - Critical -
   <http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>

 * MS08-067: Vulnerability in Server service could allow remote code
   execution -
   <http://support.microsoft.com/kb/958644>

 * The Conficker Worm -
   <http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>

 * W32/Conficker.worm -
   <http://us.mcafee.com/root/campaign.asp?cid=54857>

 * W32.Downadup Removal Tool -
   <http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99>

 

 

 

2/20/09: Acrobat Vulnerability Being Exploited

 

There is a new security threat targeted at Adobe Acrobat that is currently being exploited. It is important that you are aware of this and that you are careful about opening attachments, opening links in emails, or browsing unfamiliar web sites. Adobe has yet to release a patch for this, but it will be coming out within the next few weeks. I know that the Adobe updates can be quite tedious, but this is a good illustration as to why they are necessary. The full security advisory follows and if you have any questions, please let us know.

 

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY

MS-ISAC ADVISORY NUMBER:
2009-008

DATE(S) ISSUED:
2/20/2009

SUBJECT:
Vulnerability in Adobe Reader and Adobe Acrobat Could Allow Remote Code
Execution

OVERVIEW:
A new vulnerability has been discovered in the Adobe Acrobat and Adobe
Reader applications that allows attackers to execute arbitrary code on
the affected systems. Adobe Reader allows users to view Portable
Document Format (PDF) files. Adobe Acrobat offers users additional
features such as the ability to create PDF files.

Depending on the privileges associated with the user, an attacker could
then install programs; view, change, or delete data; or create new
accounts with full user rights. Unsuccessful exploitation attempts may
cause these programs to crash.

It should be noted that this vulnerability is being actively exploited
on the Internet.

SYSTEMS AFFECTED:

          o Adobe Reader 9 and earlier versions
          o Adobe Acrobat Standard, Pro, and Pro Extended 9 and earlier
            versions

RISK:

Government:

          o Large and medium government entities: High
          o Small government entities: High

Businesses:

          o Large and medium business entities: High
          o Small business entities: High

Home users: High

DESCRIPTION:
Adobe Reader and Acrobat are prone to a remote code execution
vulnerability.  The exploit is a two-stage attack.  The malware exploits
an integer overflow and then uses JavaScript to execute a heap spray to
inject shellcode.  A heap spray attempts to inject code into the memory
of a target process.  Testing by Shadowserver has shown that disabling
JavaScript in Adobe will defeat the remote code execution but still
result in denial of service.

The exploit is being seen in targeted attacks but is expected to become
more widespread.  Some anti-virus vendors currently detect this
exploit.  Trend Micro detects it as TROJ_PIDIEF.IN.  Symantec detects it
as Trojan.Pidief.E.

Adobe expects to make available an update for Adobe Reader 9 and Acrobat
9 by March 11th, 2009.  Patches for other versions will be available later.

RECOMMENDATIONS:
We recommend the following actions be taken:

          o Ensure antivirus software signatures are current.
          o Do not open email attachments from unknown or un-trusted
            sources.
          o Provide user awareness notification about this vulnerability
            and exploit.
          o Do not visit un-trusted websites or follow links provided by
            unknown or un-trusted sources.
          o Consider disabling JavaScript in Adobe by navigating to
            Edit->Preferences and unchecking 'Enable Acrobat JavaScript'.
          o Install the appropriate vendor patch as soon as it becomes
            available after appropriate testing.


REFERENCES:

Adobe:
http://www.adobe.com/support/security/advisories/apsa09-01.html

McAfee:
http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents/

SANS:
http://isc.sans.org/diary.html?storyid=5902

Security Focus:
http://www.securityfocus.com/bid/33751

Shadowserver:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219

Trend Micro:
http://blog.trendmicro.com/portable-document-format-or-portable-malware-format/


1/21/09: Downadup Virus Alert

There is a virus spreading rapidly on the Internet and via USB devices known as the Downadup or Conficker virus. This virus is related to a vulnerability in Microsoft Windows that was patched back in October 2008. The systems here at the Bloustein School are configured to automatically update and are protected from this vulnerability, but you should ensure that your computers at home are set the same way, or that you run Windows Update at your earliest convenience. You should also ensure that your anti-virus software is up to date as well. If you need any assistance in relation to running Windows Update or checking your anti-virus software, please contact us at ejbhelp@rci.rutgers.edu
 
The formal announcement from MS-ISAC follows.

Thank you,
 
Martin O'Reilly
 

Subject: MS-ISAC Cyber Information Bulletin - Widespread Infections Due to
Vulnerabilities Defined in MS08-067

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER INFORMATION BULLETIN

DATE ISSUED:
January 20, 2009

SUBJECT: Widespread Infections Due to Vulnerabilities Defined in
MS08-067

Widespread infections due to the vulnerability in the Microsoft Server
Service (MS08-067) have recently been reported. The malware
responsible for the infections is referred to as Win32/Conficker /
Downadup Worm and current estimates for the number of infected systems
range from 2.4 million to 8.9 million computers. Originally the
vulnerability was being exploited by a Trojan, but recently the
malware has become a worm capable of propagating without interaction.
The worm will attempt to spread by guessing the passwords to file
shares on the system.  The act of guessing passwords has resulted in
some organizations experiencing account lockouts. The worm will also
spread via removable media.

Once a system is infected, it will contact a pseudorandom, dynamically
generated domain name.  These domain names are changing frequently,
with hundreds of new domain names being generated daily. The worm will
check the domain for any updates to the malware and also report how
many systems have been successfully infected. However, the volume of
domains being generated makes it impractical to stop this infection by
blocking the domain names or IP addresses. At this time, the worm does
not perform any additional malicious activity. If a compromise has
been identified, the passwords on the system must be reset to a more
complex and stronger password.

It is recommended that security device logs be examined for egress
traffic to the domain names included in the following links as this
may be an indication of an infection. However, it should be noted that
this is not a complete list and the absence of egress traffic to these
domains may not rule out an infection.

http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_13_16.txt


http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_17_31.txt



Microsoft has released instructions for manual removal of the worm.
Additionally, the January version of the Malicious Software Removal
Tool from Microsoft will detect and remediate infections due to the
vulnerability.  However, the worm will disable automatic Microsoft
Windows updates, so this software must be downloaded manually.

RECOMMENDATIONS:

We recommend the following actions be taken:
* Apply Microsoft patch MS08-067
* Download and run the January Malicious Software Removal Tool from Microsoft
* Follow the instructions in the Microsoft KB article for manual removal
* Provide the administrator account of the computer with a strong password
* Completely disable the AutoRun function
* Ensure that all anti-virus software is up to date with the latest signatures.

REFERENCES:

Microsoft:
http://support.microsoft.com/kb/962007
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

F-Secure:
http://www.f-secure.com/weblog/

CNN:
http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html

MS-ISAC:
http://www.msisac.org/advisories/2008/2008-034b.
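
The bulletin above gives a detection engineer two things to act on: an infected host looks up hundreds of freshly generated domain names a day, most of which do not exist, and the published blocklists are necessarily incomplete. The Python below is an added example, not code from MS-ISAC or F-Secure. It checks a DNS resolver log against a blocklist in the one-domain-per-line format of the F-Secure lists linked above (matching subdomains of an entry as well), and, as a second and more general indicator, flags clients that receive an unusual number of distinct NXDOMAIN answers in a short window, which is the footprint a domain-generation algorithm leaves whether or not its domains are on anyone's list. The log line format, the client addresses, the placeholder blocklist entries (all under .test) and the 20-names-in-10-minutes threshold are constructed assumptions for the example. A burst is a lead to investigate, not proof of infection, and, as the bulletin says, a clean result does not rule one out.

```python
"""Hunt for Conficker-style egress in DNS resolver logs.

Added example for the MS-ISAC bulletin above; not MS-ISAC's or F-Secure's code.
Two indicators: lookups of blocklisted domains (including subdomains of an
entry) and, since blocklists are incomplete, bursts of distinct NXDOMAIN
answers per client, which is what a domain-generation algorithm produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Assumed (constructed) log line shape: "<ISO timestamp> <client IP> <qname> <rcode>"
def parse_line(line: str):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def load_blocklist(text: str) -> set:
    """One domain per line, as in the linked F-Secure lists; '#' lines ignored."""
    return {l.strip().lower().rstrip(".") for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def blocklisted(qname: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry that covers qname, walking up parent domains so
    'www.bad.example' is caught by an entry 'bad.example'. The bare TLD is never
    tried, so an entry like 'test' cannot match everything under it."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def hunt(log_text: str, blocklist: set,
         window: timedelta = timedelta(minutes=10), nx_threshold: int = 20) -> dict:
    hits = defaultdict(set)        # client -> blocklist entries it looked up
    nxdomain = defaultdict(list)   # client -> [(timestamp, qname)] NXDOMAIN answers
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        entry = blocklisted(qname, blocklist)
        if entry:
            hits[client].add(entry)
        if rcode == "NXDOMAIN":
            nxdomain[client].append((ts, qname))

    bursts = {}
    for client, events in nxdomain.items():
        events.sort()
        # Sliding window over *distinct* names: a DGA asks for many names that
        # do not resolve; a user typo or a retry loop on one name does not.
        for i, (start, _) in enumerate(events):
            names = {q for t, q in events[i:] if t - start <= window}
            if len(names) >= nx_threshold:
                bursts[client] = len(names)
                break
    return {"blocklist_hits": {c: sorted(v) for c, v in hits.items()},
            "nxdomain_bursts": bursts}


# Constructed placeholder blocklist (not real Conficker domains), in the
# one-domain-per-line format of the linked lists.
BLOCKLIST = """# constructed example entries
jwqxk.test
uvgbrt.test
mnopl.test
"""


def sample_log() -> str:
    """Constructed resolver log: one DGA-like client and one ordinary client."""
    base = datetime(2009, 1, 20, 9, 0, 0)
    lines = []
    for i in range(25):  # 25 distinct unresolvable names in about five minutes
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.isoformat()} 10.1.2.3 gen{i:02d}abc.test NXDOMAIN")
    t = base + timedelta(minutes=6)  # one name that is on the blocklist
    lines.append(f"{t.isoformat()} 10.1.2.3 www.uvgbrt.test NOERROR")
    for m, q, rc in [(0, "www.rutgers.edu", "NOERROR"),
                     (1, "mail.rutgers.edu", "NOERROR"),
                     (2, "wwww.rutgers.edu", "NXDOMAIN")]:  # a typo, not a DGA
        t = base + timedelta(minutes=m)
        lines.append(f"{t.isoformat()} 10.1.2.9 {q} {rc}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = hunt(sample_log(), load_blocklist(BLOCKLIST))
    for client, entries in report["blocklist_hits"].items():
        print(f"{client}: egress to blocklisted {', '.join(entries)}")
    for client, n in report["nxdomain_bursts"].items():
        print(f"{client}: {n} distinct NXDOMAIN names inside one window")
```

On the constructed log the script reports 10.1.2.3 twice (a blocklist hit and a 25-name NXDOMAIN burst) and stays silent about 10.1.2.9, whose single typo never reaches the threshold. Against real resolver logs the threshold needs tuning per site, and the NXDOMAIN indicator should be treated as a triage signal to pair with the blocklist, the MS08-067 patch state of the host, and the account-lockout symptoms the bulletin mentions.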