Man... life's busy like hell. No time to even update the blog. So many interesting things have happened in my life... where to start... maybe I'll update in my next post (not sure when).
As for now, there has been a virus outbreak in my working environment... a global outbreak... some attacker out there exploited one of the MS vulnerabilities (out-of-band release) released last month. To be specific, it's MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution.
Initially all client machines and servers were patched (my team was responsible for initiating and coordinating the patching activity). However, some smart people out there failed to adhere to instructions... causing mass exploitation of servers and client machines.
Apparently the attacker deployed a worm (remotely) that could drop copies of itself into the system root. From there, it accesses a certain website which downloads trojans to these machines/servers. The trojan then uses random ports to access port 445 at other locations, i.e. the domain controller and Active Directory. It then does a brute force to get usernames and passwords.
Our IDS team initially captured the suspicious traffic and alerted us. We then continued our investigation, found the root cause and are currently performing the clean-up. Our anti-virus vendor came up with a bandage pattern file that detects and quarantines these malicious files.
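One way to pick that pattern out of connection logs, as an added example (not the IDS team's rule, not a vendor signature, and not code from the original post): flag any internal host that opens an unusual number of TCP/445 connections to a domain controller inside a short window. The log line format, the DC addresses, the threshold and window, and the sample traffic are all assumptions constructed for this example.

```python
"""Flag hosts hammering TCP/445 on domain controllers (added example; the log
format, DC addresses, thresholds and sample traffic below are all assumptions)."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed record format: "YYYY-mm-dd HH:MM:SS src:sport -> dst:dport proto"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\w+)$"
)
Conn = namedtuple("Conn", "ts src_ip src_port dst_ip dst_port proto")

DOMAIN_CONTROLLERS = {"10.1.0.10", "10.1.0.11"}  # assumed DC addresses
THRESHOLD = 20                                  # assumed: conns to DC:445 per window
WINDOW = timedelta(seconds=60)                  # assumed sliding window length


def parse_line(line):
    """Parse one connection record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return Conn(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                src, int(sport), dst, int(dport), proto.lower())


def peak_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    timestamps = sorted(timestamps)
    best, j = 0, 0
    for i, start in enumerate(timestamps):
        # Advance the right edge while it is still within the window of `start`.
        while j < len(timestamps) and timestamps[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def find_smb_bruteforce_sources(log_text, dcs=DOMAIN_CONTROLLERS,
                                threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: stats} for every host whose TCP/445 connections to a DC
    reach `threshold` inside some `window`-long span."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        c = parse_line(line)
        if c and c.proto == "tcp" and c.dst_port == 445 and c.dst_ip in dcs:
            per_source[c.src_ip].append(c)
    alerts = {}
    for src, conns in per_source.items():
        peak = peak_in_window([c.ts for c in conns], window)
        if peak >= threshold:
            alerts[src] = {
                "peak_in_window": peak,
                # Many distinct ephemeral ports = many separate sessions,
                # which is what repeated logon attempts look like on the wire.
                "distinct_source_ports": len({c.src_port for c in conns}),
                "targets": sorted({c.dst_ip for c in conns}),
            }
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real data)."""
    base = datetime(2008, 11, 20, 2, 14, 1)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # Infected host: 30 connections in 30 s, new ephemeral source port each time.
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.strftime(fmt)} 10.1.5.23:{49152 + i} -> 10.1.0.10:445 tcp")
    # Normal workstation: a few SMB sessions to the DC over several minutes.
    for i in range(3):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.strftime(fmt)} 10.1.5.40:{50000 + i} -> 10.1.0.10:445 tcp")
    # Slow talker: 25 connections spread over 12 minutes; never 20 in one window.
    for i in range(25):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.strftime(fmt)} 10.1.5.77:{51000 + i} -> 10.1.0.11:445 tcp")
    # Port 445 on a plain file server (not a DC) is out of scope for this rule.
    lines.append(f"{base.strftime(fmt)} 10.1.5.23:60000 -> 10.1.9.5:445 tcp")
    lines.append("garbage line that should be skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, stats in find_smb_bruteforce_sources(build_sample_log()).items():
        print(f"ALERT {src}: {stats}")
```

The sliding window is what keeps the rule from firing on a busy but legitimate client: the slow talker in the sample makes more total connections than the threshold yet never reaches it within 60 seconds, so only the host that bursts 30 sessions in 30 seconds is reported.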
Now we're pushing the patch (to unpatched servers/machines) via SCCM. The bandage pattern is also being deployed. BSODs also occurred during the deployment... making our task miserable. The earliest I go back home nowadays is 9 p.m. Go back, then have to wake at 3.00 a.m. to sit in on a conference call with the rest of the teams globally.
Lesson - Never ever take an MS patch for granted... deploy it as soon as it's released!
p.s. - *NIX users should be celebrating by now (I'm damn sure the attacker is a *NIX maestro)