Notices

NSC-030804: IMPORTANT: many Windows machines compromised


Preliminary results of scanning the campus network indicate that a large number of Windows computers (about 2,500) have been broken into (compromised) and had a "rootkit" installed.  A rootkit is a set of attacker programs that an intruder installs on a computer after breaking in; it leaves a back door so the intruder can get back into the system later, and typically hides its own files and processes from the machine's owner.

The compromised Windows computers were attacked either before the recommended security patches had been installed or because the patches were never installed.  If a machine was patched after the rootkit was installed, the "front door" used for the original break-in is closed, but the "back door" the intruder left is still open and the attacker's programs are still present.  Patching alone will not close the "back door" or remove the attacker's programs; the machine must also be repaired.

It is important that all affected machines be repaired as soon as possible. In addition, all machines must have current security patches installed as soon as possible to prevent further compromises. 

You need to do the following:

1.  Get all Windows computers in your department up to date with security patches. 

2.  Check for the presence of the most prevalent rootkit on all Windows computers in your department.

3.  If the rootkit was installed, run the cleanup toolkit to repair the system, or reformat and rebuild the system from scratch, as recommended for machines that contain sensitive information.

NOTE:  Several other rootkit variations have been discovered on Windows computers.  These variations are not nearly as widespread, and NSC contacts are being informed as we identify them.  Cleanup for other rootkit variations will be manual, or requires the machine to be reformatted and rebuilt from scratch.  The IT Security Office will continue to scan the campus network looking for compromised machines.  We will contact NSCs with updated information as it becomes available.

You and your collegiate IT leaders and management must decide whether you will have your support staff go around and check all computers, or have staff and faculty do it themselves.  If you choose to have staff and faculty "patch, check, and repair" their own computers, a sample instruction message is below.  If you send an instruction message out, please include appropriate desktop support/contact information for your department for user questions and assistance.

Jane Drews
IT Security Officer

PS - Our thanks go to friends at Purdue University for developing and sharing their version of the cleanup toolkit.

----------------------------------------------------------------------------------------------

Sample Message Template to Staff and Faculty:

A widespread security problem has been identified on campus Windows computers.  It is very important that you take the following steps to ensure the security and continued smooth operation of your computer: 

1.) Run the "Windows Update" program (Start -> All Programs -> Windows Update, and follow instructions.)

2.) Click on the following URL:  http://localhost:6651 to check for the presence of intruder access to your computer.

3.) If an admin login web page appears, your machine has the back door and needs to be repaired.  (Point your web browser at the following URL: http://www.its.uiowa.edu/cs/helpdesk/virus/rpcfix.htm, and then click "download" and "open" to run the repair script.)  If "Page can not be found" appears, nothing is listening on that port and you do not need to run the repair script for this rootkit.

4.) Run Norton Anti-Virus "LiveUpdate", and then a full scan of your computer.  (Select File, LiveUpdate, and follow the prompts; and then select Scan, Scan Computer, select your C: drive, and click "Scan".)

If you have questions or need assistance, please call your department computer support staff.
----------------------------------------------------------------------------------------------
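Added example, not the IT Security Office's scanner and not the Purdue cleanup toolkit: a Python scanner that automates the http://localhost:6651 check from step 2 of the NSC instructions and steps 2 and 3 of the sample message, so support staff can run it against a department's hosts instead of visiting each desktop.  It assumes (the notice does not say this) that the back door answers plain HTTP on TCP 6651, and it treats any HTTP reply as the "admin login web page appears" case; a refused connection is the "Page can not be found" case, and anything else (timeout, filtered port, non-HTTP banner) is reported as unknown for a manual look rather than assumed clean.  The "Admin Login" page it serves to itself, and the host names, are constructed for the demo.  As the NOTE above says, this check only finds the most prevalent variant.

```python
"""Scan hosts for the port-6651 web back door described in the notice (added example)."""
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKDOOR_PORT = 6651   # port from the notice's http://localhost:6651 check
MAX_READ = 64 * 1024   # do not let a hostile listener feed us an endless body


def classify_response(raw):
    """Classify the bytes a listener on the back-door port sent back.

    ("compromised", title) for an HTTP reply (the "admin login web page" case);
    ("unknown", reason) for anything that is not HTTP, which needs a manual
    look rather than being assumed clean.
    """
    if not raw.startswith(b"HTTP/"):
        return ("unknown", "non-HTTP service answered on the back-door port")
    m = re.search(rb"<title>(.*?)</title>", raw, re.IGNORECASE | re.DOTALL)
    title = m.group(1).strip().decode("latin-1") if m else "(no title)"
    return ("compromised", title)


def probe_backdoor(host, port=BACKDOOR_PORT, timeout=3.0):
    """Connect to host:port, issue a plain GET, and classify the result.

    ("clean", None)        -- connection refused: nothing listening, i.e. the
                              "Page can not be found" case in the notice
    ("compromised", title) -- an HTTP page came back
    ("unknown", reason)    -- timeout, filtered port, host down, non-HTTP
    """
    request = ("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            chunks, total = [], 0
            while total < MAX_READ:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
    except ConnectionRefusedError:
        return ("clean", None)
    except (socket.timeout, OSError) as exc:
        return ("unknown", "%s: %s" % (type(exc).__name__, exc))
    return classify_response(b"".join(chunks))


def scan_hosts(hosts, port=BACKDOOR_PORT, timeout=3.0):
    """Probe every host; returns {host: (verdict, detail)} for the NSC to act on."""
    return {host: probe_backdoor(host, port, timeout) for host in hosts}


# --- constructed stand-in for a compromised host, used only by demo() ---
FAKE_LOGIN_PAGE = (b"<html><head><title>Admin Login</title></head>"
                   b"<body><form method=post><input name=user>"
                   b"<input name=pass type=password></form></body></html>")


class _FakeBackdoorHandler(BaseHTTPRequestHandler):
    """Serves the constructed admin login page in place of the real back door."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(FAKE_LOGIN_PAGE)))
        self.end_headers()
        self.wfile.write(FAKE_LOGIN_PAGE)

    def log_message(self, *args):   # keep the demo quiet
        pass


def _closed_port():
    """Pick a loopback port that is almost certainly not listening."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe one fake compromised host, one clean port, and one non-HTTP banner."""
    server = HTTPServer(("127.0.0.1", 0), _FakeBackdoorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {
            "fake_backdoor": probe_backdoor("127.0.0.1", server.server_address[1]),
            "closed_port": probe_backdoor("127.0.0.1", _closed_port()),
            "raw_non_http": classify_response(b"SSH-2.0-OpenSSH\r\n"),
        }
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for name, (verdict, detail) in demo().items():
        print("%-14s %-12s %s" % (name, verdict, detail or ""))
```

Running the file performs the loopback self-test; for real use, call scan_hosts() with the department's addresses from a machine that can reach them on port 6651.  Treat "unknown" results as follow-up items, not as clean: a personal firewall that drops the probe, or a host that is switched off, looks identical to a filtered port.  A "clean" result means only that this particular back door is not listening; it says nothing about the other variants mentioned in the NOTE, and it does not replace the patching in step 1.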

Copyright © 2005 The University of Iowa. All rights reserved.