Old Enemies Come Back

Sunday night we were having dinner with some friends, a gathering that included someone who rides herd on the IDS at a Major University. Just as he got to the house, his phone started ringing--something was knocking a couple of key segments off the network. It turned out that a host on the network had been given a new dose of Sasser--and the result was an IDS log file large enough to choke servers, which cascaded down to sensors, which then caused problems in dealing with the issue. He took care of the problem in a few minutes, but there were more phone calls, and a renewed acquaintance with a problem we thought had been handled.

Now comes word from F-Secure that a new Sober variant, Sober.N is seeding itself, and spreading through infected .ZIP files. As I mentioned in the last podcast, attention to user training (Don't Open Unexpected ZIP Files) will be as important as AV signatures in stopping this one early. Beyond that, the renewal of old threats is a solid reminder that the early versions of these worms tended to be more proof of concept that serious damage attempts--the real payoff in terms of network damage is yet to come. We've been warned--let's get busy protecting our networks through technology and training.