bot - Adobe Acrobat Reader
Reply #1
jayeliot
Member with 268 posts.
Join Date: Feb 2003
Location: NJ
17-Feb-2008, 05:28 PM #1
My daughter received the following notice from her college Network Security Dept. They say that a "bot" was caused by a virus related to Adobe Acrobat / Reader. Their solution is a complete rebuild of her laptop. I have no control over this, but just wanted your opinion. Is a rebuild really necessary? I cannot provide you with a HijackThis log as the computer is out of state with my daughter.

HP laptop ; XP service pack 2

Thanks

Jay

______________________________________________________________________

The specific bot was caused by a trojan which exploited the recent Adobe Acrobat/Reader vulnerability. After a format and rebuild, Acrobat Reader 8.1.2 should be installed - the most recent version which is not vulnerable.

-------------------------------------------------------------------------------------------------------------------
Good day,

State's ITS Security Operations and Services detected your Residence Hall system as being compromised. Your IP address/connection is being temporarily disabled because it is likely that your personal computer is infected with a BOT.

YOUR COMPUTER WILL NEED TO BE BACKED UP, REFORMATTED, REBUILT, AND SECURED.

To help safeguard the content of your machine and prevent unauthorized activity as well as the further spread of the bot, your Residence Hall connection will be disabled until your machine can be rebuilt and secured. The action to disable connectivity only affects your Residence Hall Ethernet connection and does not affect your Penn State Access Account, which is still active. You have the ability to use computer labs while your Residence Hall Ethernet connection is disabled. Please be aware that if your system is detected as compromised on the modem/dial-up or wireless networks, your Access Account may be locked.

***** IMPORTANT *****
Per State's Housing and Food Service (HFS) Network policy:
ResCom MUST be involved in the formatting and rebuilding of your machine in order for your Residence Hall Ethernet connection to be re-enabled. Our office, ITS Security Operations and Services, CANNOT override the HFS policy. Please do not reply and request any exceptions to the ResCom-must-rebuild policy.
***************************

Bot-controlled machines may, among other things, download and execute files, steal system information, send spam or malware to other users, add new accounts, and/or perform Denial of Service (DoS) attacks. Some variants have been known to include keystroke loggers. The only sure method of recovery from this compromise is to rebuild the machine rather than attempting to remove files.

Note: If your operating system is Microsoft Windows XP, a system restore to an earlier date is NOT the proper remedy.

YOU MAY WISH TO BACKUP YOUR PERSONAL DATA.

ITS SOS *must* receive notification from ResCom to re-activate your residence hall connection which is a multi step process usually taking between 24-48hrs (when submitted M - F). The time required for this process to be completed will depend on the availability of your local support personnel and the normal re-activation process. You will need original installation software with valid licenses
lunarlander
Senior Member with 3,492 posts.
Join Date: Sep 2007
17-Feb-2008, 08:49 PM #2
If her machine has joined a bot-net, then a rebuild is necessary. The PC is under somebody else's control.
steveie85
Member with 418 posts.
Join Date: Nov 2007
Location: Ontario, Canada
Experience: Above advanced
17-Feb-2008, 09:06 PM #3
A rebuild is not necessary. A simple complete reformat is the only step needed. After that, I recommend installing a strong anti-virus such as AVG and an anti-malware program such as SuperAntiSpyware. Sounds like they are looking to make some money.
jayeliot
Member with 268 posts.
Join Date: Feb 2003
Location: NJ
18-Feb-2008, 10:20 AM #4
Stevie85

What is the difference between a simple complete reformat and a rebuild? I would have thought that a reformat of the hard drive wipes out everything, including the O/S. Yes?
jayeliot
Member with 268 posts.
Join Date: Feb 2003
Location: NJ
18-Feb-2008, 10:32 AM #5
As for someone making money by doing a rebuild, I think not. Her college is taking care of all this using their volunteer staff. But I do have questions about their rules.

When she brought her laptop to college as a freshman, she had trouble connecting to their WiFi network. At home we had no problems connecting to my wireless router. They determined that the cause was with my TrendMicro Security 2006. And also with Spybot which I have had installed for years based upon recommendations from this forum.

So, in order to get her into their WiFi, they replaced TrendMicro with something else. And they removed Spybot. They said that their network would provide the necessary protection. Well, that appears to have been faulty advice.

How would she have gotten this bot? They say that the culprit capitalized on a vulnerability in an earlier version of Adobe Acrobat Reader. If we had installed AVG and SuperSpyware, would that have prevented this attack?
steveie85
Member with 418 posts.
Join Date: Nov 2007
Location: Ontario, Canada
Experience: Above advanced
18-Feb-2008, 04:30 PM #6
A reformat would wipe the hard drive clean, yes. A rebuild means they think there is some hardware that needs to be replaced. There are two types of format as well. The first, and the one I would recommend, is a complete one, which also makes sure the hard drive is fine. The second is a quick one, which just erases the files on the drive but doesn't check to ensure there are no bad sectors.

Do you know what the anti-virus program they used was? Any anti-virus program other than McAfee or Panda anti-virus would have helped, and a good anti-spyware program would have worked to prevent it. I would let them do what they need to, but I would draw the line at the format. Let them do that and nothing more. I would then take it to a reputable computer tech and get them to take a look at it. Most will not charge for just making sure everything has been done right. I would actually take it to a computer tech first and get their opinion. That way you're dealing with the campus computer people with a little more knowledge and a second opinion on your part.

Steve
lunarlander
Senior Member with 3,492 posts.
Join Date: Sep 2007
18-Feb-2008, 09:48 PM #7
Just a tidbit of info: I read in The Register security news that the exploit for Acrobat surfaced two weeks before the patch, so I doubt any signature-based AV would have been able to stop it.

http://www.theregister.co.uk/2008/02...eader_exploit/

I use the term rebuild to mean format and re-installation of Windows. Sorry I wasn't making myself clear.
steveie85
Member with 418 posts.
Join Date: Nov 2007
Location: Ontario, Canada
Experience: Above advanced
18-Feb-2008, 11:11 PM #8
Oh, reformat, yes. It should be taken care of in the patch, and an anti-virus such as AVG should have an update to rid the system of it. So really no format should be needed.
jayeliot
Member with 268 posts.
Join Date: Feb 2003
Location: NJ
19-Feb-2008, 12:37 AM #9
What version of Adobe Acrobat has this vulnerability? An Adobe update reminder popped up a day or so ago and I accepted the update on my home PC. It is on my desktop and appears to be version 8.0. I have not used it and so far have not had problems. What do you recommend?
steveie85
Member with 418 posts.
Join Date: Nov 2007
Location: Ontario, Canada
Experience: Above advanced
19-Feb-2008, 01:17 AM #10
I always recommend the latest version, which with Adobe is version 8.1.2. I had not heard of any vulnerabilities in Adobe. I would imagine it would be in versions 6 or 7.
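The question running through posts #9 and #10 is whether a given machine's Reader is older than 8.1.2, the version the college's notice names as the first non-vulnerable release. The following is an added example, not code from the thread or from Adobe, showing how to answer that from the Windows Uninstall registry keys rather than by eyeballing the Help > About dialog. It assumes a Windows host with PowerShell installed (the original laptop ran XP SP2, which needs PowerShell added separately), that Adobe's installer registers under the standard Uninstall key with a DisplayName starting "Adobe Reader" or "Adobe Acrobat", and that the 8.1.2 threshold from the notice is the right cut-off for that machine; the helper name Get-AdobeReaderStatus is mine.

```powershell
# Added example (not from the thread): flag Adobe Reader/Acrobat installs older
# than 8.1.2, the version the college's notice calls the first non-vulnerable one.
# Assumptions: Windows with PowerShell; Adobe registers under the standard
# Uninstall keys (32-bit and Wow6432Node are both checked so this works on
# 32-bit XP and on 64-bit Windows alike).

$MinimumSafe = [version]'8.1.2'   # threshold quoted in the notice; an assumption for other machines

$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AdobeReaderStatus {
    # Returns one object per Adobe Reader/Acrobat entry with a Vulnerable flag.
    Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Adobe (Acrobat|Reader)' } |
        ForEach-Object {
            # DisplayVersion is normally dotted ("8.1.2"); treat anything that
            # does not parse as unknown rather than silently calling it safe.
            $installed = $null
            try { $installed = [version]$_.DisplayVersion } catch { $installed = $null }

            $vulnerable = if ($installed) { $installed -lt $MinimumSafe } else { 'unknown' }

            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Vulnerable = $vulnerable
            }
        }
}

$status = @(Get-AdobeReaderStatus)
if ($status.Count -eq 0) {
    Write-Output 'No Adobe Reader or Acrobat entry found in the Uninstall keys.'
} else {
    $status | Format-Table -AutoSize
    if ($status | Where-Object { $_.Vulnerable -eq $true }) {
        Write-Warning "At least one Adobe install is older than $MinimumSafe; update it before putting the machine back on the network."
    }
}
```

Comparing with `[version]` rather than as strings matters here: a string comparison would rank "8.1.10" below "8.1.2". The check only tells you what is registered as installed; it says nothing about whether an exploit already ran, which is the point the college's notice is making when it insists on a rebuild rather than a patch.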