Security Status Log
MOREnet Security status Wednesday, December 26, 2007 - 13:00:
Updated: Friday, January 4, 2007 - 8:00
Storm Update
Status is green but we want to keep people updated
about new variants of Storm. Keep checking back for updates to this page.
There are too many subject lines to keep track of them all. Every subject line so far has related to Christmas or New Year's,
especially the New Year.
If you have a way of blocking by web site name, we will keep updating this page with new domain names as we find them.
We will "break" the links by inserting spaces in the name so you don't accidentally click on the link and infect yourself.
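The following is an added example, not part of the original MOREnet page: it turns lines written in the "broken" link format described above into a de-duplicated block list. The hosts-file output, the `www.` alias, the function names and the sample names (reserved `.example` / `.test` domains) are assumptions made for illustration.

```python
import re

# Constructed sample in the page's "broken link" format (reserved test names).
SAMPLE = """\
http:// greeting-cards . example
http:// holiday2008cards . test
http:// Greeting-Cards . example
http:// bad_label! . example
not a link at all
"""

# Hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def refang(line):
    """Return the lowercase hostname from one broken link, or None if invalid."""
    text = "".join(line.split())  # drop the spaces inserted to break the link
    m = re.match(r"^https?://([^/?#:]+)", text, re.IGNORECASE)
    if not m:
        return None
    host = m.group(1).lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253:
        return None
    return host if all(_LABEL.match(label) for label in labels) else None

def build_blocklist(text):
    """De-duplicate hostnames (order kept); return (hosts, rejected_lines)."""
    hosts, rejected, seen = [], [], set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        host = refang(raw)
        if host is None:
            rejected.append(raw.strip())  # never block on unparsable input
        elif host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts, rejected

def hosts_file_entries(hosts):
    """Assumed blocking method: sink each name and its www. alias to 0.0.0.0."""
    return [f"0.0.0.0 {name}" for h in hosts for name in (h, "www." + h)]

if __name__ == "__main__":
    good, bad = build_blocklist(SAMPLE)
    print("\n".join(hosts_file_entries(good)))
    for line in bad:
        print("# skipped:", line)
```

Rejected lines are reported rather than guessed at, so a typo in a copied entry cannot silently block an unrelated name.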
Current Domain names are:
History of MOREnet Alerts
MOREnet Security status Monday, December 17, 2007 - 11:00: changed back to green. Although the threat is still present, we are changing back to normal status level. User education is required to control this phishing threat.
MOREnet Security Status Friday, December 14, 2007.
MOREnet Security Status was changed to yellow because of multiple spear phishing attempts happening at all MOREnet member sites.
The first spear phishing message arrives with the subject line: VERIFY YOUR *name* EMAIL ACCOUNT NOW, where *name* is replaced with your organization's name. We sent an example of this email message to the security-l list. We should be able to block this email for subscribers of the MOREnet Email and Virus Spam filtering service. As long as the subject line doesn't change, it should begin being blocked this afternoon.
The second message, while it doesn't seem to be as widespread, is probably more nefarious because it installs a keystroke logger on the machine. The subject line on this second message is targeted to an individual:
Pending complaint for (User's name), (Organization's name) (Registration Number: *number*)
There is a zip attachment with the message which is the PWSteal.Trojan. You can read more about the Trojan at Symantec's web site.
Websense has an example of this second type of message.
We will probably NOT be able to block these email messages because the subject line changes for every organization. The only long-term solution for this problem is user education.
MOREnet Security status beginning, Wednesday, March 1, 2006.