Bug Fixed in Sophos Anti-Virus for Mac OS X

If you were experiencing issues with your Sophos client on the Mac, they should now be fixed with the release of Sophos Anti-Virus for Mac OS X 9.1.7. The update was issued to users at MIT running version 9.1.6, and they should be experiencing no more problems.

If, for whatever reason, you did not receive the update or are still experiencing the issues described in the article linked above, please contact the Help Desk: http://ist.mit.edu/help.

A Year After Sophos Was Released to MIT

There are over 14,000 MIT computers currently running Sophos Anti-Virus. These include computers in the WIN domain as well as self-administered MIT hosts. If you aren’t familiar with Sophos: once installed, the software runs in the background with little to no interruption to your work. When Sophos finds an infected file, it alerts you and locks the file; you can then delete the file using the Sophos Quarantine Manager. Because the client communicates with the Sophos Management Console (administered by IS&T), useful information such as the status and health of the Sophos client on each machine is reported to the console.

GameOver Zeus P2P Malware

GameOver Zeus (GOZ), a peer-to-peer variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers for command-and-control.

The malware was used by criminals to infect victims with ransomware such as Cryptolocker. Although the government has taken control of GameOver’s servers, preventing further Cryptolocker infections, many computers, perhaps hundreds of thousands, remain infected.

Systems at risk:

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

The US government recently released this technical advisory on GOZ to provide further information. A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users’ credentials for online services, including banking services.

One of the solutions provided in the advisory is to use and maintain anti-virus software. The software supplied by Information Systems & Technology at MIT, Sophos Anti-Virus, protects against this malware. To clean up a computer already infected, Sophos also offers a separate, free Virus Removal Tool.

Read more at Sophos online.

Hacked, Now What?

This month’s issue of OUCH!, the security awareness newsletter from SANS.org, covers how to determine whether your computer has been hacked and, if so, what you can do about it.

It can happen even when you’re being careful about browsing online and downloading software. Here are some things mentioned in the issue of OUCH! to keep in mind and to help you survive a computer virus:

  • To see if the computer has been compromised: check your anti-virus program for any indication that it was unable to move affected files to quarantine. Other indicators may be programs running that you did not install, windows or ads popping open without your requesting them, or the computer crashing or running very slowly.
  • The sooner you respond to a compromise, the better. Contact the Help Desk and, if it involves a work computer, your supervisor.
  • DO NOT turn the computer off. You may destroy valuable evidence.
  • Disconnect the computer from the network and put it to sleep.
  • Ways to survive a compromise: make sure you have backups running.
  • Change your important passwords (all of them) from a computer you trust.
  • The computer may need to be rebuilt from scratch. A professional help desk will save your data, if possible, and wipe the computer clean of all software, then reinstall the operating system and files, after ensuring none of them are infected.

For information on how to respond to a compromise when at MIT, see the Knowledge Base.

Upcoming Event: Sophos and Sophos Reporting on March 6th

The IT Partners planning team has announced its next luncheon. Andrew Munchbach from the Security Operations team will discuss MIT’s anti-virus software, Sophos, as well as running reports from Sophos.

Please join us on Thursday March 6 at 12:00 in Marlar Lounge (37-252).

Lunch will be served at noon, and the discussion will begin promptly at 12:15. Please confirm if you plan to attend by sending email to rsvp-itpartners@mit.edu.

Sophos Replaces McAfee at MIT

There has been quite a bit of activity recently to improve information security at the Institute. One such effort, initiated by Information Systems & Technology, is aimed at providing the MIT community with a new malware protection product. After several months of testing, Sophos Anti-Virus was selected by IS&T as the best solution.

As of July 1, you can download Sophos to a Mac, PC or Linux machine; documentation on installing and using Sophos has been added to The Knowledge Base.

Sophos is replacing the malware protection products from McAfee. One of the most important differences between the two is that Sophos comes with console management, which provides IT administrators with useful intelligence, including notifications when malware has been detected on machines. The software has also been shown to run more quietly (and almost invisibly) in the background.

Please contact the IS&T Help Desk for any questions or concerns.

McAfee’s Code-Signing Problem with Mac OS X

Last week, McAfee accidentally revoked the digital key the company uses to certify applications that run on Apple’s Mac OS X platform. The incident caused problems for customers who wanted to install or upgrade their Mac antivirus products.

If you have been attempting to install or upgrade McAfee Security for Mac, you may have noticed that the application was blocked from running on the system. Temporarily disabling Gatekeeper did not allow installation to proceed.

Luckily, McAfee engineers resolved the issue and have provided an updated binary of McAfee Security 1.2 for Mac. The new installer is available on the IS&T Software Grid.

The latest information on the issue is posted here.