Endpoint Protection

  • 1.  new Dorkbot 12\3\15

    Posted Dec 04, 2015 08:59 AM

    Is SEPM 12 protected from this new Dorkbot? See below

     

    https://www.us-cert.gov/ncas/alerts/TA15-337A

     



  • 2.  RE: new Dorkbot 12\3\15

    Posted Dec 04, 2015 09:09 AM

    They have signatures for it, called W32.Inabot by Symantec, but nothing specific to the latest detection. It's been around for a while though:

    AV signatures:

    https://www.symantec.com/security_response/writeup.jsp?docid=2013-042312-3124-99&tabid=3

    https://www.symantec.com/security_response/writeup.jsp?docid=2013-043013-4522-99

    IPS signature:

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26662

    Your best bet here is to keep IPS up to date as well as some user security awareness.

    I reviewed all updates for December 2015 and don't see anything yet:

    https://www.symantec.com/security_response/definitions/certified/detail.jsp?certid=2015-12



  • 3.  RE: new Dorkbot 12\3\15

    Posted Dec 04, 2015 12:41 PM

    Can you please let us know when a signature is released?



  • 4.  RE: new Dorkbot 12\3\15

    Posted Dec 07, 2015 05:23 AM

    Hi Artk1,

    Thanks for the query.  I confirm what is posted above: this is a botnet that has been around for about 4 years.  Symantec does have detections for the latest Dorkbot malware.  The files are detected as W32.IRCBot.NG, W32.IRCBot and related signatures.

    Please do ensure that your organization is well defended:

    Symantec Endpoint Protection – Best Practices
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Should you encounter new, undetected samples, please do submit them to Security Response for analysis!

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

     

    For the benefit of future visitors with the same query, please do take the time to mark this thread as solved if your question has been answered.

    With thanks and best regards,

    Mick

     



  • 5.  RE: new Dorkbot 12\3\15

    Posted Dec 07, 2015 09:08 AM

    Adding another IPS signature:

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26764