Slashdot Mirror


Universities Taken Offline to Fight Worms, Viruses

chrismg2003 writes "Universities nationwide are opening their doors to new students but closing off their network services. The Blaster worm has caused universities to take drastic actions to protect their campus networks. Universities have gone as far as shutting down their entire resnet network and bringing it back up dorm-by-dorm after each computer has been certified worm-free. The ICMP ping requests alone have brought down my university's resnet multiple times, and we are scrambling to clean the worm from all computers before it forces us to follow suit with other universities."

28 of 450 comments

  1. Re:Places of Wisdom? by abh · · Score: 5, Insightful

    > upgrade to a more secure operating system. If you mean Linux, I assume you somehow are going to fund training all the students how to use it, along with getting all of the school's faculty and staff to support it, along with providing for Linux patch management efforts. Yeah, right. Back to the real world we go...

  2. What's the point of a virus by Anonymous Coward · · Score: 1, Insightful

    Let's see here...

    Two scenarios

    Scenario A-

    Computers taken offline. Productivity is lost entirely.

    Scenario B-
    Virus hits. Productivity reduced.

    Hmm.

    1. Re:What's the point of a virus by shepd · · Score: 2, Insightful

      What's missing is the time duration:

      >Scenario A-

      Probably about 2 hours. That's a 25% total productivity loss for a day, if you happen to include lunch as being productive.

      >Scenario B-

      Okay, let's say the virus hangs about for a week, and causes a 10% productivity loss. Compressed to one day, that's a 50% productivity loss.

      Seems to me scenario A is the best choice...

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  3. Re:They should have patched IN JULY by dicepackage · · Score: 2, Insightful

    It doesn't work when most students bring computers in from home that are unpatched.

  4. Say what? by ldm · · Score: 5, Insightful
    "I think we really need to groom a new type of student who is responsible for their computer security," said Kathy Gillette, manager of George Mason University's beleaguered tech support center. "A lot of them lived at home and mom or dad took care of the computer so they've never learned how to fix them, but hopefully we'll be able to teach them that too."
    *blink* I have yet to encounter a situation where a college-level student has their home computer taken care of by a parent... quite the opposite, usually. WTF?
    1. Re:Say what? by RatBastard · · Score: 2, Insightful

      What you don't understand is that most of these computers are never repaired. They aren't patched and they are never cleaned of virii or spyware.

      --
      Boobies never hurt anyone. - Sherry Glaser.
  5. offline? by Anonymous Coward · · Score: 1, Insightful

    The ICMP ping requests alone have brought down PLU's gatekeeper (resnet) multiple times

    Sounds like somebody needs better sysadmins to me. Perhaps a better network layout wouldn't hurt either.
    Why not block those ICMP requests at the switches to each bank of dorms? You do have switches, don't you? You can then look at the logs and find out which machines are infected.
    Why not deny any outgoing SMTP traffic from resnet machines?
    Why not block the ports used by these specific worms?
    Why not implement some proxy servers, so that students at least have access to the web while everything else is offline?

    if you were working at a real company, and not a dorm, you'd be fired for "shutting down the network". disabling all services is NOT an acceptable solution.
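The poster's suggestion of reading the switch or router logs to find the infected machines, and then blocking them per dorm bank, is easy to automate. The following is an added example (not code from the original thread or from any university's resnet) that flags hosts sweeping a subnet with ICMP echo or probing the ports Blaster used (TCP 135 for the RPC/DCOM exploit, TCP 4444 for its shell, UDP 69 for the TFTP fetch) and emits block rules for them. The log format, thresholds, addresses and iptables rule shape are assumptions for the example; the sample log is constructed inline.

```python
"""Flag likely Blaster-style infections from per-flow logs and emit block rules."""
import re
from collections import defaultdict

# Hypothetical one-flow-per-line export: "timestamp src dst proto port-or-type".
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(icmp|tcp|udp)\s+(\S+)$"
)

# Ports Blaster used: TCP 135 (RPC/DCOM exploit), TCP 4444 (remote shell), UDP 69 (tftp).
BLASTER_PORTS = {("tcp", "135"), ("tcp", "4444"), ("udp", "69")}


def build_sample_log():
    """Constructed sample: one sweeping/probing host, one host behaving normally."""
    lines = []
    for i in range(1, 41):  # 10.20.3.17 pings forty distinct hosts in 10.20.4.0/24
        lines.append(f"2003-08-25T09:00:{i % 60:02d} 10.20.3.17 10.20.4.{i} icmp echo")
    for i in range(1, 16):  # ...and probes TCP 135 on fifteen hosts in 10.20.5.0/24
        lines.append(f"2003-08-25T09:01:{i:02d} 10.20.3.17 10.20.5.{i} tcp 135")
    lines += [  # 10.20.3.20: two pings to the gateway and some web traffic
        "2003-08-25T09:00:05 10.20.3.20 10.20.0.1 icmp echo",
        "2003-08-25T09:00:06 10.20.3.20 10.20.0.1 icmp echo",
        "2003-08-25T09:00:07 10.20.3.20 198.51.100.10 tcp 80",
        "2003-08-25T09:00:08 10.20.3.20 198.51.100.10 tcp 443",
    ]
    return lines


def parse(lines):
    """Yield (timestamp, src, dst, proto, port) tuples, skipping malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_suspects(lines, icmp_threshold=20, scan_threshold=10):
    """Return {src_ip: [reasons]} for hosts whose fan-out looks like a worm, not a user.

    Counting distinct destinations (not packets) is what separates a sweep from a
    single busy download: a worm touches many hosts, a user touches few.
    """
    icmp_targets = defaultdict(set)
    port_targets = defaultdict(set)
    for _ts, src, dst, proto, port in parse(lines):
        if proto == "icmp" and port == "echo":
            icmp_targets[src].add(dst)
        elif (proto, port) in BLASTER_PORTS:
            port_targets[src].add(dst)

    suspects = {}
    for src in set(icmp_targets) | set(port_targets):
        reasons = []
        if len(icmp_targets[src]) >= icmp_threshold:
            reasons.append(f"icmp sweep of {len(icmp_targets[src])} hosts")
        if len(port_targets[src]) >= scan_threshold:
            reasons.append(f"blaster-port probes to {len(port_targets[src])} hosts")
        if reasons:
            suspects[src] = reasons
    return suspects


def quarantine_rules(suspects):
    """Per-host drop rules for the dorm-bank gateway (rule shape is an assumption)."""
    return [f"iptables -A FORWARD -s {ip} -j DROP" for ip in sorted(suspects)]


def worm_port_rules():
    """Permanent inbound blocks for the Blaster ports on the campus edge."""
    return [f"iptables -A FORWARD -p {proto} --dport {port} -j DROP"
            for proto, port in sorted(BLASTER_PORTS)]


if __name__ == "__main__":
    found = find_suspects(build_sample_log())
    for ip, why in found.items():
        print(ip, "->", "; ".join(why))
    print("\n".join(quarantine_rules(found)))
```

Blocking the Blaster ports at the edge stops re-infection from outside but not dorm-to-dorm spread; the per-host rules are what lets a dorm come back up while its infected machines stay off.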

  6. Re:Can ISPs get with it too? by AuMatar · · Score: 3, Insightful

    No. My computer is patched, and I pay for web access. I will NOT put up with being shut down for no reason. Either they need to target the virus vectors, or don't do it at all. The minute my machine is ever turned off because someone near me has a virus is the minute I cancel my account and change providers.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  7. OK, great. At least there are funny quotes by randyest · · Score: 4, Insightful

    The action seems perfectly reasonable to me:

    To get the school's message across, all students were asked to sign a document confirming that their computers were updated with all the needed security upgrades. Not enough students confirmed that their machines were updated, prompting the GMU action today. Administrators said they would try later today to reconnect dorms, weeding out students with infected PCs. Students living off campus can continue to dial in to the campus computer network.

    Looks like the kids are getting a decent deal on virus-removal and system updates too:

    Students are being charged $30 if a university technician is called in to clean an infected machine, a school spokesman said. Students can go to off-campus experts for a fix but must certify that their computers are updated with the latest security fixes before being allowed to access the campus network.

    Hmph, I can't find anything wrong here. Of course, there are a couple of choice quotes from the kids who, I believe, are our future:

    Kimberly Borchert, a 19-year-old sophomore, said her computer "freaked out" as soon as she plugged it into the school's network last week.

    Freshman Andrew Canose was one of several GMU students who encountered problems after installing the university-provided anti-virus software. Canose found the new program conflicted with an older anti-virus program already on his computer. "My computer is like at war with itself and won't work," he said.


    But my favorite lines are from the admins, such as this gem:

    "I think we really need to groom a new type of student who is responsible for their computer security," said Kathy Gillette, manager of George Mason University's beleaguered tech support center. "A lot of them lived at home and mom or dad took care of the computer so they've never learned how to fix them, but hopefully we'll be able to teach them that too."

    And the classic:

    "There were a certain percentage of students that wouldn't listen to us unless we hit them upside the head with a lockout," he said. "You simply can't deal with these problems until you've got your network under control."


    --
    everything in moderation
  8. Switching Operating Systems is not the answer. by dustinmarc · · Score: 2, Insightful

    Saying that everyone should switch operating systems is not the answer to the problem. Although Windows has more than its share of problems, other operating systems aren't flawless. If everyone went out tomorrow and switched to a Mac or Linux I can promise you that the number of viruses and worms for these systems would go through the roof. Considering that an average user either (a) doesn't know how to, or (b) doesn't even bother trying to use something as simple as Windows Update, do you really think they are going to know how to secure a Unix-based system?

    --


    Microsoft should hire me. I can write code that doesn't work faster than the guys they have doing it now.
  9. Here's a solution by geekoid · · Score: 2, Insightful

    Toss a webpage up that says:
    "We detected MSBlaster on your machine, please go to Microsoft support and download the appropriate patch."

    Just let it sit there for 60 seconds, then let them continue on.

    After they hit the site three times, send them an email with directions. Always point towards Microsoft support.
    All this can be automated pretty darn quickly.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:Here's a solution by Karl+Cocknozzle · · Score: 4, Insightful
      Toss a webpage up that says:
      "We detected MSBlaster on your machine, please go to Microsoft support and download the appropriate patch."

      I think this is a brilliant world. Unfortunately, there are already some sleazy companies who have pop-up ads that say the same thing. (i.e. "You're infected with MSBlaster, patch your machine, then protect yourself permanently with (whatever the company's product is called).")

      You could also exploit a common NT hole by sending an NTMESSENGER message to them. (i.e. "Message from Root@yourdomain.com: Your machine has been infected with a virus, please visit Windows Update to apply the patch ASAP.") ...But of course that would probably not have much in the way of positive effect, and would annoy plenty of people as well.
      --
      Who did what now?
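The captive-portal scheme geekoid describes (show the notice, hold the page for 60 seconds, let the student continue, mail directions after the third hit) is a small state machine per host. The following is an added example, not code from the thread or from any real resnet portal, of the decision logic such a portal would run on each HTTP request from a quarantined host. It assumes an infected-host list from some detector and an IP-to-student directory; the 15-minute browsing window after a notice, the addresses and the message text are assumptions. As Karl+Cocknozzle's reply points out, the notice has to be distinguishable from the pop-up ads that say the same thing, so the page is served from the university's own name and links only to the vendor's update site, never to a download.

```python
"""Quarantine-portal state machine: notice, 60-second hold, then pass; email on the third hit."""
from dataclasses import dataclass

HOLD_SECONDS = 60          # from the post: leave the notice up for 60 seconds
EMAIL_AFTER_HITS = 3       # from the post: mail directions after the third hit
PASS_WINDOW = 15 * 60      # assumption: how long a host may browse after sitting through a notice
UPDATE_URL = "http://windowsupdate.microsoft.com/"   # only ever link to the vendor's own site


@dataclass
class HostState:
    hits: int = 0
    hold_until: float = 0.0   # notice is enforced until this time
    pass_until: float = 0.0   # host may browse freely until this time


class QuarantinePortal:
    def __init__(self, infected, directory):
        self.infected = set(infected)       # IPs flagged by the detector
        self.directory = dict(directory)    # hypothetical IP -> student e-mail mapping
        self.state = {}
        self.emails = []                    # (to, subject, body) the portal would send

    def handle(self, ip, now):
        """Decide what the portal returns for one HTTP request from `ip` at time `now`."""
        if ip not in self.infected:
            return {"action": "pass"}
        st = self.state.setdefault(ip, HostState())
        if now < st.hold_until:              # still inside the 60-second hold
            return {"action": "notice", "hold_seconds": int(st.hold_until - now)}
        if now < st.pass_until:              # sat through the notice; let them continue
            return {"action": "pass"}
        st.hits += 1                         # a new notice: count it
        st.hold_until = now + HOLD_SECONDS
        st.pass_until = st.hold_until + PASS_WINDOW
        if st.hits == EMAIL_AFTER_HITS:
            self._send_directions(ip)
        return {"action": "notice", "hold_seconds": HOLD_SECONDS}

    def mark_clean(self, ip):
        """Called once a tech (or the detector) certifies the machine worm-free."""
        self.infected.discard(ip)
        self.state.pop(ip, None)

    def _send_directions(self, ip):
        to = self.directory.get(ip)
        if to is None:
            return   # unknown host: the block stays, a human follows up
        body = (f"ResNet detected the Blaster worm on your computer ({ip}). "
                f"Install the patch from {UPDATE_URL} and then contact the help desk "
                "to have your port re-enabled. Do not install software from any "
                "other site claiming to fix this.")
        self.emails.append((to, "Action required: Blaster worm on your computer", body))


def notice_html(ip):
    """The interstitial page: a single outbound link, no downloads, served from the portal host."""
    return (f"<html><body><h1>ResNet notice</h1><p>We detected MSBlaster on {ip}. "
            f"Please go to <a href=\"{UPDATE_URL}\">{UPDATE_URL}</a> and install the patch. "
            f"This page clears in {HOLD_SECONDS} seconds.</p></body></html>")


if __name__ == "__main__":
    portal = QuarantinePortal({"10.20.3.17"}, {"10.20.3.17": "jdoe@example.edu"})
    for t in (0, 30, 70, 961, 2000):
        print(t, portal.handle("10.20.3.17", t))
    print(portal.emails)
```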
  10. Re:Places of Wisdom? by cperciva · · Score: 2, Insightful

    people using Windows are just about as insensitive to their peers as people who, say, smoke

    No. People who don't apply security patches are about that insensitive. There are a lot of mismanaged Windows machines in the world; there are also a lot of mismanaged linux and BSD machines.

    We see Windows worms because that's a big target; but let's not delude ourselves into thinking that our favourite operating systems are immune.

  11. Re:Easily avoided, your' right! by TheAwfulTruth · · Score: 3, Insightful

    And far FAR easier than "switching" to Linux.

    Anyone "retarded" enough to get infected with a virus on Windows is FAR too "retarded" to not get their Linux box rooted. Especially with the Blaster virus. It could be blocked by two completely separate and simple prevention schemes.

    If you have your linux box, unsecured on the net, then you are the "retarded" one. You have either been rooted already and don't know it or it will happen soon.

    If you HAVE secured it, I guarantee you did more work to do so than it would have taken anyone to prevent being infected with Blaster.

    --
    Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
  12. Re:Non-windows Students by dboyles · · Score: 2, Insightful

    You should get a partial tuition refund if you don't use Windows, and thus the university's IT doesn't have to worry about you.

    Since when does using Linux mean IT doesn't have to worry about you? A friend of mine set up a Linux box a few years ago. ITS showed up at his office and shut his computer down because it was (unintentionally) DDoSing the DHCP server.

    I'm a Linux user as well, but I certainly don't think that it solves all problems. Should knowledgeable Windows users who keep their systems patched receive a tuition discount too? And students who use more than their share of network resources, should they pay more?

    --
    -- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
  13. Ow. But you know... by JimmytheGeek · · Score: 4, Insightful

    sometimes the techs are so harried for time that they don't get around to patching their own shit.

    Sometimes they are so lame they can't be bothered to wipe their own asses, either...

    Still, what a professional embarrassment!

  14. Re:Can ISPs get with it too? by Lemmy+Caution · · Score: 3, Insightful

    Of course, you get to go right past airport security without stopping, too, because you know you're not a terrorist. Right?

  15. Problem solving, by miffo.swe · · Score: 2, Insightful

    Identify what is the source of the problem and then get rid of it. In this case I think demanding safer systems would be a wise solution. Just cut off the bozos who have infected computers.

    That should make Linux etc. popular. Every Windows user has to stare at their empty NIC while the nerds just keep using the network as usual.

    --
    HTTP/1.1 400
  16. Re:Can ISPs get with it too? by Grishnakh · · Score: 4, Insightful

    Sorry, I don't buy this argument. Suppose there's some terrible disease going around. However, there's a freely-available vaccine available for anyone who's not so lazy that they can't call a number and have a county health worker at their front door in 10 minutes to personally give them a shot. There's enough vaccine available for everyone in the whole country, and then some; however, the county health workers will only come if you call. There's public service announcements all over radio, TV, the internet, and public highway signs telling you all of this, so there's no way you can't know of it. Everyone at work talks about it. Lastly, this disease only affects some people. People with green eyes are naturally immune.

    But even with all this, lots of people for some reason are just too lazy or too stupid to get this vaccine. According to you, every place should be quarantined to make sure the disease doesn't spread further, even though this is going to be a major PITA to all those people who got vaccines, and all the green-eyed people who don't have any problem in the first place. This is stupid. What should be done is just let the disease run its course, just like we do with the flu every year. Anyone too lazy or stupid to protect themselves, given how easy it is to do and how impossible it is to not know better, deserves to die.

  17. Re:Can ISPs get with it too? by CastrTroy · · Score: 0, Insightful

    Do you not realize the problem with what you just wrote?

    No Internet == No Email

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  18. A couple of incorrect premises by Tor · · Score: 3, Insightful
    Interesting article. It misses a couple of noteworthy points, though, perhaps out of the author's ignorance rather than oversight.

    • Symantec (and other anti-virus vendors), like now Microsoft, use Akamai to proxy their web site. A DDoS against the main Symantec site will only be so effective; a DDoS attack against Akamai will be severely "washed out" due to the sheer number of Akamai servers out there (some 13,000?)

    • Similarly, a DDoS against the FBI or the "Department of Homeland Defense" will only be able to target their public presence (e.g. the main FBI website), not the thousands of disparate computers used by FBI agents out there. Even if the FBI as an organization is served behind a single net presence (router, DNS, etc.) (is it?), it would be trivial for agents to temporarily or permanently gain access through other channels (e.g. as individual customers of an ISP).

    • The article mentions "whois" as a mechanized way of obtaining domain names. However, public WHOIS servers (at least those that are hosted by domain name providers) do not provide a means to obtain a list of domains - only to query for information about a given record (domain name, IP address, contact handle, etc..). In other words, "whois" lookups will not work the way that the author presumes.

    • The author also mentions open mail relays as a means for the virus [sic -- it would be a worm, not a virus] to propagate itself. This can certainly be done, but for little benefit. Most mail transport agents (MTAs) record the IP address of the connecting client in its Received: header -- by tracing the Received: header trail, one can usually get all the way back to the originating IP. Sure, this IP belongs to an "innocent" third party whose computer is infected, but, unlike the case with spam, relaying the mail through open relays will not help very much in its effort to spread.

    • The author mentions using P2P network to spread the virus via MP3 files. As far as I know, this is not possible - no MP3 player will execute malicious code given in a filename opened as a music file.

    • The author mentions putting entries into the [Windows] system registry to make the system appear to have the latest patches, when, in fact, it does not, thus disabling the "Windows Update" application from functioning properly. This will work with the version of Windows Update included in XP and earlier versions, but if the user is actually using the Windows Update application, (s)he will by now have obtained a version for which this exploit does not work.


    I'm only on page 3 of 7.. but think I have made enough comments to show that we should take this article with more than a grain of salt. I'm going to read the rest of the article now.

    -tor
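Tor's point about open relays rests on the Received: header trail: each MTA prepends a header naming the client it accepted the message from, so walking the headers top-down normally leads back to the originating IP. The following is an added example (not code from the thread) that does that walk with Python's standard `email` module. It also carries the caveat a practitioner wants: only the header added by your own MTA is authoritative, and a worm or spammer can insert bogus Received: lines below it, so the walk trusts a hop only while the chain stays linked (each hop's "by" host matches the previous hop's "from" host) and stops at the first break. The sample message, hostnames and IDs are constructed for the example; the trusted-MTA set is an assumption.

```python
"""Trace the originating IP of a mail through its Received: header chain."""
import re
from email import message_from_string, policy

# Constructed sample: our MX accepted it from an open relay, which got it from the
# infected home PC.  The third header is a fake the sender put there to mislead.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7]) by mx.example.edu with ESMTP id h7PE2BQ4; Mon, 25 Aug 2003 10:02:11 -0400
Received: from home-pc (dsl-3-4.example.org [203.0.113.45]) by relay.example.net with SMTP id 1A5x; Mon, 25 Aug 2003 10:02:01 -0400
Received: from forged.example.com ([10.0.0.1]) by smtp.example.com with SMTP; Mon, 25 Aug 2003 09:00:00 -0400
From: "Spoofed Sender" <someone@example.com>
To: victim@example.edu
Subject: Re: Thank you!

Please see the attached file.
"""

# "from <host> (<comment with [ip]>) by <host> ..." is the common Received: shape.
RECEIVED_RE = re.compile(r"from\s+(\S+)(.*?)\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the hops newest-first, as dicts with 'from', 'ip' and 'by' fields."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())          # unfold and normalise whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue                                # not a shape we can interpret
        ip = IP_RE.search(m.group(2))
        hops.append({
            "from": m.group(1).lower(),
            "ip": ip.group(1) if ip else None,
            "by": m.group(3).rstrip(";").lower(),
        })
    return hops


def origin_ip(raw, trusted_mtas):
    """Walk the chain from our own MTA down and return the last IP reached through
    linked hops.  A hop is linked if our MTA wrote it, or if its 'by' host is the
    host the previous (linked) hop said it received from.  The first break in the
    chain is where forged headers begin, so the walk stops there."""
    trusted = {h.lower() for h in trusted_mtas}
    origin = None
    expected_by = None
    for hop in received_hops(raw):
        linked = hop["by"] in trusted or (expected_by is not None and hop["by"] == expected_by)
        if not linked:
            break
        if hop["ip"]:
            origin = hop["ip"]
        expected_by = hop["from"]
    return origin


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop)
    print("origin:", origin_ip(SAMPLE_MESSAGE, {"mx.example.edu"}))
```

The linked-chain check is a heuristic: a forger who keeps the fake "by" consistent with the hop above defeats it, which is exactly why the IP in the header your own MTA wrote (here the relay's) is the only one you can act on without talking to the relay's operator.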
  19. Comp Sci students... by chill · · Score: 2, Insightful

    Any upper level (Junior/Senior) CompSci students who were infected and notified by the automated bot should be ASHAMED!

    It should also be noted in their record. (Wants to run a network, but can't figure out Windows Update, personal firewalls or anti-virus software...)

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Comp Sci students... by freeweed · · Score: 2, Insightful

      I think you'd be surprised just how many Comp Sci students don't even know what the C: drive is in windows, or what a firewall even is. I agree with your sentiment, but at least 50% of the kids I'm in school with (just finished 3rd year) still store everything in 'My Documents', use default everything within Windows, and whine and bitch every time they have to do homework using anything other than WindowsXP and Java.

      Doesn't bother me though, because the lack of competition has meant that I have gotten top pick out of any co-op jobs I've applied for :)

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  20. Re:Why Not Just Require All Students To Use MacInt by WasterDave · · Score: 2, Insightful

    Insightful? How about entirely wrong?

    Certainly there are far fewer OS X virii, but it's far from true to say it can't be done.

    Dave

    --
    I write a blog now, you should be afraid.
  21. Re:Can ISPs get with it too? by Tripster · · Score: 2, Insightful

    As someone managing 2 cable plants with dialup and wireless pools mixed in I couldn't agree more. As soon as we saw our routers get wonky I investigated to see what it was, saw more than a dozen cable clients spewing garbage like crazy and promptly blocked them at the routers.

    Next I investigated what the worm was, it was Blaster and it was brand new, we noticed it before the virus companies released a thing. I found out what ports they were using and blocked those, those ports are now permanently closed since they have no use on the public internet and can easily be handled with a VPN connection.

    Then came SoBig.F, our mail servers became bogged down as infected hosts would send a message per minute or so, so now I have instructed the mail scanner to simply discard any incoming email with a .pif/.bat/.scr attachment, everything else is still clear and still goes through a virus scanner. The blocked extensions can be legitimately sent via .zip if someone really does want to send such a file.

    Oh, our users appreciate the steps being taken to ultimately protect their systems and to help keep the network as stable as possible.

    More broadband services need to actively block certain ports and strip attachments at the door. For those that don't want blocking then feel free to get your own T1 instead.
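Tripster's SoBig.F response, discarding any mail carrying a .pif, .bat or .scr attachment while still scanning everything else, is the kind of filter a mail scanner applies before the (expensive) virus scan. The following is an added example, not Tripster's configuration or any product's code, of that check written with Python's standard `email` package. It looks at both the Content-Disposition filename and the Content-Type name parameter, compares extensions case-insensitively, and catches the double-extension trick ("holiday.jpg.scr"). The .zip exception is the poster's policy, reproduced as stated; the sample messages and addresses are constructed inline.

```python
"""Discard mail carrying executable attachment types; pass everything else on to the scanner."""
import os
from email import message_from_string, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# From the post: these go straight to the bit bucket.  .zip is deliberately allowed.
BLOCKED_EXTENSIONS = {".pif", ".bat", ".scr"}


def build_sample(filename, payload=b"MZ\x90\x00 constructed stub, not a real program"):
    """Constructed message with one attachment named `filename`."""
    msg = MIMEMultipart()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.edu"
    msg["Subject"] = "Re: Details"
    msg.attach(MIMEText("Please see the attached file."))
    att = MIMEApplication(payload, Name=filename)          # sets Content-Type name=
    att["Content-Disposition"] = f'attachment; filename="{filename}"'
    msg.attach(att)
    return msg.as_string()


def attachment_names(msg):
    """Every declared attachment name in the message, from either header that can carry it."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or part.get_param("name")
        if name:
            names.append(name)
    return names


def blocked_attachments(raw):
    """Return the attachment names that hit the block list (empty list means clean)."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for name in attachment_names(msg):
        # Lower-case and strip so "SETUP.SCR " cannot slip past; splitext takes the
        # last extension, so "holiday.jpg.scr" is judged by ".scr".
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def should_discard(raw):
    """True if the mail scanner should drop the message before virus scanning."""
    return bool(blocked_attachments(raw))


if __name__ == "__main__":
    for fname in ("thank_you.pif", "holiday.jpg.scr", "report.zip", "notes.txt"):
        verdict = "DISCARD" if should_discard(build_sample(fname)) else "scan"
        print(f"{fname}: {verdict}")
```

An extension block list is only as good as the list: it stops the attachment types the worm was sending that week and nothing else, so the virus scanner behind it still earns its keep.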

  22. Re:Places of Wisdom? by cperciva · · Score: 2, Insightful

    This bug has been in Windows for over a decade

    Yes, and there are bugs which were in Sendmail for over a decade before they were discovered. Ditto for BIND. And BSD. And it would almost certainly be the same for linux, if linux were old enough.

    My employer (who keeps up with security patches) was only halfway through the desktop update cycle.

    For some value of "keeps up with security patches" meaning "is halfway through applying security patches which were released four weeks ago".

  23. Re:Places of Wisdom? by cperciva · · Score: 2, Insightful

    A bit over half the world's domain names are hosted on Apache servers. If you look at big targets (companies running https, for example), there isn't much difference between Apache and IIS.

    This is, however, rather irrelevant to the question of worms; most of the machines hit by Code Red had IIS running (and weren't patched, of course) but weren't actually hosting any web sites.

  24. the little details... by alizard · · Score: 2, Insightful
    A person who doesn't understand how things work at the detail level has no business trying to do high-level design. Your suggestion that an EE doesn't need to know how to solder is appalling.

    The "gentleman scholar" approach you advocate to teaching engineering has been tried.

    It results in highly trained people with degrees who design and build things that don't work in the real world.