Universities Taken Offline to Fight Worms, Viruses

chrismg2003 writes "Nationwide universities are opening their doors to new students but closing off their network services. The Blaster worm has caused universities to take drastic actions to protect their campus networks. Universities have gone as far as shutting down their entire resnet network and bringing it back up dorm-by-dorm after each computer has been certified worm-free. The ICMP ping requests alone have brought down my university's resnet multiple times and we are scrambling to clean the worm from all computers before it forces us to follow suit with other universities."

Re:Places of Wisdom?

[abh]

> upgrade to a more secure operating system. If you mean Linux, I assume you somehow are going to fund training all the students how to use it, along with getting all of the school's faculty and staff to support it, along with providing for Linux patch management efforts. Yeah, right. Back to the real world we go...

Say what?

[ldm]

"I think we really need to groom a new type of student who is responsible for their computer security," said Kathy Gillette, manager of George Mason University's beleaguered tech support center. "A lot of them lived at home and mom or dad took care of the computer so they've never learned how to fix them, but hopefully we'll be able to teach them that too."

*blink* I have yet to encounter a situation where a college-level student has their home computer taken care of by a parent... quite the opposite, usually. WTF?

Re:Can ISPs get with it too?

[AuMatar]

No. My computer is patched, and I pay for web access. I will NOT put up with being shut down for no reason. Either they need to target the virus vectors, or don't do it at all. The minute my machine is ever turned off because someone near me has a virus is the minute I cancel my account and change providers.

OK, great. At least there are funny quotes

[randyest]

The action seems perfectly reasonable to me:

To get the school's message across, all students were asked to sign a document confirming that their computers were updated with all the needed security upgrades. Not enough students confirmed that their machines were updated, prompting the GMU action today. Administrators said they would try later today to reconnect dorms, weeding out students with infected PCs. Students living off campus can continue to dial in to the campus computer network.

Looks like the kids are getting a decent deal on virus-removal and system updates too:

Students are being charged $30 if a university technician is called in to clean an infected machine, a school spokesman said. Students can go to off-campus experts for a fix but must certify that their computers are updated with the latest security fixes before being allowed to access the campus network.

Hmph, I can't find anything wrong here. Of course, there are a couple of choice quotes from the kids who, I believe, are our future:

Kimberly Borchert, a 19-year-old sophomore, said her computer "freaked out" as soon as she plugged it into the school's network last week.

Freshman Andrew Canose was one of several GMU students who encountered problems after installing the university-provided anti-virus software. Canose found the new program conflicted with an older anti-virus program already on his computer. "My computer is like at war with itself and won't work," he said.

But my favorite lines are from the admins, such as this gem:

"I think we really need to groom a new type of student who is responsible for their computer security," said Kathy Gillette, manager of George Mason University's beleaguered tech support center. "A lot of them lived at home and mom or dad took care of the computer so they've never learned how to fix them, but hopefully we'll be able to teach them that too."

And the classic:

"There were a certain percentage of students that wouldn't listen to us unless we hit them upside the head with a lockout," he said. "You simply can't deal with these problems until you've got your network under control."

Re:Easily avoided, your' right!

[TheAwfulTruth]

And far FAR easier than "switching" to Linux.

Anyone "retarded" enough to get infected with a virus on Windows is FAR too "retarded" to not get their linux box rooted. Especially with the blaster virus. It could be blocked by two compeltely seperate and simple prevention schemes.

If you have your linux box, unsecured on the net, then you are the "retarded" one. You have either been rooted already and don't know it or it will happen soon.

If you HAVE secured it, I guarantee you did more work to do so that it would have taken anyone to prevent being infected with Blaster.

Ow. But you know...

[JimmytheGeek]

sometimes the techs are so harried for time that they don't get around to patching their own shit.

Sometimes they are so lame they can't be bothered to wipe their own asses, either...

Still, what a professional embarassment!

Re:Can ISPs get with it too?

[Lemmy+Caution]

Of course, you get to go right past airport security without stopping, too, because you know you're not a terrorist. Right?

Re:Can ISPs get with it too?

[Grishnakh]

Sorry, I don't buy this argument. Suppose there's some terrible disease going around. However, there's a freely-available vaccine available for anyone who's not so lazy that they can't call a number and have a county health worker at their front door in 10 minutes to personally give them a shot. There's enough vaccine available for everyone in the whole country, and then some; however, the county health workers will only come if you call. There's public service announcements all over radio, TV, the internet, and public highway signs telling you all of this, so there's no way you can't know of it. Everyone at work talks about it. Lastly, this disease only affects some people. People with green eyes are naturally immune.

But even with all this, lots of people for some reason are just too lazy or too stupid to get this vaccine. According to you, every place should be quarantined to make sure the disease doesn't spread further, even though this is going to be a major PITA to all those people who got vaccines, and all the green-eyed people who don't have any problem in the first place. This is stupid. What should be done is just let the disease run its course, just like we do with the flu every year. Anyone too lazy or stupid to protect themselves, given how easy it is to do and how impossible it is to not know better, deserves to die.

A couple of incorrect premises

[Tor]

Interesting article. It misses a couple of noteworthy points, though, perhaps out of the author's ignorance rather than oversight.

• Symantec (and other anti-virus vendors), like now Microsoft, use Akamai to proxy their web site. A DDoS against the main Symantec site will only be so effective; a DDoS attack against Akamai will be severely "washed out" due to the sheer number of Akamai servers out there (some 13,000?)
  
  
• Similarly, a DDoS against FBI or the "Department of Homeland Defense" will only be able to target their public presence (e.g. the main FBI website), not the thousands of disparate computers used by FBI agents out there. Even if FBI as an organization are served behind a single net.presence (router, dns, etc) (are they?), it would be trivial for agents to temporarily or permanently gain access through other channels (e.g. as individual customers of an ISP).
  
  
• The article mentions "whois" as a mechanized way of obtaining domain names. However, public WHOIS servers (at least those that are hosted by domain name providers) do not provide a means to obtain a list of domains - only to query for information about a given record (domain name, IP address, contact handle, etc..). In other words, "whois" lookups will not work the way that the author presumes.
  
  
• The author also mentions open mail relays as a means for the virus [sic -- it would be a worm, not a virus] to propagate itself. This can certainly be done, but for little benefit. Most mail transport agents (MTAs) record the IP address of the connecting client in its Received: header -- by tracing the Received: header trail, one can usually get all the way back to the originating IP. Sure, this IP belongs to an "innocent" third party whose computer is infected, but, unlike the case with spam, relaying the mail through open relays will not help very much in its effort to spread.
  
  
• The author mentions using P2P network to spread the virus via MP3 files. As far as I know, this is not possible - no MP3 player will execute malicious code given in a filename opened as a music file.
  
  
• The author mentions putting entries into the [Windows] system registry to make the system appear to have the latest patches, when, in fact, it does not, thus disabling the "Windows Update" application from functioning properly. This will work with the version of Windows Update included in XP and earlier versions, but if the user is actually using the Windows Update application, (s)he will by now have obtained a version for which this exploit does not work.
  

I'm only on page 3 of 7.. but think I have made enough comments to show that we should take this article with more than a grain of salt. I'm going to read the rest of the article now.

-tor

Re:Here's a solution

[Karl+Cocknozzle]

Toss a webpage up that says:
"We detected MSblaster on you machine, please goto to microsoft wupport, and download the appropriet patch"

I think this is a brilliant world. Unfortunately, there are already some sleazy companies who have pop-up ads that say the same thing. (ie. "You're infected with MSBlaster, patch your machine, then protect yourself permanently with (whatever the company's product is called.)"

You could also exploit a common NT hole by sending an NTMESSENGER message to them. (ie. "Message from Root@yourdomain.com: Your machine has been infected with a virus, please visit Windows Update to apply the patch ASAP.) ...But of course that would probably not have much in the way of positive effect, and would annoy plenty of people as well.