sasser virus (was Re: [unisog] student fees for cleaning.)

Russell Fulton r.fulton at
Fri May 7 23:49:55 GMT 2004

On Sat, 2004-05-08 at 07:49, Peter Van Epp wrote:

> 	While I'm not from the U of Utah, sasser here was a non event. There
> were 5 or 7 machines hit last week sometime in one day and then 1 and 2s as
> people bring in laptops or dial in from home among our 8,000+ machines.
> 	Ports 135, 137, 139, 445 are blocked in and out at the border (and
> attempting to scan out is logged and whacked) is presumably the reason why
> we didn't see a large number of infections.

I'll echo Peter's comments (more or less).  In fact we have not yet had
a single case on campus (at least that I know of).  One faculty dropped
me a note to say that one of their staff brought in a home machine that
turned out to be infected with sasser.

Our precautions are much the same as SFU's -- Argus is your friend when
it comes to quickly detecting infected systems, blocking netbios at the
boundary keeps the full onslaught at bay (but see below).

As of Friday we were about 99% patched according to our scanning but
there are still enough machines (1% of 7,000) which may be infected when
(not if) someone brings it onto campus via laptop or dialin/vpn.

One of my next projects is to revamp our measures for scanning machines
connecting via vpn, wireless and dialup.  I also want to automate
disconnection of such systems if they start scanning.

In the slightly longer term we plan to implement a network login
(probably based on 802.1x which we are using for wireless) which will
allow us to track transient machines on media other than wireless.


Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
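
The scan detection this message relies on (spotting a host that starts probing many machines on the blocked ports) can be sketched as below. This is an added example, not code from the post or from Argus: the flow-record layout (time_s, src, dst, dport), the sample addresses, the 30-second window and the 20-host threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict, deque

# Ports the thread reports blocking at the border.
WATCHED_PORTS = {135, 137, 139, 445}

# Constructed sample flow records (time_s, src, dst, dport); not real Argus output.
SAMPLE_FLOWS = "\n".join(
    [f"{i},10.0.5.23,10.0.{i // 200}.{i % 200 + 1},445" for i in range(40)]
    + ["3,10.0.7.9,10.0.1.10,445", "9,10.0.7.9,10.0.1.10,139",
       "12,10.0.7.9,10.0.1.11,445", "15,10.0.8.4,10.0.1.10,80"]
)


def find_scanners(flow_text, window_s=30, max_targets=20):
    """Return {src: peak distinct targets} for sources that contact more than
    max_targets distinct hosts on watched ports within window_s seconds."""
    rows = sorted(
        (int(t), src, dst, int(port))
        for t, src, dst, port in csv.reader(io.StringIO(flow_text))
    )
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> flows in window
    peaks = {}
    for t, src, dst, port in rows:
        if port not in WATCHED_PORTS:
            continue
        q, c = recent[src], counts[src]
        q.append((t, dst))
        c[dst] += 1
        # Expire flows that fell out of the sliding window.
        while q and q[0][0] <= t - window_s:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > max_targets:
            peaks[src] = max(peaks.get(src, 0), len(c))
    return peaks


if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct hosts on watched ports within window")
```

Counting distinct destinations rather than raw flows keeps a busy file-server client (many flows, few peers) from being flagged alongside a scanning host.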
