[unisog] zotob and returning students, what are you going to do?

infosec@yorku.ca infosec at yorku.ca
Thu Aug 18 19:45:50 GMT 2005


We're doing some similar stuff but consider the following:

1.  Our DHCP server gives out IPs with a netmask of and 
gateway of the DHCP server itselt.  Thus the only computer on the 
"authentication/registration" vlan that they should be able to talk to is 
the DHCP server itself.

2.  We are using a modified/customized and beefed up version of UofT's ESP 
which we dubbed YSS.  A user cannot get to the registration until they 
pass the client-side scan.  Thus... if they have Zotob.. and cannot apply 
the patches (which we allow via proxying through the same server) they 
cannot get a "clean bill of health."  Therefore, they cannot register and 
are instructed to contact our helpdesk for assistance.

We feel that with these measures in place we should be "relatively" 
prepared for much of the chaos that will undoubtedly ensue.  This is not a 
panacea though.  Allowing routers on the network adds one level of 
complication that only the original system will be forced to conduct this 
procedure.  We have yet to generate a viable solution for this case. 
Nonetheless, hopefully (crossing fingers and knocking on wood) the overall 
impact should be controllable and hopefully significantly better than 
years past.

Information Security
York University
Toronto, ON Canada
infosec at yorku.ca

On Thu, 18 Aug 2005, Matt Ashfield wrote:

> Hey All
> Well, with this new worm out, and students returning in the next couple of
> weeks, we're starting to wonder what impact this is going to have on our
> network when thousands of student home computers show up on campus and
> connect to our network. Most of these are uneducated users who are running a
> mélange of outdated and unpatched versions of Windows.
> <insert Blaster Worm flashbacks here>
> We have a system in place to scan for and apply windows updates as well as
> do some other scans (spyware and virus) before a user is fully connected to
> the network. But we have noticed a serious flaw. With some versions of
> Zotob, it prevents you from properly applying Microsoft patches. You could
> scan for and remove zotob, THEN apply the patches, but in that short period
> of time between the scan and the patching, will users (we're thinking
> Residence users here mainly) get infected so quick (more blaster
> flashbacks...) that they won't be able to apply the necessary patches in
> time and run into more problems?
> I guess I’m just floating this out here for discussion and am wondering what
> others are doing. We block 445 at the perimeter, but once students are in
> Residence, they pretty much do what they want within that network.
> Matt Ashfield
> Network Analyst
> Integrated Technology Services
> University of New Brunswick
> (506) 447-3033
> mda at unb.ca
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

More information about the unisog mailing list