[unisog] zotob and returning students, what are you going to do?

Ramon Kagan rkagan at yorku.ca
Thu Aug 18 20:30:29 GMT 2005


That is true.  We run the noxscan (formerly 011scan) on at least an hourly 
basis to scan our class B as well as our private address space.  Takes 
about 10 minutes on a severely underpowered Pentium 2 - 333 with 96 MB 
RAM.  We will be upgrading that soon, so odds are the scan will be under 5 
minutes.  The output of the scan is forwarded to an autoprocess we've 
developed that contacts the user or appropriate tech group to fix the 
problem.  However, this is for systems already on the network and thus 
reactive.  Our other solution, YSS, is designed to be far more proactive.

Ramon Kagan, GCIA
York University, Computing and Network Services
Information Security  -  Senior Information Security Analyst
(416)736-2100 #20263
rkagan at yorku.ca

-----------------------------------   ------------------------------------
I have not failed.  I have just        I don't know the secret to success,
found 10,000 ways that don't work.     but the secret to failure is
                                       trying to please everybody.
        - Thomas Edison                        - Bill Cosby
-----------------------------------   ------------------------------------

On Thu, 18 Aug 2005, William O'Malley wrote:

> NASL scripts from Nessus and/or this tool has been mentioned a bunch:
> http://infosec.yorku.ca/tools/
> On 8/18/05 2:12 PM, "Matt Ashfield" <mda at unb.ca> wrote:
>> Hey All
>> Well, with this new worm out, and students returning in the next couple of
>> weeks, we're starting to wonder what impact this is going to have on our
>> network when thousands of student home computers show up on campus and
>> connect to our network. Most of these are uneducated users who are running a
>> mélange of outdated and unpatched versions of Windows.
>> <insert Blaster Worm flashbacks here>
>> We have a system in place to scan for and apply windows updates as well as
>> do some other scans (spyware and virus) before a user is fully connected to
>> the network. But we have noticed a serious flaw. With some versions of
>> Zotob, it prevents you from properly applying Microsoft patches. You could
>> scan for and remove zotob, THEN apply the patches, but in that short period
>> of time between the scan and the patching, will users (we're thinking
>> Residence users here mainly) get infected so quickly (more blaster
>> flashbacks...) that they won't be able to apply the necessary patches in
>> time and run into more problems?
>> I guess I'm just floating this out here for discussion and am wondering what
>> others are doing. We block 445 at the perimeter, but once students are in
>> Residence, they pretty much do what they want within that network.
>> Matt Ashfield
>> Network Analyst
>> Integrated Technology Services
>> University of New Brunswick
>> (506) 447-3033
>> mda at unb.ca
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/unisog
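Ramon's hourly scan feeding an "autoprocess" that contacts the user or the right tech group is the kind of loop sketched below. This is an added example for the thread, not York's code: it parses scanner output in an assumed "<ip> <status>" format, routes each host by subnet or registered owner, and suppresses repeat notices across hourly runs unless a host's status worsens or a suppression window has passed. The routing table, owner registry, status words and window length are all constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed routing table (assumption): which tech group owns which range.
# Hosts outside every listed range go to their registered owner, if known.
TECH_GROUPS = {
    ipaddress.ip_network("10.20.0.0/16"): "residence-support",
    ipaddress.ip_network("10.30.0.0/16"): "library-it",
}
# Constructed owner registry (assumption): host -> contact handle.
OWNERS = {"10.40.1.7": "jdoe", "10.40.1.9": "asmith"}

# Assumed status words emitted by the scanner; higher number is worse.
SEVERITY = {"infected": 2, "vulnerable": 1}
# Do not nag about an unchanged finding more often than this (assumption).
RENOTIFY_AFTER = timedelta(hours=24)


def route(ip):
    """Pick the contact: tech group by subnet, else registered owner, else fallback."""
    addr = ipaddress.ip_address(ip)
    for net, group in TECH_GROUPS.items():
        if addr in net:
            return group
    return OWNERS.get(ip, "security-oncall")


def process(scan_lines, state, now):
    """Turn one scan run into notifications.

    scan_lines: '<ip> <status>' lines (assumed format); junk lines are skipped.
    state: dict ip -> (status, last_notified), carried between hourly runs.
    Returns a list of (contact, ip, status). A host already in state is only
    re-notified when its status worsens or RENOTIFY_AFTER has elapsed.
    """
    notices = []
    for line in scan_lines:
        parts = line.split()
        if len(parts) != 2 or parts[1] not in SEVERITY:
            continue
        ip, status = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, not a host we can act on
        prev = state.get(ip)
        worsened = prev is not None and SEVERITY[status] > SEVERITY[prev[0]]
        due = prev is None or now - prev[1] >= RENOTIFY_AFTER
        if worsened or due:
            notices.append((route(ip), ip, status))
            state[ip] = (status, now)
    return notices
```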
