[unisog] zotob and returning students, what are you going to do?

Leigh Vincent l.vincent at ballarat.edu.au
Fri Aug 19 00:51:53 GMT 2005

One of the things we have in place is that most of our internal switches filter tcp/445 and we also have a firewall device on our res. network.  Also we are trying to make use of any means possible to heighten user awareness to patch Patch PATCH.

Just out of interest... What do people think about the newly identified msdds.dll exploit (http://isc.sans.org)?


Leigh Vincent
Information Security Officer
Information Services
University of Ballarat
PO Box 663

Ph.: 03-5327 9386
Mobile: 0439 357 203 
l.vincent at ballarat.edu.au

>>> "Matt Ashfield" <mda at unb.ca> 08/19/05 4:12 am >>>
Hey All

Well, with this new worm out, and students returning in the next couple of
weeks, we're starting to wonder what impact this is going to have on our
network when thousands of student home computers show up on campus and
connect to our network. Most of these are uneducated users who are running a
mélange of outdated and unpatched versions of Windows.

<insert Blaster Worm flashbacks here>

We have a system in place to scan for and apply windows updates as well as
do some other scans (spyware and virus) before a user is fully connected to
the network. But we have noticed a serious flaw. With some versions of
Zotob, it prevents you from properly applying Microsoft patches. You could
scan for and remove zotob, THEN apply the patches, but in that short period
of time between the scan and the patching, will users (we're thinking
Residence users here mainly) get infected so quickly (more blaster
flashbacks...) that they won't be able to apply the necessary patches in
time and run into more problems?

I guess I'm just floating this out here for discussion and am wondering what
others are doing. We block 445 at the perimeter, but once students are in
Residence, they pretty much do what they want within that network.

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
mda at unb.ca 
