Educause Security Discussion mailing list archives

Re: Virus/Trojan/Worm in the Dorms


From: Hendra Hendrawan <hendra () YORKU CA>
Date: Fri, 2 Sep 2011 22:43:08 -0400

 $z

Sent from mobile device


----- Original Message -----
From: Dennis Meharchand [dennis () VALTX COM]
Sent: 09/02/2011 08:35 PM AST
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virus/Trojan/Worm in the Dorms



Valt.X Technologies is a Vendor - this is a Vendor Response.

They are going to need to take all of the computers off the network and
clean them.

Where we can help is this : We have developed a lock down technology called
Valtx Absolute Security for Windows.

It locks down the C: Drive so any attempted malware infection gets deflected
and eliminated with a simple reboot.

Unlike Anti-Virus which may miss 50-100% of new malware Valtx Absolute
Security for Windows covers 100% of all malware - known or new zero day.

With a lock down technology implemented they don't have to worry about
re-infection as every reboot eliminates anything that may have attacked the
computer.



Perhaps the best way to clean the systems is to take the hard drives out and
connect them to a clean system with updated Anti-Virus or download a free
online tool such as Trend Micro's Housecall available at
http://housecall.trendmicro.com/housecall/ .



I said we could help - here's my offer:

Valt.X is a startup about to launch Valtx Absolute Security for Windows.

If they contact me I'll arrange for them to get free copies for all of the
students' computers.



Cheers,



Dennis Meharchand

CEO, Valt.X Technologies Inc.

Cell: 416-618-4622

Email: dennis () valtx com

Web: www.valtx.com



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Allen Wood
Sent: September 2, 2011 7:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Virus/Trojan/Worm in the Dorms



I'm sending this on behalf of a neighboring college.  It looks like they
need help in a pretty bad way... here's their message-

****************

We've got a bit of a mess here - not quite sure how we're going to deal with
it.  We contract with AT&T to provide internet service in our dorms.  We
don't provide tech support to our students for their personal computers.
Even if that weren't our policy, two techs can't provide technical support
to 900 kids (not to mention the other 1900 computers we have that are spread
over 4 different campuses).

This trojan turns computers into rogue DHCP servers - once the bad IP
address has been handed out to a computer on the network, it's then pointed
to a bad DNS server - that in turn sends the computer to a website in
Romania that displays a web page stating that the browser is out of date and
provides a link to an executable file that is supposed to update the browser
- and that executable then infects another computer.  It appears we're
dealing with a variant of Rorpian.A.

At this point, the network in our dorms isn't operational - it's impossible
to connect to the valid DHCP server because there are so many infected
computers now.  We don't have any system in place to log or track computers
- so even though we can run Wireshark and see the traffic, we have no way of
tracking that back to an individual to try to eliminate the rogue servers.
In addition, we've had an ongoing problem with residents of the apartment
complex across the street (not associated with us) using our wireless
network - and odds are, they're now infected as well.

We've tried 4 different anti-virus/malware products and none have seemed to
work as far as cleaning the computers that we deliberately infected in an
attempt to find a solution.  So for now, we have our dorm network shut down
entirely to prevent further infection - and we have 900 furious students.

We don't have the manpower to offer to format these student computers - and
even if we did have enough people, and were willing to accept the liability,
we wouldn't be able to put their software back on.  We're also not
comfortable with "suggesting" that the students take their computers to a PC
repair shop (even though that's probably the only answer) for the same
reason.  Even at that, if one rogue server is still out there, we're going
to have the issue again once we turn the network back on.  And what if that
rogue server is in the apartment complex that we have no control over?

Anyone have any ideas on how to combat this?  We've been banging our heads
against the wall for two days now and admit we may not even be thinking
clearly any more.  At the moment we can't think of a way out of this.  Any
suggestions would be welcome.

Probably the good news out of all of it is that this will probably either
cause the maintaining of the dorm internet to be outsourced, or we'll get
the equipment we need to manage it properly.  In the meantime, though,
that's not going to help us.

*******************

I'll be happy to forward on any suggestions or ideas that you may have.

Thanks in advance,



Allen
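The forwarded description above (a trojan that runs a rogue DHCP server, hands clients a malicious DNS server, and a dorm network with no way to tie the traffic Wireshark shows back to a machine) is the kind of problem a packet capture can actually resolve, because every DHCP OFFER or ACK carries the Ethernet source address of the NIC that sent it. The following is an added example and not code from anyone in this thread: it parses server-to-client DHCP frames, flags any server that is not on an allowlist or that points clients at an unknown DNS server, and groups the findings by the sender's MAC address together with the MACs of the clients it configured. The allowlisted addresses, the MACs and the sample frames are constructed for illustration; on a real network you would feed it frames read from a pcap and put your own DHCP and DNS servers in the allowlist.

```python
"""Flag rogue DHCP servers in captured Ethernet frames and tie them to a MAC address.

Added example, not from the original thread. The allowlist, the MAC addresses
and the sample frames are constructed; replace them with your own capture.
"""
import socket
import struct

# Constructed allowlist: the campus's legitimate DHCP and DNS servers (hypothetical addresses).
LEGIT_DHCP_SERVERS = {"10.20.0.1"}
LEGIT_DNS_SERVERS = {"10.20.0.53", "10.20.0.54"}

DHCP_OFFER, DHCP_ACK = 2, 5
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def ip_bytes(s):
    return socket.inet_aton(s)


def ip_str(b):
    return socket.inet_ntoa(bytes(b))


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_dhcp_reply(server_mac, server_ip, client_mac, yiaddr, dns, msg_type=DHCP_OFFER):
    """Build a minimal broadcast Ethernet/IPv4/UDP DHCP OFFER or ACK (constructed test input)."""
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_ip)
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(ip_bytes(d) for d in dns)
    opts += bytes([OPT_END])
    # BOOTP fixed header (236 bytes): op=2 BOOTREPLY, htype=1 Ethernet, hlen=6, hops, xid, secs,
    # flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, ip_bytes(yiaddr), ip_bytes(server_ip), b"\0" * 4,
                        mac_bytes(client_mac), b"\0" * 64, b"\0" * 128)
    payload = bootp + MAGIC_COOKIE + opts
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload  # UDP checksum left at 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_bytes(server_ip), ip_bytes("255.255.255.255")) + udp
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(server_mac) + b"\x08\x00"
    return eth + ip


def parse_dhcp_reply(frame):
    """Parse one Ethernet frame; return a dict for server-to-client DHCP messages, else None."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:  # not UDP
        return None
    udp = 14 + ihl
    sport = struct.unpack("!H", frame[udp:udp + 2])[0]
    dhcp = frame[udp + 8:]
    if sport != 67 or dhcp[0] != 2 or dhcp[236:240] != MAGIC_COOKIE:
        return None  # not a BOOTREPLY sent from the DHCP server port
    opts, i = {}, 240
    while i + 1 < len(dhcp) and dhcp[i] != OPT_END:
        if dhcp[i] == OPT_PAD:
            i += 1
            continue
        code, length = dhcp[i], dhcp[i + 1]
        opts[code] = dhcp[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "server_mac": mac_str(frame[6:12]),  # the NIC that actually transmitted this reply
        "ip_src": ip_str(frame[26:30]),
        "client_mac": mac_str(dhcp[28:34]),  # chaddr: the client being (mis)configured
        "yiaddr": ip_str(dhcp[16:20]),
        "options": opts,
    }


def find_rogue_servers(frames):
    """Group DHCP OFFER/ACK messages by sending MAC and report any server that is not on the
    allowlist or that hands out a DNS server not on the allowlist, with the victim MACs."""
    findings = {}
    for frame in frames:
        p = parse_dhcp_reply(frame)
        if p is None:
            continue
        opts = p["options"]
        if opts.get(OPT_MSG_TYPE, b"\0")[0] not in (DHCP_OFFER, DHCP_ACK):
            continue
        server_id = ip_str(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else p["ip_src"]
        dns_raw = opts.get(OPT_DNS, b"")
        dns = [ip_str(dns_raw[j:j + 4]) for j in range(0, len(dns_raw) - 3, 4)]
        reasons = set()
        if server_id not in LEGIT_DHCP_SERVERS:
            reasons.add("unknown DHCP server %s" % server_id)
        reasons.update("rogue DNS %s" % d for d in dns if d not in LEGIT_DNS_SERVERS)
        if reasons:
            entry = findings.setdefault(p["server_mac"],
                                        {"server_ip": server_id, "reasons": set(), "victims": set()})
            entry["reasons"] |= reasons
            entry["victims"].add(p["client_mac"])
    return findings


# Constructed sample capture: one legitimate OFFER, two ACKs from a rogue server, one non-DHCP frame.
# 198.51.100.0/24 is a documentation range standing in for the attacker's DNS server.
SAMPLE_FRAMES = [
    build_dhcp_reply("00:11:22:33:44:55", "10.20.0.1", "aa:bb:cc:00:00:01", "10.20.3.17", ["10.20.0.53"]),
    build_dhcp_reply("f0:de:f1:00:be:ef", "10.20.3.99", "aa:bb:cc:00:00:02", "10.20.3.200",
                     ["198.51.100.7"], DHCP_ACK),
    build_dhcp_reply("f0:de:f1:00:be:ef", "10.20.3.99", "aa:bb:cc:00:00:03", "10.20.3.201",
                     ["198.51.100.7"], DHCP_ACK),
    b"\x00" * 60,
]

if __name__ == "__main__":
    for mac, info in find_rogue_servers(SAMPLE_FRAMES).items():
        print("rogue DHCP server MAC %s (claims %s): %s; victims: %s" % (
            mac, info["server_ip"], ", ".join(sorted(info["reasons"])),
            ", ".join(sorted(info["victims"]))))
```

The server identifier (option 54) and the IP source address are under the attacker's control and could be made to match the real server, which is why the script keys its findings on the Ethernet source MAC: that address is what the dorm switches' MAC forwarding tables (or an access point's station list) resolve to a port or a radio, and it is the link from "we can see it in Wireshark" to a specific machine that the original message says is missing. The victim MACs from chaddr give the list of clients that need cleaning. The durable control on the wired side is DHCP snooping on the switches, which drops DHCP server messages arriving on untrusted ports; note that wireless clients associated to the same access point may still hear each other's broadcasts directly unless the AP isolates clients, so the rogue servers across the street need to be handled on the wireless side as well.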

