Educause Security Discussion mailing list archives
Re: Virus/Trojan/Worm in the Dorms
From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Tue, 6 Sep 2011 09:41:10 -0500
Forcing the use of your own DNS servers by blocking DNS to all but your own DNS servers would also be an important method prevent further spread, and future infections in general. Plus, machines that try to use outside DNS servers can be easily flagged as potentially infected, or connected to a bad DHCP. The downside is that students that previously used OpenDNS or Google DNS would find they don't work, but in an outbreak scenario, that should be an acceptable sacrifice. -Eric -------- Original Message -------- Subject: Re: [SECURITY] Virus/Trojan/Worm in the Dorms From: James R. Pardonek <pardonjr () PURDUECAL EDU> To: SECURITY () LISTSERV EDUCAUSE EDU Date: 9/6/2011 9:32 AM
It would be interesting to know and helpful for them if they had a switched network with switches that have some intelligence in their dorms. We prevent this by not allowing traffic from student computers that source common ports such as DHCP or HTTP. Regards, Jim Please let me know if there is anything additional I can assist you with to ensure the service you received today has been excellent. James R. Pardonek, CISSP CEH CPT Assistant Director for Information Security and Assurance Information Services Purdue University Calumet Hammond, Indiana P: (219)989-2745 *From:*The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Tim Fairlie *Sent:* Tuesday, September 06, 2011 9:25 AM *To:* SECURITY () LISTSERV EDUCAUSE EDU *Subject:* Re: [SECURITY] Virus/Trojan/Worm in the Dorms Hey Allen, Any idea how those folks made out with this outbreak? Our kids moved in yesterday and we saw the same thing. We've been able to stop it from spreading, but cleaning the infected machines has so far been a lengthy task. Was wondering if you knew how they've addressed it Tim Timothy J. Fairlie - Director Network/User/Telecommunication Services (N.U.T.S) Rider University fairlie () rider edu <mailto:fairlie () rider edu> ----- "Allen Wood" <awood () HILLCOLLEGE EDU <mailto:awood () HILLCOLLEGE EDU>> wrote:I'm sending this on behalf of a neighboring college. It looks likethey need help in a pretty bad way... here's their message-**************** We've got a bit of a mess here - not quite sure how we're going to dealwith it. We contract with AT&T to provide internet service in our dorms. We don't provide tech support to our students for their personal computers. Even if that weren't our policy, two techs can't provide technical support to 900 kids (not to mention the other 1900 computers we have that are spread over 4 different campuses).This trojan turns computers into rogue DHCP servers - once the bad IPaddress has been handed out to a computer on the network, it's then pointed to a bad DNS server - that in turn sends the computer to a website in Romania that displays a web page stating that the browser is out of date and provided a link to an executable file that is supposed to update the brower - and that executable then infects another computer. It appears we're dealing with a variant of Rorpian.A.At this point, the network in our dorms isn't operational - it'simpossible to connect to the valid DHCP server because there are so many infected computers now. We don't have any system in place to log or track computers - so even though we can run Wireshark and see the traffic, we have no way of tracking that back to an individual to try to eliminate the rogue servers. In addition, we've had an ongoing problem with residents of the apartment complex across the street (not associated with us) using our wireless network - and odds are, they're now infected as well.We've tried 4 different anti-virus/malware products and none haveseemed to work as far as cleaning the computers that we deliberately infected in an attempt to find a solution. So far now, we have our dorm network shut down entirely to prevent further infection - and we have 900 furious students.We don't have the manpower to offer to format these student computers- and even if we did have enough people, and were willing to accept the liability, we wouldn't be able to put their software back on. We're also not comfortable with "suggesting" that the students take their computers to a PC repair shop (even though that's probably the only answer) for the same reason. Even at that, if one rogue server is still out there, we're going to have the issue again once we turn the network back on. And what if that rogue server is in the apartment complex that we have no control over?Anyone have any ideas on how to combat this? We've been banging ourheads against the wall for two days now and admit we may not even be thinking clearing any more. At the moment we can't think of a way out of this. Any suggestions would be welcome.Probably the good news out of all of it is that this will probablyeither cause the maintaining of the dorm internet to be outsourced, or we'll get the equipment we need to manage it properly. In the meantime, though, that's not going to help us.*******************I'll be happy to forward on any suggestions or ideas that you may have. Thanks in advance,Allen
-- Eric C. Lukens IT Security Policy and Risk Assessment Analyst ITS-Network Services Curris Business Building 15 University of Northern Iowa Cedar Falls, IA 50614-0121 319-273-7434 http://www.uni.edu/elukens/
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Re: Virus/Trojan/Worm in the Dorms, (continued)
- Re: Virus/Trojan/Worm in the Dorms Valdis Kletnieks (Sep 05)
- Re: Virus/Trojan/Worm in the Dorms Dennis Meharchand (Sep 05)
- Re: Virus/Trojan/Worm in the Dorms Kris Monroe (Sep 05)
- Re: Virus/Trojan/Worm in the Dorms Flynn, Gary - flynngn (Sep 05)
- Re: Virus/Trojan/Worm in the Dorms Flynn, Gary - flynngn (Sep 05)
- Re: Virus/Trojan/Worm in the Dorms Renaud, Robert (Sep 05)
- Re: Virus/Trojan/Worm in the Dorms Kevin Wilcox (Sep 05)
- Re: Virus/Trojan/Worm in the Dorms James R. Pardonek (Sep 06)
- Re: Virus/Trojan/Worm in the Dorms Eric C. Lukens (Sep 06)
- Re: Virus/Trojan/Worm in the Dorms Jeff Kell (Sep 06)
- Re: Virus/Trojan/Worm in the Dorms James R. Pardonek (Sep 06)