Re: Virus/Trojan/Worm in the Dorms

["Maloney, Michael" <mmaloney () MIDDLESEXCC EDU>]

Since some of these worm variants are employing modified MBR’s and encrypted partitions, your best might be to scan the 
systems with a bootable rescue CD.  We’ve used the Kaspersky one here with great success.  

 

Our approach to our infestation earlier in the summer was to isolate machines that were issuing DHCP addresses in a 
VLAN that went nowhere.  Since we have a NAC server it made it fairly easy, just pull the MAC address out and into the 
gates of hell it went.  The PC was not put back on the regular network until a technician had re-imaged the PC.    To 
prevent any PC’s that had been infected and shut down during the summer break from re-infecting the network, we had the 
techs scan each PC individually with the rescue CD.   

 

 

 

********************************************
Mike Maloney
Sr. System Engineer
Middlesex County College
2600 Woodbridge Avenue
Edison, NJ 08818
Phone: 732-906-7754
Cell: 908-217-2086
Fax: 732-906-4266
Email: mmaloney () middlesexcc edu <mailto:mmaloney () middlesexcc edu> 
********************************************

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim 
Fairlie
Sent: Tuesday, September 06, 2011 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virus/Trojan/Worm in the Dorms

 

Hey Allen, 

Any idea how those folks made out with this outbreak?
Our kids moved in yesterday and we saw the same thing. We've been able to stop it from spreading, but cleaning the 
infected machines has so far been a lengthy task.

Was wondering if you knew how they've addressed it


Tim

Timothy J. Fairlie - Director
Network/User/Telecommunication Services (N.U.T.S)
Rider University                fairlie () rider edu 

----- "Allen Wood" <awood () HILLCOLLEGE EDU> wrote: 
>

> I'm sending this on behalf of a neighboring college.  It looks like they need help in a pretty bad way... here's 
> their message-
>
> ****************
>
> We've got a bit of a mess here - not quite sure how we're going to deal with it.  We contract with AT&T to provide 
> internet service in our dorms.  We don't provide tech support to our students for  their personal computers.  Even if 
> that weren't our policy, two techs can't provide technical support to 900 kids (not to mention the other 1900 
> computers we have that are spread over 4 different campuses).
>
> This trojan turns computers into rogue DHCP servers - once the bad IP address has been handed out to a computer on 
> the network, it's then pointed to a bad DNS server - that in turn sends the computer to a website in Romania that 
> displays a web page stating that the browser is out of date and provided a link to an executable file that is 
> supposed to update the brower - and that executable then infects another computer.  It appears we're dealing with a 
> variant of Rorpian.A.
>
> At this point, the network in our dorms isn't operational - it's impossible to connect to the valid DHCP server 
> because there are so many infected computers now.  We don't have any system in place to log or track computers - so 
> even though we can run Wireshark and see the traffic, we have no way of tracking that back to an individual to try to 
> eliminate the rogue servers.  In addition, we've had an ongoing problem with residents of the apartment complex 
> across the street (not associated with us) using our wireless network - and odds are, they're now infected as well.
>
> We've tried 4 different anti-virus/malware products and none have seemed to work as far as cleaning the computers 
> that we deliberately infected in an attempt to find a solution.  So far now, we have our dorm network shut down 
> entirely to prevent further infection - and we have 900 furious students.
>
> We don't have  the manpower to offer to format these student computers - and even if we did have enough people, and 
> were willing to accept the liability, we wouldn't be able to put their software back on.  We're also not comfortable 
> with "suggesting" that the students take their computers to a PC repair shop (even though that's probably the only 
> answer) for the same reason.   Even at that, if one rogue server is still out there, we're going to have the issue 
> again once we turn the network back on.  And what if that rogue server is in the apartment complex that we have no 
> control over?
>
> Anyone have any ideas on how to combat this?  We've been banging our heads against the wall for two days now and 
> admit we may not even be thinking clearing any more.  At the moment we can't think of a way out of this.  Any 
> suggestions would be welcome.
>
> Probably the good news out of all of it is that this will probably either cause the maintaining of the dorm internet 
> to be outsourced, or we'll get the equipment we need to manage it properly.  In the meantime, though, that's not 
> going to help us.

*******************
> I'll be happy to forward on any suggestions or ideas that you may have.
>
> Thanks in advance,

  

Allen
>