University Information Services at Georgetown University

E-NOTES, MAY-JUNE 2004: Sasser Worm


Lessons Learned
Past Experience Prevents Wide Spread Of Sasser Worm

Every computer user is familiar with the scenario.

Microsoft announces the discovery of another security flaw in the Windows operating system and releases a software patch to fix it, urging customers to install the patch as soon as possible. Computer security experts, the news media, and computer support staff reiterate the warning. Still, a large percentage of customers either remain unaware of the vulnerability or ignore it. A few weeks later, a computer worm emerges to exploit the security flaw that the patch was designed to fix. Spreading from computer to computer across the Internet, the worm infects hundreds of thousands of vulnerable computers, leading to huge losses of productivity and potential risks to the privacy and security of personal and business information. 

Georgetown University endured this scenario last August when one of the worst computer worm outbreaks in history rampaged through the campus network. Hundreds of Georgetown students, faculty, and staff joined multitudes around the globe whose computers were infected by the combined onslaught of Blaster and Welchia. Just as the fall semester was starting, students, faculty, and staff were saddled with virus-infected computers. UIS support staff were overwhelmed for weeks, fielding requests for help and in some cases spending hours repairing each infected machine.

The scenario played out once again this April. On the thirteenth, Microsoft announced the release of a patch to fix a newly discovered vulnerability. UIS alerted the campus community the following day and sent a second broadcast message last Friday, two days before the worm hit Georgetown’s network. Then, early Sunday morning, two weeks after the patch had been released, the Sasser worm emerged to infect hundreds of thousands of computers around the world, among them several hundred at Georgetown.

Though the scenario was the same, the rate of infection was not. Far fewer computers were infected by Sasser than were infected by Blaster and Welchia in August. UIS's automatic network scanning tools found approximately 6,000 unpatched computers during the Blaster and Welchia outbreak. 1,800 unpatched computers were detected the day before Sasser hit campus, and the number dropped to 400 by Monday afternoon after UIS staff spent the day working with departments and individuals. While inefficient programming may have slowed the spread of Sasser, the fact that many of Georgetown University’s Windows users have now configured their computers to perform automatic Windows Updates also significantly helped.

Unlike the Blaster and Welchia attacks, which continued for two weeks, the Sasser attacks were mostly contained within two days. Wider adoption of automatic Windows and Symantec Updates had the greatest impact, but strategies formulated in August 2003 also helped. Worms spread through networks quickly because users with infected computers often don't know they are infected and remain connected to the network, spreading the worm to other computers. In 2003, the Help Desk and desktop support technicians were flooded with requests to remove Blaster and Welchia from computers, until a removal CD was distributed to the community free of charge. The CD, containing Windows patches, a worm removal tool and illustrated instructions, allowed owners with infected computers to clean and secure their own machines. This time, the day after the virus hit, a Sasser removal CD was ready for distribution.

Unfortunately, many student computers in dorms were infected by the Sasser worm. As students brought in their computers to be repaired, UIS staff discovered that many of the computers were also infected with variations of Gaobot, spyware, and other viruses. The UIS Service Desk worked to assist students. Students worked in UIS and library computing labs to complete their end-of-year papers and exams.

UIS extends its gratitude to the thousands of users who adopted Windows and Symantec automatic updates after the barrage of Blaster and Welchia. We hope that all of our classmates and colleagues will consider joining them in the interest of keeping their data secure. The Web pages How to Protect Your Computer: Guidelines for Students and How to Protect Your Computer: Guidelines for Faculty and Staff feature illustrated instructions for setting up automatic Windows Updates, anti-virus software, and other computer security essentials. Assistance with the instructions is offered by the UIS Help Desk. The world is certain to see another worm outbreak before too long, but learning is what we do best at Georgetown. Let's be ready.
