How CERN reacted to the Blaster and Sobig virus attack
Christian Boissat, Alberto Pace, Andreas Wagner
Overview
• About Blaster and Sobig
• Timeline of events at CERN
• Patch distribution technologies used at CERN
• Summary of incident
• Conclusions
About Blaster and Sobig
• W32.Blaster.Worm / Welchia Worm
  • Exploits the DCOM RPC vulnerability; no user interaction was required to spread
  • DoS attack against the Windows Update download site
• Sobig.F
  • Variant of a known mass-mailing, network-aware worm that sends itself to all the email addresses it finds on a PC
  • Several improvements over previous versions, such as a multithreaded SMTP engine
• Issue: the virus definition update was only available after the first infections had been detected on site (the virus pattern file was in beta for several hours)
Patch distribution technologies at CERN
• Systems Management Server (SMS)
  • Distribution of repackaged and grouped hotfixes, service packs and IE updates; packages also available via Group Policies
• Domain startup scripts
  • For urgent patches (and a floppy with the hotfix for new PCs)
• System Update Services (SUS)
  • Presently under evaluation
  • In combination with SMS packages to ‘force’ installation
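The slide lists domain startup scripts as the channel for urgent patches. The script below is an added example of that pattern and is not CERN's own script: on every boot it checks whether a given hotfix is present and installs it from a file share only if it is missing, so the script can be applied to a whole domain without re-running the installer on machines that are already patched. The hotfix id `KB823980` (the MS03-026 DCOM RPC fix), the share path `\\patchserver\hotfix\...`, the log path and the `/quiet /norestart` switches of the classic hotfix installer are assumptions made for the example.

```powershell
# Added example of a domain startup script that forces an urgent hotfix.
# Hotfix id, share path and log file are assumed values, not from the CERN slides.
param(
    [string]$HotfixId  = 'KB823980',                                            # MS03-026 DCOM RPC fix (assumed)
    [string]$Installer = '\\patchserver\hotfix\WindowsXP-KB823980-x86-ENU.exe',  # assumed distribution share
    [string]$LogFile   = 'C:\Windows\Temp\urgent-hotfix.log'                     # assumed local log
)

function Write-Log([string]$Message) {
    # One line per event, prefixed with time and host, so the logs can be collected centrally.
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Add-Content -Path $LogFile
}

function Test-HotfixInstalled([string]$Id) {
    # Get-HotFix reads the installed-updates inventory; absent id -> $null -> $false.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

# A startup script runs at every boot, so it must be idempotent: check first, install only if needed.
if (Test-HotfixInstalled $HotfixId) {
    Write-Log "$HotfixId already present, nothing to do"
    exit 0
}

# New or offline machines may not reach the share; log it and let the next boot retry.
if (-not (Test-Path $Installer)) {
    Write-Log "installer $Installer not reachable, will retry at next boot"
    exit 1
}

Write-Log "installing $HotfixId"
# /norestart leaves the reboot to the administrator (or to the user's next logoff) so the
# session is not killed in the middle of the startup script; /quiet suppresses all dialogs.
$proc = Start-Process -FilePath $Installer -ArgumentList '/quiet', '/norestart' -Wait -PassThru
Write-Log "installer exit code $($proc.ExitCode)"   # 3010 means installed, reboot pending

if (Test-HotfixInstalled $HotfixId) {
    Write-Log "$HotfixId installed"
    exit 0
} else {
    Write-Log "$HotfixId still missing after install attempt"
    exit 1
}
```

Because the check happens before the install, the same script can stay assigned as a startup script for weeks: patched machines exit immediately, and unpatched machines (including the new PCs the slide mentions) get the fix on their first boot in the domain. The exit codes and log lines give the administrator a way to see which hosts are still missing the hotfix without visiting them.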
CERN results and effort involved
• Infected systems: Blaster/Welchia (~300), Sobig (12)
• Effort at end of August, in FTE weeks (chart not reproduced here); NB: does not include effort in other Divisions
• The hotfix web page was visited 12,200 times in August
• The emergency measures page was visited 2,600 times in the second half of August
Conclusion
• Despite this “negative” presentation, all CERN central computing services and the network continued to work without interruption
• Standard users (more than 95 %) also continued to work as usual
• Unmanaged computers were heavily affected
  • Many visitor computers were not up to date for virus definitions and patches
  • Owners of unregistered computers could not be contacted and informed
  • This is the lesson to learn
• However, this has triggered additional efforts to further improve patch distribution methods and to further reduce deployment time
• Everybody now takes security more seriously, and we did not need a catastrophic disaster to achieve this