
How CERN reacted to the Blaster and Sobig virus attack

Christian Boissat, Alberto Pace, Andreas Wagner


Presentation Transcript


  1. How CERN reacted to the Blaster and Sobig virus attack
     Christian Boissat, Alberto Pace, Andreas Wagner

  2. Overview
     • About Blaster and Sobig
     • Timeline of events at CERN
     • Patch distribution technologies used at CERN
     • Summary of Incident
     • Conclusions

  3. About Blaster and Sobig
     • W32.Blaster.Worm / Welchia Worm
       • Exploits the DCOM RPC vulnerability; no user interaction was required to spread.
       • DoS attack against the Windowsupdate download site
     • Sobig.F
       • Variant of a known mass-mailing, network-aware worm that sends itself to all the email addresses it finds on a PC.
       • Several improvements over previous versions, such as a multithreaded SMTP engine.
       • Issue: the virus definition update became available only after the first infections were detected onsite (virus pattern file in beta for several hours)

  4. W32.Blaster.Worm in the news

  5. Timeline of Events at CERN (I):

  6. Timeline of Events at CERN (I):

  7. Patch distribution technologies at CERN
     • Systems Management Server (SMS)
       • Distribution of repackaged and grouped hotfixes, service packs, IE updates; packages also available via Group Policies
     • Domain Startup-Scripts
       • For urgent patches (and floppy with hotfix for new PCs)
     • System Update Services (SUS)
       • Presently under evaluation
       • In combination with SMS packages to ‘force’ installation

  8. CERN results and effort involved
     • Infected systems: Blaster/Welchia (~300), Sobig (12)
     • (At end of August, in FTE weeks)
     • NB: Does not include effort in other Divisions
     • The hotfix webpage was visited 12’200 times in August
     • The emergency measures page was visited 2600 times in the second half of August

  9. Conclusion
     • Despite this “negative” presentation, all CERN central computing services and the network continued to work without interruption
     • Standard users (more than 95 %) also continued to work as usual
     • Unmanaged computers were heavily affected
     • Many visitor computers were not up to date for virus and patches
     • Owners of unregistered computers could not be contacted and informed
     • This is the lesson to learn
     • However, this has triggered additional efforts to further improve patch distribution methods and to further reduce the deployment time
     • Everybody now takes security more seriously, and we did not need a catastrophic disaster to achieve this
