How CERN reacted to the Blaster and Sobig virus attack (PowerPoint presentation, 9 slides)

Page 1: How CERN reacted to the  Blaster and Sobig virus attack

How CERN reacted to the Blaster and Sobig virus attack

Christian Boissat, Alberto Pace, Andreas Wagner

Page 2

Overview

- About Blaster and Sobig
- Timeline of events at CERN
- Patch distribution technologies used at CERN
- Summary of incident
- Conclusions

Page 3

About Blaster and Sobig

W32.Blaster.Worm / Welchia worm
- Exploit the DCOM RPC vulnerability (MS03-026, tcp/135); no user interaction is required to spread.
- Blaster launches a DoS attack against the windowsupdate.com download site.
- Welchia additionally spreads via the WebDAV (ntdll.dll) vulnerability (MS03-007) and floods networks with ICMP echo requests while looking for targets.

Sobig.F
- Variant of a known mass-mailing, network-aware worm that sends itself to all the e-mail addresses it finds on a PC.
- Several improvements over previous versions, e.g. a multithreaded SMTP engine.
- Issue: the virus definition update was only available after the first infections had been detected on site (the virus pattern file was in beta for several hours).

Page 4

W32.Blaster.Worm in the news

- Nordea bank (Scandinavia): 70 branch offices closed; worm in the servers of all 440 offices
- CSX Railways: curtailed train service for 8 hours while restoring computer systems
- New York Times: staff asked via the public address system to shut off all computers (half a day)
- CFF (Swiss Federal Railways): web site problems for users (timetable, ticketing), long waits
- Maryland Motor Vehicle Administration: affected
- Federal Reserve Bank of Atlanta, GA: affected
- Air Canada: 50% of phone reservation system capacity affected, plus some check-in operations
- China: 2,000 intranet systems stopped

Page 5

Timeline of Events at CERN (I)

- 16 July: Microsoft releases a security bulletin (MS03-026) warning about a so-called RPC vulnerability affecting most versions of the Windows operating system.
- 24 July: IT launches a campaign to protect computers against this vulnerability. 5,200 centrally managed systems are patched (one command).
- 1 August: Scan tool available; 500 vulnerable systems detected. Administrators contacted using Network DB information.
- 11 August: Leading antivirus companies warn about an exploit (W32.MSBlaster, also called W32.Blaster) rapidly spreading around the world. It is expected to launch massive attacks against windowsupdate.com as of Saturday 16 August.
- 13 August: Mail sent to each Division Leader with the list of vulnerable machines.

Page 6

Timeline of Events at CERN (II)

- 15 August: Despite multiple reminders, more than 200 Windows systems are still vulnerable. Site security observes suspicious scanning activity, in particular via dial-in or VPN, which are blocked for the weekend.
  Risk: those computers could launch the attacks, thereby potentially bringing down the whole network or parts of it and reducing the organization's ability to execute its mission.
- 18 August: IT management decides to block vulnerable systems at the network level and to keep the restrictions on the ACB (dial-in) and VPN services. There is no time to follow the usual consultation channels. Affected users are informed, provided their entry in the registration DB is up to date.
- 18 August: An even more severe threat exploiting the same vulnerability, W32.Welchia, appears and causes disruption at several sites.
- 18 August: Task force in place to help users get back to normal.
- 19 August: In the afternoon, a mass-mailing virus (W32.Sobig.F) starts to appear at CERN and affects several users.
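The scan / contact / block workflow of the timeline (find hosts probing the DCOM RPC port, look each one up in the network registration DB, inform the owners, block the rest) as an added example. This is illustration code written for this page, not CERN's tooling: the flow-record format, the registration DB layout, the hostnames and addresses are all assumptions, and the sample data is constructed.

```python
"""Triage of hosts scanning tcp/135 against a network registration database.

Added example, not CERN's tooling. It mirrors the workflow in the timeline:
detect hosts probing the DCOM RPC port (135/tcp), look each one up in the
network registration DB to find a contact and division, and separate the
registered hosts (owner can be informed) from the unregistered ones (can only
be blocked at the network level). The flow-record format and the registration
DB layout are assumptions made for this example; all data is constructed.
"""
from collections import defaultdict

# Constructed sample flow records: "<timestamp> <src> <dst> <proto> <dport>".
# 192.0.2.0/24 is a documentation range, not a real site.
FLOWS = """\
2003-08-15T09:00:01 192.0.2.10 192.0.2.1 tcp 135
2003-08-15T09:00:01 192.0.2.10 192.0.2.2 tcp 135
2003-08-15T09:00:02 192.0.2.10 192.0.2.3 tcp 135
2003-08-15T09:00:02 192.0.2.10 192.0.2.4 tcp 135
2003-08-15T09:00:03 192.0.2.10 192.0.2.5 tcp 135
2003-08-15T09:00:03 192.0.2.10 192.0.2.6 tcp 135
2003-08-15T09:00:05 192.0.2.77 192.0.2.1 tcp 135
2003-08-15T09:00:05 192.0.2.77 192.0.2.2 tcp 135
2003-08-15T09:00:06 192.0.2.77 192.0.2.3 tcp 135
2003-08-15T09:00:06 192.0.2.77 192.0.2.4 tcp 135
2003-08-15T09:00:07 192.0.2.77 192.0.2.5 tcp 135
2003-08-15T09:00:09 192.0.2.20 192.0.2.50 tcp 135
2003-08-15T09:00:10 192.0.2.20 192.0.2.50 tcp 445
2003-08-15T09:00:11 192.0.2.30 192.0.2.60 tcp 80
"""

# Constructed registration DB: IP -> owner information (hypothetical layout).
# 192.0.2.77 is deliberately absent: an unregistered visitor machine.
REGISTRATION_DB = {
    "192.0.2.10": {"host": "pcph01", "admin": "alice@example.org", "division": "PH"},
    "192.0.2.20": {"host": "pcit05", "admin": "bob@example.org", "division": "IT"},
    "192.0.2.30": {"host": "wsit12", "admin": "bob@example.org", "division": "IT"},
}


def find_scanners(flow_text, port=135, min_targets=5):
    """Return {src_ip: distinct_target_count} for sources that contacted at
    least `min_targets` distinct hosts on `port`/tcp. Blaster and Welchia
    probe tcp/135 across many addresses, so fan-out on that port is the
    signal; a normal client talks to a handful of RPC servers at most."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, dport = line.split()
        if proto == "tcp" and int(dport) == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def _ip_key(addr):
    return tuple(int(octet) for octet in addr.split("."))


def triage(scanners, registration):
    """Split flagged hosts into per-division notification lists and a list of
    unregistered addresses. Every flagged host is a candidate for a network
    block; only registered ones have an owner who can be told why."""
    notify = defaultdict(list)
    unregistered = []
    for ip in sorted(scanners, key=_ip_key):
        entry = registration.get(ip)
        if entry is None:
            unregistered.append(ip)
        else:
            notify[entry["division"]].append(
                {"ip": ip, "host": entry["host"], "admin": entry["admin"],
                 "targets": scanners[ip]})
    return dict(notify), unregistered


def division_report(notify, unregistered):
    """Plain-text report, one section per division (the list mailed to each
    Division Leader), plus the block list for hosts whose owner cannot be
    reached through the registration DB."""
    lines = []
    for division in sorted(notify):
        lines.append(f"Division {division}: {len(notify[division])} host(s) to patch or disconnect")
        for h in notify[division]:
            lines.append(f"  {h['ip']} {h['host']} ({h['admin']}): probed {h['targets']} hosts on tcp/135")
    if unregistered:
        lines.append("Unregistered, block at network level (owner cannot be informed):")
        lines.extend(f"  {ip}" for ip in unregistered)
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_scanners(FLOWS)
    per_division, blocked = triage(found, REGISTRATION_DB)
    print(division_report(per_division, blocked))
```

The threshold of five distinct targets is a deliberately low value chosen for the constructed sample; on a real site it should be tuned against known RPC clients (domain controllers, management servers) to avoid blocking legitimate hosts. The unregistered list is the operational core of the lesson on the last slide: a host that is not in the registration DB can be blocked but not informed.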

Page 7

Patch distribution technologies at CERN

- Systems Management Server (SMS): distribution of repackaged and grouped hotfixes, service packs and IE updates; the packages are also available via Group Policies.
- Domain startup scripts for urgent patches (and a floppy with the hotfix for new PCs, which would otherwise be infected before they can be patched over the network).
- Software Update Services (SUS): presently under evaluation, in combination with SMS packages to force installation.

Page 8

CERN results and effort involved (at end of August, in FTE weeks)

Action                                   Preventive   Repair
Apply patch to 5000 machines via NICE    0.1          -
Security                                 -            4.0
Network group                            -            6.0
User Support                             -            3.5
Coordination                             -            0.5
Local support                            -            4.0
Total                                    0.1          18

NB: does not include effort in other Divisions.

The hotfix web page was visited 12,200 times in August; the emergency measures page 2,600 times in the second half of August.

Infected systems: Blaster/Welchia (~300), Sobig (12).

Page 9

Conclusion

- Despite this "negative" presentation, all CERN central computing services and the network continued to work without interruption.
- Standard users (more than 95%) also continued to work as usual.
- Unmanaged computers were heavily affected: many visitor computers were not up to date for virus definitions and patches, and owners of unregistered computers could not be contacted and informed. This is the lesson to learn.
- However, the incident has triggered additional efforts to further improve patch distribution methods and to reduce deployment time further.
- Everybody now takes security more seriously, and we did not need a catastrophic disaster to achieve this.