02 September 2003

PC virus and worm incidents

More malicious code attacks, their impact on the Division, and what can be done about them.

The increase in virus and worm activity targeting computers running Windows operating systems over the past few weeks has consumed significant amounts of TSU resources. Client Services Division has coordinated a review of the University’s response to these worldwide threats. The bottom line is that the University has not suffered as much as some organisations, that although we didn’t do badly we could be doing better, and that we should be treating this as a wake-up call. The most significant issue to come out of the review is that computers attached to the University network must have the appropriate software “patches” applied to foil attacks, and that their anti-virus software must be kept constantly updated.

Operating system updates

The attacks we have seen over the last three weeks exploit vulnerabilities in Windows operating systems that had already been identified, and for which Microsoft had provided “patches” before the vulnerabilities were exploited, in some cases more than a year before. The sequence is always the same:

  1. a vulnerability is discovered,
  2. a patch is issued, then
  3. someone exploits the vulnerability.

Only unpatched machines suffer directly from the exploitation of the vulnerability, although other users suffer from the attacks with avalanches of emails or saturated networks.

Although Microsoft supports a process ("Windows Update") to maintain Windows operating systems (at least the ones we use in the Division), there are several difficulties with the process:

  • Users have to be involved in the process.
  • Not all updates are required for all computers.
  • Some updates:
    • are large,
    • take a long time to install, and
    • consume a lot of network bandwidth, which has to be paid for.
  • Some updates may not work as planned and render computers unusable.

Client Services Division is investigating an on-campus software update server ('SUS'), and developing a process to ensure Windows operating systems are automatically patched when required with certified updates as tested by the University IT community.

In the meantime, TSU staff are being reactive and patching computers only after they have been compromised by malicious code. This is not an ideal situation, but it is the only way in which we can currently manage with the resources we have at our disposal. It may be prudent to ask staff using PCs to run Windows Update on their machines; the helpdesk will monitor patches as they are released by Microsoft and advise staff to run the update if it is deemed necessary. Updates and patches to student machines in labs (including postgraduate machines) will need to be managed by TSU.

Anti-virus software updates

The University is site-licensed for Network Associates' McAfee VirusScan software. PCs should be configured to update both the scanning engine itself and the virus definition files on a regular basis. This automatic update process should not be turned off.

Access to the University network

Attaching computers that already carry malicious code to the University network is the major source of virus and worm attacks. A particular threat is unpatched and unmaintained portable computers that are taken off-campus, attached to the Internet (from home, say), infected there, and then returned to the University and plugged back into the network. The Guidelines for the Management of Information Technology by Campus Units state:

The responsibility for the integrity and security of the Campus Network ... rests with the Client Services Division eg. no equipment can be connected to the "Campus Backbone" network.... without the authorisation of the Client Services Division...
http://www.canberra.edu.au/uc/policies/it/it-guide.html [accessed 1 September 2003]

In theory this means that Client Services should authorise each instance of, for example, a portable computer being plugged in to the University network. It has been suggested that no such authorisation would be given without the computer being subject to an audit to ensure it is free of malicious code and is fully up-to-date with system software patches, anti-virus software and virus definition files, every time it is proposed to attach the computer to the University network. This would in practice be unworkable.

To avoid Client Services Division having to insist that every computer is tested for current patches and virus protection each time it is attached to the network, it is imperative that all such computers are kept up-to-date. The University is site-licensed for all University-owned machines to be patched and to maintain the latest anti-virus software and virus definition files; owners of private machines are responsible for ensuring they are up-to-date before attaching them to the network. Any machine that is not up-to-date should be either updated immediately or removed from the network until it is.
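The pre-connection audit described above, written as an added PowerShell example (not part of the original memo or any University tool): it checks that a list of required hotfixes is installed and that the McAfee virus definitions are reasonably fresh. The hotfix IDs, the registry location of the DAT date and the seven-day limit are assumptions.

```powershell
# Added example: pre-connection compliance check for a Windows PC.
# Assumptions (not from the memo): the required hotfix list, the McAfee
# registry key holding the DAT date, and the 7-day freshness limit.
$RequiredHotfixes = @('KB000001', 'KB000002')   # placeholders; use the IDs the helpdesk advises
$MaxDatAgeDays    = 7
$McAfeeKey        = 'HKLM:\SOFTWARE\McAfee\AVEngine'  # assumed location of AVDatDate

$problems = @()

# 1. Operating system patches: compare installed hotfix IDs against the required list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredHotfixes) {
    if ($installed -notcontains $kb) {
        $problems += "Missing patch $kb"
    }
}

# 2. Anti-virus definitions: read the DAT date and reject stale definitions.
if (Test-Path $McAfeeKey) {
    $datDate = (Get-ItemProperty -Path $McAfeeKey).AVDatDate   # assumed format, e.g. '2003/09/01'
    $age = (Get-Date) - [datetime]::ParseExact($datDate, 'yyyy/MM/dd', $null)
    if ($age.TotalDays -gt $MaxDatAgeDays) {
        $problems += "Virus definitions are $([int]$age.TotalDays) days old"
    }
} else {
    $problems += 'McAfee VirusScan not found'
}

# 3. Report: a machine with any problem must be updated before it goes on the network.
if ($problems.Count -eq 0) {
    Write-Output 'COMPLIANT: patches and virus definitions are current.'
    exit 0
}
Write-Output 'NOT COMPLIANT - fix before connecting to the University network:'
$problems | ForEach-Object { Write-Output "  - $_" }
exit 1
```

The exit code lets the helpdesk run the check from a logon script and log non-compliant machines rather than relying on users to self-report.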