
IT SECURITY BULLETIN - SEP 03

1. Review of recent major IT Security Incidents
---------------------------------------------------------------------
July and August had several IT Security incidents, but the ones that
featured most prominently were MS-Blaster, Welchia and Sobig.F.

1a. MS-Blaster and Welchia
MS-Blaster and Welchia exploited the Microsoft RPC DCOM vulnerability
announced in mid-July (Microsoft Security Bulletin MS03-026). More than
1,000 computers in the University were affected by the MS-Blaster worm.
Around a week later this worm was eclipsed by the Welchia worm, which
exploited the same vulnerability, removed MS-Blaster from the machines it
infected and attempted to install the Microsoft patch. About 400 computers
in the University were affected by the Welchia worm; each of them was a
machine that had still not been patched a month after the bulletin.

Reports on the MS-Blaster outbreak from departments revealed that
infections ranged from 94.7% of computers to 0%. A number of infections
were "brought in" to the University network on notebooks which were
infected elsewhere.

The Welchia worm was more aggressive. The ICMP echo (ping) sweeps it used
to locate new targets congested many networks and the Internet. The border
routers blocked 4 GBytes of worm-generated traffic in a day.

1b. Sobig.F
About 100 University computers were infected with the Sobig.F virus.
Sobig.F and Welchia both appeared on 18 August, and between them caused
severe congestion of the email and network systems. The staff central
e-mail server blocked 80,000 virus-laden e-mails per day at the peak of
the outbreak.

While the worms described in 1a can infect a computer without any user
action, Sobig.F relied on social engineering: it arrived as an e-mail with
a plausible subject line ("Re: Details", "Thank you!" and the like) and a
forged sender address, and it spread only when the recipient opened the
attached executable. Efforts to educate users on "safe computing" must be
increased.

2. Configuration of McAfee Virus Scan - by Elliot Gingold
------------------------------------------------------------------------------------
The default configuration of McAfee Virus Scan sets up a scheduled
update download on a weekly basis. For the current version (7) the
download is scheduled for each Friday at 5 pm. This is intended to
follow the standard weekly DAT update which McAfee posts each
Thursday (US time).

This update frequency is totally inadequate given the speed at which
current viruses spread. For viruses such as Sobig.F, most of the damage
occurs during the first few days after discovery. For this reason it has
become very common for DATs to be released in response to new threats
rather than just weekly, and a client that only checks on Friday evening
can remain up to a week behind such an out-of-cycle release.

We would thus strongly suggest that configuration of Virus Scan on all
systems within the University be altered so that checks for updates are
made on a daily rather than weekly basis. At the same time it would be
helpful to ensure that the client is pointed to our local mirror as its
first option rather than the McAfee US site (the default). The local
mirror address is
ftp://ftp.unimelb.edu.au/pub/pc/virusscan7x/

ePolicy Orchestrator (ePO) would clearly be the most convenient way to push
these changes to clients from a central location. However, this can also
be done using a standard Virus Scan console on an administrator's computer
by remotely connecting to the local workstations. The console would, of
course, have to be running under an account with administrative rights on
the local machines; a dedicated account that is a local administrator on
the workstations is preferable to using a domain administrator account for
this purpose.

3. Central email virus scanning
----------------------------------------------
The anti-virus solution resides on the central email gateway (muwayb) and
uses the Sophos Anti-Virus software to scan all attachments less than
2 megabytes in size; attachments at or above that size pass through the
gateway unscanned, so desktop anti-virus remains essential. Should an
attachment contain a recognised virus, it will be deleted and replaced with
the following text contained within an attachment called Substitute.txt

There have been queries on the rationale behind delivering the text portion
of the email along with the substituted attachment. This handles the case
where a legitimate email is sent by a user with an attachment that is
unknowingly infected with a virus. Substituting the attachment makes the
message safe for the recipient, while delivering the text portion ensures
that the communication between sender and recipient is not lost. If the
rule were to delete a virus-infected email entirely, the recipient would be
completely unaware that the sender had tried to contact them.

The main inconvenience of this rule is that recipients also receive the
virus-generated, now disinfected, emails. In those cases neither the text
portion nor the substitute attachment has any informational value to the
recipient.

No Sobig.F virus emails passed through the central email gateway without
first being disinfected. Due to the volume of the emails, and also the well
defined names of the virus-laden attachments, it was decided that the
emails generated by the Sobig.F virus would be deleted outright by the
central email gateway rather than disinfected. This conserved computing
resources otherwise spent examining the emails for viruses, and lost no
legitimate communication: these messages are generated entirely by the worm,
and the sender address they carry is forged, so there is no human sender
whose text is worth preserving (and no one to whom a bounce should be sent).
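The two gateway rules described in this section (replace an infected attachment under the size limit with a Substitute.txt notice while delivering the message text, and delete Sobig.F worm mail outright by its fixed attachment names) can be modelled in a few dozen lines. The following is an added example written for this bulletin, not the configuration of muwayb or of Sophos Anti-Virus. The Sophos engine is stood in for by a hypothetical `detect()` function keyed on file names and extensions; the Sobig.F attachment names are a subset of those listed in vendor write-ups at the time; the sample messages are constructed for the example.

```python
"""Model of the central gateway's attachment rules (added example, not the
University's or Sophos's own code). Uses only the Python standard library."""
import email
from email import policy
from email.message import EmailMessage

SIZE_LIMIT = 2 * 1024 * 1024  # only attachments under 2 MB are scanned

# Attachment names used by Sobig.F (subset, from contemporary AV advisories).
SOBIG_F_NAMES = frozenset({
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
})

# Hypothetical stand-in for the AV engine: flags executables by file name.
SUSPECT_EXTENSIONS = (".pif", ".scr", ".exe", ".bat")

SUBSTITUTE_TEXT = ('The attachment "{name}" was removed by the email gateway '
                   "because it contained {virus}.\n")


def detect(filename, payload):
    """Return a detection name, or None if the attachment is considered clean.
    Hypothetical detector for this example; a real gateway calls its AV engine."""
    name = (filename or "").lower()
    if name in SOBIG_F_NAMES:
        return "W32/Sobig-F"
    if name.endswith(SUSPECT_EXTENSIONS):
        return "Suspicious-executable"
    return None


def process_message(raw):
    """Apply the gateway rules to one raw RFC 822 message (top-level parts only).

    Returns (action, message):
      ("deleted", None)         Sobig.F worm mail, dropped outright
      ("disinfected", message)  infected attachment(s) replaced by Substitute.txt
      ("delivered", message)    nothing found
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if not msg.is_multipart():
        return "delivered", msg

    # Rule 2: worm-generated mail is recognised by its fixed attachment names
    # and deleted; there is no legitimate sender whose text is worth keeping.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() in SOBIG_F_NAMES:
            return "deleted", None

    # Rule 1: scan each attachment under the size limit; replace an infected
    # one with Substitute.txt and leave the rest of the message untouched.
    parts = msg.get_payload()  # the live list of MIME parts
    disinfected = False
    for i, part in enumerate(parts):
        if not part.is_attachment():
            continue
        name = part.get_filename() or "attachment"
        data = part.get_payload(decode=True) or b""
        if len(data) >= SIZE_LIMIT:
            continue  # at or over the limit: not scanned by this gateway
        virus = detect(name, data)
        if virus is None:
            continue
        sub = EmailMessage(policy=policy.default)
        sub.set_content(SUBSTITUTE_TEXT.format(name=name, virus=virus),
                        disposition="attachment", filename="Substitute.txt")
        parts[i] = sub
        disinfected = True
    return ("disinfected" if disinfected else "delivered"), msg


def _build(subject, body, filename, data, **kw):
    """Construct a sample message with one attachment (constructed test input)."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "sender@example.edu"
    m["To"] = "recipient@example.edu"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(data, filename=filename, **kw)
    return m.as_string()


# Constructed samples: worm mail, a legitimate note with an infected file, clean mail.
SAMPLE_WORM = _build("Re: Details", "See the attached file for details.",
                     "your_document.pif", b"MZ\x90\x00",
                     maintype="application", subtype="octet-stream")
SAMPLE_INFECTED_LEGIT = _build("Budget figures", "Hi, attached as promised.",
                               "report.scr", b"\x00\x01\x02",
                               maintype="application", subtype="octet-stream")
SAMPLE_CLEAN = _build("Minutes", "Minutes attached.", "minutes.txt",
                      "1. Apologies\n2. Matters arising\n")

if __name__ == "__main__":
    for sample in (SAMPLE_WORM, SAMPLE_INFECTED_LEGIT, SAMPLE_CLEAN):
        action, out = process_message(sample)
        names = [p.get_filename() for p in out.iter_attachments()] if out else []
        print(action, names)
```

Note the size check: anything at or above the limit is passed through without being scanned, exactly as the section describes, which is why the gateway cannot be the only layer of defence. The worm-mail rule runs before the scanner so that the expensive step is skipped for traffic that is known to be worthless.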

