Desktop Security: Worms and Viruses - PowerPoint PPT Presentation

Provided by: bark1
1
Desktop Security: Worms and Viruses
  • Brian Arkills, CC NDC-Sysmgt

2
Worms
  • What's a worm?
  • Code that spreads from one computer to another
    using some vulnerability. When your computer has
    a worm, it is called compromised. Once
    compromised, your computer is actively trying to
    infect other computers.
  • What protects me?
  • In all but a few cases, vulnerabilities have
    security patches. The security patches might be
    for the operating system, e.g. Windows XP, and
    applications like Internet Explorer. We
    distribute security patches automatically in
    Nebula.

3
Security patches
  • How does my computer get patches?
  • In general, MS releases patches on Wednesday.
  • We approve these patches Friday morning
  • A special client on your workstation notices the
    patches on our server sometime Friday (and in a
    few cases early Saturday).
  • Your workstation downloads the patches, and
    applies them at 11pm on the day after it has
    downloaded them.
  • So your computer has to be on the network to
    detect the patches, download them, and then be on
    at 11pm to apply them. The 11pm time is key.

4
Critical patches
  • In some cases, Nebula decides that a patch is so
    critical that it should be applied as quickly as
    possible.
  • In these cases, the patch is approved immediately
    (but won't be applied until 11pm).
  • Additionally, we package critical patches to be
    installed at user login.
  • As part of the login process, we also keep track
    of which computers have a critical patch. This
    allows us to ensure Nebula is secure as quickly
    as possible.

5
Missing patches
  • What might prevent my workstation from getting
    patches?
  • Not being on at 11pm to apply the patches.
  • Not being on the network to detect the patches.
    Computers that are taken home or are offline for
    long periods of time are in danger.
  • Having applied a patch manually, but chosen to
    not reboot. All subsequent patches will fail to
    reboot, until the computer is manually rebooted.

6
Viruses (or is it virii?)
  • What's a virus?
  • Code that is executed by a user that does
    something unexpected to the user. Frequently,
    email attachments are the vector for a virus. A
    virus does not exploit a vulnerability in an
    operating system or application; it takes
    advantage of a user. A variety of things can
    happen because of a virus.
  • What protects me?
  • McAfee VirusScan scans for viruses on your
    computer. Prior to that, the email infrastructure
    scans for viruses in email. Both scanning engines
    rely on virus definitions. These are
    configuration files that must be updated to
    reflect the latest discovered viruses.

7
Virus definitions
  • How do my definitions get updated?
  • There are two separate processes that update the
    virus definitions:
  • For gold workstations, during login, the
    definitions are updated to the latest version.
  • Alternatively, a process that runs 4 times a day
    pushes definitions to all Nebula workstations
    (gold and bronze) that are on the network.
  • Finally, a report runs once a day. It queries
    every Nebula workstation to determine what
    version it has. If that version is more than 2
    versions behind, it is reported to support teams.
    Support teams may contact you for manual
    intervention in this case.
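
The daily report described on this slide, as an added sketch (not Nebula's own tooling). It assumes definition versions are increasing integers and that a host which does not answer the query is recorded as None; the report lists such hosts with their last known version instead of skipping them. Host names and version numbers are constructed.

```python
# Added example: daily virus-definition report that never silently skips a host.
# Host names and definition version numbers below are constructed sample data.

def definitions_report(daily_results, current_version, max_behind=2):
    """daily_results: list of {host: version or None}, oldest day first.
    None (or a missing key) means the host did not answer the query that day."""
    hosts = sorted({h for day in daily_results for h in day})
    report = {"ok": [], "stale": [], "unreachable": []}
    for host in hosts:
        missed, last_seen = 0, None
        for day in reversed(daily_results):       # walk back from today
            version = day.get(host)
            if version is not None:
                last_seen = version
                break
            missed += 1
        if missed:                                 # no answer today
            report["unreachable"].append((host, missed, last_seen))
        elif current_version - last_seen > max_behind:
            report["stale"].append((host, current_version - last_seen))
        else:
            report["ok"].append(host)
    # Worst offenders first, so support teams see them at the top.
    report["stale"].sort(key=lambda e: -e[1])
    report["unreachable"].sort(key=lambda e: -e[1])
    return report

# Constructed three-day history; the last entry is today's query.
CONSTRUCTED_DAYS = [
    {"ws-01": 4290, "ws-02": 4288, "ws-03": 4287, "ws-04": 4289},
    {"ws-01": 4291, "ws-02": 4288, "ws-03": None, "ws-04": 4290},
    {"ws-01": 4292, "ws-02": 4289, "ws-03": None, "ws-04": None,
     "ws-05": 4290},
]

if __name__ == "__main__":
    result = definitions_report(CONSTRUCTED_DAYS, current_version=4292)
    for status, entries in result.items():
        print(status, entries)
```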

8
Question/Answers
  • Open forum: Ask away!
  • No questions? How about
  • What happened to the Tues/Sat. night patches?
  • What happened with the recent Blaster/Nachi
    worms?
  • How do I avoid patch reboots?

9
What happened to the Tuesday night/Saturday night
patch process?
  • We had to change the underlying patch technology
    we used primarily because the cost of our
    previous tool became prohibitive. The new tool we
    are using isn't flexible enough yet to allow a
    complex set of patch times.
  • However, the new tool has some improvements that
    should mean greater patching success rate and
    therefore better security in Nebula.

10
What happened with the recent Blaster/Nachi worms?
  • We had quite a few compromises that resulted in
    rebuilds from Blaster and the non-worm precursors
    to Blaster, about 70 computers or 3.5% of
    Nebula. This is quite a bit less than what most
    of UW saw. We were among the first UW folks to
    note compromises, and almost without fail we
    caught compromises before they were discovered
    and the network port shut down. But we don't
    think this was acceptable. So we implemented
    quite a few changes in the patching process (most
    of which we've skimmed over). And we noticed the
    improvement when Nachi came along a few weeks
    later. There were very few compromises from
    Nachi.
  • Why did the 70 computers get compromised? What
    failed (and how are things different now)?
  • There are a number of different scenarios that
    caused failures.
  • The time between patching used to be 1 week. If
    you missed a patch one week, you had to wait a
    week.
  • The scanning tool we used to use had a problem we
    weren't aware of: if a computer was in power
    saving mode, depending on the hardware, it might
    take longer for the computer to wake up than the
    scanning timeout. This would result in the tool
    skipping the computer (and then it'd need to wait
    another week).
  • Computers that were off during either the
    scanning time or the patch application time
    wouldn't get the patch (and would have to wait
    another week). Scanning now happens daily
    (assuming the computer is on the network), and
    the patch application time is 11pm on the day the
    patch is detected (although usually this is still
    just once a week).
  • We now also keep track of which computers have
    critical patches. This is an important sanity
    check.

11
Avoiding random reboots
  • How do I avoid a reboot from a patch at a time I
    don't like?
  • Nebula security patches only reboot your computer
    at night or at login. This is the least intrusive
    time we can pick, and shouldn't be a problem for
    most people. But if you run processes overnight
  • For normal patches, run Windows Update anytime
    Wednesday afternoon through Friday afternoon. But
    please reboot your computer when you apply the
    patch. This will avoid a reboot over the weekend.
  • For critical patches, your support team can give
    you warning that Nebula has approved a patch for
    application as soon as possible. Some support
    teams automatically inform their users, others
    don't. Once you have this info, you can either
    use Windows Update or the login process to patch
    your computer manually to avoid a reboot at night.