
Sasser Worm and Variants

Plusnet Staff
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007


Hi Everyone,

I'm looking for some feedback as to what everyone thinks we should do regarding customers whose PCs are infected with worms like Sasser and the others that are about.

There are several different options that we have looked at, and what we want to know is what you, our customers, feel would be the best option. How would you like to be contacted/treated if your PC was infected and you were unaware?

Our long term goal is to set up some kind of web holding page, similar to the port 135 block we have that we can initiate whenever we find a customer that is infected which would block off virtually all activity but still allow them to access Windows Update, etc. to remove the virus and patch their PC. Unfortunately the development time required for this means it is at least 6-12 months away.

The following options have been suggested, please feel free to agree, disagree, take them apart or suggest alternatives we haven't thought of. What we don't want to do is implement something that our customers aren't happy with.

    1. Disable a customer's broadband access until they remove the virus.

    2. Block more ports on the network. Sasser uses port 445 as well as a few others, we could block these, but they would be blocked for everyone and there would be no way of opting out, so any legitimate use of these ports (P2P or whatever) would be affected as well.

    3. Continue the way we currently work, i.e. contact the affected users and advise them that they are infected with a virus and ask them to remove it.


EDIT: Made this post sticky so that I can pick up the comments at the weekend.
154 REPLIES
csogilvie
Grafter
Posts: 5,852
Registered: 04-04-2007


What's done with the 135 stuff would be good - perhaps give them 2 days, and then disable the connection in case they are away?
N/A


In 1. when you say "disable a customer's broadband" would they have any idea why it had been disabled? Or would it just all of a sudden stop working. I think that would cause more trouble than it's worth as many customers would have no idea why the connection stopped and would most likely be angry.

2. Could you name the other ports? It's funny how you state p2p as being one of the "legitimate" uses. Most p2p programs allow the ports used to be changed, so I doubt that's a problem (although I'm sure there are other legitimate programs which operate on these ports which can't be changed).

3. This would be my personal choice, depending on how it's carried out. Is it an automated affair which has the users emailed as soon as certain port activity is seen, or is it completely manual (i.e. relying on abuse reports)? If it's manual I fear it might be too slow (as I understand that abuse departments are often heavily backlogged) and might not do much to prevent more infections. However, I think that this (for me at least) is the most preferable, as long as it was followed up (if a customer continues to leave their machine infected then they receive another warning, and then their connection is temporarily disabled).

Just my 2p.
N/A


Quote
What's done with the 135 stuff would be good


Does this work on the new routing equipment (the name of which I can't remember now - the thing which runs alongside the existing Redbacks)? I don't know why, but I was under the impression that this equipment couldn't detect certain port activity and display the custom website. Maybe I just made it up though, who knows.
csogilvie
Grafter
Posts: 5,852
Registered: 04-04-2007


I'm not sure if it works on the 622MB (Juniper?) or not - but that was the only suggestion I really agreed with.
N/A


That's the one - the Juniper. I'll see if I can find where I got that idea from...

EDIT: Here - see IanWild's reply (the last in the thread).

Quote
Customers connected via the ERX (On the 622MB/s BT central pipe) unfortunately can't have this system applied.


Although...

Quote
We have asked Juniper (who make the ERX) for the functionality to do the same as we can with the Redback units, but this is likely to take them a good few months more to deliver.


If this was available on the Juniper platform as well then I agree with Colin, it would be the most preferable, as the page displayed is more informative and useful to the user (and therefore less likely to annoy them).
Plusnet Staff
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007


Sasser uses the following ports according to F-Secure.

Summary of TCP ports used by the worm:

445/TCP - the worm attacks through this port
5554/TCP - FTP server on infected systems
9996/TCP - remote shell opened by the exploit on the vulnerable hosts

I think the network guys said there were others as well.

"Disable a customer's broadband" would be that we'd disconnect their session if they were connected and then stop them from re-authenticating. I agree that this could cause more trouble than good if it wasn't used correctly.

As far as I know the port 135 detection is not yet available on the Juniper.

The best solution might be the one with the least amount of development work, but at the moment there are literally hundreds if not thousands of people on our network whose PCs are infected, and our abuse team receive a lot of reports every single day.
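An added example, not from this thread or from Plusnet, of how the port list above could drive the per-customer detection that a 135-style holding page would need: count distinct 445/TCP destinations per source (a scan, unlike ordinary file sharing against a few servers) and corroborate with connections to the worm's 5554/9996 listeners. The flow records, the threshold of 20 targets and the action labels are constructed assumptions.

```python
# Added example (not from the thread): triage logic that flags broadband
# sessions behaving like a Sasser-infected host, using the port list
# quoted above. All flow records are constructed, not real customer data.
from collections import defaultdict

SASSER_ATTACK_PORT = 445            # worm propagates through this port
SASSER_LISTEN_PORTS = {5554, 9996}  # FTP server / remote shell on infected hosts


def constructed_flows():
    """Constructed sample flows as (src_ip, dst_ip, dst_port, proto)."""
    flows = []
    # an infected host probing 30 consecutive addresses on 445/TCP
    for i in range(1, 31):
        flows.append(("10.1.1.5", f"10.9.0.{i}", SASSER_ATTACK_PORT, "tcp"))
    # a freshly exploited victim pulling the worm from that host's FTP port
    flows.append(("10.9.0.7", "10.1.1.5", 5554, "tcp"))
    # a normal customer reaching two file servers on 445: not a scan
    flows.append(("10.1.1.8", "10.9.0.1", SASSER_ATTACK_PORT, "tcp"))
    flows.append(("10.1.1.8", "10.9.0.2", SASSER_ATTACK_PORT, "tcp"))
    return flows


def scan_candidates(flows, threshold=20):
    """Sources hitting TCP/445 on at least `threshold` distinct destinations."""
    # distinct targets, not raw packets, separate scanning from normal SMB use
    targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "tcp" and port == SASSER_ATTACK_PORT:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def triage(flows, threshold=20):
    """Verdict per scanning source: target count, whether anyone connected to
    its 5554/9996 listeners (corroboration), and the response this thread
    discusses (holding page if corroborated, otherwise an e-mail warning)."""
    inbound = defaultdict(int)
    for _, dst, port, proto in flows:
        if proto == "tcp" and port in SASSER_LISTEN_PORTS:
            inbound[dst] += 1
    verdicts = {}
    for src, count in scan_candidates(flows, threshold).items():
        seen = inbound[src] > 0
        verdicts[src] = {"targets": count, "listener_seen": seen,
                         "action": "holding-page" if seen else "email-warning"}
    return verdicts
```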
N/A


Ever considered making it a condition of service provision that customers should have an up to date, recognised virus checker in place?

Is there any way of doing a 'push' of something like Trend Micro's Housecall, or if not then just a re-direct (after a suitable warning)?
csogilvie
Grafter
Posts: 5,852
Registered: 04-04-2007


Personally, I would object to that being a condition of service, but perhaps that's just me - and it's probably unenforceable - prove either of my two PCs have virus scanners?
N/A


IIRC, there is already a line in the contract that states that customers must keep their system secure and virus free.

This is the rule that PlusNet can use to disconnect the users.

I am inclined to say disconnect them; however, I have previously stated that this is too aggressive and won't win you any friends.

However, something does need to be done.
N/A


Quote
Personally, I would object to that being a condition of service, but perhaps that's just me - and it's probably unenforceable - prove either of my two PCs have virus scanners?


Why - it probably can't be monitored effectively but if it could it wouldn't be unreasonable. Bit like accepting that you'll drive on the left hand side of the road - it's for your own good but also benefits everyone else using the road.
N/A


But if someone's driving on the wrong side of the road it's blatantly obvious. If someone is not protecting their PC correctly, the first sign you get is when they're trying to spread their worm to you. Then you end up right back where we are - deciding what should be done (they can technically be disconnected already due to what Phil mentioned in the Terms, so adding the need for anti virus won't strengthen that position).
N/A


Quote
they can technically be disconnected already due to what Phil mentioned in the Terms.


...hmmm, well it seems we've already agreed to it then.
N/A


Well, one thing that you could do (for free, and quite simply) which would be a good start is to add a line into the "we hope you are enjoying the service... yada yada" email which points people to a site mentioning the importance of this and a free AV such as avast! or AVG. Make it default in any email sent to a customer and stick it on the portal login page.

But anyhow - email people to tell them, then disconnect if there's no action from them after a couple of days; they will soon ring to find out what's happening.
N/A


They can be disconnected; however, at the moment they would not be presented with a reason. I can imagine if I found my internet had suddenly stopped working I would be slightly annoyed. This would then require the customer to ring up customer support (another point - it would take up more CSRs' time) and find out what the problem is. I agree that at face value this is ideal - what better way to prevent infection than by removing those that are infected - but from a customer point of view I can't imagine it being liked.

However (I'm contradicting myself quite a bit today) I think that this is probably the best way to effectively tackle the problem at hand. As long as it was understood (by the customers) that the connection would be temporarily disabled if virus-generated traffic was coming from their machine, and the reasoning behind this, then I think it's the only way to go. Obviously the 135-style method would be preferred, but as this is not currently available on the Juniper platform I think it's not really feasible to even consider it.

Apologies for the long posts, just trying to make myself clear.