Information Resources & Communications

Recent Attacks on UCOP Computers

August 13, 2003

Summary

The Blaster worm impacted more than 100,000 computers worldwide, including a large number of desktop computers at UCOP on Monday and Tuesday, August 11 and 12. The nature of the Blaster attack required that IR&C temporarily disconnect approximately 100 machines from the UCOP network. The Blaster worm has now been contained and network service has been restored to almost all users.

Background

Over the last two weeks, there has been a sharp increase in the volume of computer viruses and related attacks on computers that run the Microsoft Windows operating system. Many of these attacks are tied to a significant security vulnerability that Microsoft announced on July 16. In keeping with our standard practice, IR&C prepared for potential attacks by making configuration changes to the corporate firewall as recommended by CERT, a national group that provides guidance on Internet security, and by advising departmental PC coordinators to install critical Microsoft security patches.

Blaster Attack

Despite IR&C's preparations, UCOP computers were infected by the Blaster worm. Once inside our firewall, the worm spread rapidly by using infected machines to attack other computers. Once the attack began, we had no choice but to disconnect from our network any infected computer that attacked other computers in an effort to spread the worm. In these instances we made every attempt to notify the assigned computer users and departmental PC coordinators, and we reconnected the affected computers once the systems were cleaned and patched.

Future Attacks

A number of variants of the Blaster worm have already appeared elsewhere on the Internet, and we expect that attacks seeking to exploit other Windows security vulnerabilities will continue for the foreseeable future. Therefore, it is critical that all computers used on the UCOP network routinely receive updated virus definition files and Windows security patches. It is especially important that laptops receive these updates, since they may be exposed to viruses and worms when they are connected to other networks outside of UCOP (e.g., home ISP connections). IR&C will continue to take all possible steps to protect the network from the outside via the corporate firewall and will make security recommendations and patches available to the PC coordinators. However, if a similar situation should recur, we will again need to disconnect affected computers that may attack other computers. If you experience problems with your computer, or believe your desktop computer or laptop has not received a recent security patch, please immediately contact your departmental PC coordinator.

As you may have heard, there is the potential for a second phase of the attack to occur beginning Saturday, August 16. As an additional precaution, we would like to request that you shut down your computer before leaving work for the weekend, if possible.

Thank you for your assistance in helping to secure the UCOP network.

