01-31-2004, 08:27 PM
MyDoom was actually contained pretty quickly. Our campus had it blocked from getting to the outside world by 4pm on Monday (we first noticed it about 15 minutes before that). We had all the server-side e-mail virus scanners updated and a new patch for the campus install of McAfee pushed out by 6pm. There were still about 40 infected machines, but we had all those cleaned by noon on Tuesday. For a while we had the mail servers dropping all zip files until Sybari could get the update to us. But again, outside of the campus network it was shut down quickly. I imagine that our case wasn't much different from a lot of the organizations out there. Rapid containment of trojans is getting pretty easy. MyDoom only spread so fast because of the coordinated launch times.
Now worms are a bit harder. We are still fighting occasional outbreaks of Welchia, FireDaemon, and gaobot. But those are mainly due to people not using secure admin passwords or doing a rebuild and not getting the DCOM patch put on right away, and since our security team won't remove the network block until the system has been completely reformatted due to the backdoors that most of the worms put in to allow other compromised to be installed, some people get reinfected a couple of times.
---
It's all just zeroes and ones and duct tape in the end.