Nearly all Laboratory computers that run the Microsoft operating system are back on the network after a worldwide attack by hackers using a high-risk worm that can take over individual computers.
Staff from the Microsoft Systems Management Server Security Update Service in Desktop Computing (CCN-2) used their automated system to distribute the patch for the W32.Sasser worm. Systems not subscribing to the SMS update service had to be manually patched. System administrators and Organizational Computer Security Representatives across the Laboratory were notified, and unpatched systems were blocked from the network once the worm was known to exist.
"This was a great job that required quick reaction and a thorough understanding of the problem by the folks on the Enterprise Software Management Team, the Network Engineering Group and system administrators," said Charlotte Lindsey, acting Chief Information Officer (CIO).
The W32.Sasser family of worms runs on computers that use several of the Microsoft Windows operating systems. The worm damages computer performance and potentially can leave desktop computers vulnerable to a takeover by a hacker, who can use the host computer to further distribute the Sasser worm.
In the most recent, high-risk Sasser attack, the Enterprise Software Management Team began distributing the latest Microsoft vulnerability patch on Monday evening, April 19, using their SMS Security Update Service. By Friday morning, April 23, more than 4,000 computer systems had been patched via the distributions.
A week later, hackers posted on the Internet a coded exploit for the original vulnerability; within a couple of days, the Laboratory and thousands of other sites around the world were under assault by the hacker community via the variant of the Sasser worm that evolved from that exploit.
On Saturday, May 1, hours after the new worm appeared on the Internet, the Laboratory's Network Engineering Group (CCN-5) began blocking vulnerable computers - those that had not received the patch distributed by the SMS Security Update Service or through manual installation. In order to be reconnected to the Laboratory network, computer users had to call the Security Update Service for the patch. Over a 24-hour period, about 1,000 computers received the patch and were reconnected to the network.
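The procedure the article describes is a patch-compliance quarantine: push the patch automatically to subscribed hosts, cut unpatched hosts off the network, and reconnect each one only after the patch is confirmed. The following is an added example that models that workflow; it is not code from the Laboratory or the SMS service. The inventory data, the `Host` record and all function names are constructed for illustration, the bulletin identifier `MS04-011` is the widely documented Microsoft fix for the LSASS flaw Sasser exploited (the article itself names no bulletin), and the list of affected Windows versions is an assumption, since the article only says "several".

```python
import csv
import io
from dataclasses import dataclass, field

# Assumption: MS04-011 is the Microsoft bulletin that closed the LSASS hole Sasser
# exploited; the article names no bulletin, so substitute the real value at your site.
REQUIRED_PATCH = "MS04-011"
# Assumption: Windows versions the worm targeted (the article says only "several").
AFFECTED_OS = {"Windows 2000", "Windows XP", "Windows Server 2003"}

# Constructed inventory in the shape of an asset export (not real Laboratory data).
INVENTORY_CSV = """hostname,os,sms_subscribed,patches
lab-ws-01,Windows XP,yes,MS04-007;MS04-011
lab-ws-02,Windows 2000,yes,MS04-007
lab-ws-03,Windows XP,no,
lab-srv-01,Windows Server 2003,no,MS04-011
lab-mac-01,Mac OS X,no,
"""


@dataclass
class Host:
    name: str
    os: str
    sms_subscribed: bool
    patches: set = field(default_factory=set)
    on_network: bool = True


def load_inventory(text):
    """Parse the CSV export into Host records; empty patch columns become empty sets."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        patches = {p for p in row["patches"].split(";") if p}
        subscribed = row["sms_subscribed"].strip().lower() == "yes"
        hosts.append(Host(row["hostname"], row["os"], subscribed, patches))
    return hosts


def is_vulnerable(host):
    """A host is exposed only if it runs an affected OS and lacks the required patch."""
    return host.os in AFFECTED_OS and REQUIRED_PATCH not in host.patches


def sms_push(hosts):
    """Automated distribution: patch every subscribed, exposed host. Returns names patched."""
    patched = []
    for h in hosts:
        if h.sms_subscribed and is_vulnerable(h):
            h.patches.add(REQUIRED_PATCH)
            patched.append(h.name)
    return patched


def block_vulnerable(hosts):
    """Network enforcement: disconnect hosts still lacking the patch. Returns names blocked."""
    blocked = []
    for h in hosts:
        if is_vulnerable(h) and h.on_network:
            h.on_network = False
            blocked.append(h.name)
    return blocked


def manual_patch(host):
    """Hand installation for hosts outside the automated service."""
    host.patches.add(REQUIRED_PATCH)


def reconnect(host):
    """Reconnect only once the patch is present; returns whether reconnection was allowed."""
    if is_vulnerable(host):
        return False
    host.on_network = True
    return True


def summary(hosts):
    return {
        "on_network": sorted(h.name for h in hosts if h.on_network),
        "blocked": sorted(h.name for h in hosts if not h.on_network),
    }


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print("patched by SMS push:", sms_push(inv))
    print("blocked from network:", block_vulnerable(inv))
    ws03 = next(h for h in inv if h.name == "lab-ws-03")
    print("reconnect before patch allowed:", reconnect(ws03))
    manual_patch(ws03)
    print("reconnect after patch allowed:", reconnect(ws03))
    print(summary(inv))
```

The ordering matters: the automated push runs first so that only hosts the service could not reach end up blocked, and `reconnect` re-checks patch state rather than trusting the caller, which mirrors the article's rule that a blocked machine gets back on the network only after the patch has actually been installed.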
The Sasser worm patch now has been installed on more than 5,500 systems through the SMS Security Update Service. More information about the Security Update Service is available online at http://ccn.lanl.gov/source/orgs/ccn/ccn2/esm/lanl_sms_sus.shtml.
-- Jim Danneskiold