back to article Exeter Uni goes offline to fight mystery malware

The University of Exeter took the unusual step of temporarily taking its network down this week in response to a virulent virus outbreak. Computers at the south west England university were taken offline on Monday for a clean-up in response to an unidentified malware outbreak, which has since been contained. By Thursday the …


This topic is closed for new posts.
  1. The Original Ash

    Not standard practice?

    You have a site with hundreds of computers linked by a gigabit LAN to some pretty high-speed servers hosting millions of pounds worth of research data (and all the clerical, admin, student work etc) and there's a particularly virulent worm making its way around your network. It's been stated that it corrupts data on infected machines.

    If the choice comes down to "Drop the switches, lose live data, save the majority of stored data" or "Stay up, risk reinfection of cleaned clients, potentially lose large quantities of stored data" I'd have the breaker out faster than you can say "I'm in the middle of a COMMIT!"

    1. markp 1

      hmmm, sounds familiar

      Where'd that link go to the old, old security report surrounding the appearance and rapid spread of the first internet worm? I can't remember what the response was now - let it run riot to best study and eradicate it, or start isolating stuff ASAP, firebreak style, and communicating over phone and limited email links instead.

  2. Verne

    Well, there you go....

    I suppose full marks are due to those who shut down the system to limit the damage but when everything seems to rely on a big interconnected network the phrase "putting your eggs in one basket" spings to mind. Why does everything have to be so network based when it is a prime target for those who are not adept to living in a civilised society?

    I would have thought that some form of back-up (yes, I konw it's old fashioned, but it works) network in a limited form could at least have kept the VoIP working. Good job the mobile phone network wasn't taken out as well!

    Have a nice day.

    1. markp 1

      very odd they went down as well

      I'm pretty sure the IP Phones where I am use completely different subnet addresses, switches and the like. They are able to share the PC ethernet cables in a limited way, to allow for ease of location, but the traffic for the two different systems is quickly filtered apart at the nearest reasonably smart router (some areas are devoid of IP Phone or have them on dedicated sockets because there aren't enough of the said routers about).

      Shouldn't have been too hard to say "ban all traffic from devices on IPs X thru Y but allow that on A thru B"? Or even, for certain domain based nets, ban them by MAC list...

      But then when you notice something awful happening and dive for the Big Red Switch there may not be time for considerations like that. If we had something similar going on, we may suffer just as bad. And now I'm trying to remember if the phones were affected that one time we had a NIC in a remote part of the building run wild and start barfing 1000 broadcast packets a second over the entire LAN... probably so? But then we do also have an analogue PBX kicking about for emergency backup anyway.

      Thinking of your first point though, this is why chucking all your stuff in the cloud is risky. I'll stick with my plethora of optical backups and flashdrives. Sneakernet is hard to kill without a rifle.

  3. Anonymous Coward

    Graham Clueless?

    "Graham Cluley, senior technology consultant at Sophos, said that systems may have been taken offline to fight a worm that exploited a specific vulnerability, perhaps involving Vista. Cluley added that although disconnecting systems is not standard practice in malware cleanups, it may be necessary to stop a handful of systems reinfecting everything else."

    Sure it's very often a first response action?! Find the source of the outbreak and if possible isolate the bastard(s) asap! Then clean or destroy as necessary taking time to do it properly without worrying about what further damage it can do.

    Place I'm working at recently had a problem with a rogue laptop (ironically an unauthorised pen-tester who's script got carried away and started locking out domain accounts!). One of the first responses was to track down the source via MAC address and then shutdown that switch port. Second response was to find the muppet and have a *quiet* word with him, and the manager who let him onsite... ;-)

    1. markp 1

      sounds about right

      Sophos is rather over-paranoid in my limited experience. You're unlikely to get any nasty infections whilst making use of their services, but at the same time you may find it rather difficult to get any work done either. If the programs you need aren't being auto quarantined or firewalled, then it's running endless PC-crippling scans and finding lots of "suspect" files to put in data-jail.

      Though it may ultimately pay off in THESE situations!

  4. Anonymous Coward
    Anonymous Coward

    "The Cornwall campus was isolated from the main University of Exeter network"

    Was? It always has been! The network's run by University College Falmouth, and is completely separate from the main Streatham/St Luke's network anyway.

    It's been quite a laugh sitting here, watching the panicky emails come in. I feel rather smug.

  5. Anonymous Coward


    Was the query you sent done by e-mail?

    That would explain why you haven't got any response.

  6. Anonymous Coward
    Anonymous Coward

    anyone else think..

    ... that since no-one has yet given a name to this worm, and now four days later it doesn't seem to have got anywhere else, it might be some student's unauthorised, unofficial and extra-curricular CS project ?

  7. Anonymous Coward

    isolated subnet

    Surely the obvious solution is to isolate all of the Windows boxes in a diseased subnet; then when the inevitable virus outbreak occurs you can shut it down without affecting computer users.

  8. markp 1

    As no-one else has said it yet, I must post the inevitable.


  9. Anonymous Coward

    Well if you...

    are going to have lots of windoze on the network, you get what you deserve.

    (or as i paraphrase it, if you sleep with dogs you are going to get fleas)

  10. Anonymous Coward

    Catcher in the Blades...

    cornflicker is doing the rounds again...

    and some leading AV apps are not handling it correctly !!!

    STOP.... my servers gone tits up again...

  11. Anonymous Coward
    Anonymous Coward

    Since this is right on my doorstep...

    it seems the students are actually swapping over to Ubuntu fast rather than risk losing all their work.

    So far i've had a que at my door here in Falmouth for the last 2 days.

  12. Timothy Creswick

    Sensible Measures

    It's surprising that there's been almost no report on the topology of the affected network, and how that ultimately contributed to the large-scale effects of this incident.

    As with most universities, Exeter University widely uses public IP addresses in it's primary network allocation for connected devices (this huge subnet means there's no technical requirement for any address translation since they're a long way from subnet exhaustion).

    However, the University regularly uses /21 ( subnets internally, with insufficient segregation [with VLANs] of logical segments. In addition, many network segments are wired in long spurs, which means that isolating one network segment may necessarily require isolation of cascaded segments which needn't have been architechted in that way.

    Finally, and arguably most importantly, the university uses no internally firewalling of it's subnets in their central routing platform (think: zoned firewalls). There is firewalled access for traffic originating outside their primary /16 network, but that still leaves 65k+ addresses all of which can directly connect to each other. To my knowledge there is little or no IDP or traffic monitoring across segments, although this only helps if you actually segregate your networks at the Layer 2 & Layer 3 level.

    Certainly, there's no excuse for an attack which (ostensibly) only affects Windows workstations and servers to mean that VoIP networks should be affected, and indeed it should be possible on any corporate network to leave VoIP up and running, even if there's shared infrastructure.

    Finally, you have to wonder how the majority of network connected Windows machines went un-patched.

    Just my $0.02, but didn't seem that anyone else was saying it.

  13. Anonymous Coward

    No-one's mentioned

    whether or not Exeter has any Unix/Linux kit.... I would hope so (students at my Uni are heavily intio ubuntu), but of course taking the whole network offline would also take the non-Windows stuff off as well!

    Quite sure there're a few well pissed off Unix users, wondering why they're penalised for the lack of security in other areas!

  14. Anonymous Coward

    All the P's

    As usual ignored

    As usual panic when it all goes wrong

    Maybe they'll learn one day


    Proper Prior Planning Prevents P*ss Poor Performance, Produces P*ss Poor Protection, Promotes Pain, (and probably in this cae) Prevents Payrise

    1. Anonymous Coward
      Thumb Down

      Far Too Optimistic....

      > As usual ignored

      > As usual panic when it all goes wrong

      > Maybe they'll learn one day

      No chance - you obviously have no experience of the management culture at the University concerned!

  15. chipmunk1975

    not my problem

    im a student there and thankfully due to the shortcomings of the IT department here i now have an extra week to complete my work! more time down the pub yeehaaa!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022