Hello Russ
First - my apologies for the many spelling/grammar errors you will see in this. I am on my laptop in a hotel and don't have access to a spelling/grammar checker on this machine. The laptop keyboard doesn't help either.

The reason I take these numbers with a grain of salt is because there is nothing to verify the validity of the claims being made. One of the few things that can be concretely proven is overtime costs of technical staff that deals with the outbreak. Other than that, many of the other claims are speculative at best. Another reason is the people who are making up these numbers. Are heads of security, whose jobs depend on there being a threat, or whose budgets need a boost, filling out these surveys? "Gee boss, we could have prevented this outbreak if we had had an extra ______ in our budget. Look how much money we lost in 'productivity' this time."

For example, you cite money lost in productivity and lost customers, but how do you verify that this money is really being lost? Who is calculating these numbers? Are there any tax write-offs to be had in claiming these numbers? Insurance claims?

As for lost productivity, how are you calculating this? Are companies viewing their workers as machines that have a set productivity/time ratio that never changes? People are not machines that are either on or off. They have the ability to make up for lost time by putting forth more effort than normal after the unexpected downtime.

I can see where a company might lose money in sales if they sell gizmos for $19.95 on TV and their entire income depends on compulsive buyers calling in with their "credit cards ready", but how many companies in your survey fit this sort of profile?

If a company like, say, SBC can't field phone calls for three hours, isn't it logical to assume that the sales they "lose" will be made up in the future, since their customer base almost always has no other choice when it comes to the services they provide?

Could it be that sales that are "lost" due to downtime might be made up for the simple fact that many customers will end up just trying back later?

Another problem I have is the way these numbers are reported in stories. Authors typically take the most interesting numbers and throw them out without any context at all. So the average cost was $97,000...so? How about some context so I can fathom whether or not that number is high or low? What do these companies do and for the ones that are claiming lost sales or productivity, how did they come about these figures?

You asked about my experience so let me share...

We were hit by the Blaster worm a couple of years ago. We had been contemplating deploying SUS for months before that, but due to procrastination we hadn't. As a result the virus entered our network via a single infected laptop, and hit just about every one of our 1100 workstations. I had read about the worm outbreak over the weekend, so I had an idea of what we might have in store, so I went into work in the morning looking for trouble. We got calls immediately about computers rebooting themselves. I knew what it was and had already looked up the info on the virus and how to remove it. I wrote a machine startup script (deployed via AD group policy) that would install the patch, and run the latest superdat file for McAfee, kill the virus with pkill.exe, and reboot the machine. Before rebooting the first time it would place an empty file in the system32 directory indicating that the machine had been patched. Upon booting again the script would detect the empty file and run a separate batch of code. This would again kill the virus process and then run NAI's stinger app which would clean the virus from the machine completely. After that, the script would place another blank file in the system32 directory to indicate that the machine had been patched and cleaned. After that, when the machine rebooted, the script would run, but upon detecting the second blank file it would simply exit and do nothing.

Meanwhile, I set up Ethereal on several machines in the office and set them up to "listen" for attacks from the worm. After about 30-40 minutes attacks died out to only a few machines. These were either machines owned by us that had corrupt domain accounts or for whatever reason were not in the domain, or machines that did not belong to us at all. For the machines that belonged to us, we went out and dealt with them by hand - they needed to be dealt with anyway, as we have a policy of having every machine be a member of our domain so that they can be remotely managed. For the machines that didn't belong to us, we would gather their MAC addresses every couple of hours and filter them out at our core router, effectively cutting them off from the internet. This would get the owners' attention in a hurry and as a result, they would contact us and we would inform them of why they were being blocked.

The total time until we were able to focus on other tasks was three hours at most. Our staff members probably lost an hour of time with their computers as it took a bit of time for it to get out to all of the machines in the domain after I had released it. The majority of time was spent writing the initial script, setting up Ethereal, and implementing the CAM filter on our router. We did spend some more time dealing with the machines that were not in our domain, but this was something that needed to be done anyway, as these machines were compliant with our policies.

I suppose if the worm was like Slammer, remotely fixing them would not be an option as it tended to saturate networks to the point of making them useless, but in the case of Blaster remotely fixing them was not an issue.

As for the IT staff, we did not end up working any overtime due to this outbreak, and nothing that was uber-critical was pushed back. We are always busy, so pushing back the day-to-day tasks by a few hours is going to cost us money in the long run.

I would estimate the total cost to us in this debacle was $0.00, as the organization I am in does not sell gizmos for 19.95, nor do we depend on being able to access our computers 24/7 to make money.

How about Zotob? Did it saturate networks like Slammer did? Also, why were these companies not patched? The potential for mass infection of Windows has been apparent for many years now and when this particular vulnerability was announced the potential for a worm was widely known.

Perhaps the story should read "Administrator incompetence prior to the Zotob outbreak led to an average loss of $97,000 for businesses surveyed."
Posted by: toadlife   Posted on: 10/27/05
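
The two-marker startup script described in the post above, modelled as an added example (this is not toadlife's script, which the post does not reproduce). The marker file names and step labels are hypothetical, each step is an injected callable rather than a real command line, and writing a marker only after every step of its stage succeeds is an assumption added here so that a failed stage is retried on the next boot.

```python
from pathlib import Path
import tempfile

# Hypothetical marker file names; the post does not give the names it used.
PATCHED_MARKER = "worm_patched.flag"
CLEANED_MARKER = "worm_cleaned.flag"

# Step names are labels for the actions the post lists, not real command lines.
STAGE1 = ["install_patch", "update_av_definitions", "kill_worm_process"]
STAGE2 = ["kill_worm_process", "run_removal_tool"]

def startup_pass(marker_dir, run_step):
    """Run one boot's worth of remediation.

    run_step(name) performs a step and returns True on success.
    Returns (steps_attempted, reboot_requested).
    """
    marker_dir = Path(marker_dir)
    patched = marker_dir / PATCHED_MARKER
    cleaned = marker_dir / CLEANED_MARKER

    if cleaned.exists():              # third and later boots: nothing to do
        return [], False
    if not patched.exists():          # first boot: patch, then ask for a reboot
        steps, marker, reboot = STAGE1, patched, True
    else:                             # second boot: clean up, no reboot needed
        steps, marker, reboot = STAGE2, cleaned, False

    attempted = []
    for name in steps:
        attempted.append(name)
        if not run_step(name):        # marker stays absent so the next boot retries
            return attempted, False
    marker.touch()                    # empty file records that this stage finished
    return attempted, reboot

def simulate_boots(boots, failing=()):
    """Replay `boots` startups in a temp dir; each step in `failing` fails once."""
    pending_failures = set(failing)
    def run_step(name):
        if name in pending_failures:
            pending_failures.discard(name)
            return False
        return True
    with tempfile.TemporaryDirectory() as d:
        return [startup_pass(d, run_step) for _ in range(boots)]

if __name__ == "__main__":
    for n, result in enumerate(simulate_boots(3), 1):
        print(n, result)
```
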
