Shelob: Using homebrew and open source applications to keep your network virus/spyware-free.

In the past several years, virus infections have risen steeply and the techniques used to spread them have become more and more clever. Blaster and others started a trend by exploiting vulnerabilities in unpatched Windows PCs to spread themselves directly over TCP/IP, with no user action required. This scheme has crippled university networks at the start of each school year for the past three years. Shelob, hurriedly developed during the Blaster outbreak in 2003, has since helped the University of Indianapolis avoid the outages that virus outbreaks have caused at other universities. Using a combination of open source applications and homebrew scripts, U of I Information Systems has eliminated the "start of semester blues": since Shelob's inception, the University of Indianapolis has not had any network or service outages related to virus outbreaks.

What makes Shelob work?

Detection:

Snort, Amavisd, NMAP

A virus- or spyware-infected PC can be identified in many ways. Currently we have implemented detection plugins for Snort (network intrusion detection), Amavisd (virus scanning of mail passing through the mail server) and NMAP (port scanning). Using the output of each of these applications, a MySQL table is populated with a list of MAC addresses and other identifiers. The MAC address is the key because it is what the DHCP and VMPS isolation steps act on, and it stays with the PC when its IP address changes.
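The following is an added example of what one such detection plugin looks like; it is not Shelob's own code. It reads Snort's one-line "fast" alert format, maps each offending source IP to a MAC address (here from an ISC dhcpd leases file, an assumption), and keeps one row per MAC with a hit counter and a last-seen timestamp; SQLite stands in for the MySQL table the page describes. The alert lines, lease blocks and signature IDs are constructed for the example. It also includes the release check implied later on the page (a host is let out once no new alerts have been seen for a quiet period).

```python
"""Added example, not Shelob's own code: a Snort detection plugin that turns
fast-format alerts into rows of a quarantine table keyed by MAC address.
Hypothetical choices: the IP-to-MAC mapping is read from ISC dhcpd's leases
file, and SQLite stands in for the MySQL table the page describes."""
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed Snort "fast" alert lines; the signature IDs are placeholders.
SNORT_ALERTS = """\
08/23-14:02:11.103334  [**] [1:900001:1] WORM RPC DCOM probe [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.20.30.40:1034 -> 10.20.31.5:135
08/23-14:02:12.551200  [**] [1:900001:1] WORM RPC DCOM probe [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.20.30.40:1035 -> 10.20.31.6:135
08/23-14:03:40.000912  [**] [1:900002:1] SPYWARE adware beacon [**] [Classification: Misc activity] [Priority: 2] {UDP} 10.20.30.77:4000 -> 192.0.2.10:53
08/23-14:05:02.220000  [**] [1:900003:1] INFO web traffic [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.20.30.90:1200 -> 192.0.2.20:80
"""

# Constructed excerpt of dhcpd.leases (ISC dhcpd appends; newest block wins).
DHCPD_LEASES = """\
lease 10.20.30.40 {
  starts 1 2004/08/23 13:00:00;
  ends 1 2004/08/23 15:00:00;
  hardware ethernet 00:0d:60:11:22:33;
}
lease 10.20.30.77 {
  starts 1 2004/08/23 13:10:00;
  ends 1 2004/08/23 15:10:00;
  hardware ethernet 00:40:96:AA:BB:CC;
}
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$")
LEASE_RE = re.compile(r"lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet\s+(?P<mac>[0-9a-fA-F:]{17});")
QUARANTINE_MAX_PRIORITY = 2   # priorities 1-2 quarantine; 3 is informational


def parse_leases(text):
    """IP -> MAC (lower-case, colon form)."""
    mapping = {}
    for m in LEASE_RE.finditer(text):
        hw = HW_RE.search(m.group("body"))
        if hw:
            mapping[m.group("ip")] = hw.group("mac").lower()
    return mapping


def parse_alerts(text, year=2004):
    """Yield (timestamp, sid, msg, priority, src_ip) per well-formed line.
    Fast alerts carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue                                       # not an alert line
        stamp = m["ts"].split(".")[0]                      # drop microseconds
        ts = datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d-%H:%M:%S")
        yield ts, int(m["sid"]), m["msg"], int(m["prio"]), m["src"]


def open_table(conn):
    conn.execute("""CREATE TABLE IF NOT EXISTS infected (
        mac TEXT PRIMARY KEY, ip TEXT, sid INTEGER, msg TEXT,
        hits INTEGER NOT NULL, first_seen TEXT, last_seen TEXT)""")


def ingest(conn, alerts_text, leases_text):
    """One row per offending MAC; repeats bump hits and last_seen.
    Returns the number of distinct MACs recorded."""
    ip_to_mac = parse_leases(leases_text)
    touched = set()
    for ts, sid, msg, prio, src in parse_alerts(alerts_text):
        if prio > QUARANTINE_MAX_PRIORITY:
            continue
        mac = ip_to_mac.get(src)
        if mac is None:
            continue   # no lease for that IP: nothing for DHCP/VMPS to act on
        when = ts.isoformat()
        conn.execute("""INSERT INTO infected VALUES (?,?,?,?,1,?,?)
            ON CONFLICT(mac) DO UPDATE SET ip=excluded.ip, sid=excluded.sid,
            msg=excluded.msg, hits=hits+1, last_seen=excluded.last_seen""",
                     (mac, src, sid, msg, when, when))
        touched.add(mac)
    conn.commit()
    return len(touched)


def release_candidates(conn, now_iso, quiet_hours=24):
    """The page's release rule: MACs with no new alert for quiet_hours."""
    cutoff = (datetime.fromisoformat(now_iso) - timedelta(hours=quiet_hours)).isoformat()
    return sorted(r[0] for r in conn.execute(
        "SELECT mac FROM infected WHERE last_seen < ?", (cutoff,)))


def demo(now_iso="2004-08-24T16:00:00"):
    """Run over the constructed samples: ({mac: (ip, hits)}, releasable MACs)."""
    conn = sqlite3.connect(":memory:")
    open_table(conn)
    ingest(conn, SNORT_ALERTS, DHCPD_LEASES)
    rows = {mac: (ip, hits) for mac, ip, hits
            in conn.execute("SELECT mac, ip, hits FROM infected")}
    return rows, release_candidates(conn, now_iso)


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the plugin: an alert whose source IP has no lease is dropped rather than recorded, because without a MAC there is no port or DHCP reservation to act on (a static-IP host would need the ARP table or switch CAM table as a second source); and priority-3 informational alerts are deliberately not enough to quarantine, since false positives here take a user off the network.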

Isolation:

ISC DHCPD, OpenVMPS

We have integrated Shelob into our homebrew NetReg system. When an infected PC is identified, DHCP gives it an unrouted IP address and the switch port it is connected to is assigned, via VMPS, to a VLAN that contains only other infected hosts. Because the port itself is moved, a user cannot escape quarantine simply by configuring a static address.
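As an added illustration (not Shelob's or NetReg's code) of what the isolation step has to produce, the script below takes the list of infected MACs and writes the two fragments the isolation layer needs: a dhcpd.conf include with a quarantine subnet and one fixed-address host stanza per MAC, and an OpenVMPS database that answers the switch's VLAN query for those MACs with the quarantine VLAN. The subnet 10.99.0.0/24, portal address 10.99.0.1, VLAN name QUARANTINE and VMPS domain name are all hypothetical.

```python
"""Added example, not Shelob's or NetReg's code: from the list of infected
MACs, write the two fragments the isolation layer needs, in the formats ISC
dhcpd and OpenVMPS read. Subnet, portal address, VLAN name and VMPS domain
are hypothetical."""
import ipaddress
import re

QUARANTINE_NET = ipaddress.ip_network("10.99.0.0/24")  # unrouted, hypothetical
PORTAL_IP = "10.99.0.1"          # web/DNS server on the quarantine VLAN, hypothetical
QUARANTINE_VLAN = "QUARANTINE"   # VLAN name as known to the switches, hypothetical
VMPS_DOMAIN = "campus"           # must equal the switches' configured VMPS domain
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00:0d:60:11:22:33, 00-0D-60-11-22-33 or 000d.6011.2233."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def mac_colon(d):
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))   # dhcpd form


def mac_cisco(d):
    return ".".join(d[i:i + 4] for i in range(0, 12, 4))   # VMPS form


def assign_addresses(macs):
    """Deterministic MAC -> fixed address: sorted MACs fill the pool in order,
    skipping the portal. Fails loudly rather than silently dropping hosts."""
    pool = [ip for ip in QUARANTINE_NET.hosts() if str(ip) != PORTAL_IP]
    uniq = sorted({normalize_mac(m) for m in macs})
    if len(uniq) > len(pool):
        raise RuntimeError(f"quarantine pool exhausted: {len(uniq)} hosts, {len(pool)} addresses")
    return dict(zip(uniq, pool))


def dhcpd_fragment(macs):
    """dhcpd.conf include: the quarantine subnet, whose only DNS server and
    gateway is the portal, and one fixed-address host stanza per MAC."""
    out = [f"subnet {QUARANTINE_NET.network_address} netmask {QUARANTINE_NET.netmask} {{",
           f"    option domain-name-servers {PORTAL_IP};",
           f"    option routers {PORTAL_IP};",
           "    default-lease-time 300;",   # short leases: a cleaned host moves out quickly
           "    max-lease-time 300;",
           "}"]
    for d, ip in assign_addresses(macs).items():
        out += [f"host quarantine-{d} {{",
                f"    hardware ethernet {mac_colon(d)};",
                f"    fixed-address {ip};",
                "}"]
    return "\n".join(out) + "\n"


def vmps_fragment(macs):
    """OpenVMPS database: listed MACs get the quarantine VLAN; everything
    else falls back to the default VLAN, so only infected ports move."""
    out = [f"vmps domain {VMPS_DOMAIN}",
           "vmps mode open",
           "vmps fallback default",
           "vmps no-domain-req deny",
           "!",
           "vmps-mac-addrs"]
    for d in sorted({normalize_mac(m) for m in macs}):
        out.append(f"address {mac_cisco(d)} vlan-name {QUARANTINE_VLAN}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    infected = ["00:0D:60:11:22:33", "0040.96aa.bbcc"]
    print(dhcpd_fragment(infected))
    print(vmps_fragment(infected))
```

Both fragments are keyed on the MAC, which is why the detection table above stores MACs rather than IP addresses. Two operational caveats: a VMPS change only takes effect when the switch next queries (link flap or the switch's reconfirmation interval), and the short DHCP lease is what makes the move back to the normal VLAN visible to the PC without a reboot.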

Instruction:

ISC Bind, Apache httpd

In a similar fashion to how most NetReg systems work, Shelob uses a fake zone file that resolves every DNS lookup to a web server on the quarantine network. That web server serves a page informing the user that his or her PC has a virus and giving instructions on how to clean it. McAfee VirusScan, virus definition files and many Windows updates are also distributed from this page, since the isolated PC cannot reach the vendors' sites. The PC remains isolated until virus or spyware activity stops originating from it.
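In BIND the "fake zone" is a master zone for "." whose zone file ends with a wildcard record such as `* IN A 10.99.0.1`, so every name resolves to the portal. The following added example (not Shelob's own code) shows the same behaviour on the wire as a stand-alone catch-all responder, so the effect can be tested offline without a BIND install: any A query gets the portal address back, and other query types get an empty authoritative answer so that a client that asks for AAAA first falls through to A. The portal address 10.99.0.1 is hypothetical.

```python
"""Added example, not Shelob's own code: what the page's "fake zone" does on
the wire. Every A query is answered with the portal's address, so whatever
hostname the quarantined user types lands on the instruction page. BIND does
this with a wildcard record; this stand-alone responder reproduces the
behaviour so it can be tested offline. Portal address is hypothetical."""
import socket
import struct

PORTAL_IP = "10.99.0.1"       # the instruction web server, hypothetical
QTYPE_A, QCLASS_IN = 1, 1


def _read_name(buf, off):
    """Decode the DNS name at buf[off:]; returns (name, offset after it).
    Follows compression pointers without rescanning the whole packet."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """A client query as a stub resolver would send it (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def sinkhole_response(query, portal_ip=PORTAL_IP, ttl=60):
    """Answer any A/IN question with portal_ip. Other types get an empty
    authoritative answer, so the client moves on to A instead of failing."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    _, off = _read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    rflags = 0x8400 | (flags & 0x0100)     # QR=1, AA=1, RD copied, RCODE=0
    answer, ancount = b"", 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        # NAME is a pointer (0xC00C) to the question name at offset 12.
        answer = (struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
                  + socket.inet_aton(portal_ip))
        ancount = 1
    return struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0) + question + answer


def answered_address(response):
    """Address in the first A answer of a response, or None if there is none."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, off = _read_name(response, 12)          # skip QNAME
    off += 4                                   # skip QTYPE and QCLASS
    _, off = _read_name(response, off)         # answer NAME (a pointer here)
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    return socket.inet_ntoa(response[off:off + rdlen]) if rtype == QTYPE_A else None


def serve(bind_ip="0.0.0.0", port=53):
    """Run the responder on UDP; port 53 needs root. Not called on import."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(sinkhole_response(data), peer)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            pass   # malformed query: drop it rather than crash the portal


if __name__ == "__main__":
    serve()
```

Keep the TTL short (60 seconds here): the PC caches the sinkhole answer, and a long TTL would keep sending a cleaned host to the portal after it is released. The web server side then only has to answer every Host header with the instruction page and serve the VirusScan installer and updates from local disk, because nothing else is reachable from the quarantine VLAN.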

What's in the future for Shelob?

Required Windows Updates:

We have considered using our local Windows Software Update Server to report which PCs have checked in for updates. A PC not seen at least once a month would be forced into Shelob, where the user's only option would be to update it; the PC would be allowed back onto the public network only once it had checked in and installed all recent updates.

Copyright Infringement Warnings:

We have considered using Shelob to isolate users who violate copyright law. If we receive notifications from the RIAA or others, we could automatically isolate the offender and require them to read through our network usage agreement before being released. After three offenses the case could be referred to the university's judicial board.



SourceForge Project Information
http://ungoliant.sourceforge.net/

Developers of Shelob
Shawn Austin austinsr@uindy.edu
Matt Wilson mwilson@uindy.edu
Steve Corbin corbinsm@uindy.edu

CIO
Jeff Russell jrussell@uindy.edu

Director of Client Services
Michelle Duman mduman@uindy.edu