ORLANDO, Fla. -- A team of IT staffers at the University of Indianapolis last week showed off a bundle of open-source tools and scripts it uses to trap and isolate PCs infected by viruses or spyware.
Dubbed Shelob, after the sinister giant spider in J.R.R. Tolkien's Lord of the Rings, the software spots suspect traffic patterns, identifies the computers involved and then shunts them onto a closed virtual LAN. Users get an appropriate Web screen explaining what has happened and how to fix their PC, or whom to call for help.
Shelob's inner workings were shown off last week in Orlando, Fla., at Educause, the annual user conference for IT professionals in higher education. You can find one instance of Shelob in action in this January alert to students.
The school says that since being rapidly thrown together during the Blaster worm outbreak of 2003, Shelob has helped to keep it free of network or service outages related to virus infections. One limitation: it works only with clients that are plugged directly into the LAN, not wireless devices.
Shelob's creators are Shawn Austin, Matt Wilson, and Steve Corbin, all with the university.
To detect traffic anomalies, Austin says, the team wrote plug-ins for three open-source programs: Snort, an intrusion detection system; Amavisd, an interface between mail transfer agents and various content-checking programs; and Nmap, a network scanner. A community rule set called Bleeding Snort keeps Snort's virus signatures updated daily. Using the output from these programs, Shelob populates a MySQL database table with a list of MAC addresses and other identifiers for the offending machines.
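The article does not publish Shelob's scripts, so the following is an added illustration of the pipeline it describes, not the university's code: read Snort alerts, decide which source hosts look infected, resolve each one to a MAC address (the identifier a VLAN move needs), and record them in a database table. The alert lines, the IP-to-MAC table, the rule thresholds and the table schema are all constructed assumptions; Snort's "fast" alert format is real, and an in-memory SQLite database stands in for the MySQL table. The host missing from the wired ARP table shows the wired-only limitation the article mentions.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed Snort "fast"-format alert lines (not real alerts from the
# university). SIDs are in the local-rule range; addresses are private or
# documentation ranges.
SAMPLE_ALERTS = """\
10/20-09:14:02.118634  [**] [1:1000001:1] LOCAL Worm-like scan on tcp/135 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.20.4.17:1034 -> 10.20.9.3:135
10/20-09:14:02.201177  [**] [1:1000001:1] LOCAL Worm-like scan on tcp/135 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.20.4.17:1035 -> 10.20.9.4:135
10/20-09:14:03.004512  [**] [1:1000001:1] LOCAL Worm-like scan on tcp/135 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.20.4.17:1036 -> 10.20.9.5:135
10/20-09:14:05.332100  [**] [1:1000002:2] LOCAL Spyware beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 2] {UDP} 10.20.7.88:51000 -> 203.0.113.10:53
10/20-09:14:06.000001  [**] [1:1000003:1] LOCAL Possible policy violation [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.20.4.60:44000 -> 198.51.100.5:80
"""

# Constructed IP-to-MAC table standing in for what a real deployment would pull
# from the switches. 10.20.7.88 is deliberately absent (e.g. a wireless client
# the wired-only design cannot see).
WIRED_ARP = {"10.20.4.17": "02:00:00:aa:bb:01", "10.20.4.60": "02:00:00:aa:bb:02"}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse fast-format alert lines; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"], d["sid"] = int(d["prio"]), int(d["sid"])
            alerts.append(d)
    return alerts


def select_offenders(alerts, max_prio=2, scan_threshold=3):
    """Return {src_ip: reason} for hosts that look infected.

    Two triggers (thresholds are assumptions): any alert at priority <= max_prio,
    or one source firing the same signature at >= scan_threshold distinct
    destinations, which is what a worm scanning the LAN looks like.
    """
    offenders = {}
    targets = defaultdict(set)  # (src, sid) -> destinations seen
    for a in alerts:
        targets[(a["src"], a["sid"])].add(a["dst"])
        if a["prio"] <= max_prio and a["src"] not in offenders:
            offenders[a["src"]] = f"priority {a['prio']}: {a['msg']}"
    for (src, sid), dsts in targets.items():
        if len(dsts) >= scan_threshold and src not in offenders:
            offenders[src] = f"sid {sid} hit {len(dsts)} hosts"
    return offenders


def resolve_macs(offenders, arp_table):
    """Map offending IPs to MACs. Hosts with no wired ARP entry cannot be moved
    to the quarantine VLAN and are returned separately for manual follow-up."""
    rows, unresolved = [], []
    for ip, reason in sorted(offenders.items()):
        mac = arp_table.get(ip)
        (unresolved.append(ip) if mac is None else rows.append((mac, ip, reason)))
    return rows, unresolved


def store_quarantine(rows):
    """Write rows to a quarantine table (SQLite in memory stands in for MySQL;
    the schema is an assumption). INSERT OR IGNORE keeps re-runs idempotent."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quarantine (mac TEXT PRIMARY KEY, ip TEXT, reason TEXT)")
    conn.executemany("INSERT OR IGNORE INTO quarantine VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def run(alert_text=SAMPLE_ALERTS, arp_table=WIRED_ARP):
    alerts = parse_alerts(alert_text)
    offenders = select_offenders(alerts)
    rows, unresolved = resolve_macs(offenders, arp_table)
    conn = store_quarantine(rows)
    quarantined = [r[0] for r in conn.execute("SELECT mac FROM quarantine ORDER BY mac")]
    return {"alerts": len(alerts), "offenders": offenders,
            "quarantined": quarantined, "unresolved": unresolved}


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

With the constructed input, the scanning host 10.20.4.17 is quarantined by MAC, the priority-3 policy alert from 10.20.4.60 is left alone, and 10.20.7.88 is flagged as an offender but reported as unresolved because it has no wired ARP entry, which is exactly the case a wired-only design hands off to a human.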