VOLUME 33, NUMBER 5 THURSDAY, October 4, 2001
Reporter: Top Stories

CIT urges installation of anti-virus software
Recommendation comes in wake of Nimda worm's slowing of Internet traffic


By SUE WUETCHER
Reporter Editor

CIT officials are strongly urging members of the campus community to have anti-virus software installed on their computer workstations in the wake of a recent rampage by the Nimda worm, a "rogue" computer worm that infiltrated servers on campus Sept. 18 and slowed Internet traffic to a virtual standstill.

Although the infected servers have been cleaned and brought up to the latest patch levels—software bug fixes intended to "patch" the holes in the system exploited by the worm—and anti-virus definitions have been published that stop the spread of Nimda, CIT continues to see the worm erupt on the network from computers that have not been cleaned and patched, said Rick Lesniak, director of Academic Services for CIT. "The really big question is, who's looking after all the student computers?" Lesniak asked.


He called the Nimda worm "a rogue computer program written by an Internet terrorist, or network of crackers." The program, he said, is intended to take advantage of several Microsoft software vulnerabilities "to spread itself copiously on the Internet and to infest vulnerable systems."

The worm is primarily aimed at Microsoft Host Web servers that are open to certain vulnerabilities, Lesniak said. The worm does not affect computers that do not use Microsoft operating systems or software, such as Macintosh, Linux or Unix. However, more than 90 percent of computers on campus are Microsoft OS computers, he said.

Servers that were at the latest patch levels were immune to the worm, he said, but those below those levels became hosts to a mass-mailing barrage with an attachment "README.EXE" that was invisible to recipients. Once the mail was read by the innocent user—or even previewed in Outlook and Outlook Express—the program attachment would gain access to the system, change system files and possibly open the C drive as a network share—available for anonymous network use. Vulnerabilities in Microsoft Internet Explorer also were exploited.

Lesniak noted that although the terms often are used interchangeably by the general public, there is a difference between a worm and a virus. A virus infects individual computers by attaching itself to programs and data files, replicating itself on a hard disk drive and then damaging files and causing system havoc, he explained. A worm, on the other hand, is designed to infest a network of computers, moving from computer to computer within a network and doing damage along the way. Nimda is by definition a worm, but it has a virus component in which it attaches itself to files to do damage, he said.

In fact, the Nimda worm is more virulent than other viruses that have been circulating recently, such as Code Red, primarily because of its multifaceted modes of attack—mass emailing, taking advantage of vulnerabilities in Microsoft Host Web servers (Internet Information Server or IIS) and modifying system initialization files to allow for anonymous access, he said.
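The two network-facing vectors named above, the readme.exe mail attachment and the IIS probes, each leave a recognizable trace, and the question Lesniak raises of which unpatched machines keep re-infecting the network can be answered from web server logs. The following is an added example, not CIT's tooling or anything from the article: the probe paths (root.exe, cmd.exe reached through encoded directory traversal) and the audio/x-wav disguise on the attachment are taken from the public analyses of the worm, not from this page, and the log lines, message and the six-field log layout are constructed for the example.

```python
"""Added example: spot Nimda's two network vectors in local evidence.

Assumptions (not from the article): IIS W3C log lines reduced to the
constructed field order "date time c-ip cs-method cs-uri-stem sc-status";
probe strings and the audio/x-wav attachment trick as documented in public
analyses of the worm. Sample data below is constructed.
"""
import re
from email import message_from_string

# Targets the worm's IIS component is documented to request: the root.exe
# backdoor left by earlier worms, and cmd.exe reached via directory
# traversal written with double-encoded (%255c) or overlong UTF-8
# (%c0%af, %c1%1c, ...) separators. This is a subset of the known forms.
NIMDA_PROBE_PATTERNS = [
    re.compile(r"/root\.exe", re.I),
    re.compile(r"/winnt/system32/cmd\.exe", re.I),
    re.compile(r"(\.\./|%2e%2e/|%255c|%c0%af|%c1%1c|%c1%9c|%c0%2f)", re.I),
]

# Constructed log format: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-18 09:01:55 10.20.30.40 GET /index.htm 200
2001-09-18 09:02:11 10.20.30.41 GET /scripts/root.exe?/c+dir 200
2001-09-18 09:02:12 10.20.30.41 GET /MSADC/root.exe?/c+dir 404
2001-09-18 09:02:13 10.20.30.41 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 200
2001-09-18 09:02:14 10.20.30.41 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 09:03:02 10.20.30.42 GET /images/logo.gif 200
"""


def find_probe_hits(log_lines):
    """Return (source ip, uri, status) for every request matching a probe.

    A 200 on root.exe or cmd.exe means the server answered the probe, i.e.
    it is unpatched or already carries the backdoor; a 404 still identifies
    the requesting host as infected and scanning.
    """
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):  # W3C header lines
            continue
        m = IIS_LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        if any(p.search(uri) for p in NIMDA_PROBE_PATTERNS):
            hits.append((m.group("src"), uri, m.group("status")))
    return hits


def probing_hosts(log_lines, threshold=3):
    """Source addresses with at least `threshold` probe requests: the
    machines to pull off the network, patch and disinfect."""
    counts = {}
    for src, _uri, _status in find_probe_hits(log_lines):
        counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed message in the shape the worm mailed: an executable
# attachment declared as audio so the mail client's preview pane would
# hand it to the wrong handler.
SAMPLE_MESSAGE = """\
From: someone@example.edu
To: victim@example.edu
Subject:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html></html>
--BOUND
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND--
"""

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def suspicious_attachments(raw_message):
    """Return (filename, declared content type) for every executable
    attachment; a declared type that is not application/* is the telltale.
    A gateway that blocks these never has to rely on the user not
    previewing the message."""
    msg = message_from_string(raw_message)
    found = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            found.append((filename, part.get_content_type()))
    return found


if __name__ == "__main__":
    for hit in find_probe_hits(SAMPLE_LOG.splitlines()):
        print("probe:", *hit)
    print("infected hosts:", probing_hosts(SAMPLE_LOG.splitlines()))
    print("executable attachments:", suspicious_attachments(SAMPLE_MESSAGE))
```

Run against real IIS logs, the W3C `#Fields:` line tells you which columns are present, so the regex above must be adjusted to the server's actual field order; the match on `cs-uri-stem` is what matters.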

Lesniak said that the worm was detected in a vulnerable server at UB at about 9 a.m. on Sept. 18 and within hours more than 20 servers were infected and spewing email out to innocent victims. Additionally, people reading email were spreading the virus. So by noon, the campus Internet backbone was reaching saturation and UB's connection to the Internet was saturated.

"The net effect was a choked network where no data could pass," he said. "Since UB already has a high level of Internet use, this problem caused network stoppage."

Lesniak said that as soon as CIT knew of the virus/worm, it alerted system administrators to remove their computers from the network and shut them down—"literally, pull the network plug to prevent further infection through the internet."

Once the worm was contained for the majority of infected servers, CIT's next step was to identify it, Lesniak explained.

Since UB's Internet connection was jammed—and access to Web sites for companies that identify and provide remediation for worms and viruses, such as Symantec and McAfee, was unavailable—CIT staff phoned colleagues at those companies and at other universities to assess the nature of the Nimda worm. By late evening, Symantec had published some recommendations for how to remediate the worm and began to send out virus definition files for anti-virus programs to prevent infection, he said.

Two steps were required to remediate each computer, Lesniak said: bring the vulnerable software up to the latest patch levels to plug the holes exploited by the worm, and then scan and disinfect the computer using anti-virus programs with the latest virus definitions to either quarantine or eradicate the infected files.

He noted that UB has a site license for Norton Anti-Virus, published by Symantec, that is available to download and install on work and home computers. "No one at UB should have a computer linked to the Internet without this software," he said, adding that it's also distributed on the Tech Tools 2001 CD for students and faculty to use.

Lesniak stressed that UB computer users continue to be plagued by viruses and worms on a regular basis.

"For example, today I had two attempts to infect my system with the SirCam Worm, both detected and quarantined by the Norton Anti-Virus software," he said. "So, even though Nimda may have passed, many viruses/worms continue. Vigilance is the only answer."
