Computer Security Update
The Attack of the Worms
by Bob Ono, Security Coordinator
 
During the summer, two powerful computer viruses spread through the Internet community. One of them, identified as W32/Sircam, focused its infectious activity on personal computers. The other, a worm named Code Red, targeted Web servers running Microsoft Internet Information Server (IIS). Each presented the campus with a unique challenge this summer, but there are steps we can all take to reduce the likelihood of becoming infected by either one.


Sircam Worm: How It Spread and Its Impact
The Sircam virus was widely reported throughout the world this summer, spreading through the campus as unsuspecting users opened either Sircam-infected email attachments or infected files on shared network drives. The names of the infected email file attachments were randomly selected from files on the sender's infected computer. In addition, a Sircam-infected email message often arrived from a familiar source, because the virus tended to distribute itself to email addresses defined in the infected computer's Windows Address Book. The English-language version of a Sircam-infected email message typically stated:
    "Hi! How are you?
    I send you this file in order to have your advice.
    See you later. Thanks"

Even if the Sircam worm didn't actually infect your computer, many UC Davis email account holders reported receiving a large volume of inbound Sircam-infected email. We understand this large email volume caused a number of accounts to exceed their quotas and disrupted the delivery of messages. This particular virus also raised new privacy and security issues, because the infected email file attachments were real files taken from the sender's computer and could have resulted in the public distribution of confidential or sensitive information.
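The two traits described above, the fixed message text and a document file name with an executable extension appended, are what a mail administrator could filter on. The following is an added example, not code from the original article or from any vendor tool: it parses a constructed mailbox dump with Python's standard email library and flags messages whose body carries the Sircam template phrase or whose attachment name hides an executable extension behind a document-looking one (file names, addresses and the extension list are assumptions for the demonstration).

```python
"""Flag Sircam-style messages in a mailbox dump (added example, constructed data)."""
import email
from email import policy
from email.message import EmailMessage

# Distinctive phrase from the worm's English-language message template.
SIRCAM_PHRASE = "i send you this file in order to have your advice"
# Executable extensions the worm appended to a stolen document's name (assumed list).
EXEC_EXTS = {".pif", ".lnk", ".bat", ".exe", ".com", ".scr"}


def body_text(msg):
    """Lower-cased text of the best body part, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content().lower() if part is not None else ""


def double_extension(filename):
    """True for names like 'Budget.xls.pif': an executable extension
    hiding behind a document extension."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXEC_EXTS


def suspicious_reasons(msg):
    """List every rule a parsed message trips (empty list means clean)."""
    reasons = []
    if SIRCAM_PHRASE in body_text(msg):
        reasons.append("sircam body template")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if double_extension(name):
            reasons.append(f"double-extension attachment {name}")
    return reasons


def scan_mailbox(raw_messages):
    """Return [(subject, reasons)] for every raw message that trips a rule."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        reasons = suspicious_reasons(msg)
        if reasons:
            hits.append((str(msg["Subject"]), reasons))
    return hits


def build_message(subject, body, attachment_name=None):
    """Construct a sample message for the demo (constructed data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.edu"
    msg["To"] = "me@example.edu"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed mailbox: one worm-style message, one legitimate one, and one
# that only shows the attachment trait (a variant with a different body).
SAMPLE_MAILBOX = [
    build_message("Budget",
                  "Hi! How are you?\n\nI send you this file in order to have "
                  "your advice.\n\nSee you later. Thanks",
                  "Budget.xls.pif"),
    build_message("Meeting notes", "Attached are the notes from Tuesday.",
                  "notes.doc"),
    build_message("Hi", "Hi! How are you?\nSee you later. Thanks",
                  "photo.jpg.lnk"),
]

if __name__ == "__main__":
    for subject, reasons in scan_mailbox(SAMPLE_MAILBOX):
        print(subject, "->", "; ".join(reasons))
```

Matching the body phrase alone would miss variants, and matching the attachment alone would flag an occasional legitimate `.pif`, so the scanner reports both reasons and leaves the quarantine decision to the administrator.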


Prevention, Inoculation Key
Sircam virus infections are preventable. First, we all need to be cautious about opening suspicious email and email attachments. If you know the sender, you might want to call the sender to verify the content, especially if the content seems questionable. Second, we should all be using and maintaining one of the commercially available antivirus programs on our desktop computers. Bovine Online, a collection of Internet software tools, includes a current copy of Norton AntiVirus. Bovine Online is sold in the UC Davis Bookstore Computer Shop and is priced at $4.99. Because new computer viruses are released at unpredictable times, it is a good idea to configure your anti-virus software to check the vendor's Website daily and download any new anti-virus updates. If an update is available, it should be installed as soon as possible.

Finally, if you suspect your computer has been infected with the Sircam virus, there are free tools available to remove the infection and restore your computer. Symantec released a Sircam removal tool. McAfee also released a similar tool.


Code Red Worm: How It Spread and Its Impact
This virus, named after the soft drink of the same name, exploited a missing IIS indexing service security hotfix (MS01-033 and, possibly, MS01-26). The worm spread as infected IIS Web servers randomly searched for and infected other vulnerable IIS Web servers throughout the Internet. This replication effort was responsible for increased Internet traffic around the globe and was also found to have a negative impact on a few non-IIS devices, such as Cisco DSL routers and selected HP printers.

When the Code Red worm finds a vulnerable IIS server, the Web pages are altered to display a defacement message. Depending on the system date, the now-infected Web server attempts to randomly infect other IIS Web servers, launches a denial-of-service attack against the White House Web server, or enters a dormant stage. More significantly, as newer versions of the Code Red virus appeared later in the summer, the worm was modified to install backdoors for later access by an unauthorized person.


Our Response
To reduce the original impact of this worm within the campus, IET mobilized to quickly scan the entire campus network to identify vulnerable IIS Web servers. About 90 vulnerable servers were identified and the system administrators of these servers were notified and asked to take corrective action.

Despite this tremendous effort, the campus continues to see evidence of Code Red infections today. External and campus Web site administrators continue to report evidence of Code Red traffic to their Web servers. A number of these infected Web servers have been found to be infrequently used test servers. We also identified quite a few of the infected Web servers within student on-campus residences. In some cases, the students were unaware they were running Web servers or were unaware of the need to test and apply security patches. Presently, campus Web servers infected by Code Red are subject to disconnection from the UC Davis network under the Emergency Network Security Policy, pending the installation of the requisite security patches or, if appropriate, disabling of the server.
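The "Code Red traffic" that administrators report shows up in Web server logs as a well-known probe: a GET request for /default.ida whose query string is a long run of "N" (the original worm) or "X" (Code Red II) padding characters. The following is an added example, not code from the original article or from IET: it reads a constructed IIS log in W3C extended format (the field order is an assumption for the demonstration), counts probes per source address so that the owners of infected hosts can be notified, and records how the server answered, since a 200 rather than a 404 means the .ida script mapping is still active and the server should be checked for the hotfix.

```python
"""Find Code Red probes in an IIS W3C log (added example, constructed data)."""
import re
from collections import Counter

# Public signature of the Code Red probe: the query string opens with a long
# run of 'N' (Code Red I) or 'X' (Code Red II) padding bytes.
PROBE_RE = re.compile(r"^(?:N{50,}|X{50,})")

# Constructed sample log. Assumed field order:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
NPAD = "N" * 224
XPAD = "X" * 224
SAMPLE_LINES = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-08-05 10:02:11 10.0.0.5 GET /default.ida {NPAD}%u9090%u6858%ucbd3=a 404",
    f"2001-08-05 10:02:19 10.0.0.5 GET /default.ida {NPAD} 404",
    "2001-08-05 10:03:02 192.0.2.44 GET /index.htm - 200",
    f"2001-08-05 10:04:40 198.51.100.7 GET /default.ida {XPAD}%u9090=a 200",
    "2001-08-05 10:05:01 192.0.2.44 GET /default.ida - 404",
]


def parse_line(line):
    """Split one W3C log line into a dict, or return None for comments/junk."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, ip, method, stem, query, status = fields
    return {"ip": ip, "method": method, "stem": stem,
            "query": query, "status": int(status)}


def is_code_red_probe(entry):
    """True when the request matches the published Code Red probe shape."""
    return (entry["method"] == "GET"
            and entry["stem"].lower() == "/default.ida"
            and PROBE_RE.match(entry["query"]) is not None)


def scanning_sources(lines):
    """Map each source IP that sent a Code Red probe to its probe count.
    Every such address is a likely infected host whose owner should be told."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_code_red_probe(entry):
            counts[entry["ip"]] += 1
    return dict(counts)


def probe_statuses(lines):
    """Set of HTTP status codes this server returned to Code Red probes.
    A 200 means the .ida mapping is still active: check the hotfix."""
    statuses = set()
    for line in lines:
        entry = parse_line(line)
        if entry and is_code_red_probe(entry):
            statuses.add(entry["status"])
    return statuses


if __name__ == "__main__":
    for ip, n in sorted(scanning_sources(SAMPLE_LINES).items()):
        print(f"{ip}: {n} probe(s)")
    print("statuses returned to probes:", sorted(probe_statuses(SAMPLE_LINES)))
```

The plain request for /default.ida with no query from 192.0.2.44 is deliberately not counted: only the padded query identifies a worm, and a short-lived browser probe should not get someone disconnected under the emergency policy.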


Precaution Is Key
Code Red worm infections can be prevented if you take precautionary measures. Such measures include testing and applying vendor security patches for operating systems and applications in a timely manner, and removing unnecessary programs and services from your computers. The Code Red worm does represent a new generation of malicious code, and the campus will need to develop creative methods to respond to new virus challenges.

Looking to the Future
The Sircam virus and the Code Red Worm infections raise the need for expanding antivirus measures beyond the desktop. While prevention at the desktop computer is an important component of any antivirus program, it is impossible to ensure broad compliance with antivirus program usage and maintenance at the desktop computing level. Expanding antivirus programs to other computing and network locations, such as the email server level, will be receiving additional attention in the near future.

Related IT Times stories

Previous Issues
Setting Up a Filter in Eudora to Throw Virus Emails in the Trash (Mar/April 2001)
You Asked...About Virus Emails (Nov 1998)

Other Resources
Computer and Network Security
Symantec Security Response Site
Symantec Sircam removal tool
McAfee Sircam removal tool