By SUE WUETCHER
Reporter Editor
CIT officials are strongly urging members of the campus community to
have anti-virus software installed on their computer workstations in
the wake of a recent rampage by the Nimda worm, a "rogue" computer worm
that infiltrated servers on campus Sept. 18 and slowed Internet traffic
to a virtual standstill.
Although the infected servers have been cleaned and brought up to
the latest patch levels (software bug fixes intended to "patch" the holes
in the system exploited by the worm), and anti-virus definitions have
been published that stop the spread of Nimda, CIT continues to see the
worm erupt on the network from computers that have not been cleaned
and patched, said Rick Lesniak, director of Academic Services for CIT.
"The really big question is, who's looking after all the student computers?"
Lesniak asked.
He called the Nimda worm "a rogue computer program written by an Internet
terrorist, or network of crackers." The program, he said, is intended
to take advantage of several Microsoft software vulnerabilities "to
spread itself copiously on the Internet and to infest vulnerable systems."
The worm is primarily aimed at Microsoft Host Web servers that are
open to certain vulnerabilities, Lesniak said. The worm does not affect
computers that do not use Microsoft operating systems or software, such
as Macintosh, Linux or Unix. However, more than 90 percent of computers
on campus are Microsoft OS computers, he said.
Servers that were at the latest patch levels were immune to the worm,
he said, but those below those levels became hosts to a mass-mailing
barrage with an attachment "README.EXE" that was invisible to recipients.
Once the mail was read by the innocent user (or even previewed in Outlook
and Outlook Express), the program attachment would gain access to the
system, change system files and possibly open the C drive as a network
share available for anonymous network use. Vulnerabilities in Microsoft
Internet Explorer also were exploited.
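The paragraph above describes the mail vector: an executable attachment named README.EXE that recipients did not notice. The following is an added illustration of the kind of check a mail gateway or help desk can run to catch such attachments; it is not code from the article or from UB's CIT. The messages it examines are constructed samples built inside the block, and the sample whose declared content type disagrees with its .exe filename is an assumption used to show that the check does not trust the declared type (the article does not say how the real attachment was hidden).

```python
"""Flag mail messages carrying an executable attachment such as the
README.EXE described in the article.  Added example with constructed
sample messages; not part of the original text."""
import email
from email import policy
from email.message import EmailMessage

# File extensions Windows will execute directly when the user opens them.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Content types under which a binary attachment is expected to arrive.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}


def build_sample(attachment_name: str, payload: bytes, declared_type: str) -> bytes:
    """Construct a sample multipart message (constructed test data, not a
    real capture).  Returns the raw RFC 5322 bytes a gateway would see."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "sample message"
    msg.set_content("See attached.")
    maintype, subtype = declared_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


def is_pe_image(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def suspicious_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment that looks executable, judged by
    filename extension and by file content rather than the declared type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        data = part.get_payload(decode=True) or b""
        content_type = part.get_content_type()
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension %s" % ext)
        if is_pe_image(data):
            reasons.append("PE header")
        # A mismatch between what the part claims to be and what it is
        # is itself a reason for a human to look at the message.
        if reasons and content_type not in BINARY_TYPES:
            reasons.append("content-type %s does not match" % content_type)
        if reasons:
            findings.append({"filename": name,
                             "content_type": content_type,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    sample = build_sample("README.EXE", b"MZ" + b"\x00" * 64,
                          "application/octet-stream")
    for finding in suspicious_attachments(sample):
        print(finding)
```

The check deliberately combines two signals (the filename extension and the first two bytes of the decoded payload) so that an attachment whose name or declared type has been chosen to look harmless is still flagged; either signal alone is easy to evade.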
Lesniak noted that although the terms often are used interchangeably
by the general public, there is a difference between a worm and a virus.
A virus infects individual computers by attaching itself to programs
and data files, replicating itself on a hard disk drive and then damaging
files and causing system havoc, he explained. A worm, on the other hand,
is designed to infest a network of computers, moving from computer to
computer within a network and doing damage along the way. Nimda is by
definition a worm, but it has a virus component in which it attaches
itself to files to do damage, he said.
In fact, the Nimda worm is more virulent than other viruses that have
been circulating recently, such as Code Red, primarily because of its
multifaceted modes of attack: mass emailing, taking advantage of vulnerabilities
in Microsoft Host Web servers (Internet Information Server or IIS) and
modifying system initialization files to allow for anonymous access,
he said.
Lesniak said that the worm was detected in a vulnerable server at
UB at about 9 a.m. on Sept. 18 and within hours more than 20 servers
were infected and spewing email out to innocent victims. Additionally,
people reading email were spreading the virus. So by noon, the campus
internet backbone was reaching saturation and UB's connection to the
Internet was saturated.
"The net effect was a choked network where no data could pass," he
said. "Since UB already has a high level of Internet use, this problem
caused network stoppage."
Lesniak said that as soon as CIT knew of the virus/worm, it alerted
system administrators to remove their computers from the network and
shut them down, "literally, pull the network plug to prevent further
infection through the internet."
Once the worm was contained for the majority of infected servers,
CIT's next step was to identify it, Lesniak explained.
Since UB's internet connection was jammed (and access to Web sites
for companies that identify and provide remediation for worms and viruses,
such as Symantec and McAfee, was unavailable), CIT staff phoned colleagues
at those companies and at other universities to assess the nature of
the Nimda worm. By late evening, Symantec had published some recommendations
for how to remediate the worm and began to send out virus definition
files for anti-virus programs to prevent infection, he said.
Two steps were required to remediate each computer, Lesniak said:
first, bring the vulnerable software up to the latest patch levels to plug the
holes exploited by the worm, and then scan and disinfect the computer
using anti-virus programs with the latest virus definitions to either
quarantine or eradicate the infected files.
He noted that UB has a site license for Norton Anti-Virus, published
by Symantec, that is available to download and install on work and home
computers. "No one at UB should have a computer linked to the Internet
without this software," he said, adding that it's also distributed on
the Tech Tools 2001 CD for students and faculty to use.
Lesniak stressed that UB computer users continue to be plagued by
viruses and worms on a regular basis.
"For example, today I had two attempts to infect my system with the
SirCam Worm, both detected and quarantined by the Norton Anti-Virus
software," he said. "So, even though Nimda may have passed, many viruses/worms
continue. Vigilance is the only answer."