Posted on 02/01/2009 11:42:01 PM PST by Swordmaker
Three weeks after a virus infected computers across the Vancouver school district, information technology staff are being forced to attend to thousands of computers individually - and still have a long way to go before the system is running efficiently.
The virus hit most computers in the school district on January 7. Since the virus replicates itself from one computer to the next, staff were instructed to shut down every computer in the school district.
"My understanding is we weren't the only ones to get it," said Vancouver School Board chair Patti Bacchus, who acknowledged repairs have taken much longer than expected.
"Getting IT workers from school to school has been a slogging process."
VSB spokesman David Weir said he doesn't know how many tech workers are working on the problem.
There are more than 10,000 computers in the district, each of which had to be shut down and disconnected from the network, then individually scanned and repaired if necessary, said Weir.
An online student forum by Point Grey secondary students identified the virus as Win32.Krap.b trojan, a bug that affects mostly Windows operating systems, shutting down computers as soon as users try to start them.
Noel MacDonald, a Westside parent of an 11-year-old who attends Bayview elementary school, said many computers in his son's school have been marked with a red dot, signifying that the machine is so old it wouldn't be able to withstand the anti-virus program.
MacDonald said the school's Parent Advisory Council had paid for a computer lab with Macintosh machines, which haven't been affected.
Mohammad Akif, security and privacy lead at Microsoft Canada, told the Vancouver Sun someone on one of the district's computers could have downloaded an e-mail attachment containing a virus, visited a corrupt website, or used a USB stick and unknowingly transferred corrupt files from a home to school machine. Once the virus enters a computer system, it can attach itself to e-mails and documents, Akif said.
"The teachers are really upset about it," said Anna Ward, a grade 12 student at Lord Byng secondary school.
Ward and her fellow students are expecting mid-term exams soon, and she said there's little information on how they'll receive them.
While many computers are now working at Lord Byng, so many learning resources are kept within the computer system that instructors have found it difficult to work.
"It's really affected the teachers, who have to do everything at home. They couldn't record any marks or attendance," said Ward.
Weir said all student and staff-related data is safe, and IT staff focused their first efforts on sites related to the curriculum, such as school computer labs.
This is the biggest worm attack for years, and in theory could hit 350 million PCs or thereabouts. However, in spite of this “amazing” worm “skyrocketing,” F-Secure says: “Downadup infections appear to have peaked during the week.” Its latest reported estimate is only 15 million, which is not all that impressive for something that was first seen last November, and should be able to double every day.
Maybe the next version(s) will do better. But let's hope not.
Of course, there's no real reason why anyone should have Downadup/Conflickr: Microsoft patched that security hole last October with Microsoft Security Update MS08-067 (KB958644), and on October 25, I posted Microsoft releases critical patch, extra to Windows update to tell you to install it. I'm sure there are a few unlucky souls among the estimated 15m victims, but I suspect most have got Downadup/Conflickr because they are too lazy or too dim to install Windows Updates, or they're running pirated copies of Windows.
I just grabbed the first one on Google. There were so many to choose from.
Here then, here's one from December.
“Users of Windows Vista and Server 2008 can breathe easy as those packages are unaffected by the flaw. XP - running SP3 - is also clear of trouble.”
So the bottom line is that people who are running pirated versions of Windows that are not updated run some risk. OK.
Or perhaps it's because previous updates have hosed their computers (see post #30 above) or because something they installed happened to uninstall the patch.
Oh wait, that could never happen!
Er, well...maybe it could, since it's happened before.
And those users that have installed the SP blocker built by Microsoft to get around all the problems associated with SP3.
If you browse the internet of open email without having security updates and without having a virus scanner, you should probably be doing something else with your time.
There is another free and relatively painless preventive, which I use with my business clients.
I do occasional backups of System State. It takes about two minutes and can be scheduled.
Restoring System State after a virus attack takes about ten minutes — including a reboot and reinstallation of updates.
I recovered four machines by this procedure. It’s a lot less painful than tracking down spyware removers, and a lot faster than reformatting. Unfortunately I need tricks like this, because the companies I work with do not restrict internet access, and given enough users, some will install almost anything.
Or you could just run an operating system that isn't a cheap whore for every virus, worm and other bit of malware around.
I recovered four machines by this procedure.
Well, you hope so.
The problem with "restoring" owned machines is that you can't ever be sure that you got everything.
Security best practice for a compromised machine is format and re-install from known, clean media.
Unfortunately I need tricks like this, because the companies I work with do not restrict internet access, and given enough users, some will install almost anything.
No, the unfortunate part is that you think this kind of thing is necessary.
Simple solution: just stick with notebook paper and pencil. Never fails.
Old school prevails!
If Mac ever does they'd end up being as lazy & bloated as MSFT.
I don't :-)
OK, I'm pretty good about security updates.
“attacks would take the form of tricking users into opening an attachment, so it’s not an auto-execute risk,”
Don't worry, it's only a zero-day exploit and although it requires the user to do exactly what Vista's UAC has trained users to do, there will be an auto-execute zero-day exploit along soon.
Microsoft security holes, death and taxes.
My experience is otherwise. I don't completely trust malware scanners, but restoring executables and the registry removes active malware. You can then clean any infected files, because they're orphaned.
The plural of "anecdote" is not "facts".
Besides, Microsoft disagrees with you.
You can’t clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know where to look, or that the system is so compromised that what you are seeing is not actually what is there.
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
Depending on what you mean by compromised, I could agree. But all the machines I have any control over have up-to-date anti-virus, anti-spyware, and the latest patches. The internet is accessed through a hardware firewall with all incoming ports blocked.
The cases where I had to reinstall were not successfully infected. Basically the duel between the protective software and the attempt to install malware resulted in an unbootable machine.
If the user isn't an Administrator, there isn't any remote rooting.
But that's true of any executable that a user downloads and runs within their user space - the executable can f*** with that user's files, but it can't touch the rest of the system.
Windows privilege escalation bugs are a dime a dozen. Here's the first one that came up on a search...
Privilege escalation vulnerability affects Windows Vista SP1, XP
That exploit, while not yet seen in the wild, was due to an inherent problem in all modern versions of Windows known as Token Kidnapping. It's a design flaw in Windows. It's not something that you can just patch, to fix it would require a complete re-design of the Windows architecture.
The gist of it is: Any user can make certain system calls that allow that unprivileged user to run processes as any other user, including the administrator.
Details here.
Matters not one bit.
Once a system has been compromised, unless you are running (and properly running) a file verification system like Tripwire, ALL files on the machine are now suspect.
Detection software only catches stuff that is well known. J. Random Attacker may not use well-known exploits. He might use a well-known trojan to install something he wrote, in which case all of your third-party software won't do a thing to detect it.
The internet is accessed through a hardware firewall with all incoming ports blocked.
How about outbound ports? Are you aware of how a bot net works?
The bot software gets installed on a machine. It can be by trojan or worm. The bot software sits there quietly and then contacts a server on the Internet. That's how it gets it's instructions. Many of them are spam bots. They download a list of addresses and spam messages and start sending spam out.
The bot gets controlled not by someone sending messages to the bot, but by the bot communicating outbound.
Unless you are blocking outbound traffic, and snooping the outbound traffic with an intrusion detection system, a firewall that only blocks inbound traffic does little to help.
Bottom line, once a machine has been infected you can never be sure you got everything. And much of the new malware isn't like the old stuff. It doesn't bother the user and it doesn't hog up your bandwidth. It's quiet and unobtrusive. It joins up with millions of its brothers and that's where the power comes from.
Just "cleaning" the systems is insufficient. And it's not just me saying that. Wipe and reinstall is industry best practice for a reason.
My firewall logs outgoing traffic, and I read it occasionally.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.