Lessons from another malware meltdown
by Alan Zisman (c) 2009
First published in Business in Vancouver, January 27-February 2, 2009; issue 1005
High Tech Office column
At the foot of this column, there’s a tagline reading: “Alan Zisman is a Vancouver educator and computer specialist.” Really that means I teach and manage a computer lab in an east Vancouver elementary school.
For the past two weeks, my job has been made harder because some network servers and some workstations within the Vancouver school system have been among the millions of other Windows systems worldwide successfully attacked by malware. The school district IT department shut down infected servers and sent memos out to all schools requesting that all Windows systems be shut down until technicians could check each one individually, ensuring that it was uninfected and protected. As I write, online services and most school offices and libraries are back up and running, but it will take time to get to all of the systems in classrooms and in labs like mine.
The Vancouver school system is far from alone. As I write in mid-January, the estimated number of computers infected with the worm known as Downadup, Kido or Conficker has grown daily, rising over a four-day period to 8.9 million from 2.4 million, according to the Finnish security firm F-Secure. The British navy has reported problems with computer systems on some warships.
The disturbing thing is that the vulnerability Downadup exploits has been known for months. Microsoft released a patch last October in an unusual “out of cycle” security update (the bulletin is MS08-067). Since then, about two-thirds of all Windows systems have installed the patch and are closed to the worm’s network attack. But that leaves millions of vulnerable home and business systems.
Unpatched servers and workstations behind a firewall are not safe. It’s too easy for a laptop to be infected while on the road and then brought back inside, spreading the worm behind the firewall. Downadup can also spread via USB flash drives, which likewise travel in and out of a firewall’s security zone, so the firewall alone is no substitute for the patch.
Perhaps because it has been several years since Blaster and other pandemic malware attacks, users (and system administrators) have become complacent. Some organizations have policies requiring that security patches be tested before they are applied widely. That’s a good idea in theory, but it leaves large numbers of systems unpatched for extended periods, and an out-of-cycle patch is Microsoft’s signal that the vulnerability is already being exploited.
One infected system within a network spreads the infection to other unpatched systems. Infected systems are hooked into botnets and made to send out mass amounts of spam e-mail; an estimated 90% of all spam comes from such botnets.
When a server is infected, users might find themselves locked out of their Active Directory accounts (the worm guesses passwords against network shares, tripping account-lockout policies); users on infected workstations might be unable to browse to the websites of common security companies, or to Windows Update. Infected systems busy sending out mass spam mailings may seem more sluggish than usual, especially online.
Even if you don’t see those symptoms, don’t assume your Windows system
is free of this infection.
Microsoft’s Malicious Software Removal Tool (updated each month; microsoft.com/security/malwareremove) will scan for it and clean it off if necessary. Symantec (of Norton Antivirus fame) also has a free downloadable utility to check for and remove it; Google “Downadup Symantec.” Afterward, make sure that Windows is set to download and install updates automatically, and that you’re running antivirus and antispyware utilities that are updated regularly. Removal without those follow-up steps just leaves the machine open to reinfection from the next USB stick or visiting laptop.
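As an added example (my script, not part of the column and not taken from Microsoft’s or Symantec’s tools), the following PowerShell triage checks a Windows machine for the exposures and symptoms described above: whether the October out-of-cycle patch is installed, whether automatic updates are set to download and install, whether security vendors’ names still resolve while a control name does, and whether AutoRun is disabled to close the USB-stick route. It assumes the October patch is MS08-067 shipped as KB958644, that the vendor host names and the www.example.com control are reasonable probes, and that PowerShell 2.0 or later is available for Get-HotFix.

```powershell
# Added triage script, not from the column. Assumptions: the out-of-cycle
# patch is MS08-067 / KB958644; vendor names and the control name are my choice.

# 1. Is the out-of-cycle patch installed?
$hotfix  = Get-HotFix -ErrorAction SilentlyContinue |
           Where-Object { $_.HotFixID -eq 'KB958644' }
$patched = [bool]$hotfix

# 2. Are automatic updates set to download and install?
#    AUOptions: 1 = disabled, 2 = notify only, 3 = download only, 4 = download and install
$auKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au          = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
$autoInstall = ($au -ne $null -and $au.AUOptions -eq 4)

# 3. Do security vendors' names still resolve? An infected host typically fails
#    these while an unrelated control name still resolves.
function Test-Resolves([string]$Name) {
    try   { [System.Net.Dns]::GetHostAddresses($Name) | Out-Null; $true }
    catch { $false }
}
$vendors   = 'www.microsoft.com', 'www.symantec.com', 'www.f-secure.com'
$control   = 'www.example.com'      # assumed reachable; any non-security site will do
$vendorsOk = @($vendors | Where-Object { Test-Resolves $_ }).Count
$controlOk = Test-Resolves $control

# 4. Is AutoRun disabled for every drive type (closes the USB flash drive route)?
#    NoDriveTypeAutoRun = 0xFF disables AutoRun on all drive types.
$polKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol        = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$autorunOff = ($pol -ne $null -and $pol.NoDriveTypeAutoRun -eq 0xFF)

"MS08-067 patch (KB958644) installed : $patched"
"Auto-update set to download+install : $autoInstall"
"Security vendor names resolving     : $vendorsOk of $($vendors.Count) (control $control resolves: $controlOk)"
"AutoRun disabled on all drive types : $autorunOff"

if (-not $patched -or -not $autoInstall -or $vendorsOk -lt $vendors.Count -or -not $autorunOff) {
    'One or more checks failed: run the Malicious Software Removal Tool and fix the settings above before putting this machine back on the network.'
}
```

Run it in an elevated PowerShell session on each machine before reconnecting it; the vendor-name check is the quickest tell, since a box that resolves www.example.com but none of the vendor names is behaving exactly as the column describes even if it feels healthy.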
Users of alternatives to Windows – Mac and Linux, for instance – are
too polite to be gloating over this.
While I’m waiting for IT technicians to check the Windows systems in my computer lab, I’m booting some to Ubuntu CDs; this Linux-based, non-Windows operating system can run without installing anything on my hard drives, letting users access the Internet and run the very capable OpenOffice application suite while being invulnerable to Downadup and other malware targeting Windows systems.
I’m going to investigate whether it makes sense to move in this direction permanently. It might make sense for my organization – and yours – to ask the same question. •
Alan Zisman is a Vancouver educator and computer specialist. He can be reached at www.zisman.ca. His column appears weekly.