
DotCIO implements measures countering MyDoom

Posted 02-04-2004 at 4:13PM

Andrew Tibbetts
Senior Reporter

As the MyDoom/Novarg virus crawled through the Internet last week, campus officials in the Division of the Chief Information Officer scrambled to block it from infecting computers on the network. As benign as this worm was to normal users, checking its spread was still a top priority for the officials, and they followed the procedures that are in place for these situations.

According to Sharon Roy, director of Academic and Research Computing, the strongest part the department plays in virus protection is offering a free license for Norton Antivirus to all students and faculty. Beyond that, they rely on the individual users to know enough to update their virus definitions regularly and check for emergency updates during virus alerts. Roy said that while the RPI community as a whole, particularly the students, is generally good at updating, there are a few people who are less prepared and less cautious when handling these types of situations.

“If people would really religiously ask themselves a few questions before opening attachments in e-mails, we would be a lot better off. But too many people are like ‘Yay, someone sent me something! It’s my birthday!’” said Roy.

Not all responsibility for stopping viruses rests with the user, however. The mail server enforces certain protections, which were put in place as the virus spread. According to mail server logs, infected e-mails first started appearing Monday night at around 7 pm, and soon began flowing in at a rate of approximately 40 per minute. The staff then configured the server to block all incoming e-mails that had .ZIP files attached, a move that may have caused the loss of some legitimate data, but probably prevented many infections. “It’s not something people should count on, but we do provide some security at that level,” said Roy.

One feature of this recent attack that Help Desk Manager Patrick Valiquette said most likely caused a lot of concern for users was its ability to send an infected e-mail that appeared to come from an address other than the one that actually sent it. Thus, when companies began blocking the e-mails and sending replies saying that an infected e-mail had been sent, many people mistakenly believed their computer had the worm. “I think it caused a lot of concern,” said Valiquette.

Valiquette said that the department tries to be a bit “proactive” in dealing with viruses. They sent out an e-mail to the campus with a warning about the virus, and posted information on the Kiosk website and on RPI TV.

Valiquette described how the department had used their new blocking technique, reported by The Polytechnic in the November 19, 2003, issue, to stop one user whose infected computer was sending so many infected e-mails that it amounted to a “denial of service” on the mail server, preventing other users from sending mail. The technique prevents individual users from accessing Internet resources except the Symantec website to update their virus data files. According to Doig, approximately 50 users have been blocked in that way.

“We realize how important having Internet access is, especially here,” said Valiquette, but he emphasized that extreme measures are sometimes necessary. Associate Director of Networking and Telecommunications Graham Doig said that their methods of contacting users generally work, but that people sometimes don’t update despite urging and warnings, or might forget about less frequently used machines sitting in corners, and blocking becomes necessary. Some of these machines are still not patched from last summer’s “Blaster” virus alerts, he said. Doig added that they’re working on ensuring that people who are responsible for these “static machines” are taking care of them.



Copyright 2000-2006 The Polytechnic