
Computer Security Responds Quickly to 'Mydoom' Worm Attack

E-mail filters adapt to stop fierce, fast-spreading computer worm

A vicious, fast-spreading new worm that began spreading across the Internet Monday briefly eluded some of Duke's defenses before the university's computer experts launched a successful counter-attack.

Duke's e-mail filters stood at the ready when the high-profile e-mail worm Mydoom began spreading undetected. Mail sent to an address at duke.edu goes through the university's mail gateways, which are loaded with anti-virus software, before landing in the recipient's inbox. The software is supposed to identify infected mail so a virus can be quarantined or thrown away. Some messages with the Mydoom worm, however, slipped through these defenses.


"We started receiving copies of the virus Monday evening, and unfortunately the mail servers weren't catching all of them," Christopher Cramer, university information technology security officer, said. Initial e-mails were labeled with misleading subject lines such as "test," "Mail Delivery System," "Error" or "Mail Transaction Failed." They carried "executable" attachments with extensions such as .exe, .pif and .zip.


Some unsuspecting users were tricked by the technical jargon of these subject lines and opened the attachments, unleashing the worm that began e-mailing itself to every address it could find on the user's hard drive. The virus also reportedly contains a program that logs keystrokes on the computer, opening up a back door for hackers to exploit later.


Duke's Systems and Core Services (SCS) team reacted swiftly to the crisis. By 8 p.m. Monday, it had updated the anti-virus software on the gateway and begun catching all subsequent Mydoom messages. By the following morning, Duke's gateway filters had blocked 278,000 Mydoom messages.


"There are a number of infected machines on campus because folks went ahead and opened the attachments that were delivered before the filters were in place. The IT security office and SCS are making a list of the infected computers -- particularly those in the dorms -- and the security office is contacting them individually," Cramer said.


Users with infected computers are being instructed to update their anti-virus programs with versions that can detect and remove the virus and clean up the "back door" to deter subsequent problems.


Cramer and others also said they hope the incident will encourage Duke users to learn more about how mail filtering works, so they can better protect themselves.


Some Duke schools and departments operate their own e-mail systems. The law school, for instance, runs one called Novell GroupWise. The law school also has its own Internet mail gateway, which uses an anti-virus product called Guinevere that relies on a third-party anti-virus program to identify and delete viruses in e-mail messages. Even though the software checks hourly for new viruses, law school IT staff have to manually adjust their software programming to deal with cases such as the Mydoom outbreak.


"Law school computers run VirusScan and are programmed to check for updates when they reboot," said Ken Hirsh, the school's director of computing services. "We ask our faculty and staff to reboot their computers every day. We provide reminders about installing and updating anti-virus software on their own computers and about safe user behavior, such as not opening e-mail attachments on messages where the context is suspicious."


For most e-mail users on campus, however, the first line of defense is filtering at the level of the e-mail gateway. Duke began using the McAfee product in 2001, before many other academic institutions that now employ anti-virus software on their mail gateways.


Duke has since switched to a package called PureMessage, which examines every piece of mail that comes through the gateways, checking for viruses. Several times daily, OIT receives updates for new viruses and revises its own list, or launches new versions of the virus-scanning software when they become available.


"These mail gateways throw away some viruses that we know are complete junk. Other e-mail messages may have useful information that the sender intentionally tried to send but wound up infected with a virus," Cramer said. "The infected content of these messages is either cleaned and sent on, or it is quarantined and the recipient is sent instructions on how to receive the content if they really want it."
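The gateway policy Cramer describes (discard known junk, strip or quarantine other infected content, deliver the rest) can be sketched as a small filter. This is an added illustration, not Duke's PureMessage configuration: the rules, the lure subjects and attachment extensions (taken from the article) and the sample messages are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions and lure subject lines named in the article above.
EXECUTABLE_EXTS = (".exe", ".pif")
ARCHIVE_EXTS = (".zip",)
LURE_SUBJECTS = {"test", "mail delivery system", "error", "mail transaction failed"}

def attachment_names(msg: EmailMessage) -> list:
    """Lower-cased filenames of the message's immediate attachment parts."""
    return [p.get_filename().lower() for p in msg.iter_attachments()
            if p.get_filename()]

def classify(raw: bytes) -> dict:
    """Constructed gateway policy (not Duke's): an executable attachment behind
    a known lure subject is treated as junk and discarded; any other executable
    or archive attachment is stripped and the rest delivered ("cleaned");
    everything else is delivered unchanged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip().lower()
    names = attachment_names(msg)
    exe = [n for n in names if n.endswith(EXECUTABLE_EXTS)]
    arch = [n for n in names if n.endswith(ARCHIVE_EXTS)]
    if exe and subject in LURE_SUBJECTS:
        return {"action": "discard", "flagged": exe}
    if exe or arch:
        return {"action": "clean", "flagged": exe + arch}
    return {"action": "deliver", "flagged": []}

def clean(raw: bytes, flagged: list) -> EmailMessage:
    """Remove the flagged top-level attachment parts and record what was held
    back in a header, so the recipient knows content was quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.is_multipart():
        kept = [p for p in msg.get_payload()
                if (p.get_filename() or "").lower() not in flagged]
        msg.set_payload(kept)
    msg["X-Gateway-Action"] = "cleaned: " + ", ".join(flagged) + " (quarantined)"
    return msg

def build_sample(subject: str, attachment: str = "") -> bytes:
    """Constructed sample message; the attachment bytes are not a real worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.edu"
    msg["To"] = "recipient@example.edu"
    msg["Subject"] = subject
    msg.set_content("The message text.")
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()
```

The filter only inspects immediate sub-parts; nested archives or multipart containers would need a recursive walk.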


Oddly enough, one drawback of this approach is precisely that virus filters on mail servers have become so proficient at stopping infected e-mail from getting through.


"People get so used to having no viruses arrive in their e-mail that they assume anything they receive is safe," Cramer said. Despite this false sense of security, however, newer viruses may penetrate the gateway filters before anti-virus vendors are able to update their software.


Thus, even though Duke's anti-virus software can look for "virus features" in an e-mail without knowing what the virus is, and was able to detect some copies of Mydoom when it first hit, it cannot solve the virus problem by itself. Cramer urges individuals to follow some basic steps to avoid complications from infected e-mail messages in the future:


  • Unless you've specifically requested an attachment file, don't open it, even if it is from someone you know.
  • Run anti-virus software. Duke provides the McAfee anti-virus software to all members of the university community. It can be downloaded at www.oit.duke.edu/virus.
  • If you're using Microsoft Outlook, turn off your preview option.
  • Consider using a more secure mail reader. Many viruses are targeted at Microsoft Outlook and Outlook Express; alternatives include Mulberry or Mozilla Mail.

People with questions about anti-virus software are encouraged to visit www.oit.duke.edu/virus or to contact the OIT Help Desk at 684-2200.