Editor's Note: Lessons Learned from SirCam and Code Red

MSDN Magazine

We've just been through the Week of the Virus here at the MSDN Magazine offices. There's no way that you were unaffected by both SirCam and Code Red (I and II) if you're a computer professional, so we'll spare you some of the basic explanation. However, the various responses to the latest e-mail-borne virus and the server-borne worm provide a cautionary tale.
First, there was SirCam. This virus popped up one day and started to make its way around e-mail. We received dozens and dozens of infected files from people who had MSDN Magazine aliases in their address books. (Thanks for writing! We love e-mail!) Two weeks later, we were still receiving messages from stragglers. Fortunately, our Exchange admins isolated the problem before it started, and detected and blocked all the infected files that were sent our way. In the past, we've seen these viruses bounce around internally, but that just didn't happen this time. The credit goes to vigilant security and effective virus checking.

Just as the SirCam influx was dying off, Code Red cranked up. The first Code Red worm was mostly harmless, but someone saw it and decided that its loader code would be a great loading mechanism for their own, far more destructive Trojan worm. It installed a file called root.exe in the script directory of any unprotected Internet Information Services (IIS) box it found, then potentially replaced explorer.exe with a Trojan that helpfully reinstalled itself every time the user would do something crazy like delete its rogue registry settings. When your machine's been owned like this, the only real fix is to reformat it and start fresh.

There were a number of reports of Code Red II being carried around firewalls by some helpful employees. All you need are a couple of unpatched machines inside the firewall and the worm is in and issuing requests. Then, even on protected machines, you could see hundreds of infection attempts per day, from dozens of machines on that network. Each attempt could involve an HTTP transaction with lots of data, so it would be easy to see where they were coming from, but many companies don't have adequate tracking mechanisms when machines move from group to group.

So what have we learned from this little slice of Hell? It's a whole lot easier to stop these onslaughts before they start rather than after. SirCam and its future friends can be almost completely disabled by keeping your virus checking turned on and updated regularly. Avoiding new worms like Code Red is a little more involved, but it's vital to your server's health.

  1. Check your IIS logs every day. We noticed the early Code Red attempts by doing this, and we scrambled to make sure all our machines were protected before the worst of the storm. On machines that are exposed to the world, you can find all kinds of other stuff. Many search engines enjoy sending spiders through your machines every day to check your content. This can be a surprising drag on your throughput. The solution is to use a robots.txt file (https://support.microsoft.com/default.aspx?scid=kb;EN-US;q217103); well-behaved spiders read this and abort processing your site.
  2. Check your FTP logs every day, especially if you have writable directories. Now that Napster is a shell of its former self, bored teens are searching blocks of IP addresses for open directories. We suddenly found that one of our home servers had been turned into a repository for MP3s of the world's worst pop music. All the guy's friends knew about it too, and they downloaded several GB of files in the three days it was up. In Windows 2000, you can block access by IP address—and you can also send mail to the abuse alias at the hacker's domain. (You can usually get this information by doing a tracert or nslookup of the IP address at the command prompt.)
  3. Always, always, always have the latest service pack and security updates installed on your operating system. Windows Update will do this for you automatically. If that's too hard for you, you can go to the Microsoft Security page (https://www.microsoft.com/security) and download patches yourself. The patch that heads off Code Red was available in June, but suddenly everyone needed to download it at once in August.
  4. Unregister any file extensions in IIS that you don't use. Code Red spread through the .ida and .idq extensions. Just delete them, delete the .printer extension, and remove any other extensions you're not using.
  5. Read MSDN Magazine every month. Just reading us won't help you avoid any viruses or worms, but it would make us happy. And really, isn't that what it's all about?
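As an added example (not part of the original column), here is a small Python script that does the daily log check from item 1 mechanically: it reads IIS W3C extended log lines and flags every request for the .ida, .idq and .printer extensions that item 4 says to unregister, counting attempts per client address. The log sample and its column list are constructed for illustration, not a real capture.

```python
from collections import Counter

# Script-mapped extensions the column says to unregister (item 4); on a server
# that does not use them, any request for one is worth a second look.
SUSPICIOUS_EXTENSIONS = (".ida", ".idq", ".printer")

# Constructed sample of an IIS W3C extended log (not a real capture). The
# #Fields: column set is an assumption; IIS lets you pick which columns to log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 00:01:02 192.0.2.10 GET /default.htm - 200
2001-07-19 00:01:09 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 200
2001-07-19 00:02:11 192.0.2.10 GET /images/logo.gif - 200
2001-07-19 00:03:45 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 200
2001-07-19 00:04:00 203.0.113.5 GET /scripts/test.idq - 404
2001-07-19 00:05:30 203.0.113.9 GET /robots.txt - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("request line seen before a #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def find_suspicious(text):
    """Return (hits, per_client): hits is a list of (c-ip, uri-stem, sc-status)
    for requests to the extensions above; per_client counts hits per address."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.endswith(SUSPICIOUS_EXTENSIONS):
            hits.append((rec["c-ip"], stem, rec.get("sc-status")))
    return hits, Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    hits, per_client = find_suspicious(SAMPLE_LOG)
    for ip, count in per_client.most_common():
        print(f"{ip}: {count} request(s) for script-mapped extensions")
```

A 200 status on such a request means the extension is still mapped and the server answered it; a 404 means the mapping is gone, but the address is still probing.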

From the October 2001 issue of MSDN Magazine.