October 27, 2008

‘Bot’ Epidemic Infects Campus


More than 1,000 Windows computers at Cornell fell victim to a widespread “bot” infection, the Cornell Information Technologies Security Office announced Friday evening through a University-wide e-mail alert.
A bot is a piece of malicious software, or “malware,” that can automatically perform various tasks that may range from downloading more malware to stealing passwords to attacking non-Cornell internet websites or servers.
None of the infected computers has shown any change observable to the user, according to Wyman Miles, manager of security engineering at the CIT security office. He explained that the lack of symptoms was probably a “deliberate attempt by the malware authors to conceal an infection for as long as possible.”
The current bot epidemic at Cornell is being spread solely through removable storage devices, such as USB sticks, music players or cameras. Many infections are believed to have occurred when students inserted their devices into public computers.
“We see the infection rate in public computing spaces and departments increase in the morning and throughout the day. These infections slowly dissipate in the evening as students return to their dorm rooms. At that time we see the infection rate increase on RESNET networks,” Miles stated in an e-mail.
“This infection has struck virtually all parts of campus,” he added.
So far, it appears that Macintosh and Linux computers are immune to this threat because the bot is designed to take advantage of Windows computers’ Autorun feature, which automatically starts software stored on removable drives. As a result, the bot can “jump directly” from an infected drive to the user’s computer, according to Thomas Young, deputy director of the IT security office. Turning off the Autorun feature can reduce the risk of infection, and instructions for doing so are available on the CIT website.
An even safer measure, however, is to restart a public computer each time before use. Many public computers at Cornell are protected by software called Deep Freeze, which erases any software installed by the previous user upon each restart. Many USB devices are believed to have caught the malware when they were inserted into infected public computers that had not been restarted.
Anti-virus software, on the other hand, is insufficient to fend off this infection.
“Unfortunately, we’re in a kind of arms race here: the virus builders (big organized crime groups in places like Russia) pay really smart people to dream up new attacks … And the scanning companies, like Symantec, generally need a week or two to code the virus detection and removal mechanisms,” Prof. Ken Birman, computer science, stated in an e-mail.
Currently Symantec AntiVirus cannot guarantee full protection against the threat because of the novelty of this particular bot, according to Young.
“Even if Symantec reports that it has cleaned up the virus, you may still be infected,” Young stated on the CIT website, which provided updates on the infection throughout the weekend.
Although the malware is spreading at lightning speed, it can fortunately be removed quite easily.
“We have no reason to believe the bot will cause widespread damage to systems. Thus far, when found it has been fairly easy to remove without leaving lasting damage to files or the functionality of the machine,” stated Miles.
Ten clean-up clinics have been set up across the campus by student and staff volunteers. The first Malware Detection Station, located on the second floor of Carpenter Library, started operation on Saturday. As of 5 p.m. yesterday, 61 external drives had been tested, 10 of which were contaminated.
“It is very quick and fast,” said Katie Jean ’12 of the testing process. She had previously popped her USB flash drive into one of the two Linux computers that ran the testing program. Within seconds her flash drive was declared clean.
The program was developed in a single day by Jason Lai ’11, Wen Jie Zhou ’11, Lucas Ackerman ’11, Yilok Wong ’11 and other contributors, who all work as student consultants for the Academic Computer Center at the Engineering Library. Apart from improving the program they developed, student consultants of ACCEL also man the detection station and send infected files to CIT for analysis.
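To illustrate the Autorun mechanism described above and the kind of check a detection station can run on a removable drive, here is an added Python example. It is not the ACCEL students’ program (the article does not show their code) and not CIT’s; it simply parses a drive’s autorun.inf, which is the file Windows Autorun consults when a device is inserted, and reports the directives that would make Windows launch a program. The sample file contents and file names below are constructed for the example.

```python
"""Added example: inspect autorun.inf on a removable drive and report
directives that would make Windows Autorun execute a program.
Not the detection program described in the article."""
import re
import tempfile
from pathlib import Path

# Keys in the [autorun] section that cause Autorun/AutoPlay to run a program.
LAUNCH_KEYS = ("open", "shellexecute")
# Custom context-menu verbs also point at a command, e.g. shell\open\command=...
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.
    Section and key names are lower-cased because Windows treats them
    case-insensitively; comment lines start with ';'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_launch_directives(text):
    """Return [(key, value), ...] for [autorun] entries that run a program.
    Icon and label entries are harmless and are not reported."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def scan_drive(mount_point):
    """Check a mounted drive for autorun.inf.
    Returns (status, directives) where status is:
      'clean'    - no autorun.inf on the drive
      'present'  - autorun.inf exists but only sets icon/label
      'launches' - autorun.inf would start a program on insertion"""
    inf = Path(mount_point) / "autorun.inf"
    if not inf.exists():
        return "clean", []
    hits = find_launch_directives(inf.read_text(errors="replace"))
    return ("launches" if hits else "present"), hits


# Constructed samples; the paths are placeholders, not real malware names.
SAMPLE_MALICIOUS = """\
[autorun]
; points Autorun at an executable hidden on the drive
open=hidden\\payload.exe
shell\\open\\command=hidden\\payload.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
SAMPLE_BENIGN = """\
[autorun]
icon=camera.ico
label=My Camera
"""


def scan_sample_drive(contents):
    """Write the given autorun.inf text into a temporary directory that
    stands in for a mounted USB drive, then scan it."""
    with tempfile.TemporaryDirectory() as mount:
        (Path(mount) / "autorun.inf").write_text(contents)
        return scan_drive(mount)


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        status, hits = scan_sample_drive(sample)
        print(f"{name}: {status}", *[f"  {k} = {v}" for k, v in hits], sep="\n")
```

On a Linux checking station the script would be pointed at the mount point of the inserted device; a status of `launches` is the signal to quarantine the drive and forward the referenced file for analysis, while `present` covers the icon-only autorun.inf that cameras and music players legitimately ship with.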
Lai, who worked at the station yesterday, remarked that many students wished to obtain more information on the infection.
“Two-thirds of the people who came for the test asked us exactly what [the infection] does,” said Lai.
One of them was Jean, who noted that the e-mail from CIT was effective, but wished that it contained more details on “what the infection is and what it does.”
Lai also observed that posters warning students about the malware were seen in Carpenter Library at least a day before CIT sent the e-mail alert on Friday. It is uncertain who posted them.
CIT officers said that the widespread infection was first identified last Thursday afternoon. They also found traces of abnormal network activity on Wednesday, when the bots started to communicate with remote controllers, who are thought to be working for cyber crime organizations.
“It is safe to say that the campus first received infection two weeks ago. It is pretty difficult to detect bots these days because they use a lot of activity to conceal themselves. Unless they do something overt, it is actually pretty tough to find them,” Miles said.
“We do not know where the infection originated, but our belief is that it is designed to initially reach its victims in the most common manner today: an unsuspecting Web surfer visits a site hosting the malicious software. Once the machine is infected, it spreads to removable devices as they’re attached and used,” he added.
Young explained that between Thursday afternoon and Friday evening, CIT was “getting samples, analyzing data and talking with IT people, getting enough information together so it [was] worth sending out a one-shot message.”
“We do not want to give out alarmist information or set off a false alarm,” he said.
Birman noted that organized Internet crime will become more robust in the future, and that students should take more caution when using computers and take the initiative to learn more about the threat.
“We all need to be a bit more sophisticated, and part of this is to understand that the Internet isn’t a very secure place. This isn’t Microsoft’s fault, and there aren’t good guys out there either — you are just as much at risk on your Apple as on your PC. The fault lies in the internet economy, and Cornell students owe it to themselves to learn about this new world we live in, and to become sophisticated about it,” Birman stated.