Under Siege: Virus Attacks Cause Email Problems
During late August and early September the UWM
campus, like universities and businesses
everywhere, was hit by two major computer virus/
worm attacks: “Sobig” and “Nachi.” The malignant
viruses did not infect the nine servers that make up
the campus email system. However, side effects
from the attacks had a significant impact on campus
email users, making it appear as though there were
problems with the UWM email system.
The Sobig Virus
The Sobig virus arrived as an email message and
soon infected many computers on campus. Infected
machines then became unwitting relays as the
virus searched for address books to use to propagate
even more infected email messages. The scale of
this attack was huge. If the virus found an address
book with 100 entries, it
would send infected
messages from every
address to every address.
In this single example, the
result would be 10,000
system-slowing messages
being sent.
System administrators all
over the country took
action to block the spread
of the virus. Many UWM
email users were affected
by these actions. Some
examples are:
ExecPC/Corecomm/Voyager: This
Midwestern Internet service provider (ISP)
is used by many UWM constituents. When
Sobig began sending emails, the ISP was
swamped with infected emails, many
coming from UWM. One action taken by
ExecPC was to block all email from UWM.
Since many UWM constituents forward
campus mail to their ExecPC accounts, this
caused much confusion. Many of the email
users thought there was a problem with
UWM’s system. UWM staff did communicate
with the ExecPC system administrators and
after a couple of days, the block was
removed.
Many systems around the country quickly
updated their virus protection systems to
detect the Sobig virus. Once again, this
resulted in confusing messages to email
users. The Sobig virus sends out bogus
emails from campus email users. The virus
protection systems detect the infected
emails and send an email back to the
sender indicating that the infected email was
not delivered (“Our email scanner has
detected a VIRUS in your email. Your email
has been stopped.”). Since the
user never sent the original
message, he or she was very
confused by this spate of
messages from the virus
detection systems. Unfortunately,
these messages don’t
fall under the definitions of spam
and the only way to handle them
is to delete them.
The Nachi Worm
The Nachi virus also affected
campus systems. Again, the
campus mail system was not
infected, but the virus still caused
havoc. When users of Nachi-infected
machines dialed in to the UWM modem
pool, they began to try to infect other systems. The
result was much like a denial-of-service attack where
attackers attempt to “flood” a network, thereby
preventing legitimate network traffic.
Since the Alpha computers that handle modem pool
traffic also redirect much of the campus email traffic,
it once again looked like the mail system was failing.
After several days of trying to identify the problem,
campus staff were able to fix it by making
adjustments to the Slirp dial-in software.
Future Attacks
We now seem to be clear of most of the problems
caused by these two virus attacks. But virus attacks
will continue to be part of our future. Campus staff
are working diligently to detect and combat any new
attacks. As viruses hit, the I&MT Web page
(www.imt.uwm.edu) will notify you of the attack and
the measures you can take to combat it. Please
have some patience. These attacks are disruptive
to all of us.
What is the difference between
a computer virus and a
computer worm?
Viruses are computer programs that are designed to
spread themselves from one file to another on a single
computer. A virus might rapidly infect every application
file on an individual computer, or slowly infect the
documents on that computer, but it does not intentionally
try to spread itself from that computer to other computers.
In most cases, that’s where humans come in. We send
email document attachments, trade
programs on diskettes, or copy files to file servers. When
the next unsuspecting user receives the infected file or
disk, they spread the virus to their computer, and so
on. Worms, on the other hand, are insidious because
they rely less (or not at all) upon human behavior in
order to spread themselves from one computer to
others. The computer worm is a program that is
designed to copy itself from one computer to another
over a network (e.g., by using email). The worm spreads
itself to many computers over a network, and doesn’t
wait for a human being to help. This means that
computer worms spread much more rapidly than
computer viruses.
–From www.symantec.com
Anti-Virus Software
The McAfee VirusScan (PCs) or Virex (Macs)
anti-virus software from Network Associates is
installed on all Campus Computer Lab machines.
These products are also available for home use
for all UWM faculty, staff and students. The software
is included on the UWM Resource CD available
at the I&MT Resource Center (Bolton 225),
Golda Meir Library Reserve Desk and the UWM
Bookstore (while supplies last). There is no
charge for this software.