by M.E. Kabay

Malware infections have ripple effects

Jan 14, 2003

* Case studies show how difficult it can be to fight viruses

In this occasional series, I am showcasing some of the best essays submitted by students in information assurance and cybercrime courses and programs at Norwich University. Mark Starry is a student in the Master of Science in Information Assurance program at Norwich; he submitted this work as one of his weekly essays in October.

The rest of this column is a slightly edited version of Starry’s report on some malware infections at his company. Starry’s report emphasizes how important user education and awareness are for fighting the secondary effects of attacks from malicious code.

* * *


Our corporation has been the victim of malware on many occasions. The most damaging attack occurred in September 2001 by a worm called Nimda. Nimda used an exploit found in unpatched versions of Microsoft’s Internet Explorer browser to gain access to our corporate network and attack Web servers running Microsoft’s Internet Information Server.

This was the first worm to attack our corporate network that did not use e-mail as the initial transport mechanism. This was also the first worm that affected our ability to use the corporate intranet.

Upon the initial outbreak of Nimda, the server that provides the front end to our corporate intranet was immediately knocked out of service. This front end linked together many of the services our organization requires to operate, such as paging, payroll, drug interaction and corporate policy.

We had just finished a project to move all printed reports that contain vital information to a Web-based interface on the intranet. The disruption of this report-to-Web service had an immediate effect on the quality of patient care, as caregivers struggled to manually compile data.

Our corporate Internet presence was also affected. Community tools like our physician finder and jobs database were unavailable. Information systems personnel worked around the clock for seven days before most of the services were restored. The effects of Nimda lasted for a month after the initial attack.

After the Nimda attack, our information systems department used tactics like fear, uncertainty and doubt to insist that administrators patch all servers running Microsoft operating systems. Because our organization does not provide an ample test environment for the number of servers in operation, many patches and service packs were applied without first being tested. This process caused significant damage to many servers that had not been affected by Nimda. These events further extended the overall corporate losses from the original worm. There has never been a dollar value placed on the damage done by Nimda to our organization, but it is safe to assume it was significant.


Some malware authors intend their code to be harmless, but it’s never completely harmless. Any known form of malware must be investigated and eradicated to protect the integrity of a computer or network. Even a virus with a harmless payload requires a significant amount of our corporate resources and causes a noticeable effect on productivity.

Such was the case with the Anna Kournikova virus in February 2001. For us to provide a signature update for this virus, our antivirus software provider required us to update the scan engine in its program. After distributing the required updates, we soon found out that users running Windows 98 could no longer print.

The problem was a conflict between a dynamic link library file shared by the scanning and printing processes. The scan engine was allowed to update this file, but could not be used to restore it. Our corporate mechanisms for updating files on PCs could not be used, because the graphical interface locks the file and flags it as in use. All of the PCs running Windows 98 had to have new images placed on them to correct the problem. This problem consumed valuable corporate resources and undermined the credibility of the information systems department.


Hoaxes can consume just as many resources as an actual virus. Even when prominent antivirus experts quickly publish the fact that a virus is a hoax, some virus hoaxes continue to work for years. One particular hoax that has been problematic to our corporation is an e-mail message that asks the user to delete a particular operating system file because it is (falsely) described as a planted virus acting as a time bomb. Deleting this file affects the way certain Java applications run. Our help desk and desktop support team have spent many hours helping users restore this file.

Defending against malicious code will always be an important factor in the security of our information systems. The cycle of vendors releasing new software and of new exploits being discovered in that software will continue for the foreseeable future. As we offer increased services that give users many ways to connect to our systems, we will increase the potential for malware infestations in our information systems. As a corporation, we should continue to increase user awareness by educating users about the types of behavior that could lead to such a threat.

* * *

Mark Starry is the Chief Network Architect and Senior Security Advisor at Capital Region HealthCare in Concord, N.H. Mark can be reached by e-mail at