Vigilante Viruses

In Paul Boutin’s “Fight Virus With Virus” on MSN’s Slate, he mentions how the Blaster antidote worm, Nachi, was just as draining on network resources as Blaster itself:

“As the Blaster worm circled the globe, the do-gooder released a worm called Nachi that infiltrated the same security hole as Blaster. But Nachi wasn’t a Blaster variant, it was a Blaster antidote: It erased copies of Blaster it found on PCs it invaded, then downloaded and installed a Windows update from Microsoft to secure the computer against further Blaster (and Nachi) attacks. Ingenious! There was only one problem: Nachi overloaded networks with traffic, just like Blaster had.” [emphasis added]

Boutin says antidote viruses are a good idea, if written correctly so as not to cause further network issues, and even suggests how they should behave:

“What we need is a final MyDoom variant—let’s call it MyDoom.Omega—that breaches the exact same security holes as versions A through O, yet spreads itself slowly and carefully to prevent traffic jams.”

I admit that fighting viruses with viruses is a sexy idea, and it might work. However, I dislike the idea of them spreading in the usual viral manner by actively searching out and attacking any vulnerable machine they can find. I would prefer the anti-virus to be more reactive than proactive; to sit patiently on an inoculated system, listening for the signature of a specific viral attack, then to launch an attack against the offending machine and inoculate it. The anti-virus would then sit patiently again, on both machines, waiting for the next viral attack. After a number of months of inactivity, the anti-virus should quietly remove itself from the inoculated system to free up the computer resources it had been using.

This behavior might be a bit slower in spreading itself across the internet, but it is far less aggressive than Nachi and would only target those machines already known to be infected. It would also be self-limiting in life-span. These are behaviors that are much easier to defend in the court of public opinion and, perhaps, in a court of law.

Server Moving

This server will be physically moving to a new location this week — causing an interruption of service. I had hoped to avoid the interruption by setting up a new server and slowly migrating data and services to it. Unfortunately, the timing hasn’t worked out for the new server, so we must move this server instead.

All services (email, www, etc.) and domains hosted on the server will experience an outage beginning Tuesday afternoon/evening and ranging from several hours to a couple of days, depending on how long it takes the server’s new address to propagate throughout the web.

I apologize for the inconvenience this may cause.

A couple of weeks after this move is complete, the new server — faster, more memory, more disk, better backups — should finally be ready to go. Migrating to it should be a much smoother transition than this week’s move.

Update:
The server will get moved on Thursday, instead of Tuesday.

Blue Light Special

Recently, I came across “Optical Storage Sings the Blues,” from ComputerWorld, as well as several other articles that discuss a new family of laser disk technology that can store up to 20GB of data on a single DVD-like disk, or up to 30GB on optical disks housed in protective cartridges. This is 400-600% more capacity than today’s DVDs! For the most part, this is achieved by replacing the infrared laser found in CD & DVD drives with a blue laser — blue light has a shorter wavelength, producing a thinner laser beam that can write more data to what is basically the same media.

This should be welcome news to IT departments responsible for archiving strategic company information, such as financial, customer, or product design databases. Today, these archival processes use tapes, which are stored in climate-controlled vaults. But even under controlled conditions, magnetic media has a very limited life-span and the information on archive tapes must be moved to new tapes every couple of years. Depending on a company’s archive requirements — fourteen or more years in some cases — this “refresh” process can become very expensive and time consuming.

To combat this problem, IT shops have begun to use CDs and DVDs for some archives. But these disks have only a tiny fraction of the storage capacity of modern data tapes. And in some industries, such as mechanical and electronic engineering, design databases can be 10-20 gigabytes or larger, making CD and DVD media impractical. Although blue storage disks are still much smaller than today’s 80-320GB tapes, they are just large enough to be practical for many long-term archival requirements.

This technology is expensive today — around $3000 a drive and $40 per disk — but it has already started appearing in IT shops. Sony, one of a few manufacturers, says it shipped about 60,000 drives worldwide last year. This is only a drop in the bucket compared with the 200 million CD and DVD drives shipped during the same time-frame. As the technology becomes more widely used in the industry, its price will start to come down.

I expect that in three to five years, these drives should be within the consumer price point of today’s CD and DVD drives — opening new possibilities in the movie and home computing market. Imagine having the entire multi-year run of all five Star Trek series and movies, along with full commentary from cast members, directors, and special-effects artists on a single disk! Being able to back up the 250GB hard drive in my PC on fewer than 4 dozen disks might be nice too.

Email Policy for Zip Files

It has always been our policy to block and quarantine emails that contain Windows executables in order to help prevent email viruses, or worms, from propagating through the fox.phoenix.az.us domain. The recommended method of emailing executables has been to archive/compress them and send the zip file instead.

Unfortunately, this is no longer acceptable. Email viruses are making increasing use of compressed (zip) files to spread themselves across the Internet. Until further notice, emails bearing zip files will now also be blocked.
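As an added example (not the site’s own mail filter), here is the attachment policy above expressed as a check a mail gateway could run before quarantining a message: any attachment named with a Windows executable extension, or any zip archive (by name or by declared content type), causes the message to be blocked. The extension list and the sample messages are constructed assumptions; .pif and .scr are the extensions named in the virus alert further down this page.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: a representative set of Windows executable extensions.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs"}


def _ext(filename):
    """Last extension, lower-cased, so 'details.txt.PIF' -> '.pif'."""
    return filename[filename.rfind("."):].lower() if "." in filename else ""


def attachment_verdicts(raw_message):
    """Return (filename, reason) for every attachment the policy blocks."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in EXECUTABLE_EXTS:
            blocked.append((name, "windows executable"))
        # Also check the declared type, so a zip renamed to another extension is caught.
        elif _ext(name) == ".zip" or part.get_content_type() == "application/zip":
            blocked.append((name, "zip archive"))
    return blocked


def should_quarantine(raw_message):
    return bool(attachment_verdicts(raw_message))


def build_sample(filename, payload, content_type="application/octet-stream"):
    """Constructed sample message with one attachment, for exercising the check."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "someone@example.com", "user@example.net", "Re: Details"
    m.set_content("Please see attached file for details.")
    maintype, subtype = content_type.split("/", 1)
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


def sample_zip():
    """Constructed zip archive wrapping a fake executable, the pattern the policy targets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.pif", b"MZ not really a program")
    return buf.getvalue()
```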

SpamAssassin Works!

The anti-spam software SpamAssassin™ has now been fully implemented and tuned, and has been running at fox.phoenix.az.us for the last month. The results have been an overwhelming success! In the last month, we’ve quarantined 98% of all incoming spam messages and have had less than a 1% false positive rate.

VIRUS ALERT: “Sobig.F”

Excerpts of “New Computer Virus Clogs E-Mail Inboxes” by Riva Richmond from WashingtonPost.com:

A new strain of one of the most virulent e-mail viruses ever spread quickly worldwide Tuesday morning, causing fresh annoyance to users worn out by last week’s outbreak of the Blaster worm.

The new virus, named “Sobig.F” by computer security companies, attacks Windows users via e-mail and file-sharing networks. It also deposits a Trojan horse, or hacker back door, that can be used to turn victims’ PCs into senders of spam e-mail.

. . .

The e-mail message that carries Sobig.F has the subject line “Re: Details” and the message “Please see attached file for details.” If a recipient clicks on the attachment, which can have multiple names ending in the .pif file extension, the computer will be infected.

The virus will then send itself out to names found in the victim’s address book and will use one of these names to forge a return address. As such, the infected party may not quickly learn of the infection, while an innocent party may get the blame for helping to propagate it.

Like all the other Sobig viruses, this version is programmed to self-destruct after two weeks, in this case on Sept. 10.

Excerpt of “New Fast-Spreading Sobig Worm Adds to ‘Worm Week’” by Elinor Mills Abreu from Reuters:

Sobig.F, a variant of an older worm, began spreading on Monday in Europe and has infected an estimated tens of thousands of Windows-based computers, said Patrick Hinojosa, chief technology officer at Panda Software, based in Madrid.

It arrives in e-mail and includes a variety of subject lines, including “Your details,” “Thank you!,” “Your application” and “Wicked screensaver.” It has caused some corporate e-mail systems to grind to a halt, according to Sophos Inc.

When the .pif or .scr attachment is opened, Sobig.F infects the computer and sends itself on to other victims using a random e-mail address from the address book.

It also prepares the computer to receive orders and tries to download files from the Internet, said Hinojosa. It was unknown exactly what files they were, he said.

If the infected computer is on a shared network, the worm tries to copy itself to the other computers on that network.

The worm is programmed to stop spreading on Sept. 10.

Worm Avenger?

Excerpt from “New Worms On Cyber-Prowl” (AP) from CBS News:

The worm known as both Nachi and Welchia wreaked havoc Tuesday with Air Canada’s airline reservation systems, creating long lines at the Vancouver airport as weary travelers were forced to check in manually.

Nachi/Welchia also popped up in various nooks and crannies in the United States, including Kentucky, where it interfered with state government computers which handle motor vehicle registration, Medicaid, food stamps, and child support.

Nachi/Welchia targets the same Windows computer users as does LovSan/MBlaster. But this worm has a peculiar Internet avenger-type behavior: it seeks to take control of your computer, delete LovSan/MBlaster if it is present, install the Microsoft patch to protect against LovSan/MBlaster, and then reboot your computer (which is part of the patch installation process).

“This new worm doesn’t destroy the PC or do anything real harmful, but it starts sending out scans across the network,” says Rodney Murphy, of the Kentucky Governor’s Office for Technology, adding that the scans clog phone lines and can cause serious delays. “It can degrade the speed of a workstation to the point of being no different than shutting a PC down.”

BOFH ?

I’ve just come off of a very difficult working weekend. We consolidated approximately 2.5 terabytes of data from two file servers into one. For the uninitiated, that’s an awful lot of disk. Fortunately, one of our other sites loaned us a shelf of disks that greatly assisted the process, and with ndmpcopy — newly available in the latest OS release for these file-servers — we were able to do a majority of the data moving with the old hardware still in place and the new hardware stacked, neatly, on a couple of nearby wire storage shelves. At some point Sunday night — it’s all a blur — we rearranged the hardware, placing the new equipment in the racks and stacking the one system with remaining data on the floor, cabled and running.

Unfortunately, not everything went according to plan. The old file servers just couldn’t move the data fast enough so the move took MUCH longer than originally expected and planned for. Monday morning, and all the impatient users, found us with just over a half-terabyte of data still to move. Not all were upset at getting to go home early.

Fortunately, with the new hardware configuration, I was able to get the job finished by this morning, although I spent the rest of today fighting the expected “Where the hell did you put my data!?!” fires.

One thing I discovered through all this was that nobody reads my emails. In the past, I’d heard complaints that I wasn’t communicating enough with the users when I was planning changes. So for this change, I tried to ensure EVERYONE was informed. First, I worked with the management of each group I support to select a date (weekend) everyone was okay with. Then, every other day, for the week and a half before our scheduled shutdown time, I sent out emails to EVERYONE, informing them of the outage date & time, how long we were expecting to be down, what the impact to them would be, and that they needed to be logged off of their systems NO LATER THAN 5pm on Friday. In addition, I separately emailed the managers and their office administrators asking they forward the information on to the rest of their groups.

Friday afternoon rolls around and, confident that everyone would be logged off at 5pm, I push a job out to all workstations and servers to cause them to shutdown and poweroff at 5:30pm. It worked beautifully. At 5:30, the computer room and surrounding offices became enveloped in calming and serene silence — which was all too soon disturbed by sounds of people running back and forth, screaming “The server crashed!” “My workstation just died!” “AaaaIIIIeeeeee!!” “What happened to my $#%@ job!?!” including the poor soul off in a distant cubicle who simply screamed “Noooooooo!!”.

After explaining for the third time what was happening, and no, they wouldn’t be able to do anything until Monday (or so we thought at the time), I started asking why they were still logged in. Didn’t they get my emails? Nearly to a man, they all responded with “Yeah, but I rarely read those.”

Interestingly, management had left early.

Crashed!

Sunday morning, I discovered the house network server had crashed — its hard disk had failed. I spent the rest of the day rebuilding it. Email, web proxy, VPN services … most everything has been recreated except the print queues. I’ll get to those tonight.

Grandma’s PC

Found the problem with Grandma’s PC. The UPS batteries were fully discharged. Apparently it had started making all these noises after last Tuesday’s valley-wide power glitch, which had caused power outages ranging from less than a second to over an hour, depending on the part of the valley you were in. It appears the UPS went on battery power during this time, completely drained them, and never quite recovered. I left everything turned off and let the UPS recharge for about a half-hour and it appears to have gotten over the recharge-hump — everything seems to be back to normal again.