Stanford Report Online



Stanford Report, August 12, 2003

ITSS urges updating security patches to prevent spread of malicious code

The hacking of 2,500 Stanford computers last week continues to create numerous difficulties for the university’s information technology support personnel. The virus and a new worm continue to infect machines at a decreased rate, but PC users on campus can avoid infection by implementing preventive security measures.

If you’re reading this article on a computer running Microsoft Windows NT, 2000, XP, or 2003 operating systems, apply all security patches (available for free download at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp)

Home computers that dial into Stanford or connect via DSL and laptops connected to the campus network are also at risk and should be patched. Computers running Windows 98 and 95 or Macintosh operating systems are not affected, according to the Department of Information Technology Systems and Services (ITSS).

Sandy Senti, executive director of technology, strategy and support, estimates that at least 30 percent of campus PC users have not installed the security patch. "There is a real urgency for installing the security patch if people haven’t already done so because we continue to see new flavors of this [vulnerability],” Senti said. "Although the IT community has quickly come together to repair infected machines, prevention is still the best medicine."

The vulnerability, RPC Buffer Overflow, allows hackers to take control of the machines, clearing the way for all sorts of mischief -- from stealing personal information to engaging in distributed denial of service attacks, which occur when hundreds or thousands of computers are used to clog traffic to a particular website, said Cedric Bennett, director of information security services.

A new worm also exploits the Windows security vulnerability. The worm deposits code that allows it to spread to other computers and also attempts denial of service attacks. The worm has affected at least 400 machines on the Stanford network.

Security updates protect users and can save hours of work for university computer support personnel. According to ITSS, 800 infected machines have been rebuilt, patched and reconnected to network. Each machine takes up to four hours to rebuild. Another 1,200 compromised machines have been disconnected from the Stanford network, which means users of these computers are unable to check e-mail or perform other tasks that require networking while they are rebuilt by an ITSS SWAT team. "It’s quite a laborious process,” Senti said.

Computer users may find it difficult to determine whether a machine has been infected because the virus deposits lines of code deep within the operating system. One indication of the virus is the disappearance of the virus protection icon from the desktop, Senti said. ITSS repeatedly scans the network for infected machines and notifies the local service support person in each department.

It may take weeks to clean the bad code off every one of the infected computers, Bennett said. "In terms of lost time, it's expensive," he added. "This is a pretty serious attack."

Bennett also predicted that such skillfully created "exploits," as he calls them, will increase. "I believe that what we're seeing in last several months, if you go back to Slammer and Bugbear.B" -- the software worm and virus that became epidemic in early February and June, respectively, of this year -- "is an escalation of the sophistication and intensity of Internet attacks," he said. "The Internet is a great facility -- a great resource -- but it carries some dangers. I believe this is a signal that we have to become just a bit more active in trying to prevent these kinds of attacks."

Bennett said he and other members of ITSS suspect that the university computers were probably infected by a laptop (or laptops) brought in from the outside and then connected to the Stanford University Network (SUNet). It is unlikely that the laptops' owners would have known their machines were infected, he added.

More technical information about this vulnerability can be found at http://securecomputing.stanford.edu/alerts/windows-rpc-16-jul2003.html.