‘Worm that ate the Internet’

The SPU network was just one of many disrupted by the Internet worm that wreaked havoc on systems worldwide this past weekend. Popularly known as the "Sapphire" or the "W32/SQL Slammer," and referred to by Executive Director of Computer and Information Services (CIS) Dave Tindall as "the worm that ate the Internet," this virus began infecting the university network as early as 9:30 p.m. Friday.

Tindall said all the computers on campus were affected in some way.

"It affected all computers to some extent, as all networking was shut down for the better part of two days," he said.

He added that all systems were shut down as a precaution, but that not all were susceptible to the virus.

"As to how many SPU systems were vulnerable to the attack, I’d say somewhere in the hundreds," he said.

Tindall said the virus most likely entered through the school’s online learning site, Blackboard. Though CIS pulled the plug on this entry point to prevent the virus from infiltrating, some damage had already been done. "We shut down Blackboard early Saturday morning, but by the first few minutes of the outbreak, the infection had already begun," said Tindall.

Viruses such as these are called "worms" and are characterized by a deceptive, quick-spreading nature, according to Tindall. Its epidemic-like quality "owes to its predisposition to send out thousands of probes a second, thus infecting many Internet channels simultaneously," the Associated Press reported. The worm, unlike other viruses, infects systems through networks rather than through e-mail.

Of the estimated tens of thousands of computers infected worldwide, Tindall said, "three to four hundred thousand were infected at the very beginning of the outbreak."

Another wily aspect of the worm is its ability to disappear and then re-manifest. "The infection was such that if you reboot your computer, the worm goes away, and you think it’s gone," Tindall said. "But if you turn it back on (without protection), it is still vulnerable to attack."

Such protection was made available this past summer in the form of a preventative patch. This precaution, as well as further information about the susceptibility of the networks, was posted by Microsoft as early as July 24.

Although CIS was aware of this option, Tindall said that when the patch was released, it did not seem like a vital purchase.

"The patches come out weekly. It’s unreasonable to think that any individual could even keep up," Tindall said.

According to Tindall, it is not CIS’s policy to buy each individual patch that comes out, but to do a quarterly evaluation and then purchase a Microsoft Service Pack. Microsoft Service Packs come out every six months and feature a variety of corrective methods for technology.

The benefit of these packs is that they are "more heavily tested, damage less and break less, functionally."

As a result of CIS’s policy, Tindall said, "We did have a period of time where our technology was not the latest and greatest."

In addition to this acknowledgement, Tindall said that "CIS was not alone in thinking that the purchase of this single patch, designed to prevent one problem … was not worth the complexity and difficulty it took to install."

Regarding the updates Microsoft sends out notifying people of new merchandise, Tindall said, "The updates are weekly and a little complicated, not as user-friendly as they could be."

The decision not to buy the patch was a common one, according to the Associated Press: "Microsoft had made software updates available to patch the vulnerability in its SQL Server 2000 software -- used mostly by businesses and governments -- but many system administrators had yet to install them when the attack hit Sunday."

Although it did not purchase the precautionary patch, CIS did take quick preventative measures after the fact to make sure the virus was eradicated from the SPU network.

Tindall and staff came in over the weekend to "clean up all central services," he said. A power outage was scheduled on Sunday between 1 p.m. and 2 p.m. on campus in an attempt to circumvent the virus. Power returned to the campus by 4 p.m. A memo went out from Manny Mourtzanos at 12:41 p.m. telling students about the power outage and warning them to save their computer work before it occurred. However, since Blackboard is maintained by an outside vendor, the software needed to prevent the virus in Blackboard was incompatible with that needed for the rest of the system. In fact, if CIS had installed the patch, made available last week, the network would have been inaccessible because the patch conflicts with Blackboard’s service, Tindall said.

Instead, a separate patch, known as a "hot fix," was applied to correct Blackboard’s specific vulnerability.

Tindall said that many programs used at SPU were targets for the outbreak. "Programs that were vulnerable are in widespread use here. (Susceptible systems) such as Visual Studio.Net are a requirement for Computer Science and Electrical Engineering majors. We’ve sold at least 500 of them this year."

A full list of vulnerable programs included Microsoft SQL Server 2000, Microsoft SQL Server Desktop Engine, Microsoft Visual Studio.Net and Microsoft Office XP Developer Edition.

Students whose computers had these programs installed were told in the e-mail to disconnect their computers from the campus network because of the risk of infecting other computers.

Over the last few days, computer owners without an anti-virus program were contacted by CIS to come in and purchase one. This is just a precaution, Tindall said. "Just for network sanity, we need people to try and protect this resource."

Tindall said CIS will be evaluating their procedures internally in light of this incident. "In retrospect, we had information that could have protected the network from a particular problem. We postponed this because if we decided to apply every patch that comes out to every one of our 35 servers, people would be entirely dedicated to applying the patch of the day, every day."

Currently, said Tindall, "We take a moderate approach. I would say we are more (proactive) in applying patches than most IT services."

Tindall also said the service-pack option is designed to respect students.

"With every patch that’s purchased, the system has been rebooted and e-mail is shut down. If we did this with every patch, students would be pretty annoyed. The idea is, instead of having 100 disruptions, you have two."

Tindall said that things like this are bound to happen.

"We have seen our crop of viruses. … We have stopped quite a few … but they can still get into campus."

"We’re always stuck with some minimal risk. It’s like Russian Roulette."

As to how the technological epidemic affected students, Tindall said that "The lasting effect is that the Internet is a wild, unruly thing, and that bad things can happen if you don’t pay attention. That’s not pessimism, that’s reality."

This article was imported from The Falcon’s Records
Original Metadata about the article can be found below

Title: ‘Worm that ate the Internet’ | Author: Jade Nirvana Ingmire | Section: News | Published Date: 2003-01-29 | Internal ID: 3089