02 January 2002

"Whom unmerciful Disaster
  Followed fast and followed faster."
      - E.A. Poe, The Raven, st. 11

It seldom occurs to me to give vent to my feelings about computers, software applications, and the havoc they generate in our lives, in writing. It's certainly never occurred to me to write about those things in this forum. Until now, that is.

While the rest of the world watched football games and flowery parades yesterday, I sat in front of a personal computer system with a friend whose nerves were frayed. He'd been the unfortunate victim of a hacker's invasion, and the resulting mess took us nearly the whole day to unravel. I found out he was in trouble when on the afternoon of December 31st, my beloved woke me to inform me that he'd received email, and not only was the text of the email garbled, but his personal computer was flashing a message announcing its detection of a virus. I came to my feet in a flash and helped my darling take care of the problem. The virus was a nasty new one, a polymorphic Trojan Horse-style invader that not only steals all the addresses from your email address book, but when it finishes, trashes your computer's operating system applications. It's not user-friendly.

My beloved's computer system has been under my watchful eye since the day it arrived in our house. As a geek of long standing (I'm talking about more than twenty years in the software business), I know that by the application of some simple, effective preventive maintenance procedures, we could safeguard the system with relatively little effort and cost. To that end, I'd purchased and installed Norton SystemWorks, and implemented a schedule of routine backup and data storage. I regularly update the virus definitions and pay the pittance the company asks for yearly maintenance. When software patches and OS updates become available, I download and install them. I've taught my darling how to avoid getting the IP address trapped in the spammers' nets, and what to do when anything seems wrong (call me). The email application is commercial quality, and doesn't have great, gaping security holes through which hackers can gain control of the system. My spouse's machine runs clean as a whistle. On the few occasions when viruses have attempted infiltration, the antivirus software generally has pre-empted the strikes, quarantining or deleting the offending attachments and emails. This time was no different. By the time I reached the computer, the anti-virus software had taken care of the problem for me, and all I had to do was decide whether or not I wanted to salvage the infected files through an automatic repair option. Since we knew the files were garbage, I made the decision to delete.

Afterward, I cruised online to the Symantec anti-virus center (http://www.sarc.com) and researched the virus that we'd just removed. There was plenty of information about the virus, and explicit, clear instructions for the steps to take to manually remove it from one's system. There were descriptions of the virus properties, how to recognize infected emails and attachments, and the "payload" the hackers deliver if you don't get the infection off the system before it executes. It was all pretty scary stuff.

The virus was first reported in September. In fact, it's classified as a "Virus or Worm," with at least six known variations. The virus harvests email addresses from Windows Address Book files, Outlook Express Sent items, and Netscape Sent items to propagate itself. When it delivers its payload, the damage is severe, causing system instability on a large scale. This includes overwriting hard drives, erasing CMOS, and flashing the BIOS. Further, because it attaches documents taken from the infected machine to the email it sends out, there's a chance it will release confidential information to others in the form of MS-Word documents. A thoroughly nasty bug, this one.

I learned to recognize the virus vehicle (the email). The subject line is "randomly generated text up to 60 characters long." The attachments (these deliver the payload) consist of "one randomly named infected executable, and several randomly selected text or document files." This was consistent with what my beloved and I saw. Our friend's strange email had two attachments -- "camera.exe" and a Word document. The payload takes square aim at "All Windows Program Execution files that are not .DLL files." This means .EXE, .COM, .BAT and .PIF files -- in a word, the programs that make up the operating system and everything installed on top of it.

The virus also attempts to disable firewall functionality for the user, adds an entry to the "Shell=explorer.exe" line in the [boot] section of the system initialization file, system.ini (so the virus is invoked the next time you boot your system), searches for Windows system folders under the usual names (Winnt, Windows, Win95, Win98, Winme, Win2000, Win2k, Winxp), emails an executable attachment to every person in the address book, and occasionally attaches .GIF files to emails (these are where some real fun can begin, since the hackers almost always prefer to send out pornographic images). Here's the kicker, though: the payload overwrites Ntldr and Win.com on all drives with code that writes garbage data over the first sector of the first IDE hard drive (the master boot record), which is what renders a personal computer unusable. Once this last is accomplished, you're in possession of a $2,000 boat anchor.
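If you want to check a machine for the two footprints described above without waiting on a scanner, here is a small Python triage script. It is an added example, not code from the original post and not anything from Symantec; the extension lists, the 60-character subject limit, and the sample system.ini and email are my own assumptions built from the description above, and all the sample data in it is constructed.

```python
"""Triage helpers built from the indicators described above.

Added example, not code from the original post and not a Symantec signature.
It checks the two things the post describes: a system.ini [boot] "Shell="
line that no longer points only at explorer.exe, and an e-mail that carries
one executable attachment alongside document files. The extension lists, the
60-character subject limit and the sample inputs are assumptions drawn from
the post's wording; the sample data below is constructed.
"""
import os
import re
from email import message_from_string
from email.message import EmailMessage

# Assumed: the "Program Execution" file types the post lists, plus .scr.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".scr"}
# Assumed: document types the worm appends from the victim's own disk.
DOCUMENT_EXTS = {".doc", ".txt", ".rtf"}
MAX_RANDOM_SUBJECT = 60  # from the post: random subject "up to 60 characters"


def boot_shell_entries(system_ini_text):
    """Return every Shell= value in the [boot] section of a system.ini,
    in file order. Hand-rolled parser: configparser rejects the duplicate
    and value-less keys that real system.ini files contain."""
    section = None
    shells = []
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                shells.append(value.strip())
    return shells


def shell_line_tampered(system_ini_text):
    """True if any [boot] Shell= line names anything beyond a bare
    explorer.exe, e.g. "explorer.exe camera.exe" (a boot-time hook)."""
    return any(v.lower() != "explorer.exe" for v in boot_shell_entries(system_ini_text))


def attachment_names(raw_message):
    """Filenames of every attached part in an RFC 822 message."""
    msg = message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify_message(raw_message):
    """Score one message against the mail indicators the post describes.
    'suspect' is set only on the strong signal: exactly one executable
    attachment travelling with one or more document files."""
    msg = message_from_string(raw_message)
    names = attachment_names(raw_message)
    exts = [os.path.splitext(n)[1].lower() for n in names]
    executables = [n for n, e in zip(names, exts) if e in EXECUTABLE_EXTS]
    documents = [n for n, e in zip(names, exts) if e in DOCUMENT_EXTS]
    subject = msg.get("Subject", "") or ""
    return {
        "executables": executables,
        "documents": documents,
        "short_subject": 0 < len(subject) <= MAX_RANDOM_SUBJECT,
        "suspect": len(executables) == 1 and len(documents) >= 1,
    }


def build_sample(subject, attachments):
    """Construct a test message (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "spouse@example.com"
    msg["Subject"] = subject
    msg.set_content("xkq vnr lpd")  # garbled body, as the post describes
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed samples: the pattern seen in the post, and an ordinary mail.
SUSPECT_MAIL = build_sample("qwe rtd lkj mnb",
                            [("camera.exe", b"MZ\x90\x00"),
                             ("proposal.doc", b"\xd0\xcf\x11\xe0")])
BENIGN_MAIL = build_sample("Q1 proposal", [("proposal.doc", b"\xd0\xcf\x11\xe0")])
CLEAN_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\nebios=*ebios\n"
TAMPERED_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\camera.exe\n"

if __name__ == "__main__":
    print("system.ini tampered:", shell_line_tampered(TAMPERED_INI))
    print("suspect mail:", classify_message(SUSPECT_MAIL))
```

A hit from either check is a reason to follow the vendor's manual removal steps and restore from backup, not proof of a particular infection; legitimate alternate shells exist, and plenty of innocent mail carries an .exe next to a document. The point is to make the two symptoms the post describes cheap to check on a machine that has no scanner installed.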

The Symantec information ends with this: "Files that cannot be repaired should be deleted. If necessary, restore any deleted files from a clean backup." The hackers' worst enemy is a prepared, well-defended user in possession of both current anti-virus software and a backup.

When we finished ridding my darling's system of the threat, I said we should call and let our friend know his system was breached. We decided we could wait a couple of hours and inform our friend in person of what we'd discovered -- we were going to his house for our annual New Year's Eve get-together dinner party. We thought we might simply mention the issue to him, and he'd be able to take care of the problem the next day, and that would be that.

As it turned out, it wasn't that simple. He told us the person he'd hired to monitor and maintain his office systems was a "Mac bigot" who hated touching Windows-based systems, and as a result, he didn't do anything with the system unless absolutely forced into it. However, the Windows-based system is the one our friend uses for all his email dispatches, for file transfers and faxes, and for business proposal delivery around the globe. His business is highly specialized, and international. And he's got all the wrong stuff -- an older version of the operating system, the Outlook Express email, and no antivirus protection. His expression was duly alarmed as we described what we'd found, and he asked me if I could help.

I agreed, and we made a date for the following day, which was yesterday. We spent the whole day together. In those seven hours, we revealed seventy-four infected files, three separate viruses, and a hard drive configured for a fast failure at a not-distant point in the future. We identified holes in system security, system configuration errors that affect performance and reliability, and a non-existent backup strategy. We found, too, that a young consultant had been using the system to scan the Web for pornography, and left thousands of nasty images on his disk. This explained, at least, the increase my friend noticed in sexually suggestive spam he'd been receiving. Together, we scanned, disinfected, deleted, and then purchased some tools to prevent a recurrence of the worst events. I plugged the biggest holes, but many still exist.

He's had the computer system two years. In that time, it's never been backed up, and it's never been monitored for performance. It's never had a refresh to the operating system, and it's never had a logging facility for user access. That system was a ticking time-bomb for his business. As it was, we ended the long day by crafting an apology/explanation email, which we sent out to the several hundred people whose addresses were stored on his system. We said, "Please run an antivirus program against your systems as soon as you can -- we are sorry for the inconvenience to you." When it all ended, we agreed I would come back periodically and help him get the system up to snuff over the next several months. With all the work we'd done, we only lost one 30K file -- a self-extracting zip file that couldn't be recovered after the antivirus repair. This was indeed the miracle of the day.

My poor friend. He's been at the mercy of everyone, and didn't really know it. When we parted company, he said, "I'm just trying to run my business, and do the best I can. Why do these people have to make it so hard for me?"

Why, indeed. What a way to start a new year. Excuse me, but I have to stop and back up my system.
