Saturday, August 23, 2008

Huntsville School Computers Encounter USB Jumper Virus

Via Gar Warner's Blog -

Computer viruses are crippling the Huntsville City Schools. How can you be sure your student (or school) won't be a carrier?

In yesterday's Huntsville Times Steve Campbell reported that computer viruses had nearly shut down the Huntsville City schools. Teachers couldn't use their prepared computer lessons, student attendance could not be tracked, and lunch room accounts could not be accessed because of the virus.

Virus researchers at UAB Computer Forensics have been looking at these types of viruses, called "USB Jumpers", since January and have been amazed that there hasn't been a devastating outbreak earlier.

While many viruses spread via email or by visiting infected web pages, this one spreads via network connections and via "USB Thumb Drives".

When a USB drive is inserted into a computer, the computer scans the drive for an "AutoRun.inf" file. If the AutoRun.inf file is present, the computer does whatever it is told to do.

If a stranger (or a student, in this case) gives you a USB thumb drive and you stick it into the computer, the default setting on any Windows computer is to execute that AutoRun sequence.

The way this family of viruses, which we call "USB Jumpers", works is that they modify the AutoRun.inf file to execute a copy of the virus, which is often present on the thumb drive as a "hidden file" called "Setup.exe".

Once a computer is infected, every thumb drive inserted into that computer will be updated to also be a USB Jumper. So, if a teacher has students turn in their homework on USB sticks, the first student may give the teacher an infected thumb drive. The teacher then also gathers homework from all of the other students. As each student's thumb drive is inserted into the teacher's computer, it also becomes infected, and can now be used to spread the virus to their home computer or other teachers' computers.

Once a trusted computer on a network is infected, the infection can spread quickly to every other computer on the network, especially if an Administrator logs in to the computer. When someone with "Domain Administrator" privileges logs in to the computer, the virus on that computer now has "Administrator privileges" on the entire network. When the virus realizes it is an Administrator, it attempts to open a "network share" with every other computer on the network. If the share is successful, it will copy itself to the setup routines on the remote computer, and then close the connection.

This is especially devastating! When a computer is first infected, the infection is limited to the local machine and to USB drives inserted into that computer -- but the person who is called from the IT Department to remove the virus will almost certainly log in with "Administrator" access to remove the virus. As soon as that happens, every machine on the network can be infected within a matter of seconds.
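The quoted post describes the mechanism but not how to check a drive for it. The script below is an added example (not code from Gar Warner's post or from UAB) that inspects the root of a mounted drive from a clean workstation: it parses AutoRun.inf, picks out the directives that launch a program on insertion (`open=`, `shellexecute=`, `shell\open\command=`), and reports whether each target exists, looks executable, and carries the hidden attribute. The sample AutoRun.inf and the placeholder `Setup.exe` it builds are constructed for the demonstration; the directive names follow the documented AutoRun.inf format, and the `is_hidden` check is best effort because the hidden attribute is only visible on Windows.

```python
"""Inspect a removable drive for an AutoRun.inf that launches a program.

Added example, not part of the original post. The sample files written by
build_sample_drive() are constructed for the demonstration.
"""
import os
import shlex
import stat
import tempfile
from pathlib import Path

# [autorun] directives that cause a program to run when the drive is inserted.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample in the shape the post describes: the launch directives
# point at a Setup.exe sitting on the same drive.
SAMPLE_AUTORUN = (
    "[AutoRun]\n"
    "open=Setup.exe\n"
    'shellexecute="Setup.exe" /s\n'
    "icon=Setup.exe,0\n"
    "action=Open folder to view files\n"
)
CLEAN_AUTORUN = "[autorun]\nicon=drive.ico\nlabel=Homework\n"


def parse_autorun(text):
    """Parse INI-style AutoRun.inf text; return {lowercase key: value} for [autorun]."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def program_from_directive(value):
    """First token of an open=/shellexecute= value, with surrounding quotes removed."""
    tokens = shlex.split(value, posix=False)
    return tokens[0].strip('"') if tokens else ""


def is_hidden(path):
    """Windows hidden attribute where the platform exposes it; False elsewhere."""
    try:
        attrs = os.stat(path).st_file_attributes
    except (OSError, AttributeError):
        return False
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))


def inspect_drive(root):
    """Return one finding per launch directive found in root/autorun.inf."""
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    findings = []
    for key, value in parse_autorun(inf.read_text(errors="replace")).items():
        if key not in LAUNCH_KEYS:
            continue
        program = program_from_directive(value)
        target = root / program
        findings.append({
            "directive": key,
            "program": program,
            "exists": target.exists(),
            "hidden": is_hidden(target),
            "executable": Path(program).suffix.lower() in EXECUTABLE_EXTS,
        })
    return findings


def is_suspicious(findings):
    """Flag the drive when any launch directive points at an executable file type."""
    return any(f["executable"] for f in findings)


def build_sample_drive(infected=True):
    """Create a throwaway directory laid out like a drive root (constructed data)."""
    d = Path(tempfile.mkdtemp(prefix="usbjumper_demo_"))
    if infected:
        (d / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (d / "Setup.exe").write_bytes(b"MZ placeholder, not a real program")
    else:
        (d / "autorun.inf").write_text(CLEAN_AUTORUN)
    return d


if __name__ == "__main__":
    for label, drive in (("infected", build_sample_drive()), ("clean", build_sample_drive(False))):
        found = inspect_drive(drive)
        print(label, "suspicious" if is_suspicious(found) else "ok", found)
```

Run it against a real drive root (`inspect_drive("E:\\")`) from a machine that has AutoRun disabled, so that merely mounting the stick does not trigger the sequence the post describes; a drive whose AutoRun.inf only sets an icon or label produces no findings, while one whose launch directives name an executable is flagged for closer review.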

-----------------------

I had the pleasure of working along with Gar Warner during my time as a CastleCops PIRT handler.

Good guy.
