Worms - Viruses And Internet
Computer viruses, worms, Trojan horses, and spyware applications are flooding the world's networks. You're nuts to use a PC without an antivirus tool, but that alone isn't enough. Antivirus programs can't detect a new virus until it is already on the loose. That leaves your system vulnerable for the hours or even days it takes your antivirus vendor to deliver an update. Fortunately, you can help stop the nastiest viruses in their tracks--even before anyone knows about them.
During the past month, the Lab’s virus wall has been Blaster-ed, hit by a worm that was SoBig, and visited by old acquaintances with such names as Klez, Bugbear and Sluter. Rumors of more nasties to come continued to circulate.
While each virus or worm appears to pose an individual threat to Lab computers, the real threat is the Internet itself, Computer Protection Program Manager Jim Rothfuss told members of the Computing and Communications Services Advisory Committee (CSAC) at their September meeting.
“The fundamental problem is that the Internet is the threat – the emergency is continuous,” Rothfuss said. “As a result, our protection must be continuous, not just as a response to the crisis of the week.”
As each new worm or virus appears, some of the earlier ones fall off the screen, he said. Such viruses as Code Red, Code Red 2, Nimda, Slammer and others may not be in the news, but they are still out there, scanning for vulnerabilities and attacking whenever the opportunity presents itself.
The recent spread of the SoBig.F worm was the fastest ever, infecting more than a million computers around the world in just a few days. Because of the Lab’s vigilance in maintaining its Virus Wall, only two infections were reported here – out of the 250,000 SoBig.F-infected messages aimed at LBNL.
Once a computer becomes infected, it needs to be taken off the network, have the virus removed, antivirus software updated and the security patches applied. However, because such worms and viruses spread so quickly, if the user attempts to reconnect to a network to download the patches, the machine can get infected again before the patch can be downloaded. To prevent this, the Computer Protection Program has established a procedure called “DHCP Jail,” where vulnerable computers are put in solitary confinement (in other words, cut off from the network), until the vulnerability is fixed. The owner may need to call the Help Desk (x4357) and pay for the Mac/PC Support Group to install patches or have a friend download the patches onto a CD for them.
Such measures are necessary because of the damage an unprotected computer can inflict on other LBNL systems. In the case of the Blaster worm, an infected computer was attached to the Lab network and 76 computers were infected. Subnetworks had to be blocked within the Lab to stop the spread. Cleaning up the cybermess afterward was one of the most costly computer security incidents the Lab has ever had, Rothfuss said.
Security Tips: Keep Viruses, Worms, and Spyware Off Your PC
Patch that system, private! It's time to bust out the old drill-sergeant voice, because anyone who doesn't follow this simple instruction is going to have to drop and give me 50 knuckle push-ups. Okay, everyone repeat after me, "Unpatched systems are the devil's spawn."
Enable Automatic Updates: In Windows XP, right-click My Computer, choose Properties, Automatic Updates, and make sure that Keep my computer up to date is checked. (See this month's Internet Tips for more on Automatic Updates.) Once a month (preferably just after Microsoft announces its latest security fixes), visit windowsupdate.microsoft.com, let the site scan your system, and then download anything labeled Critical. Every month, no exceptions--got it?
Turn off scripting behaviors in Internet Explorer: Many worms and viruses spread through Web page scripts (commands in the page that push the worm out to anyone who opens it in IE). Other browsers don't have this problem, but if you can't or simply won't change to Opera, Mozilla, or another browser, you must alter IE's scripting settings to block the threat.
In IE, click Tools, Internet Options, Security. Choose the Earth icon under Select a Web content zone, and click Custom Level. The settings in the dialog have three options: Disable, Enable, and Prompt. Enabling everything is asking for trouble, but being prompted every time a script or ActiveX control wants to run will drive you batty. In any event, disable Download unsigned ActiveX controls, Initialize and script ActiveX controls not marked as safe, Active scripting, and Scripting of Java applets (see Figure 1). Set Java permissions to High Safety.
With scripts disabled, many of your favorite Web sites may not open. Also, your company intranet or Web mail service may require scripting. If so, add the URLs for these sites and services to IE's Trusted Sites list. Open IE and click Tools, Internet Options, Security. Select the Trusted Sites icon, click Sites, and then enter the URLs one at a time. Uncheck Require server verification (https:) for all sites in this zone, and click OK (see Figure 2).
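The Custom Level dialog writes its choices to the per-user zone registry, so the settings above can be checked (and, with -Apply, enforced) from a script instead of by clicking through the dialog on every PC. This is an added example, not part of the article; the value names and data codes are Microsoft's documented zone layout (KB 182569), and it assumes the settings have not been locked to the machine hive by policy.

```powershell
<#
  Added example: audits the Internet-zone (zone 3) settings named in the tip
  above. Per Microsoft's documented layout (KB 182569), most entries use
  0 = Enable, 1 = Prompt, 3 = Disable; Java permissions (1C00) use
  0x10000 = High safety. If the policy value Security_HKLM_only is set, the
  effective settings live under HKLM instead of HKCU; check that hive too.
#>
param([switch]$Apply)   # without -Apply the script only reports

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$checks = @(
    @{ Name = '1004'; Label = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Name = '1201'; Label = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Name = '1400'; Label = 'Active scripting';                                          Want = 3 },
    @{ Name = '1402'; Label = 'Scripting of Java applets';                                 Want = 3 },
    @{ Name = '1C00'; Label = 'Java permissions (High safety = 0x10000)';                  Want = 0x10000 }
)
$states = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
foreach ($c in $checks) {
    $value = $zone.($c.Name)
    if ($null -eq $value)                          { $state = 'not set (default)' }
    elseif ($c.Name -eq '1C00')                    { $state = '0x{0:X}' -f [int]$value }
    elseif ($states.ContainsKey([int]$value))      { $state = $states[[int]$value] }
    else                                           { $state = "unknown ($value)" }
    $ok = ($null -ne $value) -and ([int]$value -eq $c.Want)
    '{0,-5} {1,-60} {2,-18} {3}' -f $c.Name, $c.Label, $state, $(if ($ok) { 'OK' } else { 'REVIEW' })
    if ($Apply -and -not $ok) {
        # Same effect as choosing Disable (or High Safety) in the Custom Level dialog.
        Set-ItemProperty -Path $zonePath -Name $c.Name -Value $c.Want -Type DWord
        '      -> set {0} to {1}' -f $c.Name, $c.Want
    }
}
```

A setting that reports "not set (default)" is using IE's built-in default for the zone, which for the Internet zone is Enable or Prompt for most of these entries, so it still needs to be set explicitly.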
Control what starts up with Windows: Many worms place a reference to themselves in a portion of the Windows Registry that defines what programs start up with Windows. The TeaTimer applet that comes bundled with Spybot Search & Destroy 1.3 and with WinPatrol can control what gets added to this list. TeaTimer asks you to verify any program that seeks to be added to that list. Spybot and WinPatrol are free, so why not use both?
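The startup list the tip refers to lives in the Run and RunOnce registry keys; the script below is an added example (not from the article or from Spybot/WinPatrol) that lists every entry there and flags the ones that look like a worm's typical self-registration, so a machine can be reviewed by hand when TeaTimer is not installed. It assumes the standard key locations and uses the Temp, profile and AppData folders as its idea of user-writable locations.

```powershell
<#
  Added example: lists the programs registered in the Run/RunOnce keys for
  the current user and the machine, and flags entries whose executable is
  missing or lives under Temp, the user profile or AppData, places a worm can
  write to without administrator rights. Inspection aid only; nothing is
  changed. On 64-bit Windows also check the Wow6432Node copies of the HKLM keys.
#>
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$metadata    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$suspectDirs = @($env:TEMP, $env:USERPROFILE, $env:APPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metadata -contains $p.Name) { continue }   # provider fields, not startup entries
        $cmd = [string]$p.Value
        # Executable = quoted path, or the first token. An unquoted path with
        # spaces is truncated here and shows up as 'missing file', which is
        # itself worth a second look.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $flags = @()
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $flags += 'missing file' }
        foreach ($d in $suspectDirs) {
            if ($exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'user-writable location'; break
            }
        }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Flags = ($flags -join ', ') }
    }
}
```

Pipe the output to Format-Table -AutoSize to read it; an entry with a flag is not proof of infection, only a reason to look at the file, its signature and its date before deciding whether it belongs there.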
Use a software and a hardware firewall: If you have broadband Internet service--even if you have Zone Labs' free ZoneAlarm or some other software firewall active on your PC--you can't be too safe. Belkin, D-Link, Linksys, and other vendors sell inexpensive broadband gateways that bounce back worm attacks that otherwise would reach your computer.
Proactive Malware Prevention With Qwik-Fix
In early tests, PivX's Qwik-Fix Pro was successful in preventing malicious scripted Web pages from forcing Internet Explorer to load worms or spyware. The tool provides stopgap protection so that your system doesn't get infected while you're trying to download patches. Qwik-Fix Pro is free for noncommercial use, and businesses should be able to buy the corporate version by the time you read this.
Andrew Brandt is a senior associate editor for PC World and the author of the monthly Privacy Watch column.