Mason Virus Busters Battle the MyDoom Worm

Posted: February 18, 2004 at 1:00 am, Last Updated: November 30, -0001 at 12:00 am

By Fran Rensbarger

[Editor’s note: This is the first in a series of articles about cyber security at Mason.]

Trojan Horses, zombie networks, and MyDoom worms that scatter around the world in seconds sound like the stuff of myth and legend, but they are all too real and present today. Fortunately, George Mason has a staff of cyber watchdogs who fight back on behalf of the university’s computer users.

The Technology Systems Division (TSD) staff of the Information Technology Unit (ITU) foil most cyber infections before they do serious damage and then repair what damage is done. Randy Anderson, director of Network Engineering and Technology (NET), and Steve Bernard, systems engineer in NET, tell how TSD works its magic.

“Our engineers try to keep ahead of attacks by participating in the information technology security-related discussion groups, monitoring alerts from various watchdog organizations, and generally staying involved with the security community,” says Anderson. “We don’t yet have many automated processes in place to give us early warnings that an attack is in progress, but those are of limited value anyway because by that time it’s too late. The exception would be equipment such as the Webshields and Norton Antivirus, which act to limit the damage by blocking the attack automatically–if they are able.”

Another line of defense is the anti-virus (AV) product vendors, says Bernard. “AV vendors are very good at discovering new viruses quickly and releasing updated signatures. Occasionally, something will affect us before an announcement has been released. When that happens, we gather all available information and respond appropriately while waiting for updates from the AV community.”

Hundreds–maybe thousands–of new malicious software, or malware, programs are released every year, but only a very small percentage attracts mainstream media attention, Bernard says. Large-scale outbreaks of worms and viruses are identified quickly, but completely stopping viruses and worms is nearly impossible.

The university has anti-virus scanning devices that inspect every e-mail that is sent or received through the university’s e-mail servers, but e-mail from non-George Mason e-mail systems has no guarantee of being scanned. Anti-virus signatures are updated at least weekly or more often if new updates are released.

Experience and vigilance are important, as are regular audits and information gathering when it comes to anticipating attacks, Bernard says. The nature of the risk or attack dictates what can be done to prevent or limit the exposure. For example, restricting access to particular computers or ports is sometimes effective. Often, viruses and worms spread through e-mail or P2P file sharing, which require much more complex and costly technologies to protect.

Identifying the attacker is difficult, says Bernard. “Worms and viruses are almost exclusively indiscriminant in their victims, and their creators remain largely anonymous. SPAM distribution, personal information theft, the creation of zombie networks for launching denial of service (DoS) attacks, and illegally distributing copyrighted material are the motivations behind most viruses and worms.”

The ITU is improving its ability to deal with cyber attacks, say Anderson and Bernard. These efforts include a growing staff of dedicated security personnel, increased budgets, and more efficient procedures for dealing with large-scale incidents when they do occur.

Budgets are always a consideration, Bernard says, but security is receiving a great deal of attention. “Technology provides the tools to implement security, but people are the key to making it successful,” he adds.

Next time: How university computer users can help foil virus and worm attacks.

Write to at