Viruses wreak havoc on Duke net

 The computer worm that caused a brief network outage Friday is only one of a number of viruses the Office of Information Technology is trying to remedy as students return to campus and bring thousands of new computers onto Duke's network. Friday's culprit, the Nachi worm--also known as Welchia or Blaster-D--overloaded Duke's routers by sending out echo requests, or pings, to find active computers to infect. Chris Cramer, the University's information technology security officer, said OIT has temporarily blocked all external ping requests in order to keep the network running.

 "Ping has a lot of uses, but since the virus was making use of it, we had no choice but to shut it down," Cramer said. "Last I knew, there were about 350 computers infected on the network, with probably about two-thirds of those in the dorms. The worm was probably putting out several hundred thousand ping requests every minute." Because OIT has not disabled ping requests within Duke's internal network, very little has been affected as far as students are concerned, Cramer said.

 Still, he stressed that the ping block is only a temporary measure and infected computers still need to be cleaned up. He added that OIT will allow all ping requests again once the virus has been removed from the majority of infected computers and once traffic from outside Duke's network is reduced, indicating a lower risk of infection. The Nachi worm takes advantage of a security hole in Microsoft Windows 2000 and XP and Microsoft Internet Information Services 5.0--the same vulnerability exploited by the Blaster worm, which affected Windows NT, 2000, XP and Server 2003. Although the Nachi worm seems to have been made with good intentions--to download security patches and remove the Blaster worm from infected computers--computer experts have cautioned that no worm is a good worm.

 Cramer said it is a fairly simple process to clean up an infected computer. Over the weekend, OIT started e-mailing students, faculty and staff whose computers have been infected with instructions on how to remove the virus. He said he hopes students, faculty and staff will take responsibility for cleaning up their own computers, adding that computers that continue to cause problems on the network may have to be pulled off-line.

 "We took some actions to keep the worm out of the network, but because it spreads automatically, once it's in Duke's network we have to go in and clean up each individual computer," Cramer said. "Cleaning up any given computer should only take 10 to 15 minutes because it's just a matter of downloading the tools needed to clean it up." OIT changed the network registration page students living on campus see when they use Duke's network for the first time in their new rooms. The modified page provides links to download a Microsoft security patch, a worm-cleaning tool and the Duke site-licensed antivirus and personal firewall. Cramer said students should not have to take any additional steps after downloading and installing the antivirus program, which is configured to update itself automatically with the latest virus definitions.

 Other problems OIT has been working on include the Blaster worm and the SoBig virus, which infects computers through e-mail attachments. Cramer said the Blaster worm, which was created to blast a Microsoft site, turned to blast the registration site instead when students with infected computers tried to connect to the network. Like the Nachi worm, the Blaster worm must be removed from each computer individually.

 Cramer said SoBig is currently under control, with fewer than 10 computers carrying the virus as of Saturday. "A lot of students have downloaded McAfee [VirusScan], and we've also run an antivirus on the mail system itself," Cramer said. "We caught over 1.5 million copies of the SoBig virus trying to come into the network, and they were all stripped out by the antivirus program."
