September, 2003
The Real Threat Isn’t Worms or Viruses -- It’s the Whole Darn Internet
During the past month, the Lab’s virus wall has been Blaster-ed, hit by a worm that was SoBig, and visited by old acquaintances with such names as Klez, Bugbear and Sluter. Rumors of more nasties to come continued to circulate. While each virus or worm appears to pose an individual threat to Lab computers, the real threat is the Internet itself, Computer Protection Program Manager Jim Rothfuss told members of the Computing and Communications Services Advisory Committee (CSAC) at their September meeting.

“The fundamental problem is that the Internet is the threat – the emergency is continuous,” Rothfuss said. “As a result, our protection must be continuous, not just as a response to the crisis of the week.”

As each new worm or virus appears, some of the earlier ones fall off the screen, he said. Such viruses as Code Red, Code Red 2, Nimda, Slammer and others may not be in the news, but they are still out there, scanning for vulnerabilities and attacking whenever the opportunity presents itself.

The recent spread of the SoBig.F worm was the fastest ever, infecting more than a million computers around the world in just a few days. Because of the Lab’s vigilance in maintaining its Virus Wall, only two infections were reported here – out of the 250,000 SoBig.F-infected messages aimed at LBNL.

Once a computer becomes infected, it needs to be taken off the network, have the virus removed, antivirus software updated and the security patches applied. However, because such worms and viruses spread so quickly, if the user attempts to reconnect to a network to download the patches, the machine can get infected again before the patch can be downloaded. To prevent this, the Computer Protection Program has established a procedure called “DHCP Jail,” where vulnerable computers are put in solitary confinement (in other words, cut off from the network) until the vulnerability is fixed.

The owner may need to call the Help Desk (x4357) and pay for the Mac/PC Support Group to install patches, or have a friend download the patches onto a CD for them. Such measures are necessary because of the damage an unprotected computer can inflict on other LBNL systems. In the case of the Blaster worm, an infected computer was attached to the Lab network and 76 computers were infected. Subnetworks had to be blocked within the Lab to stop the spread. Cleaning up the cybermess afterward was one of the most costly computer security incidents the Lab has ever had, Rothfuss said.

“But again, the story is not about Blaster, it’s about our continuing vulnerability to threats spread via the Internet,” Rothfuss said.