11/13/2004
Stephanie's computer had a virus a couple of weeks ago, before all this Blaster nonsense. It didn't do any harm, and I was able to remove it relatively easily, but it annoyed me. I had to waste a Saturday morning cleaning it up, and when I found out where it came from, I thought I would try to do something as a Good Internet Citizen. As I wrote to the contact at one of the involved sites, I'm no security expert, but I am in the IT field, and I have dealt with virus attacks in the past at work. I realize that shutting down this exploit will probably not even make a dent in the problem the industry has with this type of malicious activity, but if everyone did what they could, we might stem the tide of these petty annoyances.

The Infection
I had updated Stephanie's copy of Norton AntiVirus on Friday night before I went to bed, but I didn't scan her drive before powering off. She was already up on Saturday morning when I got up, and when I went into the office, I saw the big blue "You have a virus" message on her screen. When she had turned her computer on, the anti-virus program scanned her files and found the virus, so she left it for me to take care of.
Digging through her computer files, I found that she had been infected with the Backdoor.Coreflood virus. Cleaning the machine was relatively easy, since it's not a really destructive virus, but I wanted to know how she got it. I was under the impression that our firewall was supposed to protect us from most of the riff-raff that seems to be giving the Internet a bad name, so my first thought was that she had opened an infected e-mail attachment. I asked her if she had recently opened any attachments that didn't seem to do anything when opened. She said the only one she got was from one of her friends, and that it had contained what it was supposed to. I figured that wasn't the source.
So I looked at the information about the infected file. It was dated the previous Sunday, at about 11:45PM. She couldn't remember where she was on the Internet at that time, only that she was browsing art-related sites. I used the Windows Find function to search for files dated Sunday from 11:30 to midnight. I found HTML files (the files that make up a web site) in her browser's cache (temporary storage) from exactly the time that the virus was installed, so I looked at the files using Notepad.
Luckily, I had just taken a Web design class, so I knew what I was looking at. After the last line in one of the files, there were a couple of lines of code opening a file from another web site. That file, which I also found in the cache, called a Perl script (a little program) if the browser is IE6 without a service pack, which is exactly what Stephanie's computer has. I have no way of seeing what the Perl script does, but if I try to run the code on her computer, BAM! Norton AntiVirus jumps in and says that a virus is trying to install itself on the computer. Since Norton stopped the virus, I figured there was no harm in trying the web site, and I got the same result. This was where the virus came from!
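The triage above (find the cache files written in the minutes around the infection, then look for code tacked on after the end of an otherwise normal page) can be scripted. The following is an added example and not the post's own code; it uses Python instead of Windows Find and Notepad, builds its own constructed cache directory with sample pages (the timestamps and the host "injected.example" are made up for illustration), and goes slightly beyond the post by checking for several kinds of loader tags (script, iframe, object, embed) in the trailer, not just the one the post found.

```python
"""Triage a browser cache the way the post describes: list files whose
modification time falls in a window, then flag HTML files that carry
markup after the closing </html> tag (the sign of injected content).

Added example, not the post's own code. The cache directory, sample
pages, timestamps and the host 'injected.example' are all constructed."""
import os
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Markup after </html> that loads something from elsewhere is the
# tell-tale trailer the post describes.
TRAILER_RE = re.compile(r"</html\s*>(?P<trailer>.+)$", re.IGNORECASE | re.DOTALL)
LOADER_RE = re.compile(
    r"<(script|iframe|object|embed)\b[^>]*\bsrc\s*=\s*['\"]?(?P<src>[^'\" >]+)",
    re.IGNORECASE,
)


def files_modified_between(root, start, end):
    """Paths under root whose mtime lies in [start, end]: the same
    by-date search the post did with Windows Find."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
            if start <= mtime <= end:
                hits.append(path)
    return sorted(hits)


def injected_trailer(html_text):
    """Return whatever follows the closing </html> tag, or '' if nothing does."""
    m = TRAILER_RE.search(html_text)
    return m.group("trailer").strip() if m else ""


def remote_loaders(markup):
    """Sources that script/iframe/object/embed tags in the markup load from."""
    return [m.group("src") for m in LOADER_RE.finditer(markup)]


def triage(root, start, end):
    """Map each in-window HTML file with a trailer to the sources it loads."""
    findings = {}
    for path in files_modified_between(root, start, end):
        if path.suffix.lower() not in (".htm", ".html"):
            continue
        trailer = injected_trailer(path.read_text(errors="replace"))
        if trailer:
            findings[path.name] = remote_loaders(trailer)
    return findings


def build_sample_cache():
    """Constructed cache: a clean page, a page with an injected trailer,
    and an injected page outside the window. Returns (root, start, end)."""
    root = tempfile.mkdtemp(prefix="cache_")
    infected_at = datetime(2004, 11, 7, 23, 45)  # "Sunday, about 11:45PM"
    clean = "<html><body>thank you for visiting</body></html>\n"
    dirty = clean + '<script src="http://injected.example/loader.pl"></script>\n'
    pages = {
        "art1.htm": (clean, infected_at),
        "art2.htm": (dirty, infected_at + timedelta(minutes=2)),
        "old.htm": (dirty, infected_at - timedelta(days=3)),
    }
    for name, (text, when) in pages.items():
        p = Path(root, name)
        p.write_text(text)
        os.utime(p, (when.timestamp(), when.timestamp()))
    return root, infected_at - timedelta(minutes=15), infected_at + timedelta(minutes=15)


if __name__ == "__main__":
    root, start, end = build_sample_cache()
    for name, srcs in triage(root, start, end).items():
        print(f"{name}: trailer after </html> loads {srcs}")
```

Run it against a real cache by replacing build_sample_cache() with the cache path and the 30-minute window around the infected file's timestamp; anything it reports is a page to read by hand and a host to mention when writing to the site's contact.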

Warning
I sent an e-mail to the contact name on the art website that the original HTML file came from, and to the "webmaster" at the site, explaining what I found and telling them what happened to Stephanie's computer. I probably made a mistake here, since I wrote it as if I were Stephanie, saying that "my husband found the problem, and while I did not fully understand what he's talking about, it sounds like there's a problem." The next day, we received a somewhat snotty and, in my opinion, very condescending e-mail from the web site:

"Hi,
Viruses come from opening attachments, not visiting webpages, or no one would visit the web and there would be open panic on cable news. The line you refer to in my html does not exist. The last line is "thank you for visiting". Something else must have infected your system... sorry to hear you're having trouble,"


I was ticked, to say the least! I checked his web site, and the offending code was indeed gone. I tried to shrug it off. The problem was gone, which was the desired result of the exercise in the first place, and they were probably just covering their own behind so that we wouldn't accuse them of harming our computer. But the tone of the message bothered me, so, of course, I had to reply on Monday:

Hi. I had my wife forward your reply to me at work so I could look into it a little deeper.

You are correct that the line I found does not now exist in your HTML, but you are not correct that you cannot get a virus from visiting a web page. According to Microsoft (because the vulnerability is in most versions of IE), their Knowledge Base article here (http://support.microsoft.com/default.aspx?scid=kb;en-us;313675) says:

"A security vulnerability exists because, if an attacker altered the HTML header information in a certain way, it could be possible to make Internet Explorer interpret that an executable (.exe) file was actually a different type of file, one that it is appropriate to open without asking the user for confirmation. This could enable the attacker to create a Web page or HTML e-mail message that, when opened, would automatically run an .exe file on the user's computer."

And according to this message (http://lists.boost.org/MailArchives/boost/msg49943.php) the Boost.org site had the same problem last week that yours did, as it describes almost exactly what I found. The follow-up to that message said:

> I just got off the phone with Interland (the host). All their machines for
> shared hosting got infected this morning; they've had calls coming in from
> customers all day. They "have engineers working on it right now."

> They confirmed that the actual pages on the server's disk are OK, but that
> their server has been compromised to add the offending code.

Just thought you'd like to know.


I never did get a reply to this message.

Results!
I did, however, receive a reply to one of the other two messages I sent out about this problem. Even though everyone at work that I told about this said that I should just drop it, I e-mailed the contacts on the default pages of the other two sites that contained the bad code. The second one, which actually contained the Perl code that loaded the file, never received the message, because it was returned immediately as having a bad e-mail address. A bad e-mail address as the primary contact for a web site. Yeah, there's nothing shady going on there!
The other one sent me a very nice reply a week later, which made me feel like I actually did the right thing:

Dear Sir/Madam,
Thank you for telling me about the virus. I called my Internet Service Provider - Interland, and this is what was discovered:
1. xxx.xxx.xxx.xxx is my old URL which was never reassigned to anyone and looks very much like my current one, which is xxx.xxx.xxx.xxx

2. Interland tech support will try to fix the problem by deleting all files associated with obsolete URL - xxx.xxx.xxx.xxx

3. You can get in touch with Interland by calling 1-800-xxx-xxxx, ticket number xxxxxx.

I apologize that due to my absence I was unable to take care of the situation at the earlier time.

Regards,


In the interim, I also realized that I had been feeling guilty for a couple of reasons. I never installed the IE service patch on Stephanie's computer, and her virus signatures were a couple of weeks old. I never paid much attention to the patch, because I kept reading about how the patches Microsoft was putting out were frequently causing more problems than they were resolving, and it was just sloth that prevented me from updating her anti-virus. I didn't feel so bad about the anti-virus, though, because it turns out that she got the virus four days before Norton released the code to check for it.

I guess the moral of the story is that if you're on the Internet, you had better keep up with the security patches and not go too long between updates of your virus signatures. Although this bug got past our firewall, I firmly believe a firewall, even a software-based one, is also a smart investment. You can't be too careful nowadays.

(As a funny side note to this story, when all was said and done, I considered upgrading Stephie's computer from Windows 98 to Windows 2000, figuring that it might be safer. Now that the Blaster worm is attacking Windows 2000 PCs and not Windows 98, it's a good thing I put that little upgrade off!)


Here are some virus- or security-oriented web sites that I use regularly:

Symantec - update your Norton Anti-Virus signatures
McAfee Security - update your McAfee Anti-Virus signatures
CERT Coordination Center - more info about viruses
DataFellows Hoax Site - check this site before forwarding any warning chain e-mails
GRC.com - use "Shields Up" to check how secure your computer is!
Microsoft - download the security patches
SpamNet - Stop the Spam! (I don't use this myself, but I have friends that swear by it.)
Pop-Up Blocker - blocks most pop-ups, and is easy to use, too
Mozilla - an open-source alternative to Internet Explorer, without a lot of the problems that IE has
