http://www.yaledailynews.com/article.asp?AID=31167

BY ROSS GOLDBERG
Staff Reporter
January 9, 2006

A forged Yale e-mail address has been used to spread a security exploit that infected over one million computers in the last two weeks, including some on the University network.

The exploit, which attacks a weakness in the Windows operating system, can allow hackers to remotely control a computer that downloads it. In one version circulating in the United Kingdom, victims are tricked into clicking on a link in an e-mail purportedly sent by a Yale professor. Yale Information Security Officer Morrow Long said the University received about 30 complaints from British citizens, but given that victims of hackers rarely bother to complain, many more were likely infected.

"We got some e-mails here from people … who thought we were somehow behind it," Long said. "We weren't happy … that we would have our name dragged through the mud in some major virus attacks."

The Yale forgery is one of more than 200 versions of the bug, which takes advantage of a vulnerability in the way computers render Windows Meta File images. Several versions of WMF attacks -- though not the one using the University domain name -- successfully infiltrated about 10 Yale computers and attempted to infect 20 more, Long said. University officials first detected an attack on the network on Dec. 29, but Windows did not release a patch to fix the problem until a week later.

Long said that given the exploit's severity, the computers could have been completely destroyed.

"It's very critical," he said. "Basically, if somebody clicks on it, it can take over your system and do whatever it wants."

Officials are urging students to download the patch with Windows Update to avoid a resurgence as they return to school.

The Yale version of the bug is carried in an e-mail from a nonexistent "Professor Robert Gordens." The message announces that the University suffered graffiti damage and broken windows over New Year's, and it asks recipients to click on a link to see if they can "recognise [sic] the culprit's work." The link automatically downloads the exploit to victims' computers.

Long said members of the Yale community are frequently sent e-mails with viruses attached from hackers forging the university domain name, but attacks on outsiders are unusual. Computer security experts said Yale may have been chosen due to its international prestige.

"What you're trying to do in a social engineering attack is generate trust," said Alan Paller, director of research at the SANS Institute, which provides computer security training and research. "The idea of a university being a sleazy organization just doesn't compute in people's minds."

Though no one at Yale has been linked to the WMF attacks in Britain, Paller said he hopes the incident will alert faculty to the dangers of reckless network use, which he said is a chronic problem on university campuses.

"Probably the best effect is it will wake your faculty to the idea that they have a role to play here," Paller said. "When they don't keep their systems safe, they put the whole community at risk."

Paller said faculty usually resist attempts to secure their networks with Web site restrictions, but Yale Chief Information Officer Philip Long said Yale has introduced netblocks on the primary sites involved in the attacks. Since Jan. 1, administrators have also blocked all e-mails with "Happy New Year" written in the subject line to protect against another version of the exploit. Officials said they expect that the e-mail block likely thwarted a number of innocent e-mails.

"We knew it would affect people, but we weighted that against the risk of a lot of people getting infected," Morrow Long said.

But Philip Long said administrators were unable to filter data with ".wmf" file extensions -- a step that Paller said was essential but largely ignored by most universities.

Yale can take legal action against the hackers who forged its domain name, Morrow Long said, but law enforcement will likely be unable to identify the perpetrators given that the attacks cross several national boundaries.

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
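The article describes two gateway controls: blocking "Happy New Year" subjects and (unsuccessfully) filtering ".wmf" attachments. The following is an added example, not code from the article, Yale or SANS, showing why a content check beats a name check: Windows identified metafiles by their header, so a renamed file was still rendered as WMF. The header layouts are the public WMF format; the function names, verdict strings and sample headers are my own constructions.

```python
"""Content-based WMF screening for a mail gateway (added example)."""
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian: Aldus placeable WMF key
BLOCKED_SUBJECT = "happy new year"    # the subject-line block the article describes


def is_wmf(data: bytes) -> bool:
    """True if data begins with a placeable or standard WMF header."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < 6:
        return False
    # METAHEADER: mtType (1 memory, 2 disk), mtHeaderSize (always 9 words),
    # mtVersion (0x0100 or 0x0300); all little-endian 16-bit fields.
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict: judge the bytes first, the file name second."""
    if is_wmf(data):
        return "block:wmf-content"      # WMF bytes regardless of the extension
    if filename.lower().endswith(".wmf"):
        return "block:wmf-extension"    # claims to be WMF, header not recognised
    return "allow"


def should_block_message(subject: str, attachments: dict) -> bool:
    """Combine the subject-line rule with attachment screening."""
    if BLOCKED_SUBJECT in subject.lower():
        return True
    return any(classify_attachment(n, d) != "allow" for n, d in attachments.items())


# Constructed samples: bare headers padded with zeros, no metafile records.
PLACEABLE_SAMPLE = PLACEABLE_KEY + bytes(18)
STANDARD_SAMPLE = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)   # 18-byte METAHEADER
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + bytes(12)

if __name__ == "__main__":
    # A WMF header hiding behind a .jpg name is still caught by content.
    print(classify_attachment("culprit.jpg", STANDARD_SAMPLE))  # block:wmf-content
    print(should_block_message("Happy New Year!", {"card.jpg": JPEG_SAMPLE}))  # True
```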
This archive was generated by hypermail 2.1.3 : Mon Jan 09 2006 - 22:40:18 PST