Harvard Scans E-mail For Nuisance Virus

A virus that has crippled campus computer networks across the country has forced University officials to begin filtering e-mails in an unprecedented attempt to keep Harvard’s servers running.

Harvard Arts and Sciences Computer Services is universally deleting incoming e-mails infected with the Sobig.f virus.

The software currently in use to identify and delete e-mails specifically carrying the computer virus netted 36,000 messages in its first nine hours online, according to Coordinator of Residential Computing Kevin S. Davis ’98. All mail sent out by the Sobig virus has a unique, characteristic signature of digits which is easily identifiable by the filtering software.

The solution, which is unusual in that it does not allow users to opt-out of the filtering, is an “emergency” measure, according to Davis.

“This really was the only thing we could do to keep the systems up,” he said.

To provide longer-term protection against the Sobig virus and other e-mail based bugs, HASCS is also testing a new central server-based virus scanning program for e-mail.

Application of this system will only be voluntary. Network users will not be required to utilize it, Davis said.

“The challenge in a university is that it must be an open environment. There are people doing research who need unfettered access,” Davis said. “So this broader scanning will be strictly on opt-in basis.”

Sobig sends e-mails 10 to 20 times the size of a normal message out from infected computers.

Another recent threat to computer networks, the Blaster worm, exploits a hole in Windows 2000 and XP to infect a computer.

Though neither virus deletes material from infected computers, both both multiply and overload networks, causing significant slowdowns.

“The good thing is that they’re both fairly easy to deal with,” Davis said. “The danger is in the derivative versions that are being made.”

While Blaster has been present since the summer school term, Sobig is a relatively new threat, Davis said.

“It’s [Sobig that has] been affecting students already—our mail volume has been significantly higher,” Davis said. “It’s quite good at spreading quickly and leaving behind undesirable software on people’s computers.”

To attack the Blaster worm, HASCS has provided a patch on their website that will fix infected machines by closing the vulnerability that the worm and its variants exploit to attack computers. But Blaster hits systems so quickly that students must install the patch immediately upon connecting to the network, Davis said.

“A brand new machine could be plugged into the network, and within seconds, be infected by the Blaster worm,” he said. “Students should take this as an extremely serious threat. Everyone should go and run this tool.”

While Harvard will not require students to install the patch, HASCS is using posters and flyers to educate students about the necessity of using virus-scanning software, Windows updates and the patch on the HASCS website to prevent infection and repair infected computers.

Since the Blaster worm causes infected computers to successively reboot, Davis said, he does not anticipate hesitation among affected users to use the patch.

“With Blaster, if your machine has it, you’ll know it, and if you get symptoms, it’s pretty clear you have to run this tool,” he said.

As students head back to universities across the country, the viruses have wreaked havoc and caused several campus networks to temporarily shut down.

Concerns about the viruses prompted Brown University to implement a network registration tool which scanned newly connected computers for the appropriate updates and patches, and then directed users to install those that were missing.

About 50 percent return to school with vulnerabilities in their computers, said Connie Sadler, Brown’s information technology security director.

“If you hadn’t updated in the last few days, you were vulnerable,” Sadler said.

The high numbers of students who use laptops—about 80 percent—to move among different networks also greatly increases the chance of spreading viruses, HASCS Director Franklin M. Steen said.

The SpamAssassin software which HASCS made availabe to students and faculty last year also identifies many of the e-mails sent out by the Sobig virus, though it does not delete them, said Steen.

“The SpamAssassin filter identifies a lot of [Sobig e-mails], but students still have to check their spam folders,” Steen said. “The e-mails add up very quickly, and they might fill the inbox and not allow in any more mail.”

Although many students have not yet protected their systems against these current threats, Davis said that most have become more alert about their Internet use.

“Students have gotten a lot more wary and cautious. They’re not using Outlook, and they’re being careful about opening attachments,” he said. “What’s happened is that they’ve caught up to the threats that were present a couple of years ago, but there’s still a lot more to do.”

—Staff Writer Katharine A. Kaplan can be reached at kkaplan@fas.harvard.edu.