About a week ago I had the unmitigated pleasure of heading out to a client to do a routine hard drive swop for their backups to be transferred offsite. This is a weekly thing that gets done to keep their data safe.

As I walked in the door the owner of the company (a financial planning business) asked me to check why they had run through their local bandwidth so quickly.

What I found both horrified and amused me.

Being a registered financial institution, this particular client needed to conform to certain legislation regarding their IT policy – hence my weekly trip to swop a hard drive.

All the computers were supposed to have antivirus installed – in this case NOD32 by ESET. (I fixed my mispost – thanks to Gert, see comment below.)
All the computers were to be secured behind a firewall.
An audit needed to be done regularly on their computers.

(We had inherited this client from one of our clients recently, and were still in the process of getting everything shipshape again, including a maintenance contract that included more than just swopping hard drives – just so you know I was not the one who left the gaping holes described later on in this post…)

Virus Infection

Yes. They were hit by a virus. And not just any virus. A self-spreading trojan/worm called Win32/Prolaco, or one of its derivatives.

Within four days it had eaten through FOUR gigabytes of bandwidth worth of sent mail. The Windows 2003 Exchange server on the premises had THOUSANDS of mails in the queue and was pumping out more by the second as I sat there mortified, realising that my Friday, and quite possibly my entire weekend, was flushing down the tubes right before my eyes.

What had happened?

That was rather easy to determine. Earlier in the week some of the staff complained about getting mails from strange sources. They forwarded me one of these, apparently from twitter.com, that proclaimed that a friend had requested they join.

They did NOT forward me the attachment.

Together with the twitter mail (which it turns out did NOT originate from twitter) they got the usual Viagra spam.

I looked through the mail headers and told them that the mail was harmless, and that they should delete the Viagra spam. I then forwarded a request to the company handling their mail (we had not taken that functionality over yet) to try and filter the spam, and provide me with some logs to look through. This has yet to arrive.

During this correspondence a lady complained of receiving Viagra spam from herself. Again I checked through the source, and scanned her computer for viruses. The mail originated from an IP somewhere in the dodgy side of Europe and the computer was clean.
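The header check described above, as an added illustration that is not part of the original post: walk the Received chain of a message to find the relay it actually came in from and compare that with the domain claimed in the From: line. The message, host names and IP addresses below are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): claims to be from twitter.com but
# was handed to the ISP's relay by an unrelated, unnamed host.
SAMPLE_MESSAGE = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
\tby mx.client.example (Postfix) with ESMTP id 1234ABCD; Fri, 5 Mar 2010 09:12:31 +0200
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example-isp.net with SMTP id 98765; Fri, 5 Mar 2010 09:12:29 +0200
From: Twitter <invitations@twitter.com>
To: someone@client.example
Subject: Your friend wants you to join Twitter!

Click the attachment to accept the invitation.
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Received headers oldest-first, i.e. in the order the mail travelled.

    Mail servers prepend their Received line, so the header list as stored
    is newest-first and has to be reversed. Only the hops added by servers
    you control are trustworthy; anything below them can be forged.
    """
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(raw):
    """IP address recorded in the earliest Received hop, or None if not found."""
    chain = received_chain(raw)
    if not chain:
        return None
    match = _IP_RE.search(chain[0])
    return match.group(1) if match else None


def sender_domain(raw):
    """Domain part of the From: address (the claimed sender)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess(raw):
    """Flag a From: domain that never appears in the hop the mail entered from."""
    chain = received_chain(raw)
    domain = sender_domain(raw)
    first_hop = chain[0].lower() if chain else ""
    return {"from_domain": domain, "origin_ip": originating_ip(raw),
            "from_domain_in_first_hop": domain in first_hop}
```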

I also made a point of telling them NOT to click on attachments.

And then someone got a hallmark card.

Apparently computer users are like children. If you tell them NO, it means “Let’s try it! I bet the result is really fun and he is just trying to keep the surprise to himself.”

A hallmark card was opened, the attachment opened, and all hell broke loose. With one example of the virus through the gate it multiplied like a bunny on Viagra, cocaine and an odd mixture that is usually described as “Punch” that consists of 2/3 vodka and 1/3 “fruit juice” (read: more alcohol).

So a virus-cybersex session ensued where the little buggers spread to every possible computer that they could infect.

Via e-mail and flash drives.

But HERE is where it got really interesting.

So I fight back.

As I got to work trying to rescue my dangerously threatened free weekend from trashification at the hands of the little monster that was romping through my network I noticed something interesting.

Of the 30-odd computers on the network, this was their state:

7 ran Vista.

The rest ran Windows XP.

20 had working (pre-infection) copies of NOD32, of mainly two variants.

3 had NO antivirus installed whatsoever. None. One of these was a Vista laptop.

7 had versions of NOD where the licenses had expired, and were thus as good as not being installed. None of these machines ran Vista.

The network was basically split in two: the first floor of the building ran through one switch in the server room, and the ground floor through another.

The pattern of the infection was very surprising though. It was OS independent – the Vista machines suffered generally as badly as the XP machines. But it was not antivirus dependent either.

None of the machines that had NO antivirus were infected, and of those where the antivirus had expired only three were infected. Of the machines that had working antivirus the infection rate was roughly 50/50.

Why was this the case then?

Users are the key here.

As I finished scanning the computer of the lady who usually dealt with me and my IT requirements every Friday I pointed to a group of ladies who sat together across the office from her and asked if she was friends with them. She confirmed that indeed she was.

A light went on.

The infection was limited to an interesting demographic in the company – younger people in junior positions and the ones in lower management were the ones affected. Middle and top management were largely spared infection, except for one of the directors who socialised with the junior staff at work.

It was not all of the junior staff either. Only the ones who hung out together had virus problems. Those staff members who generally kept to themselves or were unpopular had absolutely no virus issues.

This leads me to the topic of this post.

Why there is no safe operating system.

Users are naive. If a user perceives a mail or file to be safe they will open it, run it and generally ignore any nag messages that pop up when they do so.

MacOS, Linux (especially the various Ubuntu clones) and Windows can and will fall prey to users who simply click OK, YES and/or enter passwords when prompted.

Sure there are MORE safe and LESS safe operating systems, some make it harder for files to execute – even with permission, and some make it impossible for files to execute without permission.

But users can and WILL give permission.

Let's take Ubuntu as an example. When you click on an executable file you are prompted with a message that asks you if you want to execute it, or simply view its contents. A user, if they trust the person who apparently gave them the file, will run the executable. Similarly, when a flash drive with an executable file on it is plugged in, the Ubuntu equivalent of the RUN dialogue appears, and users will click OK.

Summary.

Computer users are sociable creatures, and the train of thought that follows when presented with a strange message is: YES I want to run this! After all, I know the person who sent it to me.

What they should be asking is: WHY would this person want to run a program on my computer?

Thus: There are NO safe operating systems. Only safe users. And they are few and far between. Educate your users – it will make your life MUCH easier and cause fewer instances where you watch your well-planned weekend piddling down the toilet.
