Friday, August 29, 2003

Lab computer systems stop e-mail attacks

Employees can help

Recent attempts by virus-writers to disrupt the Laboratory's networks have been foiled, but the key to stopping such attempted intrusions rests with the individual computer user, said Laboratory Chief Information Officer Raymond Neff (CIO).

"Folks in Network Engineering (CCN-5) have done a great job stopping the Sobig virus and other recent intrusion attempts at the Lab's firewall, but we're still seeing a few instances of employees connecting infected computers to the network or opening attachments and replying to e-mails from unknown senders," Neff said.

E-mails that contain viruses are stopped at the firewall, and Laboratory computer users never see those. But the Sobig virus, which originally appeared early in 2003, has some unique characteristics.

Because the Sobig virus is rampant on the Internet, virus checkers outside the Laboratory often strip off infected attachments and then pass on the original email message, sometimes with a warning that a Lab user sent a virus or with wording that a virus was removed.

In the past week, Laboratory users also have seen hundreds of messages that appear to come from other infected users at the Laboratory, but in fact are coming from virus checkers outside the Laboratory.

The Laboratory's own checkers regard all of these uninfected emails as benign and pass them on, but users shouldn't reply to them, said Alex Kent, CCN-5 deputy group leader.

"The Lab community saw a number of these messages, but because they are not dangerous in any way, we are allowing them to get through," Kent said.

Laboratory users are seeing dozens of spoofed e-mails that look like they have bounced back from their own accounts, Kent explained. That's because when the Sobig virus infects systems, it looks for every e-mail address to which or from which the user has ever sent e-mail. It then randomly uses these addresses both as places to infect and as originating (from) addresses.

As a result, a Laboratory user's e-mail address could be captured and used as the "from" line when the virus from the outside computer attempts to infect other machines.

"When the message bounces for some reason, the bounce comes back to the Laboratory user as the owner of the address," Kent said. "It's very confusing because it looks like you have a problem but in reality it has nothing to do with you.

"The very few instances in which we've seen infected machines get onto the network have been cases in which users brought laptops or removable media that had been infected at home and then connected them to the yellow network," Kent added.

The Laboratory also has seen recent activity by a new variant of the Blaster worm called Welchia. To stop the spread of this new worm, CCN-5 has stopped ping traffic within some parts of the yellow network and through the firewall, Kent said. Most users should see no effects from this change.

Following the Bugbear virus attack in June, the Laboratory banned use of alternative electronic POP and IMAP mail servers outside the Laboratory's network. For more information on the policy go to http://www.lanl.gov/orgs/pa/newsbulletin/2003/06/30/text02.shtml online.

-- Jim Danneskiold
Questions? Contact the Newsbulletin at newsbulletin@lanl.gov or 667-6103.