Culprit, identified as Rinbot virus, affects about 2,000 machines

By Phillip McGowan
Sun Reporter
Originally published March 8, 2007, 10:27 PM EST

An Internet virus that has bedeviled media outlets across the country forced Anne Arundel County to shut down more than 2,000 computers this week, sending technicians on a furious race to contain the outbreak and produce payroll checks for county employees.

The fast-mutating virus, known as Rinbot, disrupted operations at the Turner Broadcasting System last week, then attacked computers at the Boston Globe and almost all of the McClatchy Co.'s 32 newspapers, including the Minneapolis Star Tribune.

The malicious software, which takes command of PCs and can turn them into "zombies" that attack other systems or send out millions of spam e-mails, turned up in Anne Arundel County on Wednesday.

Officials said technical-support staff began receiving scattered reports Wednesday morning of PCs that started up slowly and displayed repeating symbols and numbers where text was supposed to appear. Realizing that a virus was on the loose, administrators shut down much of the county's non-emergency network to keep it from spreading.

Bill Ryan, the county's information technology officer, said the county was cleaning up infected computers with software provided by Symantec, the Cupertino, Calif., security firm that is paid $70,000 a year to protect Anne Arundel's computers from these kinds of attacks. He said some computers began coming online at 11 a.m. Thursday -- about 24 hours after IT workers shut down the system.

Officials so far have been unable to detect the source of the virus. So far, no other governments in the Baltimore area have reported similar infections. Several, including Howard, Carroll and Harford counties, use the same corporate Symantec security software.

Payroll first

Anne Arundel officials said their technical staff moved first to restore payroll computers, along with those that perform non-essential recordkeeping for the police and fire departments. But for the better part of two days, hundreds of forms for bills, permits and document requests that would normally be filled out electronically in county offices were done by hand.

"County residents should not have known any difference," said county spokeswoman Rhonda Wardlaw. "County government employees understand the reality of what we needed to do to keep government running."

Ryan said the county's overall network did not crash and at no time was Anne Arundel's emergency operations system -- which comprises about 2,000 computers -- affected. The county's Web site remained online, too.

Ryan said his staff is moving cautiously with software fixes to prevent a mutated form of the virus from being introduced. Asked whether the computers could be back online Friday, he said: "It's too early for me to say that, in all honesty."

Still unresolved is how the virus pierced the county's defenses. Security experts say the first version, attributed to an unknown hacker with an apparent grudge against Symantec, appeared last year and targeted a flaw in the company's security software.

Patches

Once Symantec analyzed the virus, it released a "patch" in the spring of 2006 and urged network administrators across the country to install the software. When the virus surfaced again last week in the Turner network, parent of CNN, and McClatchy newspaper computers, it appeared to target some machines that had never been patched or that were running old versions of Microsoft Windows that couldn't be patched.

"The variations of that we're seeing now still exploit the same vulnerability against which Symantec provided an update," said Ron O'Brien, a security analyst for Sophos, a Massachusetts-based network security company that competes with Symantec.

Others aren't so sure. Ryan said the county had applied all of Symantec's patches on time, and a Symantec spokesman said he did not know whether previous software patches would have protected against this version of the virus, known as Win32.Rinbot.Y.

"Thousands of viruses come out every day," said Ryan. "Sometimes there's a remedy for them; sometimes we don't have a remedy for them, which was the case."

Sophos' O'Brien said the virus, which his company calls Delbot, is mutating rapidly, with seven identified variants this week and five last week.

Clay Myers, information technology director at McClatchy's Tri-City Herald in Kennewick, Wash., where the virus struck Feb. 27, said he's still worried. "I've got a bad feeling about what this could do everywhere else," he said. "We've got strong defenses here, and we had all the most recent updates from Symantec and everywhere else."

A few years ago, O'Brien said, most invaders such as Rinbot/Delbot were spread through e-mail attachments. When users opened them, thinking they were looking at a photo or some other document, they were running malicious programs. However, e-mail filters have become so proficient at screening out viruses that hackers are increasingly luring victims by sending messages with links to Web pages that automatically transmit virus-laden software to unprotected computers.

Mike Grant
Bytware, Inc.
775-851-2900
http://www.bytware.com

CONFIDENTIALITY NOTICE: This e-mail message and any attachment to this e-mail message contain information that may be privileged and confidential. This e-mail and any attachments are intended solely for the use of the individual or entity named above (the recipient) and may not be forwarded to or shared with any third party. If you are not the intended recipient and have received this e-mail in error, please notify us by return e-mail or by telephone at 775-851-2900 and delete this message. This notice is automatically appended to each e-mail message leaving Bytware, Inc.