Information Technology (IT) reported a serious computer virus that caused infected computers to brute-force the passwords of all Boston College user IDs on the Windows domain controllers.
Infected computers contacted BC command control, the system that logs users into the BC Windows domain, and compiled a list of all usernames. The virus then went through that list and attempted to guess the administrator's password, the account with the most control over any computer.
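The activity described above, one host failing logons against many enumerated accounts or repeatedly against the administrator account, is a pattern that a domain controller's failed-logon records can be screened for. The following is an added example, not code from the original report or from BC IT; the record layout, host names and thresholds are constructed assumptions.

```python
"""Added example: flag hosts whose failed domain logons look like the
brute-force guessing described in the report. All records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_failed_logons():
    """Constructed failed-logon records as (timestamp, source_host, account).
    Field names are assumptions; real data would come from the domain
    controllers' security logs."""
    base = datetime(2004, 11, 29, 10, 30)
    recs = []
    # Bot behaviour: one host walks the enumerated user list, one guess each.
    for i in range(25):
        recs.append((base + timedelta(seconds=2 * i), "dorm-pc-17", f"user{i:02d}"))
    # Bot behaviour: another host hammers the administrator account.
    for i in range(30):
        recs.append((base + timedelta(seconds=i), "dorm-pc-42", "administrator"))
    # Benign: a user mistypes their own password three times over an hour.
    for m in (0, 20, 55):
        recs.append((base + timedelta(minutes=m), "lib-pc-03", "cmattus"))
    return recs


def find_bruteforce_sources(records, window=timedelta(minutes=5),
                            min_failures=20, min_accounts=10):
    """Return {host: reason} for hosts that, within any `window`, either fail
    against `min_accounts` distinct accounts or fail `min_failures` times."""
    by_host = defaultdict(list)
    for ts, host, acct in records:
        by_host[host].append((ts, acct))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            accounts = {acct for _, acct in in_window}
            if len(accounts) >= min_accounts:
                flagged[host] = f"{len(accounts)} accounts in {window}"
                break
            if len(in_window) >= min_failures:
                flagged[host] = f"{len(in_window)} failures in {window}"
                break
    return flagged


if __name__ == "__main__":
    for host, reason in find_bruteforce_sources(constructed_failed_logons()).items():
        print(f"{host}: {reason}")
```

The benign host with three scattered failures is not flagged, which is the distinction the thresholds are meant to draw.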
David Escalante, director of policy/security for IT, said guessing the administrative password could be relatively easy since students tend not to use it.
"Many students don't know their administrative passwords to their computers or have an easy password that they just made up when they set up their computers," said Escalante.
Once compromised, the computer can be remotely controlled by an outside user, and it can log everything that is typed, including passwords, and send it to other sites.
The network group noticed an unusually high level of activity at 10:30 a.m. last Monday after returning from Thanksgiving break, which prompted the investigation, he said.
IT checked some of these computers with ePO, recently introduced anti-virus software that students have been installing. No issues were reported surrounding this software. The nature of the virus's attacks was so severe that IT decided to disconnect approximately 100 computers from the BC network despite not knowing what caused the problem and even though some of the computers were in full compliance with BC anti-virus policies.
After examining several of the infected computers, loaned by students, IT determined that a new virus, a derivative of the Agobot family, was the underlying problem. The virus was previously undetected by McAfee and Symantec. IT then obtained emergency pre-release detection signatures from McAfee and sent those signatures to all ePO-protected computers on campus.
"The reason those two [Agobot and SDbot] are the worst is because someone released the source code to both viruses and anyone who gets code can modify it to get around signatures," said Escalante.
The modification of one line of code, he said, could create a completely new version of the virus that could slip under the radar of virus detection programs.
Although this is a new virus, IT believes that 75 percent or more of the infected systems were ones without the latest McAfee software and ePO.
Eliminating the virus was relatively easy for computers that had this latest software installed. These computers were given priority in being reconnected to BC's network.
Prior to disconnecting the infected computers, IT sent out e-mails to the users, giving them about 18 hours to save files they would need to continue working on their laptops.
Many students who brought their computers to IT for analysis were reported to have been clicking on Instant Messenger links in the past several days. It is possible that the virus spread through this mechanism. IT sent out another e-mail to all students with a warning to be careful of links in IMs.
IT is attempting to prevent students from being disconnected from the network since finals week is rapidly approaching.
Nevertheless, any seriously infected computer that is jeopardizing the BC network or other computers on the BC network will be disconnected. When students return to campus in January, infected computers will be aggressively disconnected.
The source of the virus, as well as the perpetrators, could not be identified due to the complications that arise when tracking the virus's origin.
"What we suspect happened is that the computers contacted off campus servers and waited to receive commands," said Escalante. "It then issued commands to computers to get passwords, and since multiple computers were doing it, we would find someone and try to block them, but then find someone else doing it."
IT warns students to be careful of viruses their computers may contract over the winter break. Infected computers brought back with viruses will most likely be re-formatted and given a "clean" installation of Windows, which causes all existing data to be lost.
Asst. news editor Carolyn Mattus contributed to this report.