Undead virus pilfered college servers for more than 10 years

Most viruses have a pretty short life span, in biology as well as computers. But there are always exceptions to the rule. The mysterious “11-day virus” as the local news media are calling it, which I was lucky enough to experience this week, is one example.

But in the world of computers, long-term viruses are extremely rare. Most don’t even make it to the wild because the code they try to exploit has long since been patched or otherwise fixed before they launch.

Those that do successfully make a splash tend to infect a lot of systems quickly, but then the anti-virus companies or Microsoft catches up with them and makes them obsolete. With worldwide honey-pot networks just waiting to report on a new virus threat, the healing process can take mere minutes these days, so not a lot of viruses are given the chance to thrive.

Occasionally, an undead virus will come back to haunt us, as we found out with Stoned.Angelina in 2007.

That was a virus whose biggest accomplishment in the 1990s was finding a dark corner of the Internet to hide in so it wouldn’t get completely scrubbed away. Then, about 10 years later, Windows Vista was launched with exactly the same vulnerability that Stoned.Angelina was designed to exploit. Suddenly, it came back to life and infected 100,000 systems before being put down again. And its hideout was never found, so it could still be alive, waiting for some bad bit of programming to set it free once more.

That’s impressive, but what about a virus that has been active and working for over a decade? Strange but true.

Recently the administrators at the City College of San Francisco noticed some discrepancies in their log files. When they checked it out, they discovered that a virus implanted on their systems in 1999 had been stealing bank info from students and staff members and sending transmissions to Russia, China and other countries for more than 10 years, Bank Info Security reported.

Although final numbers may never be known, at least one person on campus did have information stolen by the virus.

OK, it’s a little bit unforgivable that nobody would notice a virus operating for a decade, or even run a scan on systems during that time, but let’s forget about that for a moment. Since they didn’t want to give the virus a gold watch for longtime service, they instead took the server that it infected offline.

They also implemented several security measures, which are basically the kinds of things they should have been doing all along on their network: adding new security hardware and software, and dividing up servers based on the tasks they perform so that monitoring for anomalous activity is easier.

It’s actually not surprising that a virus could live so long. Unless counterattacked by anti-virus programs, there is no reason to think that a working virus would suddenly disappear on its own. In that sense, it’s no different than the program that controls the traffic lights on your street.

I suspect that the virus at the college may have been put there by someone locally with knowledge of their systems, possibly even an ex-admin or a student aide. That’s why we review a variety of security programs in the GCN Lab that look at everything from mass-induced attacks from the outside to an internal threat from a mole bent on destruction from within.

Incidents like this one should remind everyone that the threats to your data and your productivity are real and multifaceted. Malicious programs never tire, never sleep, and unless found and attacked, never stop working against you.

About the Author

John Breeden II is a freelance technology writer for GCN.


Reader Comments

Wed, Feb 1, 2012

This is pretty much impossible. The lab in question has undergone 3 full hardware refreshes in the last 10 years. For a virus to survive that is not going to happen. The facts here are very wrong. Not to mention the company that the school has contracted for network security has been operating on a suspended business license since 2009. Kinda fishy. Also the school doesn't know who is leaking this info as no one but the CTO (who was hired just last year along with the company) and the company USDN.net has the report.

Thu, Jan 19, 2012 sarah.lyne2

This seems to be very interesting and quite informative.
