Slashdot Mirror


Time Bomb May Have Destroyed 800 Norfolk City PCs' Data

krebsonsecurity writes "The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date, according to krebsonsecurity.com. 'We don't believe it came in from the Internet. We don't know how it got into our system,' the city's IT director said. 'We speculate it could have been a time bomb waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines.'"

256 comments

  1. Just so you get the pronunciation right... by Overzeetop · · Score: 5, Funny

    It's Naw-Fuck.

    And it's nowhere near as embarrassing as how we pronounce Buena Vista.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 1

      How do you pronounce Buena Vista?

    2. Re:Just so you get the pronunciation right... by wintercolby · · Score: 3, Funny

      Yes, and their high school cheer is:
      We don't drink! We don't smoke! Norfolk! Norfolk!

      Pronounced as specified above.

      --
      Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
    3. Re:Just so you get the pronunciation right... by Overzeetop · · Score: 4, Informative

      Byoo'-nah Vis'-tah

      The locals have taken the whole diphthong pronunciation (when two vowels go walking...) to an extreme.

      We also have Staunton, which is pronounced Stan-tun (short a sound).

      --
      Is it just my observation, or are there way too many stupid people in the world?
    4. Re:Just so you get the pronunciation right... by TXFRATBoy · · Score: 1

      How about Buchanan - pronounced Buck-nun, or Botetourt - pronounced BOT-tot

    5. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      it's nowhere near as embarrassing as how we pronounce Buena Vista.

      Or even Botetourt County, Virginia [Baht-uh-tot County]

    6. Re:Just so you get the pronunciation right... by Hatta · · Score: 1

      There's a Norfolk here in Nebraska. It's called "nor-fork". And there's a Buena Vista University just across the river in IA. I cringe every time I hear a radio ad for them. Bew-nah Vista. Just awful.

      Still if you're going to complain about odd spellings and pronunciations, I'd say the British still take the cake with "Worcestershire".

      --
      Give me Classic Slashdot or give me death!
    7. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      I fail to see the funny part of Byoo'-nah Vis'-tah.

      But, maybe that's just me.

    8. Re:Just so you get the pronunciation right... by Overzeetop · · Score: 2, Insightful

      One of my first interactions in the state after being in California for a couple of years was at a Wendy's drive-through. The attendant was kind enough to tell me "I put you some salt and ketchup in the bag." Is there such a thing as hillbillionics?

      Someday I'm going to run for public office, and this thread is going to come back and bite me in the ass. I just know it.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    9. Re:Just so you get the pronunciation right... by xaxa · · Score: 4, Funny

      It's Naw-Fuck.

      In proper Norfolk... well, I'll let Wikipedia explain: More cutting, perhaps, was the pejorative medical slang term "Normal for Norfolk", referencing the county's supposedly high rate of incest. In truth, Norfolk's incest rate is no higher than the rest of England. The term is now discredited, and its use is discouraged by the profession.

      (Sorry, did you want an on-topic comment?)

    10. Re:Just so you get the pronunciation right... by Coren22 · · Score: 1

      Maybe true for the English Norfolk, still up in the air for the Virginia Norfolk...

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    11. Re:Just so you get the pronunciation right... by JustOK · · Score: 1

      try google street view

      --
      rewriting history since 2109
    12. Re:Just so you get the pronunciation right... by xaxa · · Score: 1

      We also have Staunton, which is pronounced Stan-tun (short a sound).

      With pronunciations like that, I think you're well on the way to pronouncing English place names :-)

      Southwark: Su-thuk
      Marylebone: Marl-i-bun
      Norwich, Norfolk: No-rij, Nor-fuk (short o for both).

    13. Re:Just so you get the pronunciation right... by AndersOSU · · Score: 1, Funny

      Nah, it'll be your effete voice, meticulous faggy pronunciation, and vocabulary that contains words like effete.

    14. Re:Just so you get the pronunciation right... by hardie · · Score: 1

      There is a town in northern Maine, Calais, on the Canadian border. Mainers pronounce it exactly like the word 'callous'.

    15. Re:Just so you get the pronunciation right... by JustOK · · Score: 1

      Not that it's pronounced funny (like Nauwigewauk), but Saint-Louis-du-Ha!Ha! is kinda fun to say

      --
      rewriting history since 2109
    16. Re:Just so you get the pronunciation right... by pspahn · · Score: 1

      When I first heard Coloradoans pronounce Buena Vista, I immediately wondered why Pueblo wasn't pronounced Pube-low.

      --
      Someone flopped a steamer in the gene pool.
    17. Re:Just so you get the pronunciation right... by xaxa · · Score: 1

      Still if you're going to complain about odd spellings and pronunciations, I'd say the British still take the cake with "Worcestershire".

      It's reasonably consistent with the other -cester places (which were all Roman towns):
      Leicester (Les-ter), Gloucester (Glos-ter), Alcester (Ol-ster), Bicester (Bi-ster), Towcester (Tow-ster). And "Wus-ter-shire", for anyone that's still wondering about Worcestershire (Worcester is the city, Worcestershire the county).

      Unfortunately, Cirencester isn't Si-ren-ster, but Si-ren-ses-ter.

    18. Re:Just so you get the pronunciation right... by xaxa · · Score: 1

      Oops, I forgot to point out that "shire" in a county name is "shur". "The Shire", as in LotR, is pronounced like shy-er.

    19. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      Ah, good 'ole Virginny. I almost laughed out loud when I heard a local pronounce Buena Vista. Then I heard it on the radio and thought "Oh shit, that's how they all talk here..."

      --Lynchburg, VA

    20. Re:Just so you get the pronunciation right... by mister_playboy · · Score: 1

      That town's name was mangled due to miscommunication.

      http://en.wikipedia.org/wiki/Norfolk,_Nebraska

      The original name of the colony was a variant of "North Fork", but accounts differ on the exact name: "Northfork", "Nor'fork", and "Nordfork" are all suggested. The name was submitted to federal postal authorities, and at some point was transmuted to "Norfolk". The pronunciation "Norfork" is still used by many Nebraskans.

      They should change the spelling to match the pronunciation.

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    21. Re:Just so you get the pronunciation right... by Dragonslicer · · Score: 1

      There is a town in northern Maine, Calais, on the Canadian border. Mainers pronounce it exactly like the word 'callous'.

      Yup, it's even worse than how we mess up Presque Isle. Of course, it was always hilarious to listen to people from out of state try to pronounce Orono. Then I moved to Massachusetts, where we have Billerica. Take a guess how that's pronounced around here (hint: you're wrong).

    22. Re:Just so you get the pronunciation right... by precariousgray · · Score: 1

      No, Norfolk isn't in New Jersey.

      --
      not much, just being forced to manually insert line breaks into my comment
    23. Re:Just so you get the pronunciation right... by carrolljim · · Score: 1

      Billerica? You mean good old "bricka"? :-)

    24. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      Actually, I've heard it pronounced Nar-Fuck and Nor-Fuck as well in Hampton Roads. It's "fuck"-ing consistent at least. Let's not forget Suh-Fuck, Ass-a-Woman, and Ass-a-Teag as well. Then there's K-pr0n. And, quite frankly, I don't know what to make of Roaches Corner. While not nearly an explicative, the upper class town that sprung up in the 90s is called Pa-Koh-Sen.

      Then up in NoVa, there's Man-Asses.

    25. Re:Just so you get the pronunciation right... by GNious · · Score: 1

      First trip to the USA, I went to a burger place in Mississippi (though not a Wendy's) and right there and then I started to doubt my English skills: I did not have the faintest idea what the woman at the till was saying to me! She was surely trying to articulate something, and the people before me had seemingly understood her, but it simply made no sense.
      Later during that trip I stayed a couple of days at the Manhattan Hostel, doing Christmas shopping in New York, and came to realize something: English is simply not a common language in the USA.

    26. Re:Just so you get the pronunciation right... by re_organeyes · · Score: 1

      And Suf-Fuck (Suffolk) is not too far down the road.

      You really have to love living in Virginia.

    27. Re:Just so you get the pronunciation right... by dwiget001 · · Score: 1

      My father was born in Maine, some 67 years ago, but left when he was very young, living in Arizona and Washington and L.A. growing up.

      To this day, he still pronounces "almonds" as "amonds".

    28. Re:Just so you get the pronunciation right... by drinkypoo · · Score: 1

      Still if you're going to complain about odd spellings and pronunciations, I'd say the British still take the cake with "Worcestershire".

      Hearing Texans pronounce Guadalupe "gwa duh loop" makes me projectile vomit while my eyes roll back in my head. Hearing them call Guacamole "gwok a mole" not to try to be cute, but because they recognize no language other than Texan, causes me to act in a similar fashion.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    29. Re:Just so you get the pronunciation right... by AlecC · · Score: 1

      Cirencester is also pronounced by some Sisister or even Sister

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    30. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      You're overdoing it a bit. It's more like somewhere between Nor- and Naw and fck.

      People who say it "fuck" are not local. Nor-folk means not local... but to say it's Naw either means that they have a very very very deep accent that's only common in the areas with the really old set (like old-timers in Yorktown) or that they're just not from around here.

    31. Re:Just so you get the pronunciation right... by Arancaytar · · Score: 1

      It's Naw-Fuck.

      Which coincidentally is close to what they said when they noticed what happened to their computers.

    32. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      Probably obvious but:
        Norfolk = north folk
        Suffolk = south folk
      In England, the two counties share a border.

    33. Re:Just so you get the pronunciation right... by Uggy · · Score: 1

      I went to Botetourt Elementary in Gloucester. Now that's a blast from the past.

      --
      Toddlers are the stormtroopers of the Lord of Entropy.
    34. Re:Just so you get the pronunciation right... by doctorcisco · · Score: 1

      But the pronunciation of the Norfolk in Nebraska has a story behind it ... The original settlers named it "North Fork," after the northern branch of the Platte River. But by the time the name of the town was being registered in Washington, DC, some Virginia-centric bureaucrat wrote the name as "Norfolk," obviously thinking it was named like Norfolk, VA.

      However, the locals continued to pronounce the actual original name. And so, "Norfolk, Nebraska" is pronounced "Nor Fork" to this day. Just sometimes, a word can tell quite a tale.

      Way too often, I know way too much utterly useless information.

      doctorcisco

    35. Re:Just so you get the pronunciation right... by WeatherGod · · Score: 1

      Heh, I remember going to Boston and being told to look up "Wor-ster" on the map. You can imagine my disbelief when -- having asked for the spelling -- being shown a road sign with it spelled out.

    36. Re:Just so you get the pronunciation right... by ewertz · · Score: 0

      In Austin TX (of all places) whitey pronounces "Guadalupe" gwah-dah-loop'. Go fig-ur.

    37. Re:Just so you get the pronunciation right... by mjwalshe · · Score: 2, Funny

      There's also a stereotype of the Norfolk native: "I can't read or write but I can drive a trakter"

    38. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      It's Naw-Fuck.

      In proper Norfolk... well, I'll let Wikipedia explain: More cutting, perhaps, was the pejorative medical slang term "Normal for Norfolk", referencing the county's supposedly high rate of incest. In truth, Norfolk's incest rate is no higher than the rest of England. The term is now discredited, and its use is discouraged by the profession.

      (Sorry, did you want an on-topic comment?)

      Norfolk Virginia, jerk. Not Norfolk England

    39. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      As someone that lives right by Buena Vista (Iowa) I've only heard it pronounced Bew-nah Vista. I had to ask around till I found a non-native to explain it to me.

    40. Re:Just so you get the pronunciation right... by omarius · · Score: 1

      It's the other way 'round--we already know how to pronounce such names, since that's how they've always been said.

      Also--"Staunton" is pronounced the way it is because the town was named for the Stanton family (as in Elizabeth Cady) but was spelled wrong on some document somewhere. So it's pronounced as intended but spelled funny.

      Furthermore, I'll just leave this here^W cheer:

      "We are the girls of Granby High!
      We don't drink & we don't smoke!
      Norfolk! Norfolk! Norfolk!"

    41. Re:Just so you get the pronunciation right... by el_gordo101 · · Score: 1

      You have too many "r"s in there, it's actually pronounced wu-stah.

      --
      TODO: Insert witty sig
    42. Re:Just so you get the pronunciation right... by zmollusc · · Score: 1

      ..and your shit's all retarded.

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    43. Re:Just so you get the pronunciation right... by Anonymous Coward · · Score: 0

      If your shit is retarded try some laxatives for now and remember to eat more fiber in the future!

    44. Re:Just so you get the pronunciation right... by WeatherGod · · Score: 1

      ah, that must have been messing me up all that time!

  2. Not only that, someone's going to jail by Anonymous Coward · · Score: 0

    for making bomb threats.

  3. Essentially destroyed? by Anonymous Coward · · Score: 0

    Whatever it was, it essentially destroyed these machines.

    Unless this time bomb was something from the 90's like Win32.CIH and nuked the BIOS, I doubt that the computers are "essentially destroyed".

    You guys have backups, right?

    1. Re:Essentially destroyed? by CorporateSuit · · Score: 3, Informative

      Hardly. It's just something that messed with the Win32 folder. This could be fixed by a few temps over the weekend if the city government was half-competent.

      --
      I am the richest astronaut ever to win the superbowl.
    2. Re:Essentially destroyed? by v1 · · Score: 4, Insightful

      If they were running backups, they wouldn't be scratching their heads and behaving completely ignorant of what exactly it was or when it was put in. They obviously lost everything, which, I'm sorry, but I find some darwinism/justice in that. If you don't even have a backup to look at to see what it was sitting on the hard drive waiting to blow up, you're just beyond help. Maybe better luck next time.

      But too many out there simply must learn their lessons the hard way. That will never change.

      --
      I work for the Department of Redundancy Department.
    3. Re:Essentially destroyed? by MightyMartian · · Score: 4, Insightful

      We've instituted offsite backups, both over the tubes and physically taking images of our servers (all virtualized of course) offsite to a bank safety deposit box. If, for whatever reason, the whole damned building explodes tomorrow, we've got the data sitting on servers in two other geographically distant locations. But if we can't get to those, we have the VM images, so as long as we can get our hands on a server capable of running Linux KVM, we could be up and running in short order (I estimate 3-4 hours, including host OS installation).

      The days when a physical or digital attack can fuck the whole organization are gone. There are enough traditional and newer backup schemes out there that even long downtimes aren't necessary.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Essentially destroyed? by HockeyPuck · · Score: 1

      You must have a pretty small site if all of your data is contained within the .vmdk files and you can restore an entire datacenter (from bare metal) in 3-4 hours (including OS install time).

    5. Re:Essentially destroyed? by MightyMartian · · Score: 1

      It's relatively small, but we're actually backing images up to hard drives, not to tape or over the wire. The files themselves are both backed up to tape, and use DFS and some other mechanisms (like robocopy replication) to our remote servers. In a worst case scenario, I could pretty much drive the 100 miles, grab the remote domain controller and file servers from one of our satellite sites and drop them in the main office. The guys out there might not be happy that they were accessing everything through terminal services, but oh well.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re:Essentially destroyed? by Lumpy · · Score: 4, Insightful

      You got it. It's also a great example of how incompetent most cities' IT staff are. Hey municipalities... you get what you pay for. How's those $25,000 a year IT staff working out for ya?

      --
      Do not look at laser with remaining good eye.
    7. Re:Essentially destroyed? by Em+Ellel · · Score: 1

      (I estimate 3-4 hours, including host OS installation).

      I've done this in some small VMWare setups: using the snapshot feature on the FS (LVM works) plus a few very large external drives (those USB to SATA cradles work great), automate a backup of the snapshots of the OS and VM partitions once every X days, take the drive offsite and use another one. With 3 drives, you can rotate them and always keep one offsite. What you now have is essentially a fully working drive you can insert into another server and just turn on: no OS install, no fiddling with VMWare install and versions; recovery time is down to essentially the time it takes to get the drive (if you have to use the offsite drive) and get new hardware. Best thing is that the costs are that of a few USB drives and a bit of scripting...

      -Em

      --
      RelevantElephants: A Somatic WebComic...
    8. Re:Essentially destroyed? by MightyMartian · · Score: 1

      The basic idea behind storing snapshots is simply to allow faster recovery of operations even in the case of absolute disaster. We still have nightly differential backups, a weekly full backup, plus Server 2003 DFS and some scripted replication (via robocopy) of file servers. Nothing replaces a good backup scheme, which is a major pain in the ass to develop and sometimes a pain to maintain. When we formulated the project, the basic notion was "If a fire/meteor/other disaster takes out one of our offices, how can we reduce downtime and data loss to the barest minimum". Rather than relying on a single backup strategy (i.e. tape or distributed FS), we adopted a scheme of using multiple strategies. Daily and weekly backups are still important for accidental deletions and corruptions. Quarterly and annual backups are still important for archival purposes, and this is still the area where tape is king. But trying to restore something like a Server 2003 domain controller or Exchange server purely from backup has always been for me a nightmarish prospect, consuming considerable amounts of time. The idea behind virtual guest snapshots on a weekly basis is that I can get these servers up and running ASAP and use weekly and daily backups to refresh everything to get data up to date.

      If the tape fails, well, the worst is that I lose at most four business days of data, but hopefully not even that with DFS and other replication strategies. But let's take a worst case scenario, that somehow someone breaks into the network, destroys all the data on all domain controllers, the Exchange server and the file servers at all sites (something I don't find terribly likely). I still have the full backups of all files plus the Exchange and AD domain controller images sitting offsite on an external hard drive in a bank vault. I might lose about five days' worth of work at the outside, which would be bad, no doubt about it, but certainly not the catastrophe of losing all my data, but that's only in a worst-case scenario.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    9. Re:Essentially destroyed? by plague3106 · · Score: 0, Offtopic

      so as long as we can get our hands on a server capable of running Linux KVM

      Linux needs a server just to run a kbd-video-mouse box?

    10. Re:Essentially destroyed? by nabsltd · · Score: 1

      You must have a pretty small site if all of your data is contained within the .vmdk files and you can restore an entire datacenter (from bare metal) in 3-4 hours (including OS install time).

      If you use any of the various wizards that create an install script based on your actual VM host config, you can usually re-install a host in less than 10 minutes.

      Then, if you have a good backup of the actual running config of the host (i.e., the VM database, the virtual disk files, etc.), it's just a matter of getting the data to where it belongs.

      For most, the biggest issue would definitely be acquisition of the hardware (the hosts, all the network hardware, SAN, etc.), which would generally take a lot longer than the re-install time.

    11. Re:Essentially destroyed? by Em+Ellel · · Score: 1

      Just to clarify, I was talking about the host's file system snapshots (think LVM), and not VMware's guest snapshots. FS snapshots will let you get a consistent backup of the host OS and all the VMs. (If you back up a running VM without a FS snapshot you likely end up with a useless corrupted file.)

      This way you can grab the off-site backup drive, install it into fresh hardware, turn it on and have a fully functional system in a matter of seconds.

      And no, it does not replace file-level backups - it's just for emergency recovery. (Of course theoretically you can start the backup on non-networked hardware and get the files you need, but there are better solutions.)

      -Em

      --
      RelevantElephants: A Somatic WebComic...
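      The host-level snapshot-and-rotating-drive scheme Em describes in comments 7 and 11, written out as an added shell example that is not from the thread or from any poster. It assumes an LVM volume group named vg0 with logical volumes root and vms, three external drives labelled BACKUP0..BACKUP2 and a mount point /mnt/backup (all assumptions), and it writes raw images of each volume restorable with dd rather than a directly bootable clone; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot each LV on a VM host and stream
# it raw onto whichever of three rotating external drives is due, so one drive
# is always offsite. Assumed names: VG vg0, LVs root and vms, drives labelled
# BACKUP0..BACKUP2, mount point /mnt/backup.

VG=${VG:-vg0}
LVS=${LVS:-"root vms"}
SNAP_SIZE=${SNAP_SIZE:-10G}
MOUNT=${MOUNT:-/mnt/backup}
DRY_RUN=${DRY_RUN:-0}

# Run a command, or just echo it when DRY_RUN=1 (no root or LVM needed).
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Which of the three drives is due: rotate on the day count, so each drive
# comes back every third run and the other two sit offsite in between.
drive_slot() {
  days=$1
  echo $(( days % 3 ))
}

# Snapshot one LV, copy the frozen snapshot to the backup drive, drop the
# snapshot. Copying the snapshot rather than the live LV is what keeps the VM
# disk images inside it consistent while guests keep running.
backup_lv() {
  lv=$1
  snap="${lv}_snap"
  run lvcreate --snapshot --size "$SNAP_SIZE" --name "$snap" "/dev/$VG/$lv" || return 1
  run dd "if=/dev/$VG/$snap" "of=$MOUNT/$lv.img" bs=4M
  status=$?
  # Always remove the snapshot; a lingering one fills up and invalidates itself.
  run lvremove -f "/dev/$VG/$snap"
  return $status
}

# Mount today's drive by label, image every LV onto it, flush and unmount so
# the drive can be pulled and taken offsite straight away.
backup_all() {
  days=$(( $(date +%s) / 86400 ))
  slot=$(drive_slot "$days")
  run mount -L "BACKUP$slot" "$MOUNT" || return 1
  for lv in $LVS; do
    backup_lv "$lv" || { run umount "$MOUNT"; return 1; }
  done
  run sync
  run umount "$MOUNT"
  echo "backup written to drive BACKUP$slot"
}

if [ "${1:-}" = run ]; then
  backup_all
fi
```

      Restoring a volume onto replacement hardware is the reverse dd from the image file into a freshly created LV; the file-level backups Em mentions are still needed for anything finer-grained than whole volumes.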
    12. Re:Essentially destroyed? by MichaelSmith · · Score: 2, Insightful

      But whoever hated them enough to install the time bomb would obviously have sabotaged the backups. Maybe that was what the delay was all about.

    13. Re:Essentially destroyed? by jim_v2000 · · Score: 1

      Workstation backups? I didn't know that was something that anyone did.

      --
      Don't take life so seriously. No one makes it out alive.
    14. Re:Essentially destroyed? by shadowbearer · · Score: 1

      It's just something that messed with the Win32 folder.

      So far as they know, at this point.

      I agree that the rest of it could be fixed - although it's likely to be easier to wipe and re-image the systems (if they bothered to build them from images in the first place, that is) than to try and restore the installation.

      But the original problem could lie in the user data files or somewhere else as well; once they restore those and someone clicks on an infected file, they are doing it all over again.

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    15. Re:Essentially destroyed? by shadowbearer · · Score: 1

      Not necessarily (although I agree with you).

      That's why competent IT staff do spot checks on the integrity of their backups.

      (Or if you're paranoid enough and have the time, or it's indicated by the mission critical aspects of your data, you verify ALL of them.)

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    16. Re:Essentially destroyed? by Anonymous Coward · · Score: 0

      If you are running your ESX all locally and not over slow pipes, VMware's Data Recovery Appliance works great for backing up VMs. The last version I tried would only allow one instance per Virtual Center, so remote locations would all have to be backed up back to that single location, which did not work for us, and it did not seem enterprise ready enough for us, but it does work great and it's no cost.

      http://www.vmwareinfo.com/2009/08/how-to-install-vmware-data-recovery.html

    17. Re:Essentially destroyed? by Eskarel · · Score: 2, Insightful

      It's not, except for the insane or people who aren't able or willing to use a reasonable imaging and app distribution system.

      It appears that people who didn't RTFA or who work at tiny tiny sites are criticizing these guys without knowing what the hell they're talking about.

      No one does workstation backups because it's costly, risky, inefficient, and generally doesn't work. The only way to make it work is to say "put all the documents you need to backup here" and here is better off being a network drive anyway.

    18. Re:Essentially destroyed? by shinzawai · · Score: 2, Insightful

      VMware Data Recovery is a piece of shit that rarely works the way you want it. Try reading the forums sometime to see how much grief it gives others.

    19. Re:Essentially destroyed? by ciggieposeur · · Score: 1

      Hey municipalities... you get what you pay for. How's those $25,000 a year IT staff working out for ya?

      The flaw is that when a government entity pays for higher quality, people then screech about government waste and inefficiency. "I can't believe they're paying $50,000 a year for IT jobs that are really only worth $25,000 a year."

    20. Re:Essentially destroyed? by hesaigo999ca · · Score: 1

      I agree; however, sometimes even having backups means diddly squat, especially if the admin was never smart enough to test the backup system's integrity. I worked in one place where we had backups galore, until one day we needed to restore a db, and when we asked for it, it took 2 hours to rummage through to find one backup predating even the installation of our db. We were screwed. The disk failure made it impossible to recover the mdf and ldf files off the disk, and without having checked each night that the backup image made was OK to use for a restore, we never knew that the backups were not good ones until it was too late.

      Sadly, the admin lost his job over this one, and I think left IT altogether.

    21. Re:Essentially destroyed? by v1 · · Score: 1

      Sadly, the admin lost his job over this one

      I don't feel the least bit sorry for him. If the company relied on him being the expert and taking care of backups and he completely failed at that aspect of his job, that's the price for catastrophic fail in any job position. Something like that doesn't even rate as an accident. Accidents can happen. That's just plain negligence, and considering the severity, gross negligence. Out you go, mind the door...

      --
      I work for the Department of Redundancy Department.
    22. Re:Essentially destroyed? by hesaigo999ca · · Score: 1

      I agree, but I hate to see people lose their jobs, especially during these times.

    23. Re:Essentially destroyed? by v1 · · Score: 1

      You hate to see an incompetent IT person whose negligence causes his company to lose tens of thousands of dollars getting replaced with someone that knows what they're doing and can actually be relied on?

      How do you feel about the company that loses all that due to the incompetence of an employee they were trusting with their future?

      I don't feel the least bit bad for that person. From a purely selfish perspective I could even be a little happy about it, I can do better than that, and I can use new job opportunities, and that'd be a win-win situation for that company and me. The only loser is, well, the loser. The only real tragedy in that whole story is what had to happen to the company before he got replaced.

      --
      I work for the Department of Redundancy Department.
    24. Re:Essentially destroyed? by hesaigo999ca · · Score: 1

      >You hate to see an incompetent IT person whose negligence...
      That's not what I said, don't twist what I am saying. I said I hate to see ANYBODY lose their job during this time where we are still somewhat in an economic crisis. I agree that many incompetent workers should get replaced, but they still have families, and they still need jobs, and anyone losing a job during these hard times is always worse off than when everybody is happy and making money.

  4. Wait a minute.. by VMaN · · Score: 1, Funny

    ... this is the internet... Isn't the apostrophe in the title supposed to be further to the left? :|

    I had to read it twice to confirm it was used correctly.

    1. Re:Wait a minute.. by travdaddy · · Score: 1

      ... this is the internet... Isn't the apostrophe in the title supposed to be further to the left? :|

      So, you're complaining that correct grammar was used?

      You're like the opposite of a Grammar Nazi, or an incompetent one!

      --
      Adidas To Bring Back Sneakernet
    2. Re:Wait a minute.. by mcgrew · · Score: 1

      Naw, this is the internet. There shouldn't be an apostrophe at all! Worse than that, they didn't even misspell anything. What is this internet coming to? If this keeps up, people may become literate!

    3. Re:Wait a minute.. by Anonymous Coward · · Score: 0

      Reading comprehension. You should have been taught this in the 3rd or 4th grade.

    4. Re:Wait a minute.. by JustOK · · Score: 1

      He's a Grammar Libertarian or possibly Grammar Anarchist.

      --
      rewriting history since 2109
    5. Re:Wait a minute.. by Anonymous Coward · · Score: 0

      I don't know, I think that comic's pretty gay

    6. Re:Wait a minute.. by tivoKlr · · Score: 1

      Irony comprehension, either you've got it or you don't. Not taught at any level.

      --
      Ocean is land, covered with water.
    7. Re:Wait a minute.. by Hognoxious · · Score: 1

      I'm surprised the apostrophe wasn't in "destroy'd". Why have people started doing that?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    8. Re:Wait a minute.. by mcgrew · · Score: 1

      It's annoying to me, but I can see where it could be considered a contraction of sorts; dropping the "e". Stupid as well as ignorant. What gets me is people using an apostrophe in a non-possessive plural, "she get's her eggs early". I usually send those people here.

  5. I live in VA Beach by bsDaemon · · Score: 1

    I live in VA Beach, which is the next city down the road (I live a few blocks from exit 20 on 264, and downtown Norfolk is exit 13ish), and I work in a security-related position, so we tend to keep up on news like this, but this is the first I'm hearing of it, though it looks to have gone down last week (apparently the boot.ini files were modified between 16:30 and 17:30 on 9 February, and only the computers which rebooted during that time period were affected).

    It doesn't sound like the attack was particularly complex or anything, so maybe that's why it isn't exactly "newsworthy" (I also don't watch local TV news, so I don't know if they mentioned it), but still, sucks for them. I hope they have good backup policies.
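
What bsDaemon reports (boot.ini touched inside a one-hour window, only machines that rebooted afterwards being hit) is exactly the kind of fact an offline file timeline turns up. The script below is an added example, not anything from the article or from the city's IT staff. It assumes a disk pulled from an affected PC, or a dd image of it, is mounted read-only on a Linux box, and lists every file whose modification time falls inside the reported window. The window and the boot.ini path are the ones quoted above; the directory tree the demo builds is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the article): offline triage of a volume from an
# affected PC. Assumes the victim's NTFS volume, or a dd image of it, is
# mounted read-only, e.g.:
#   mount -o ro,noexec,noatime,loop victim.img /mnt/victim
# Requires GNU find (-newermt, -printf) and GNU touch (-d) for the demo.

# Print files under ROOT modified inside [START, END), oldest first.
# START/END are in a form GNU find's -newermt accepts ("2010-02-09 16:30").
files_changed_in_window() {
    root=$1; start=$2; end=$3
    # -newermt START keeps files modified after START; ! -newermt END drops
    # anything modified after END. -xdev stays on the mounted volume.
    find "$root" -xdev -type f -newermt "$start" ! -newermt "$end" \
         -printf '%TY-%Tm-%Td %TH:%TM  %p\n' 2>/dev/null \
        | sed "s|  $root/|  |" | sort
}

# Demo on a constructed tree: boot.ini and a dropped job file inside the
# window, a user document from days earlier, and a log written afterwards.
demo_triage() {
    root=$(mktemp -d)
    mkdir -p "$root/WINDOWS/Tasks" "$root/Documents and Settings/jdoe"
    touch -d "2010-02-09 16:47" "$root/boot.ini"
    touch -d "2010-02-09 17:02" "$root/WINDOWS/Tasks/At1.job"
    touch -d "2010-02-05 09:00" "$root/Documents and Settings/jdoe/budget.xls"
    touch -d "2010-02-09 18:10" "$root/WINDOWS/setuplog.txt"
    files_changed_in_window "$root" "2010-02-09 16:30" "2010-02-09 17:30"
    rm -rf "$root"
}
```

On a real volume the hit list also contains everything Windows itself wrote during that hour (the thread notes it was Patch Tuesday), so compare against a clean image of the same build to strip the noise. Modification times can be forged, too; when the list looks too clean, build the timeline from the NTFS metadata instead (for example The Sleuth Kit's fls -m feeding mactime), which also shows the $FILE_NAME timestamps that timestomping tools usually leave alone.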

    1. Re:I live in VA Beach by sakdoctor · · Score: 1

      Bomb! Destroyed! Meltdown!

      Judging by the hyperbole, the reason you haven't heard about it, is because the destruction was so great, there were no survivors left to report it.
      The blast radius of 800 computers, all exploding at once, would have caused devastation and little radioactivity symbols, the likes of which you've never seen before.

    2. Re:I live in VA Beach by bsDaemon · · Score: 1

      I don't know, I used to play with all disasters turned on in SimCity 2000, and then try and cause them.... shooting the nuclear plant with the microwave beam from the power satellite and stuff. Plenty of radiation symbols when that got done.

    3. Re:I live in VA Beach by YrWrstNtmr · · Score: 1

      (I also don't watch local TV news, so I don't know if they mentioned it)

      It was mentioned on the Tuesday (I believe) news.

    4. Re:I live in VA Beach by idiotnot · · Score: 1

      WTKR had it last night at 11, but were kinda sketchy on details. Big emphasis on NO CITIZEN OR EMPLOYEE DATA WAS AFFECTED.

      I live in Norfolk; let's just say that the best and brightest aren't working in IT for local governments. Defense companies pay a lot better.

      When I worked for another local city, they were still running an ancient 16-bit version of Netware (would have been like 2002).

    5. Re:I live in VA Beach by Skuld-Chan · · Score: 1

      I hope they have good backup policies.

      If all they did was fiddle the boot.ini - why not just fix these "destroyed" PCs?

    6. Re:I live in VA Beach by confused+one · · Score: 1

      As someone who lives across the river in Newport News (yes, that's the name of the city), I can tell you that we don't need no destruction to see little radioactivity symbols. We just need to count the ships. (Hint: Norfolk Naval Base and Newport News Shipbuilding).

    7. Re:I live in VA Beach by coastal984 · · Score: 1

      WAVY had it on the news, the emphasis was also clearly on "No personal data was stolen". It wasn't a particularly in depth report, however, would you expect normal local network news to give anything other than an "It Happened" glazeover?

    8. Re:I live in VA Beach by hduff · · Score: 1

      There was an article in the Wednesday Virginian-Pilot about an IT problem like this in Virginia Beach, but not Norfolk. BTW, it was VB that was caught in a major audit over MS licenses and wasted my tax money on re-buying additional licenses.

      --
      "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  6. It happened on Patch Tuesday. by gimmebeer · · Score: 4, Interesting

    I wonder if there is any correlation between the number of PCs that crashed and the number of PCs set to automatically download and install patches...

    1. Re:It happened on Patch Tuesday. by Chrutil · · Score: 2, Insightful

      I wonder if there is any correlation between the number of PCs that crashed and the number of PCs set to automatically download and install patches

      Sounds like it happened on reboot of these machines, which could imply that patch installation is responsible for the timing (if it mandated a reboot), but not necessarily for the cause.

    2. Re:It happened on Patch Tuesday. by operagost · · Score: 1

      Duh. It would figure that their entire IT department didn't read the news about the Microsoft update causing PCs to BSOD on bootup if they had been compromised by a specific malware.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    3. Re:It happened on Patch Tuesday. by gimmebeer · · Score: 1

      This is what I was getting at, I read about this problem but I'm far too lazy to find a link at the moment. It was a known issue with a recent MS patch, but I don't recall whether it would trash the System32 directory or not. I'd venture to say not since it had to do with a specific .dll or something similar being updated.

    4. Re:It happened on Patch Tuesday. by idontgno · · Score: 3, Interesting

      Linky

      Unless you're too lazy to click and read, too.

      The specific problem BSODs the machine during any boot (effectively bricking it until fixed). Some of the comments talk about replacing files in the System32 directory with backups. Hmm.... coincidence? Could be.

      The story would go from "interesting" to "fascinating" if it turned out that the hundreds of municipal PCs got trashed because they were rootkitted while the Microsoft Patch was being installed (apparently, the root cause of this BSOD problem).

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    5. Re:It happened on Patch Tuesday. by Anonymous Coward · · Score: 0

      "(effectively bricking it until fixed)"

      If something is bricked, then it cannot be fixed by definition of the word.

    6. Re:It happened on Patch Tuesday. by Anonymous Coward · · Score: 0

      I'll bet lots of money that it's a poorly written script.

      I've seen several companies run scripts through some automation mechanism, then do a del *.* without setting the current working directory.

      Well, the default directory is system32. You can imagine the rest.

    7. Re:It happened on Patch Tuesday. by idontgno · · Score: 2, Informative

      I knew some pedanto-troll would say that.

      No one cares. "Bricked" means non-responsively broke. Repairable or not.

      Get over yourself.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    8. Re:It happened on Patch Tuesday. by Anonymous Coward · · Score: 1, Funny

      I've got this brick I bought from Home Depot. If you repair it, it will be a fully working computer.

    9. Re:It happened on Patch Tuesday. by mgblst · · Score: 1

      Why is your definition better than the original?

      And since we can just change definitions of words whenever we want, why can't we just change it back!

    10. Re:It happened on Patch Tuesday. by quenda · · Score: 1

      "Bricked" means non-responsively broke. Repairable or not.

      Get over yourself.

      Yes Sir, Mr Dumpty!

    11. Re:It happened on Patch Tuesday. by GaryPatterson · · Score: 1

      This one time, a hacker got into my PC and used it to serve up some stolen music. When I tried to kick him, he bricked my machine, but it rebooted okay.

    12. Re:It happened on Patch Tuesday. by JRHelgeson · · Score: 1

      Read this:
      http://news.slashdot.org/comments.pl?sid=1553786&cid=31180686

      This technique would delete all the files that are not in use, and upon reboot - the machine would be T.O.A.S.T.

      -Joel

      --
      Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  7. Sounds like... by Anonymous Coward · · Score: 0

    ... someone has a case of the 2 A.M. Worm.

    "How the hell did it get in here?"

  8. It took them a week to notice? by flaming+error · · Score: 1

    > We don't know how it got into our system... We speculate...

    As long as we're speculating, may I nominate last week's "Operation Cyber Storm" (http://www.dhs.gov/xnews/releases/press_release_0853.shtm).

  9. A healthy System32 dir is 1.5 GB by caseih · · Score: 2, Informative

    At first glance that blows my mind. That's absolutely huge. Then I check my linux box and /usr/lib64 is 1.7 GB.

    1. Re:A healthy System32 dir is 1.5 GB by characterZer0 · · Score: 1

      You should use symlinks. My /usr/lib64 is 0k.

      --
      Go green: turn off your refrigerator.
    2. Re:A healthy System32 dir is 1.5 GB by sensei+moreh · · Score: 1

      Ubuntu Lucid Lynx Development:
      /usr$ du -sm *
      836 lib
      50 lib32
      0 lib64

      Fedora Rawhide:
      /usr# du -sm *
      275 lib
      957 lib64

      --
      Geology - it's not rocket science; it's rock science
    3. Re:A healthy System32 dir is 1.5 GB by Anonymous Coward · · Score: 0

      jaunty with some accumulated cruft:

      1813024 /usr/lib

      of which:

      353500 /usr/lib/openoffice
      235464 /usr/lib/jvm
      96868 /usr/lib/python2.5
      94128 /usr/lib/python2.6
      53976 /usr/lib/python2.4

    4. Re:A healthy System32 dir is 1.5 GB by Anonymous Coward · · Score: 0

      At first glance that blows my mind. That's absolutely huge. Then I check my linux box and /usr/lib64 is 1.7 GB.

      No, /usr/lib or /usr/lib64 is not "system32" equivalent. Most user software does not install into system32. /lib is closer to system32 and that is only 200M where I'm sitting.

  10. No explanation by HotNeedleOfInquiry · · Score: 4, Insightful

    As to why they couldn't just boot to linux or a recovery CD and salvage the data....

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:No explanation by gurutc · · Score: 1

      You're right. This is big enough to spend some money on data recovery. Especially the mechanism so they can identify the perp.

      --
      Moderation in All Things... Especially Moderation - gurutc
    2. Re:No explanation by NevarMore · · Score: 0

      Because their computers used a CDROM based on a Flahbersen 3401-B chipset and Linux only has drivers for the 3401-A chipset if you set the ARS_BOGGLE compile flag.

      In all seriousness, it's because there are 800 computers, unspecified if they're servers or desktops, and it takes a LOT of time to recover that many machines. Varying speed depending on if you just need to recover My Documents (which should have been on a network share anyway) or the whole disk or just files requested by users.

    3. Re:No explanation by jedidiah · · Score: 1

      In other words: Those machines really had nothing worth saving anyways.

      They could all have been a bunch of VT-220's for all anyone cares.

      No, it's not really like that. The same entity that allowed this to happen
      can't be bothered to make sure that there wasn't any data lost during the
      whole shenanigan. It's corner cutting from top to bottom.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    4. Re:No explanation by wiredog · · Score: 4, Informative
    5. Re:No explanation by __aamnbm3774 · · Score: 1

      ...because that sounds ridiculously slow/annoying/complex for 800 PCs.

      gotta love the 'token Linux' reply without thinking about their response first.

    6. Re:No explanation by Lumpy · · Score: 1

      That requires skilled IT workers. Hell, I can build a Linux boot CD or USB drive that will boot up, mount the NTFS partition and copy all *.doc, *.xls, *.ppt, etc. files to a waiting fileserver. You could recover all the data on 800 machines in one weekend. Add in a simple prompt to ask for the PC name or username for that user and no need to even sort through the files.

      Heck, if you did your imaging right, the same disk can also start the reimage of the drive from the image repository on the network so it's all automatic. 8 IT grunts and 1 admin working a really long weekend, two 12-hour shifts each day.

      --
      Do not look at laser with remaining good eye.
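
The copy-out step of the boot-CD workflow Lumpy sketches, as an added example that is not the poster's script or anything the city used. It assumes the PC's NTFS volume is already mounted read-only at ROOT and the collection share is mounted at DEST; the host name is passed in (on the CD you would prompt for it with read). Document extensions, excluded directories and the manifest format are my assumptions; the volume the demo builds is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): the copy-out step of a boot-CD
# recovery. Assumes the PC's NTFS volume is mounted read-only at ROOT
# (e.g. ntfs-3g -o ro /dev/sda1 /mnt/win) and the collection share is
# mounted at DEST (CIFS/NFS). On the boot CD you would prompt for HOST:
#   printf 'PC name: '; read -r host
# File types and excluded paths are assumptions; adjust to site policy.

# Copy user documents from ROOT into DEST/HOST, preserving relative paths
# and timestamps, and write a sha256 manifest. Prints the number of files.
recover_user_files() {
    root=$1; dest=$2; host=$3
    out="$dest/$host"
    mkdir -p "$out"
    find "$root" -xdev -type f \
         \( -iname '*.doc' -o -iname '*.docx' -o -iname '*.xls' -o -iname '*.xlsx' \
            -o -iname '*.ppt' -o -iname '*.pptx' -o -iname '*.pdf' -o -iname '*.pst' \) \
         ! -ipath "$root/windows/*" ! -ipath "$root/program files/*" \
         -exec sh -c '
            root=$1; out=$2; shift 2
            for f; do
                rel=${f#"$root"/}
                mkdir -p "$out/$(dirname "$rel")"
                cp -p "$f" "$out/$rel"
            done' _ "$root" "$out" {} +
    # Manifest of what was copied, so the restore can be checked against it.
    ( cd "$out" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | sort -k2 > MANIFEST.sha256 )
    grep -c . "$out/MANIFEST.sha256"
}

# Demo on a constructed volume: three documents that should be collected,
# one inside Program Files and a temp file that should not.
demo_recover() {
    vol=$(mktemp -d); share=$(mktemp -d)
    mkdir -p "$vol/Documents and Settings/jdoe/My Documents" \
             "$vol/Program Files/App" "$vol/WINDOWS/system32"
    echo budget > "$vol/Documents and Settings/jdoe/My Documents/budget.xls"
    echo memo   > "$vol/Documents and Settings/jdoe/My Documents/memo.DOC"
    echo mail   > "$vol/Documents and Settings/jdoe/outlook.pst"
    echo readme > "$vol/Program Files/App/readme.doc"
    echo tmp    > "$vol/Documents and Settings/jdoe/~WRL0001.tmp"
    echo dll    > "$vol/WINDOWS/system32/kernel32.dll"
    n=$(recover_user_files "$vol" "$share" NOR-PC114)
    # Check the copies against the manifest the way the restore team would.
    if ( cd "$share/NOR-PC114" && sha256sum -c --quiet MANIFEST.sha256 ) \
       && [ -f "$share/NOR-PC114/Documents and Settings/jdoe/My Documents/memo.DOC" ]; then
        echo "$n verified"
    else
        echo "$n FAILED"
    fi
    rm -rf "$vol" "$share"
}
```

The read-only mount matters for two reasons: it keeps the technician from writing to a disk that may still be evidence, and it stops a half-recovered malware from running. The manifest is what lets you answer "did you get my file?" a week later without touching the original disk again.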
    7. Re:No explanation by Darth_brooks · · Score: 3, Insightful

      Sure there was. It was the part about "...784 machines..."

      784 x 30 minutes (that's if IT actually has enough people to keep the restores going non-stop, AND doesn't have to travel out to the site to do the restore or recovery, AND doesn't account for the user that has 12 years' worth of archived e-mail plus 40 gigs of vital contracts that simply MUST be stored on their laptop *eyeroll*) == 23,520 minutes, or about 16 days working round the clock, just recovering data.

      It's all about triage. The users who played by the rules and stored their stuff on the server are probably getting the good old fashioned 'nuke from orbit' fix and will be back in a couple hours. It's the people who need to boot disc / copy to network / reimage / copy back down that are going to be down for a while. Sadly, there are cases where the user simply has to have local data. We've all got them, and we probably all have nightmares about them losing data.

      --
      There are some people that if they don't know, you can't tell 'em.
    8. Re:No explanation by Eskarel · · Score: 1

      It's called lessons learned the hard way.

      Basically any site this large will have a policy in place requiring all data to be saved onto a network drive. People of course don't do this, for any number of reasons, some good, some bad.

      However, whatever their reasons, generally speaking, IT departments have no real sympathy for people who violate this specific policy and will generally only spend any significant time trying to restore files stored in this way if the person who lost their files is high enough up to cause trouble.

    9. Re:No explanation by Anonymous Coward · · Score: 0

      I guess some hackers really like their snow days... when it doesn't snow, look out.

  11. Norfolk's IT is fail. by castironpigeon · · Score: 5, Insightful

    So the data is wiped because the System32 folder is fucked up? Uh-huh... guess they have to throw out all those computers and order new ones. Looks like the data's gone forever.

    --
    mmmm...forbidden donut
    1. Re:Norfolk's IT is fail. by ohmygodatoyrobot · · Score: 1

      I thought deleting System32 made your computer faster.

    2. Re:Norfolk's IT is fail. by Tryle · · Score: 1

      Deleting system32 allows you to Tri-Force correctly on /b/ .

    3. Re:Norfolk's IT is fail. by Anonymous Coward · · Score: 0

      I guess that's what you get for storing your data in System32!

    4. Re:Norfolk's IT is fail. by Darth_brooks · · Score: 3, Informative

      Umm, yeah. When the article uses the phrase "Shut Down" in quotes, you can pretty much bet that the reporter got a dumbed down explanation and then dumbed it down even further for their audience.

      In this case, it's really easy to sit back and armchair QB, or bullshit about how full of fail the IT department is. But all that does is reinforce that false sense of security most people seem to have here regarding their own systems. Look at the domain admin next to you. Or the group of people that have local admin rights on PCs. Now think about these lines in a batch file:

      bootcfg /delete /ID0

      del C:\windows\system32\*

      Now think of someone pushing that in a batch file into scheduled tasks on a Thursday night. Would you notice? Does your super-duper-uber AV console notify you of new scheduled tasks? You think AV is going to stop a task like that, being run by an admin? Here, just for fun, put this in front of those lines:

      Net Stop YOUR_AV_SERVICE_HERE

      There are a million and one legitimate ways that this could be done by a rouge admin. PSEXEC and a txt file with a list of computer names (which is probably all that was on the 'rogue' print server) comes to mind. Snigger and snort all you want. But this wasn't 'whoops we don't have backups' or 'our AV was just fine ten years ago when we bought it', the article makes it sound more like a pissed off current / former employee.

      Either way the city's in a world of pain now, but nowhere near the world of pain the guy that did this is going to be in. Something like this won't be that hard to figure out. Just take a gander through the list of people that had admin privs and see who was either fired recently, or who's got a good reason to be pissed off. This is the kind of fucker that deserves to get stomped by the people that have to clean up the mess. Thanks asshole. Your super-l33t skills are nothing more than a long inconvenience.

      --
      There are some people that if they don't know, you can't tell 'em.
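
"Would you notice?" is the question a detection rule over the event logs answers, and the three moves in Darth_brooks' batch file (a new scheduled task, the AV service stopped, and, if the attacker is thorough, its start type set to disabled) each leave a record. The script below is an added example, not code from the page or from anyone in the thread. It assumes Windows event logs have been exported and flattened to one line per record in the form timestamp|host|event_id|source|message; the event IDs are real (4698 and 602 for task creation, 7036 and 7040 from the Service Control Manager), while the host, account and service names in the sample export are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): flag the moves in Darth_brooks'
# batch-file scenario in exported Windows event logs. The input format is an
# assumption: one record per line, "timestamp|host|event_id|source|message",
# i.e. an export (wevtutil, Get-WinEvent) flattened to one line per event.
# The event IDs are real; host, account and service names are constructed.

# flag_suspicious_events FILE [ALLOWED_ACCOUNTS] [AV_REGEX]
#   ALLOWED_ACCOUNTS: comma-separated accounts that may create tasks
#                     (deployment/patching service accounts)
#   AV_REGEX:         lower-case regex for the AV service's display name
# Prints one line per hit: "<timestamp> <host> [<id>] <reason>".
flag_suspicious_events() {
    file=$1; allow=${2:-}; avpat=$3
    [ -n "$avpat" ] || avpat='anti ?virus|endpoint protection'
    awk -F'|' -v allow="$allow" -v avpat="$avpat" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        id = $3; msg = $5; lmsg = tolower(msg); reason = ""
        if (id == 4698 || id == 602) {
            # 4698 (Vista/2008 and later, needs "Audit Other Object Access
            # Events") and 602 (2000/XP/2003): a scheduled task was created.
            acct = msg; sub(/.*Account Name: */, "", acct); sub(/ .*/, "", acct)
            if (!(acct in ok)) reason = "scheduled task created by " acct
        } else if (id == 7036 && lmsg ~ avpat && lmsg ~ /stopped state/) {
            # System log, Service Control Manager: the AV service was stopped.
            reason = "AV service stopped"
        } else if (id == 7040 && lmsg ~ avpat && lmsg ~ /to disabled/) {
            # Start type changed to disabled: the stop survives a reboot.
            reason = "AV service start type set to disabled"
        }
        if (reason != "") print $1 " " $2 " [" id "] " reason
    }' "$file"
}

# Demo on a constructed export: a legitimate task from the deployment
# account, routine service noise, and the three moves from the scenario.
demo_detect() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2010-02-08 09:05:44|NOR-SCCM1|4698|Microsoft-Windows-Security-Auditing|A scheduled task was created. Account Name: svc_sccm Account Domain: CITY Task Name: \Inventory
2010-02-08 22:15:00|NOR-PC114|7036|Service Control Manager|The Windows Update service entered the stopped state.
2010-02-09 03:00:12|NOR-FS02|7036|Service Control Manager|The Print Spooler service entered the running state.
2010-02-09 16:41:07|NOR-PRINT01|602|Security|Scheduled Task created: Account Name: jdoe Account Domain: CITY Task Name: At1.job
2010-02-09 16:41:20|NOR-PRINT01|7036|Service Control Manager|The City AntiVirus service entered the stopped state.
2010-02-09 16:41:21|NOR-PRINT01|7040|Service Control Manager|The start type of the City AntiVirus service was changed from auto start to disabled.
EOF
    flag_suspicious_events "$f" "svc_sccm"
    rm -f "$f"
}
```

Two caveats a practitioner would add. The task-creation events only exist if object-access auditing is on; on hosts where it is not, watch %SystemRoot%\Tasks for new .job files instead. And a rogue admin can clear the local log as easily as he can stop the AV service (that clearing is itself event 1102, or 517 on 2003), so the rule is only worth anything if the logs are forwarded off the box before he gets to them.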
    5. Re:Norfolk's IT is fail. by flyingfsck · · Score: 1

      Damn, with a friendly IT department like that, Norfolk don't need enemy malware.

      Even a simple Windows Repair Install would have fixed the machines and kept the data files.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    6. Re:Norfolk's IT is fail. by murdocj · · Score: 1

      Huh? That's like saying the data on Linux system is hosed because your kernel image got zapped. All the data is there, you just re-install the O/S.

    7. Re:Norfolk's IT is fail. by vlm · · Score: 2, Interesting

      Either way the city's in a world of pain now, but no where near the world of pain the guy that did this is going to be in. Something like this won't be that hard to figure out.

      Yes, except that the folks in charge are making desperate efforts to destroy any and all evidence by overwriting, reinstalling, etc, per the article and website.

      So, I guarantee a scapegoat has already been determined. In fact, a scapegoat was probably determined before the "incident" occurred, if you know what I mean. The odds that "the guy who did it" is "the guy that'll be punished/plea bargain" are probably vanishingly low.

      Now if the "journalist" was a real journalist, as opposed to a press release rewriter, we'd have an analysis of recent staffing changes in that office. My guess is the "wrong" company got a support contract, or perhaps there are union issues, or perhaps there was an unpopular plan to outsource to India that'll now "unfortunately have to be expedited". Or the IT director's brother or other relative dared to run against the mayor/other local politician. Etc etc etc.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    8. Re:Norfolk's IT is fail. by jimicus · · Score: 1

      Damn, with a friendly IT department like that, Norfolk don't need enemy malware.

      Even a simple Windows Repair Install would have fixed the machines and kept the data files.

      There are lots of automated mechanisms - both using Microsoft's own Remote Imaging Services and third-party products - for rebuilding an OS and installing all applications very quickly to a bunch of PCs. With everything properly set up, you can go from nothing to every PC built, on the domain and all applications installed in under an hour. If you use multicast, about the only limitation is the speed of the network and how many PCs your technicians can visit to force a PXE boot in a given space of time. (I have consciously excluded any discussion of Intel's vPro technology because I am unfamiliar with it - is it in common use? Would it eliminate the need for technicians to visit the PCs?)

      I don't know of any similarly automated mechanisms to repair hosed Windows installations - frankly, it's not the kind of thing you'd consider. You need the imaging method for new PCs and replacing hard disks in existing PCs. Your policy almost certainly bans storing data on the local PC precisely because it's impractical to backup several hundred PCs so you may as well use it for hosed installations as well. In the normal course of things, you'd never anticipate seeing that very often anyway.

      Otherwise putting together such a mechanism (which you'd probably have to put together by hand, since I doubt there are very many pre-cooked things you can setup to boot from PXE and attempt a recovery) is simply generating work for yourself.

    9. Re:Norfolk's IT is fail. by Anonymous Coward · · Score: 0

      Damn, I should give them a call. I will work for exactly 1/10th what ludicrous price their "experts" will charge to recover the data. Give me 20 minutes with each computer, letting me use my own "repair kit" (aka: computer of my own that I jam their hard drive into to mount it as an external drive), and I will "recover" every single piece of data (minus the System32 folder, of course) on that computer onto whatever secondary storage they want it on.

    10. Re:Norfolk's IT is fail. by u38cg · · Score: 3, Funny

      There are a million and one legitimate ways that this could be done by a rouge admin.

      Dude, I could do that, and I'm not even vermillion :p

      --
      [FUCK BETA]
    11. Re:Norfolk's IT is fail. by drinkypoo · · Score: 1

      There are a million and one legitimate ways that this could be done by a rouge admin.

      Do these guys pilot pink X-wings in the rouge squadron, too?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:Norfolk's IT is fail. by Anonymous Coward · · Score: 0

      But what about the azure admins? Not to much the emerald ones....?

    13. Re:Norfolk's IT is fail. by Anonymous Coward · · Score: 0

      del C:\windows\system32\* isn't the problem, it's the FIX.

      It shows commitment when preparing the system for Ubuntu installation.

    14. Re:Norfolk's IT is fail. by Anonymous Coward · · Score: 0

      "Rouge admins" ? I guess the colour complements their blue screens.

  12. Dead man's switch? by Anonymous Coward · · Score: 0

    Could be...

  13. Time Bomb is my favorite by bigredradio · · Score: 1

    I think Time Bomb is the best of all the No-Heroics superheros. http://www.youtube.com/watch?v=JLaXUTdybjc
    Oh wait, you were talking about that ....

  14. I bet they just got Religion by Anonymous Coward · · Score: 0

    So you can just restore from backup right?

    Right?

    Please don't look at me that way! You do have backups, don't you?

    I myself have a RAID 5 and two large external hard drives. Once a week I swap the external on my desk with the one I keep in a bank safe deposit.

    But it took the loss of the third drive of my career before I got Religion myself.

    1. Re:I bet they just got Religion by theJML · · Score: 3, Informative

      From working in the backup industry for years, I'm sure they have backups; the problem is that they never tried to verify or restore them. But if there really isn't any data there, compression is great when you just "tar cv * > /dev/null" ...

      Heck one time I had a guy who was getting Parity Errors decide that the best way to solve them was to just shut off Parity Checking... Ignorance is bliss I suppose.

      Seriously I can't count the number of times I tried to help someone restore their backups after a critical loss that turned out to never have actually verified that they worked in the first place. Just as bad as when I worked in a photo shop and someone said they couldn't get their film out... put the camera in the light locked compartment, stuck my hands in, just to find that he had taken 36 'priceless vacation pictures' on the back of the camera body instead of film.

      --
      -=JML=-
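
theJML's "tar cv * > /dev/null" has a practical counterpart: the only proof that a backup exists is a restore that you compare against the source. The script below is an added example, not the poster's and not anything from the article. It checks an archive three ways (it lists it and insists on at least one file, compares it against the live tree with tar --diff, and restores it into a scratch directory and diffs the result) and shows that an archive written to /dev/null fails the same check. GNU tar on Linux is assumed; the tree the demo builds is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify a backup by restoring it,
# not by watching it being written. Assumes GNU tar and a Linux box;
# paths are placeholders.

# verify_backup SRC ARCHIVE: list ARCHIVE, compare it against the live tree,
# then restore into a scratch directory and diff. Prints "ok <n> files" on
# success, "FAIL <reason>" otherwise (exit status 1).
verify_backup() {
    src=$1; archive=$2
    # Listing must work and show actual files; an empty or unreadable
    # archive (the /dev/null case) fails here. grep -c prints 0 on no match.
    n=$(tar -tzf "$archive" 2>/dev/null | grep -vc '/$' || true)
    if [ "$n" -eq 0 ]; then
        echo "FAIL empty or unreadable archive"; return 1
    fi
    # --diff (-d) reports members that differ from the files they came from.
    if ! tar -dzf "$archive" -C "$src" >/dev/null 2>&1; then
        echo "FAIL archive differs from source"; return 1
    fi
    # The restore test: extract somewhere else and compare the trees.
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src" "$scratch" >/dev/null; then
        echo "ok $n files"; rc=0
    else
        echo "FAIL restore differs from source"; rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Demo: a constructed tree, a real archive, and a "backup" sent to /dev/null.
demo_verify() {
    dir=$(mktemp -d)
    mkdir -p "$dir/data/reports"
    printf 'q1 numbers\n' > "$dir/data/reports/q1.xls"
    printf 'notes\n' > "$dir/data/notes.txt"
    tar -czf "$dir/good.tgz" -C "$dir/data" .
    good=$(verify_backup "$dir/data" "$dir/good.tgz")
    # The mistake from the post, made on purpose and checked the same way.
    tar -czf /dev/null -C "$dir/data" .
    bad=$(verify_backup "$dir/data" /dev/null || true)
    rm -rf "$dir"
    echo "$good / $bad"
}
```

The restore step is the one that matters: the listing and --diff checks catch a tape that was never written, but only an actual extract into a clean directory proves the backup can be turned back into files on the hardware and software you will have on the day you need it.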
    2. Re:I bet they just got Religion by jafiwam · · Score: 1

      Maybe with tapes this is a reasonable expectation.

      However, users and IT folk alike copy files to and from CD, to and from the internet, across networks, from drive to drive, from USB to hard drive and back and they don't run into parity errors.

      So it's not unreasonable to assume that software and hardware designed to be backup tools wouldn't fail as often as they do.

      When my drives fail, it's almost always VERY OBVIOUS, not some subtle creeping error.

      I think most of the time the problem is not data corruption, but lack of planning if the data will be in a usable form or not.

      I have Ghost backups for my home PC, and I backup my data using external drives. But I have never gone through the process of learning and doing the recovery on the boot partition because that backup is a last ditch thing. When my drive fails, I will either spend the time to do that, or just say "bah, time for a new computer anyway" and go that route.

    3. Re:I bet they just got Religion by Anonymous Coward · · Score: 1, Funny

      put the camera in the light locked compartment, stuck my hands in, just to find that he had taken 36 'priceless vacation pictures' on the back of the camera body instead of film.

      Now, that's what I called a Kodak Moment (TM).

  15. Destroying Evidence by Reason58 · · Score: 5, Insightful
    From the article:

    IT specialists for the city found that the system serving as the distribution point for the malware within the city’s network was a print server that handles printing jobs for Norfolk City Hall. However, an exact copy of the malware on that server may never be recovered, as city computer technicians quickly isolated and rebuilt the offending print server. “Obviously, our first reaction was to shut it down and restore services, and at least initially we weren’t concerned about capturing [the malware] or setting it aside,” Cluff said.

    Obviously, your reaction was wrong in every way. When a system is compromised you physically unplug it from the network and keep it powered on so that you can run forensics on it. Good work destroying any evidence you might have had about not only who performed this attack, but what weakness in your security they exploited to accomplish it. All that just to get a print server of all things back online as fast as possible.
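
Reason58's point, and the compromise several replies reach for (image the box, then rebuild it), both come down to one step that the city skipped: take a bit-for-bit copy of the print server's disk and record its hash before anyone reinstalls. The script below is an added example, not code from the article or from anyone in the thread. It assumes Linux with GNU coreutils, root access to the real device, and placeholder paths; the "disk" the demo images is a constructed file of random bytes.

```bash
#!/usr/bin/env bash
# Added example (not from the article): what "setting it aside" should have
# meant for the print server. Take a bit-for-bit image of the disk, hash
# source and image, and record who took it and when, before anyone rebuilds.
# Assumes Linux with GNU coreutils; run as root against the real device,
# e.g. image_disk /dev/sdb /evidence/norprint01.img (placeholder paths).

# image_disk SRC IMG: copy SRC to IMG, write IMG.custody.txt, print the
# sha256 when source and image match, fail otherwise.
image_disk() {
    src=$1; img=$2
    # Make the kernel refuse writes to a real device before reading it.
    if [ -b "$src" ]; then blockdev --setro "$src" || return 1; fi
    # conv=noerror,sync keeps going past bad sectors and pads the short
    # read with zeros, so bs must divide the device size: 512 always does.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "source:   $src"
        echo "image:    $img"
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ) on $(uname -n) by $(id -un)"
        echo "sha256(source): $src_hash"
        echo "sha256(image):  $img_hash"
    } > "$img.custody.txt"
    # A mismatch means a sector was unreadable (zero-padded) or the source
    # changed under us; either way the image is not a faithful copy.
    [ "$src_hash" = "$img_hash" ] || return 1
    echo "$img_hash"
}

# Demo on a constructed 256 KiB "disk" (a file of random bytes).
demo_image() {
    dir=$(mktemp -d)
    dd if=/dev/urandom of="$dir/disk" bs=1024 count=256 2>/dev/null
    h=$(image_disk "$dir/disk" "$dir/disk.img") || { rm -rf "$dir"; echo FAILED; return 1; }
    if grep -q "sha256(image):  $h" "$dir/disk.img.custody.txt" \
       && cmp -s "$dir/disk" "$dir/disk.img"; then
        echo "verified $h"
    else
        echo FAILED
    fi
    rm -rf "$dir"
}
```

All later analysis runs on a copy of the image, mounted read-only over a loop device, and the hash in the custody note is what ties that analysis back to the disk that came out of the server. Where the box cannot be taken down at all, Reason58's "keep it powered on" is the right instinct for a different reason: memory and process state are lost at power-off, so they get captured first, and the disk image second.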

    1. Re:Destroying Evidence by Anonymous Coward · · Score: 0

      All that just to get a print server of all things back online as fast as possible.

      Hey now, printing and mailing out red light camera bills is a lucrative source of income... I mean safety for the town.

    2. Re:Destroying Evidence by alen · · Score: 1

      This is the government.

      When I first started working for private industry after working for Uncle Sam for years, the first thing I noticed was a lack of paper. Government employees had mountains of it in every cube and office. The real world had long ago moved to electronic format.

    3. Re:Destroying Evidence by Cassini2 · · Score: 1

      When I even think some major problem exists with either data on the hard drive, or the hard drive itself, I just replace the hard drive. This permits data recovery of any salvageable data on the old hard drive. It also quarantines the virus infection to the old hard drive.

      A new hard drive is worth $50-$100. If you find any important files on the old hard drive, then the new one has paid for itself. Also, it does much to preserve your chain of evidence if the problem requires forensics.

    4. Re:Destroying Evidence by plague3106 · · Score: 1

      and meanwhile, while you're doing that, the city offices aren't able to process anything.

      Ya, they did it wrong...

    5. Re:Destroying Evidence by FlyingBishop · · Score: 1

      I got news for you, the lack of paper had nothing to do with moving from government to private sector. I'm in the private sector, and my co-workers regularly print out code and spreadsheets (even massive spreadsheets that don't fit on 8 1/2 x 11)

    6. Re:Destroying Evidence by epp_b · · Score: 1

      When a system is compromised you physically unplug it from the network and keep it powered on so that you can run forensics on it.

      Isn't the best thing to do image it, rebuild it, get it running, restore the image on duplicate test hardware then do forensics?

    7. Re:Destroying Evidence by Attila+Dimedici · · Score: 1

      The last company I worked for the owners wanted systems back online as fast as possible. Once they were back online, I could troubleshoot to my heart's content to figure out what caused the problem. I suspect that the decision makers in this situation had the same priorities. Computers are there to get work done. Get them back up and working as soon as possible so that people can get work done. Once everybody who relies on those computers can work again, only then do you start trying to figure out what went wrong.
      That may not be the best way to do things, but it's the way most places in the real world work.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    8. Re:Destroying Evidence by WrongSizeGlass · · Score: 1

      Isn't the best thing to do image it, rebuild it, get it running, restore the image on duplicate test hardware then do forensics?

      Based on your question it's pretty obvious you don't watch CSI: Norfolk.

    9. Re:Destroying Evidence by shadowbearer · · Score: 1

      No shit! At the very least they should have imaged the print server's installation drive before they wiped and reinstalled (even if they needed the system up as fast as possible). At least that way they'd have something to run forensics ON, and be able to do it at their leisure rather than a hurry-up job.

      Someone screwed up bad.

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  16. This is more common than people think by Anonymous Coward · · Score: 1, Interesting

    I have seen time bombs left behind by two types of people when being called in as a consultant to deal with the aftermath:

    1: The disgruntled employee. He leaves a hidden file that if not touched in 2-3 weeks will start wreaking havoc. I've even seen modified binaries of tar and such that encrypt the files, so even backups are trashed.

    2: Someone wanting to frame another person. I've seen this done by clients of other consultants who do not want to pay the consulting fee. So they put a logic bomb in. The admin that left gets blamed and faces jail time. In this scenario, it is a word against word issue almost always, and juries tend to believe business owners far more than the admin who got railroaded.

  17. Look, if you're the IT guy and this happens by wiredog · · Score: 1

    You just restore the image from a ghost backup without worrying about the data because the data is stored (by policy) on the servers. What? A user ignored that policy? Tough luck for him.

    1. Re:Look, if you're the IT guy and this happens by Monkeedude1212 · · Score: 2, Interesting

      Even if you're a complete dolt and don't lose all of that, you can still recover data with some sophisticated technology. The hard drive might claim it's empty but the bits are likely still in their last position. (Ever noticed how clearing the partitions off of your hard drive is instantaneous?)

      This is why professionals can still recover a large chunk of data from a hard drive even if you used a drillbit to punch a hole in it.

    2. Re:Look, if you're the IT guy and this happens by jimicus · · Score: 1

      You just restore the image from a ghost backup without worrying about the data because the data is stored (by policy) on the servers. What? A user ignored that policy? Tough luck for him.

      Exactly. No IT department is about to waste much time and effort on recovering data from individual PCs. Yes, you could script much of it but you're still going to have to reimage the things and running that script takes time away from the reimaging process.

      If anything, this could be a blessing in disguise - the admin who's been saying for years "Why do we even leave it physically possible to write to the local hard disk on desktop PCs when the policy states clearly that files get stored on the server?" might now be able to enforce this policy.

    3. Re:Look, if you're the IT guy and this happens by MachDelta · · Score: 1

      The hard drive might claim it's empty but the bits are likely still in their last position.
      This is why professionals can still recover a large chunk of data from a hard drive even if you used a drill bit to punch a hole in it.

      Say what?
      Methinks you have two thoughts crossed in your head. Deleting a file and physically destroying the disk are very different concepts. Restoring file references is simple enough, but a platter punched full of holes is only partially recoverable at best.

    4. Re:Look, if you're the IT guy and this happens by Monkeedude1212 · · Score: 1

      Well, that's what I'm saying: a platter with a single hole in it that's only 5% of the surface area means that 95% of the bits are still there. Even if it makes the disc inoperable from a regular standpoint, there are unconventional methods to read the bits.

      So unless there are multiple holes drilled in, or it's shattered, or melted, or had a rare earth magnet rubbed along the surface, recovering data from a damaged platter is not impossible, though sometimes impractical, depending on the data.

  18. You are fail for believing news articles by Colin+Smith · · Score: 2, Insightful

    You can't take any details from any news articles at face value.

    --
    Deleted
  19. Overtime? by Gonoff · · Score: 1

    How many machines can you reimage in a day? Even if you only do one at a time, I imagine you could do 4 or 5 in a working day. If you have an entire office full, already connected up to the network, you just have to pop in a CD (if you even need one), start the PC and move on. A couple of dozen people could do that lot in a weekend's worth of overtime.

    Most of the time I spend on rolling out a new PC is delivery, connection and admin. Where's the problem here?

    --
    I'll see your Constitution and raise you a Queen.
    1. Re:Overtime? by Anonymous Coward · · Score: 0

      Windows Deployment Services.

      You can set up your custom image and deploy from your server; no need for a CD, and multicast deployments can be done. Yes, someone still needs to start the process on the machine, but that can be done in less time than the CD/DVD takes to boot, and with a proper custom image and scripts you don't need to do anything after you tell it which image to install.

    2. Re:Overtime? by Anonymous Coward · · Score: 0

      How many machines can you reimage in a day? Even if you only do one at a time, I imagine you could do 4 or 5 in a working day. If you have an entire office full, already connected up to the network, you just have to pop in a CD (if you even need one), start the PC and move on. A couple of dozen people could do that lot in a weekend's worth of overtime.

      Most of the time I spend on rolling out a new PC is delivery, connection and admin. Where's the problem here?

      PXE boot + Multicast in Ghost server. I can do all the computers on the LAN in about 10 minutes.

    3. Re:Overtime? by BlueScreenOfTOM · · Score: 1

      I don't think the point was the downtime or the effort to get the machines back up -- it was how much data was lost, and how important the data was.

    4. Re:Overtime? by guruevi · · Score: 1

      I can reimage hundreds of computers in a few hours. It all depends on their uniformity and operating systems. Windows has to be imaged on similar hardware or it will BSOD even if it has been sysprepped; for Linux and Mac any image will work on any machine (given you have a fairly standard modular kernel and the architecture stays the same).

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Overtime? by Changa_MC · · Score: 1

      It wasn't important, or there would have been a backup.

      --
      Changa hates change.
    6. Re:Overtime? by Datamonstar · · Score: 1

      Word. I did this back when I was a temp in oh... '99, 2000'ish on a rather large network. I'm rather sure it would take much less time today.

      --
      The eternal struggle of good vs. evil begins within one's self.
    7. Re:Overtime? by imagoon · · Score: 1

      Last batch of 25 PCs I imaged were imaged 4 at a time in less than a day. Would have been less had I actually been in the office when they completed. I was out in the office doing other stuff. At the desks would be even easier, as I would just network boot them into the imaging software and let the autoscript take over.

    8. Re:Overtime? by Lumpy · · Score: 1

      I can re-image 60 in a day myself, even if I stop and talk to people, screw around throwing nerf darts, and ride the electric moped around the office looking for cold pizza... more if I had more USB sticks or time to make more boot CDs. I think the network here will eat itself if I try to re-image 200 or more; the image server is only 100Bt.

      Pop in CD or USB drive, reboot, click yes, go to next one, repeat, go to next one, repeat. Do about 10, go back and walk past them to make sure everything is running, start at 11, repeat.... Really easy. I did 800 machines in a weekend with a team of 5 working 24/7 upgrading from Windows 2000 to XP. It's really easy if the IT department is competent and prepared. Hell, even using commercial apps like Deploy Center this is really easy. We used a simple Linux-based setup. I used to have a fully scripted XP install CD that took a month to craft but would install right on 30 different hardware variations automatically.

      Well, unless your IT director is a complete tool that buys a mish mash of gear only 3-4 at a time.
      100 Dell laptops of which only 5 are the same model, 30 HP laptops, 20 Acers, 60 different desktops, and then he shows up with a batch of new desktops that he bought at Staples.... Then you are completely hosed. Hopefully the IT director had a clue and they have some semblance of uniformity. Even with 800 machines, if there are only 80 different images it's easy to pick the right image file on the server.

      --
      Do not look at laser with remaining good eye.
    9. Re:Overtime? by Lumpy · · Score: 1

      Not true; I had an XP image that would work across a lot of variations. You need to have ALL drivers for all variations in the image and have the image as an OEM install image. It adds time, but it runs the final driver installs and setup on first reboot.

      You can do it, you need the OEM tools. I really hope that Windows 7 can do the same.

      --
      Do not look at laser with remaining good eye.
    10. Re:Overtime? by BlueScreenOfTOM · · Score: 1

      Sure, assuming the IT group was competent. Given that said IT group immediately re-imaged the machine distributing the "malware" after they discovered it instead of unplugging it and leaving it be for further analysis, I don't feel comfortable jumping to that conclusion.

    11. Re:Overtime? by nabsltd · · Score: 1

      How many machines can you reimage in a day? Even if you only do one at a time, I imagine you could do 4 or 5 in a working day.

      It shouldn't take more than 30 minutes to re-image a machine, unless the image is far larger than it really should be.

      With a DL DVD-R, you can store about a 15GB image (using compression) along with the bootloader and imaging software. Pop in the disc, boot up and maybe click a few wizard "Next >" buttons.

      While one tech starts re-imaging, another can burn extra copies of the imaging DVD-R if there aren't enough to do the job quickly. Then, just hand disks to every employee as they come in and let them re-image their own machine. OK, so that's a little silly, but with 10 or so copies of the disk, it should be possible to re-image over 150 computers a day, even for just one tech. By the 2nd day, you should be up to 30-40 copies of the image DVD-R, and so the whole job shouldn't take more than 3 working days. So, three techs on a 24-hour shift should have you up and running again on 800 machines.

      This all assumes no attempt at data recovery.

    12. Re:Overtime? by Anonymous Coward · · Score: 0

      How many machines can you reimage in a day?

      How many network ports do you have?

      Use either native PXE boot (or a boot CD that supports PXE) and image them all at once using software that supports UDP multicast (or use a custom Linux image, netcat, and dd if all the systems are identical).

      Seriously, the only limitations you run into are how many network ports are available, and whether the shop's wiring can support that many units.

      If you're doing it by hand, you're doing it wrong.

    13. Re:Overtime? by Anonymous Coward · · Score: 0

      Even with a free open source product like FOG you would not even need to visit those computers physically if they're already registered to the system. Just issue a general notice to shut down, pop up a management web page, select all, click re-image. Wake-on-LAN and boot from network do the rest. 2 hours downtime and you're back in business.

    14. Re:Overtime? by maxwell+demon · · Score: 1

      How do you know that there wasn't a backup which just turned out broken?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    15. Re:Overtime? by mjwx · · Score: 1

      Most of the time I spend on rolling out a new PC is delivery, connection and admin. Where's the problem here?

      Depends on how well your IT is set up. At my old job I could roll a freshly re-imaged laptop out in 45 minutes, on desk and ready to use (SOE only, so excluding additional software). My current job is a much smaller operation, so all re-imaging is done manually; this takes 3 to 6 hours per machine. If I actually had to re-image on a regular basis I'd set up some kind of system with pre-built images, but for now it's impractical and unnecessary. A poor IT setup will not have rapid deployment systems.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  20. $20 says... by Pete+Venkman · · Score: 2

    Twenty bucks says that they never figure out what happened.

    1. Re:$20 says... by Anonymous Coward · · Score: 0

      From the article:

      IT specialists for the city found that the system serving as the distribution point for the malware within the city’s network was a print server that handles printing jobs for Norfolk City Hall. However, an exact copy of the malware on that server may never be recovered, as city computer technicians quickly isolated and rebuilt the offending print server.

      “Obviously, our first reaction was to shut it down and restore services, and at least initially we weren’t concerned about capturing [the malware] or setting it aside,” Cluff said.

    2. Re:$20 says... by djdevon3 · · Score: 1

      Another $20 says something else major happens to IT in the City of Norfolk in the next 10 years (provided the same idiot still works for them who is responsible). This kind of policy is easy to describe: garbage in, garbage out.

    3. Re:$20 says... by Anonymous Coward · · Score: 0

      Okay, I'll take you up on that.

      They figure it out, I get $20. Otherwise, we wait until never comes around.

  21. Who did it by DoofusOfDeath · · Score: 0

    And then he says to me You Gotta Make them Pay, Baby!

    And I said Yeah Baby, I'm the Mad Code that Codes at Midnight!

    And he says You're bad, baby! And I said Yeah!!!

  22. Feh. by Pojut · · Score: 2, Interesting

    If lil' ol' me can spend a few hundred dollars on enough hard drives stuffed into external enclosures to have two complete backups of all ~1.5TB of data in my system, surely a municipal government can spend a few thousand dollars to do it too.

    What the hell, who runs systems that important without backups? Management teams named Shirley?

    1. Re:Feh. by Anita+Coney · · Score: 1

      "What the hell, who runs systems that important without backups?"

      The government, 'nuff said.

      --
      If someone says he and his monkey have nothing to hide, they almost certainly do.
    2. Re:Feh. by mcgrew · · Score: 3, Informative

      From TFA:

      Cluff said the malicious software appears to have been designed to trash vital operating files in the Windows\System32 folder on the infected machines. Cluff said a healthy, functioning System32 directory weighs in at around 1.5GB, but the computers infected with this as-yet-unidentified malware had their System32 folders chopped down to around a third of that size, rendering them unbootable. Cluff added that city employees are urged to store their data on file servers, which were largely untouched by the attack, but he said employees who ignored that advice and stored important documents on affected desktop computers may have lost those files.

    3. Re:Feh. by Anonymous Coward · · Score: 0

      In Windows XP the "My Documents" and "Desktop" directories are not located in the system32 directory. Are they running Windows 98, or do their 1337 users hide all their files in system32?

    4. Re:Feh. by Anonymous Coward · · Score: 0

      Well, that's still crap. I sincerely hope the reporter completely mangled the real story (and that wouldn't surprise me).

      If the malware really trashed only contents of the system folder, then there is no real problem in recovering locally stored data files, but it will be a little more work than the typical government IT guy has become accustomed to. Being unbootable is irrelevant as long as the file system is intact - either boot to a BartPE (or whatever) DVD or USB stick and recover the files, or move the hard disks into known good systems and access them as slave drives. Naturally he'd need to scan any recovered data files, preferably with multiple scanners. And on any properly secured Windows system the users aren't running with permissions which would allow them writable access to system folders, so their data isn't there. Even if they're running with full admin rights, it's much more likely their files are stored under My Documents or the Desktop folders.

      Oh, and Windows systems can be configured so that the users' data folders reside on Windows servers. It causes trouble for some improperly coded software, but it generally works well. Simpler yet, have management come down hard on the violators, if the office politics are amenable to that approach.

      - T

  23. Follow the trail by Anonymous Coward · · Score: 0

    There was a reason that somebody did this. It was somebody that knew this environment.

    Either follow the money or follow the motive. They WILL find the perp.

  24. Norfolk High School Cheer by ideonexus · · Score: 0, Redundant

    We don't drink!
    We don't cuss!
    Norfolk! Norfolk! Norfolk!

    --
    i ~ Celebrating Science, Cyberspace, Speculation
  25. Really? by cosm · · Score: 1

    "destroyed data on nearly 800 computers citywide".

    By corrupting the Windows System32 folder install they lost their own files? Did the malware delete some key file that prevents Windows from hosing the disk and crushing the MFT and/or MBR? I doubt it. The OS installs may be unrecoverable, but the article / spokespeople seem to jump the gun by stating such generalizations as "destroyed data" and "essentially destroyed these machines". I imagine that actual "data" of importance is still recoverable via external means, and that a quick reformat will make the machine quite OK again.

    Maybe this is good incentive for them to install Linux, now that they have a ~800 machine testbed to work with.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    1. Re:Really? by Datamonstar · · Score: 1

      If it costs them $1 Mil in labor to recover the machines vs. $0.8 Mil to simply replace the machines with new ones, then the machines are "destroyed."

      --
      The eternal struggle of good vs. evil begins within one's self.
    2. Re:Really? by cosm · · Score: 1

      Perhaps destroyed by an economist's or bureaucrat's standards.

      "simply replace the machines with new ones"

      It usually isn't simple. They have to be specifically configured for their usage context, possibly configured for the domain, shares, print servers (lol), software installations, blah blah blah. I don't think simply getting new machines is the answer. Why not just use backed-up images and reformat? Purchasing a new machine is hardware cost, and the hardware wasn't destroyed by the virus. And also, purchasing the new machines still doesn't account for the cost of recovering the data, which can't be avoided unless the cost outweighs the gain.

      If they don't have images, they don't have backups, the data isn't worth recovering, and it turns out the cost of replacement is just simply cheaper than reformatting the disk on what are really good machines, well, that's an excellent fucking use of taxpayer money. Money that could have been saved by backups, or by using the shares properly.

      --
      'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  26. Save Time & Money! by 2PAIRofACES · · Score: 1

    Just blame Terry Childs. It was a backdoor into a citywide system. Clearly he's responsible. Doubtlessly the D.A. is already concocting a theory involving him having visited the city during a conference, and installing a modem into the network. By phoning a specific number and entering a sequence of numbers from his prison phone, he's brought the network to its knees.

    --
    "you know why? Because we got the bomb, that's why" -Denis Leary
  27. That may be the size of the debugging symbols by Anonymous Coward · · Score: 0

    If you're not a developer, and you don't install the "-dev" or "-devel" versions of the library packages, you won't have the dwarf2 source code debugging symbols, which can be quite verbose.

  28. Windblows 98 and other parodies by Anonymous Coward · · Score: 0

    Search the Intertubes for "Windblows" and "Windoze" and enjoy the laughs.

    Parroty Interactive had Microshaft Windblows 98.

  29. sort and compress makes small backups by davidwr · · Score: 2, Funny

    When you sort the bits first compressed backups are really small.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:sort and compress makes small backups by flyingfsck · · Score: 1

      Size doesn't matter. There is infinite storage capacity in /dev/null.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:sort and compress makes small backups by value_added · · Score: 1

      Size doesn't matter. There is infinite storage capacity in /dev/null.

      Astute observation. For those interested in trying such an approach, note that it's a bitch getting stuff out.

  30. The mark of true intelligence... by Anonymous Coward · · Score: 0

    The mark of true intelligence is the ability to learn from the mistakes of others. Sad how few people seem to possess it.

  31. Remind me the next time I write malware... by davidwr · · Score: 4, Informative

    * Check every few seconds to see if network goes down
    * Write a bogus entry in the log files that points to some oddball behavior, like a disk-read error or something
    * If network is down freeze screen so it looks like computer just locked up
    * Ignore all input
    * Wipe key parts of disk so forensic recovery is impossible or at least very difficult
    * Wipe key parts of memory so forensic recovery is impossible or at least very difficult
    * Wipe key parts of cache so forensic recovery is impossible or at least very difficult
    * Force or fake a BSOD screen so a casual user will think his computer crashed and blame any resulting data loss on the crash

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Remind me the next time I write malware... by bored · · Score: 1

      Which is why the parent's solution is wrong. You should probably force a crash dump of the machine, pull the HD, swap a new one in, rebuild the machine and then analyze the pulled hard drive.

      That way you have a record of not only what was on the disk, but in memory as well. Of course the NMI or crashdump could be hooked, and set to wipe the memory, but that takes a level of care you have to hope the malware author didn't have.

    2. Re:Remind me the next time I write malware... by issaqua · · Score: 1

      Nah, if one was truly evil it would go like this:

      * Silently encrypt disk (without key, your data is a random hash)
          * Ensure persistent key is not able to be backed up.
      * Silently return encrypted data to backup programs (more of a challenge, but if you know your environment...)
      * After date X, make key volatile and reboot on suspend or loss of network connectivity.

      I wonder, would you get a free lair with that?

      Cheers,

      -I.

    3. Re:Remind me the next time I write malware... by shadowbearer · · Score: 1

      That's actually what makes me think it was a time bomb of some sort, rather than an actual outside malware infection. Most outside malware infections are of the botnet variety; crashing hundreds of systems to a rebuild state is counter-productive. But some disgruntled employee who wanted to cause a lot of grief to the IT department... hiding your code in a print server makes sense, nobody is likely to look there.

      Of course it sounds like most of the direct evidence is now gone...

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
  32. And the cover-up by KDEnut · · Score: 1

    Anyone else find it odd that the first thing the IT techs there "quickly isolated and rebuilt the offending print server."?

    Sounds to me like they know who it may be and were covering up for a friend.

    1. Re:And the cover-up by Lumpy · · Score: 1

      Like the stupid IT director who went websurfing as administrator on the print server?

      Dollars to doughnuts that the whole thing is not a planned attack but simply an idiot move that infected a machine, and it spread.

      --
      Do not look at laser with remaining good eye.
  33. Innocence project by davidwr · · Score: 1

    This sounds like a job for the Innocence Project.

    It also sounds like something police and courts need to be made more aware of.

    This sounds like the tech industry's equivalent of a divorcing parent accusing the other of child abuse - where the type of abuse doesn't leave scars and the child is too young to give credible evidence, it's 50/50 or less whether justice will prevail.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  34. Oops by davidwr · · Score: 1

    That's a hard lesson to learn.

    Now I understand why the desktops weren't backed up properly - their drive content was considered disposable. This is not unreasonable given the above statement.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Oops by MightyMartian · · Score: 1

      That has been something of a constant battle in my case. I was dumb enough to think backing up the Documents folders from the roaming profiles was good enough. Then I discovered just how non-roaming roaming profiles can be, and that the smallest issue can basically make a roaming profile effectively limited to that computer.

      So I went to folder redirection, redirecting the whole Documents tree to the file server. Works great, except people save data to their desktops. So I decided "Okay, I'll redirect the Desktop folder too", except that that makes the computers pretty much useless when the file server goes down. Oh well, it's the only way to guarantee things get backed up, until some people decide to start actually working off flash drives, a flash drive goes dead, and someone's project that they'd been working on for a week disappears.

      Finally, at the end of it, and after basically being blamed by staff, I went to my manager, got permission to lay down the law, and at the next regular staff meeting made up proper policies. The only data that I'll back up is in the Documents and home drive share. Nothing with an extension of "mp3" or "wmv" will get backed up; if they're necessary for work, we'll look at an alternate directory, but it will have quotas on it (hard drive space is cheap, but tape backup space is not). I will not back up the desktop, and no critical work should be done on flash drives; if you use them like that, don't even bother complaining to me or management.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Oops by Captain+Splendid · · Score: 1

      lay down the law

      It's the only way to do it. Why the hell should 99%+ of the company literally make your job take longer, cost more and be more frustrating?

      --
      Linux, you magnificent bastard, I read the fucking manual!
    3. Re:Oops by MightyMartian · · Score: 1

      That's basically what I said to my manager. I explained that people just storing data anywhere they wanted was making my job a nightmare. Our tape backups were often getting dangerously full, which ultimately would mean a pretty expensive upgrade to a new higher capacity tape drive.

      So far I've stopped short of strict quotas, but I see a few people don't know how to or don't want to delete email, meaning the Exchange server database is eating more space, which means more space on the tapes.

      People often seem to treat their work computers like their home computers. When I first started up DFS, I quickly discovered after some very slow updates that someone had thrown about fifty albums' worth of mp3s on their Documents share, meaning that it was being replicated to two other servers and going on the backups. When I confronted them, they said "Well, I like to listen to music", to which I replied, "then burn them to CD, because I'm going to set up a task to just automatically delete the damned things every night if they end up on my server."

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  35. Dealing w/ something similar at work by aztektum · · Score: 1

    A similar thing happened where I work (uni campus), although due to config errors, not a timebomb.

    400 machines got imaged and we're scrambling to collect drives, install new ones, reimage and then run recovery on the old orig drives.

    Microsoft really needs to add the ability to set user profiles on a different partition, as you can w/ UNIX.

    --
    :: aztek ::
    No sig for you!!
    1. Re:Dealing w/ something similar at work by Itninja · · Score: 2, Informative

      Microsoft really needs to add the ability to set user profiles on a different partition, as you can w/ UNIX.

      Um, they're called 'roaming profiles' and have been around for some time. You can store users' profiles anywhere you want...different drive, or even a remote server.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Dealing w/ something similar at work by Gunstick · · Score: 1

      Roaming profiles are the worst sort of solution to this problem. Ever have to wait like 20 minutes to log in just because MSIE puts its huge web cache into the profile? Oh no no...
      Profiles are great, but don't do them the "roaming" way, because that's the rowing way.

      --
      Atari rules... ermm... ruled.
    3. Re:Dealing w/ something similar at work by Albanach · · Score: 1

      Microsoft really needs to add the ability to set user profiles on a different partition, as you can w/ UNIX.

      I'm not sure what you mean? It's straightforward, if not trivial, to change the profile location. Two minutes with Google will show you how for your version of Windows.

    4. Re:Dealing w/ something similar at work by Albanach · · Score: 1

      Roaming profiles are the worst sort of solution to this problem. Ever have to wait like 20 minutes to log in just because MSIE puts its huge web cache into the profile? Oh no no...

      So, because you experienced roaming profiles with an administrator that didn't know how to configure the clients, it's therefore a bad idea?

      Firstly, you can limit the cache size. Secondly, you can change the cache location to move it out of the profile.

      Roaming profiles aren't necessarily the solution here - though they could be. If, however, you want users to be able to use any one of a number of machines they can work well. Gigabit networking certainly helps.

    5. Re:Dealing w/ something similar at work by BobMcD · · Score: 1

      Roaming Profiles and/or Network Redirection

      Magical stuff, supported by GPOs...

    6. Re:Dealing w/ something similar at work by Brianwa · · Score: 1

      I've been a user in a setup like this. It's painful to sit at a shiny brand new (taxpayer bought) workstation and wait for it to load my profile from some old computer in a closet 10 miles away.

    7. Re:Dealing w/ something similar at work by Itninja · · Score: 1

      That problem is caused, not by the concept, but by an admin who does not know what they are doing. If one does it correctly using group policy and such, it works very well.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    8. Re:Dealing w/ something similar at work by PsychoSlashDot · · Score: 1

      Roaming profiles are the worst sort of solution to this problem. Ever have to wait like 20 minutes to log in just because MSIE puts its huge web cache into the profile? Oh no no...
      Profiles are great, but don't do them the "roaming" way, because that's the rowing way.

      Albanach already hit you with the Cluestick but I'm going to take a swing. Worse than what he pointed out, I'd like to mention that by default IE's cache is NOT in the roaming profile. That means you have to deliberately jack things around to cause what you describe to happen. All that good stuff in C:\docume~1\username\locals~1 doesn't roam. At least not unless you do truly idiotic stuff.

      Yes, you can throw a tonne of crap on your desktop and have a slow logon. Yes, you can acquire a few thousand cookies and have a slow logon. Yes, there are a couple other ways in "normal" use to cause slow logon. But what you describe is absolutely, positively, not normal. Just because your admin (or you) broke the feature doesn't mean the feature is broken.

      --
      "Oh no... he found the .sig setting."
    9. Re:Dealing w/ something similar at work by aztektum · · Score: 1

      Uhm, they also take up a huge amount of server disk space, so the server/admin teams have decided not to implement them. We're a public uni w/ a budget crunch.

      Also, this would be useful for more than just enterprise users. When I upgraded from Vista to Win7 @ home I wouldn't have had to copy everything over to a spare disk then BACK over after install. Dur.

      --
      :: aztek ::
      No sig for you!!
    10. Re:Dealing w/ something similar at work by aztektum · · Score: 1

      I mean during the install. Yes you can tell My Docs to reside elsewhere by right clicking, or do reg hacks and other obscure trickery, but I'd like to tell it right from setup "Put my profile here" or point it to a partition that already has my profile on it (from an old install).

      --
      :: aztek ::
      No sig for you!!
    11. Re:Dealing w/ something similar at work by Anonymous Coward · · Score: 0

      You can put your windows profile anywhere you want... http://smallvoid.com/article/winnt-move-userprofile.html

    12. Re:Dealing w/ something similar at work by Albanach · · Score: 1

      You can do it during the install:

      http://support.microsoft.com/kb/236621

    13. Re:Dealing w/ something similar at work by aztektum · · Score: 1

      "This applies to..."

      Windows 2000/2003

      Have you tried it on WinXP or Win7? I expect it would work for XP, but we're likely moving to 7 as a base soon.

      --
      :: aztek ::
      No sig for you!!
  36. I think Arizona takes the cake by knarfling · · Score: 1

    I think that Arizona, with its odd mix of Indian, Spanish, English and who-knows-what takes the cake with odd spellings and pronunciations.

    Ft. Huachuca (Wa-chu-ka)
    Mogollon Rim (Mo-gee-yawn)
    Tempe (Tem-pee)
    Canyon de Chelly (dee-shay)


    On the other hand, I spent some time in Pueblo, Colorado where about 1/4 of those born there pronounced it Pee-eb-lo.

    --
    Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
  37. Get an incident handler in there by mikep554 · · Score: 1

    FTA: "... the city found that the system serving as the distribution point ... was a print server. However, an exact copy of the malware on that server may never be recovered, as city computer technicians quickly isolated and rebuilt the offending print server."

    Ok, if I have a single workstation with "AntiVirus 2009", I will probably nuke it without a second thought. If one of my servers has been commandeered to serve as the command and control channel for a worm that just ate 800 of my PCs, I SURE AS HELL AM GOING TO GET A dd OR OTHER FORENSICALLY SOUND IMAGE OF THE MACHINE BEFORE I WIPE IT!!!!!!!!! For crying out loud, they contacted the FBI, but they just destroyed what could have been the single most important piece of evidence! Do they have a Best Buy in Norfolk? For $100 they could have brought the machine up on a clean hard disk and set the existing one aside for forensic examination without wasting the time of taking an image of the drive.

    Also, they have no idea how the attack occurred, but they are sure it didn't come from the internet. Any evidence to back that up? It's one thing to say it probably didn't come from the internet because our logs show no traffic to support that possibility. It's ridiculous to make that same statement based on a gut feel.

    If this article is accurate, these guys are playing amateur hour IT security. Their first action should have been to contact a qualified incident handler.
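
    The imaging step this post calls for, as an added example that is not from the original thread and not Norfolk's own procedure: a Python acquisition routine with the semantics of dd conv=noerror,sync (an unreadable sector is zero-filled and logged rather than skipped, so offsets in the image stay aligned with offsets on the disk), followed by a re-read hash and a custody log. The FlakyDevice class, the 512-byte sector size and the file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size; real disks report 512 or 4096 bytes


class FlakyDevice:
    """Constructed stand-in for a block device: a byte buffer in which the
    listed sectors raise OSError on read, like a disk with media errors."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        if self.pos // SECTOR in self.bad:
            raise OSError("I/O error reading sector %d" % (self.pos // SECTOR))
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_device(src, dst, size, sector=SECTOR):
    """Sector-by-sector copy of src to dst, the semantics of dd conv=noerror,sync.

    An unreadable sector is zero-filled and recorded, never skipped, so every
    offset in the image is the same offset on the source disk. Returns
    (sha256 hex of the image as written, list of unreadable sector numbers)."""
    digest = hashlib.sha256()
    unreadable = []
    for n in range((size + sector - 1) // sector):
        src.seek(n * sector)
        try:
            chunk = src.read(sector)
        except OSError:
            chunk = b""
            unreadable.append(n)
        chunk = chunk.ljust(sector, b"\x00")  # pad failed or short reads
        dst.write(chunk)
        digest.update(chunk)
    dst.flush()
    return digest.hexdigest(), unreadable


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(src, size, image_path, log_path):
    """Image src, re-read the finished file and hash it again, write a custody log.

    The second hash is the check to do before the original is touched again:
    the file on disk must hash to exactly what was read from the device.
    Returns True only when both hashes agree."""
    with open(image_path, "wb") as out:
        written_hash, unreadable = image_device(src, out, size)
    on_disk_hash = sha256_file(image_path)
    with open(log_path, "w") as log:
        log.write("image: %s\n" % image_path)
        log.write("size: %d bytes\n" % os.path.getsize(image_path))
        log.write("sha256 as written: %s\n" % written_hash)
        log.write("sha256 re-read:    %s\n" % on_disk_hash)
        log.write("unreadable sectors zero-filled: %s\n" % (unreadable or "none"))
    return written_hash == on_disk_hash


if __name__ == "__main__":
    data = os.urandom(64 * SECTOR)                 # constructed 32 KiB "disk"
    device = FlakyDevice(data, bad_sectors=[10])   # sector 10 unreadable
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "printsrv.dd")
    log = os.path.join(workdir, "printsrv.log")
    print("image verified:", acquire(device, len(data), image, log))
    print(open(log).read())
```

    Against a real disk, src would be the device opened read-only (open("/dev/sdX", "rb") on a Linux boot disk, with the drive behind a write blocker or set read-only first), and the log goes with the drive into the evidence bag. As the post says, the cheaper move is to drop a new disk in the server and set the original aside, in which case this is what the examiner runs later.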

    1. Re:Get an incident handler in there by crack-a-hack · · Score: 1

      I agree with you as to the incident handling procedure. Now everyone just goes out blaming people, probably without knowing the real deal. I am sure nobody will know any information as to where that came from or how it got in, but apparently they were not the only ones hacked. Here in Maryland we also had a couple of companies that did not know if that was related to Windows updates or what, but were also part of this attack. Obviously this city was not the only organization hacked. Check this article here: http://www.washingtonpost.com/wp-dyn/content/article/2010/02/17//AR2010021705816.html

      If you really are as smart as you sound, why don't you offer them your consulting expertise? I am sure they are looking to either beef up their security personnel, get rid of them, or establish better/stronger security best practices. I can see how blown out of proportion the news down there were; as with everything the media does to get ratings, they probably opened up their mouth to the media too quick. We will never contact the media until a full assessment of damages is done, a penetration test is completed, and the communications department gives the proper authorization to communicate with the media.

      As far as the sophistication of these new blended threats, even large corporations with LOT$$ of bandwidth ($$) can't even compete with these hackers. I have been in their position before and all I can say is kudos to them for even catching the source with enough time to stop the spread. It could have been worse.

  38. go ahead, call me redundant: i will ask again by Anonymous Coward · · Score: 0

    is destroyed the right word?

  39. Cover up for the corruption present in Norfolk? by Anonymous Coward · · Score: 0

    Just saying... I live nearby and it is well accepted that Norfolk, VA has an incredible amount of corruption. My first thought on reading this as a local was, "wow, that's a pretty creative way to cover your tracks..."

  40. More Horrid Pronounciations by Venner · · Score: 1

    Growing up in Ohio, some of the pronunciations for local places are horrible.

    The first are mostly just anglicizations. Not awful, but sometimes quaint, odd, and hickish. There are a lot more that I'm forgetting.
    Lima - "LYE-muh".
    Ravenna - "Ruh-VEN-nuh"
    Medina - "Meh-DYE-nuh"
    Berlin - "BER-lin' "
    Milan - "MYE-lin'
    Vienna - "VYE-en-nah"
    Bellefontaine - "Bell Fountin' " Ack.

    Then they just get really bad and annoying.

    Nevada - "Nuh-VAY-duh". Really. And most locals pronounce the state Nuh-vah-da or Nuh-vad-ah, so what gives?
    Mantua - "MAN-uh-way." The Italians are laughing and Shakespeare must be turning in his grave.
    Versailles - "Vur-SAILS" Ugh.

    --
    A preposition is a terrible thing to end a sentence with.
    1. Re:More Horrid Pronounciations by rvw14 · · Score: 1

      Don't forget the large metropolis of New Bremen - "Bree-men"

    2. Re:More Horrid Pronounciations by Anonymous Coward · · Score: 0

      Common mispronunciations heard in rural Ohio:
      worsh, worshington
      arn for iron
      crick for creek

    3. Re:More Horrid Pronounciations by Uzuri · · Score: 1

      You mean you're going to leave out:

      Newark - "Nerk"

      I've just come to the conclusion that Ohioans are lazy.

      --
      I'm a she-slashdotter... but I make up for it by living with my folks.
  41. Netware 3 was awsome. by HornWumpus · · Score: 1

    The only Netware that is not a Netmare.

    I fully believe a 12+ year uptime.

    Bet it's still running strong.

    2 was good once it was setup. Genning sys was a netmare however.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  42. Siggie comment by Anonymous Coward · · Score: 0

    Sarah Palin will not have sex with you.

    Awwww....

    -Todd

  43. IT Department budget history by debile · · Score: 1

    It would be interesting to see the evolution of the department's budget in the last few years.

    It wouldn't surprise me if they got rid of their best assets and replaced them with cheaper guys with less than the required experience just to "reduce operating cost". They may have saved a few dollars during a year or two doing that, but the shit had to spread one day...

  44. 'if the data will be in a usable form' by MichaelCrawford · · Score: 1
    I was the AC who started this thread, with the two external drives and the safe deposit box.

    When I set up my backup system, one of my concerns was that my loved ones might need to restore my backups, should I get hit by a truck someday.

    I realized that if my filesystem is a rat's nest when I back it up, then my backups will be rat's nests as well, as would any restored data. So I have spent several months scrupulously organizing all of my filesystems on all of my computers.

    That simplifies my backups, and would make it much easier to find what one needed when doing a restore.

    My external drives both have ext3 filesystems. But they each have a small FAT32 partition containing installers for Mac OS X and Windows ext3 filesystem drivers. There are three such drivers available for Windows; I included all three.

    My backups are not quite yet where they need to be, but they're getting close. I have automated continuous backup of my Subversion repository for instance. Whenever I do a checkin of my own personal code, a post-commit hook backs up my entire repository with the hot-backup.py script, then within three hours a cron job replicates the repository backup to my external drive.

    I also need to write up detailed instructions that my survivors could follow, then mail them off to all of my relatives.

    Recovering my data would be complex enough that these instructions would have to come right out and tell my mother to get my sister to do it for her. Happily my sister is hip to The Penguin.

    --
    Request your free CD of my piano music.
    1. Re:'if the data will be in a usable form' by Anonymous Coward · · Score: 0

      Include instructions as to which volumes should be destroyed.

      Your mother doesn't want to see your porn collection. Likely not your sister either.

      Valuable and backup worthy? yes.

      Share with dear old mom? no.

  45. no major problems by DaveGod · · Score: 2, Informative

    Re-worked summary of TFA:
    - All that has been damaged is the System32 folder of user machines.
    - 'Destroyed' I imagine is an IT staff trying to dumb down his language to his perception of the level of the reporter's IT knowledge
    - Their IT may have done quite well, the only 'damage' is to PCs that were shut down in the 1 hour window between the attack starting and IT containing it
    - Employees were supposed to save to the network. The only issue stated is that some staff were breaking the rules and saved things to their own PC.

    All they need to do with the affected machines is to boot from a Windows or Linux CD, copy the files to a memory stick and throw their standard "new install" image on. No data loss. No network downtime. All they're looking at is some hassle for the ~18% of users affected and a very busy IT department. Provided the affected users have other machines to work on (or are otherwise not losing much productivity), they're not far off having the best scenario any IT department can realistically hope for (well, I'd like to say it's reasonable to hope for not having pissed-off employees). Sure, no doubt a dozen IT managers can post their "perfect" system, and another dozen IT managers can show how they could destroy it.

  46. How long before the big formatting day? by Anonymous Coward · · Score: 0

    "There's too much money to be made by having a bot-army" bla bla bla.

    I don't believe everyone is money driven. One day you'll meet a non-money-driven dark-side cracker who shall write a mega bot. A huge one. And it's going to wipe clean tens of millions of Windows PCs.

    Sadly it's going to be a very good day for Microsoft because a lot of persons are going to go buy a new PC but there's going to be some chaos with all that lost data.

    It's not going to be 800. It's going to be the equivalent of "rm -rf *" on an entire botnet.

    Shall be fun. Will happen.

  47. Under the hood by akabigbro · · Score: 0

    That's what happens when you don't know what is going on under the hood.

    GO FOSS!!!

  48. essentially destroyed? Doesn't look like it. by moxley · · Score: 1

    If all this did was modify or delete the system32 directory, then the data is still going to be on the drives and should be easily recoverable - so I wouldn't refer to those machines as "essentially destroyed," - I wouldn't even refer to the data as "destroyed."

    All it means is the machine won't boot normally. I know for most users that renders the machine temporarily useless, but even a low-level IT tech should be able to recover data or get the system booting again; there are about 5 different ways to do it.

    That doesn't change the fact that someone unleashed this on a civic network, but it bothers me when electronic attacks are described in a way that makes them sound much worse than they actually are - because we already have the government looking to use "cyber security" as the next big issue which they'll surely try to tackle via censorship, privacy violations, internet filtering, and wrongheaded laws.

  49. All is fixed by YrWrstNtmr · · Score: 1

    According to the local 6 pm news, all fixed and back online, data intact. Evidently, the affected machines were on a shared network, NOT just the City's.

  50. Some one said it came from the print sever so any by Joe+The+Dragon · · Score: 1

    Someone said it came from the print server, so anyone willing to bet it came from some hole in HP or some other vendor software?

  51. The Time bomb by brennz · · Score: 1

    Came through the rift in Cardiff and drifted all the way to Norfolk.....

  52. Paula Bean was working there? by 140Mandak262Jamuna · · Score: 1

    Paula Bean was working there? May be?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  53. punishment if the perp is caught? by peter303 · · Score: 1

    There was the guy who locked out administrator privileges in the San Francisco computer system. He recently went on trial in December, but I have not heard a verdict.

  54. Lairs are expensive. by Anonymous Coward · · Score: 0

    If you need a lair, hold the world's data hostage for One... Hundred... BILLION DOLLARS!

  55. reformat by luther349 · · Score: 0

    yes, reformatting the machine, they're totally useless now. total loss, call the insurance company.

  56. As the cheerleaders says by Anonymous Coward · · Score: 0

    We don't drink!

    We don't smoke!

    Norfolk! Norfolk!

  57. Not insightful, and wrong by Anonymous Coward · · Score: 0

    ""Bricked" means non-responsively broke."

    No, "bricked", means unfixably broken.

    If you use a word incorrectly, don't get all snotty when people point it out. Just pick the right word. "The machines are unbootable" or "The file system was damaged, rendering the computer inoperable".

    You're a technical person, use the correct technical language. Don't expect us to have to wade through your verbal sloppiness.

  58. It was a rootkit, that BSO'd the 'puters by Anonymous Coward · · Score: 0

    http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php

    Tuesday February 16, 2010
    Rootkit Authors Issue Patch For Critical Bug
    Categories: Malware, Security Software, Software Patches, Top Threat, Windows 7, Windows Vista, Windows XP
    Tags: bsod, ms10-015, patch, rootkit, TDL3, TDSS

    According to security vendor Prevx, the authors of the rootkit which was the cause of a large number of unbootable systems which applied the MS10-015 patch issued last week have issued a patch to fix the incompatibility.

    The authors of the rootkit, which Prevx names TDL3/TDSS, have been active for months updating it to evade detection and to defend itself against removal. It has many other names from other vendors. The error which caused the BSOD was due to the rootkit hard-coding the address of a particular Windows routine, and this address was moved by MS10-015. The rootkit authors had a fix out before too long, but that wasn't enough to save large numbers of users who couldn't boot their systems.

  59. Let this be a lesson to ALL by JRHelgeson · · Score: 1

    LET THIS BE A LESSON TO ALL YOU SYSTEM ADMINISTRATORS!
    whom I have heard saying (repeatedly) - "it is not a critical server, it is only a print server... we can wait to patch it later."
    From just the article, I have a pretty good guess as to what or how it happened... or how I could replicate such an event with two commands, and little or no evidence left behind.

    A disgruntled citizen comes in to use a public access terminal placed there for citizens to look up public records, and PRINT THEM OUT. This public terminal is locked down - sure, it is also on its own private VLAN, lest anyone plug into the network with their own laptop... heck, let's go one further and say they even bound the MAC address to the switch port to make sure that any other network device plugged in wouldn't work (unless they spoofed the MAC address).

    So, our Disgruntled Citizen Hacker (DCH) takes a bootable USB thumb drive/boot CD and inserts it into the computer and reboots it to Backtrack4 or some other utility - or they simply plug into the network using their own laptop...

    Once booted from his device, DCH launches an ancient exploit against the print server that "doesn't contain any sensitive data" according to the SYSADMIN "and can be rebuilt within hours if it ever got infected." - except that DCH isn't all about stealing data, he's all about getting revenge against the cop that gave him that speeding ticket - and HE'S GONNA SHOW YOU!

    Once his script kiddie exploit has him sitting at the c:\ prompt, he does a "NET VIEW" and sees that the print server is on the domain, and can see the entire network from its secondary interface that connects it to the internal network. This system administrator has even copied the SYSINTERNALS suite of tools to the hard drive (he even added them to the PATH! -OR- he copies the SYSINTERNALS suite from his boot device) and with one command, DCH gets to work. "PSEXEC \\* DEL c:\boot.ini" and hits enter, the command starts cycling through all the computers on the network -but he screwed up... it is taking much too long to connect to each computer - only to screw up the boot.ini file? Naw, thats too easy to recover from.

    CTRL+C

    -DCH's Adrenaline is now pumping-

    PSEXEC -d \\* DEL *.* /F /Q /S

    This time, it runs in disconnected mode.

    "Ah yes, much faster." DCH says to himself - except he screwed up again, he forgot to put the "C:\" in front of the *.*, so it is (Q)uietly, yet (F)orcefully deleting all the files listed under the %SystemRoot%\System32 folder and (S)ub-folders (including those files marked as read only), instead of the entire C: drive. Major adrenaline sets in - he's not gonna cancel it this time. He's already committed, it's too late now. That and he's lost his nerve and is visibly shaking as he's feeling the rush.

    He retrieves his boot device, reboots the computer, and quietly walks away, trying oh-so-hard to not raise any suspicions as he quietly walks back to his car. "Take THAT..Your Honor." he mumbles to himself as he jams the key into his Honda Civic, it fires up with a roar as the ported exhaust reverberates throughout the parking garage. He revs the engine and squeals the tires as he leaves the ramp - radio blaring.

    One hour and 800 computers later the print server is taken offline - and promptly rebuilt - exactly according to the disaster recovery plan. Doesn't matter - even if they did forensically analyze it, the only evidence they'll find is a single error (among thousands of errors) in the event log that was caused by the exploit, of itself signifying nothing conclusive. The admins never did set up event log correlation, so once the server was rebuilt, all bets were off. So, our DCH walks away, scot free.

    But wait! Did he really?

    Check the courthouse cameras. On Tuesday, Feb. 9, sitting down at 4:07pm you'll see the DCH take his seat at the public terminal. He looks around and cannot believe that the stupid IT depar

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
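
    The event log correlation the post says was never set up, as an added example that is not from the comment and not from any Norfolk artifact: PsExec installs a temporary service on every target it runs on, and the Service Control Manager records that in the System log as Event ID 7045 (service name PSEXESVC by default; PsExec's -r switch renames it). One such event is an admin at work; the same service name landing on many hosts within an hour is the fan-out the story describes. The detection keys on any service name installed across hosts rather than only on PSEXESVC, which is a generalization of the post's scenario: a renamed PsExec service still carries the same name to every target. The log lines, their one-line-per-event format, the five-host threshold and the one-hour window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_ID_SERVICE_INSTALLED = 7045   # System log, source: Service Control Manager
PSEXEC_SERVICE = "PSEXESVC"         # PsExec's default service name; -r renames it

# Constructed sample log, one event per line:
# "<ISO time> <host> <event id> <service name> <image path>"
SAMPLE_LOG = """\
2010-02-09T09:02:11 FIN-WS07 7045 PSEXESVC %SystemRoot%\\PSEXESVC.exe
2010-02-09T11:30:00 PRINT01 7045 HPPrintMon C:\\Program Files\\HP\\monitor.exe
2010-02-09T16:07:40 CLERK-WS12 7045 PSEXESVC %SystemRoot%\\PSEXESVC.exe
2010-02-09T16:07:41 CLERK-WS13 7045 PSEXESVC %SystemRoot%\\PSEXESVC.exe
2010-02-09T16:07:43 POLICE-WS02 7045 PSEXESVC %SystemRoot%\\PSEXESVC.exe
2010-02-09T16:07:44 POLICE-WS03 7045 PSEXESVC %SystemRoot%\\PSEXESVC.exe
2010-02-09T16:07:46 COURT-WS21 7045 PSEXESVC %SystemRoot%\\PSEXESVC.exe
2010-02-09T16:07:47 COURT-WS22 7045 PSEXESVC %SystemRoot%\\PSEXESVC.exe
2010-02-09T16:08:01 CLERK-WS12 7036 Spooler -
"""


def parse_line(line):
    """Split one constructed log line into a dict; the image path may contain spaces."""
    ts, host, eid, svc, image = line.split(maxsplit=4)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "event_id": int(eid), "service": svc, "image": image}


def service_installs(lines):
    """Keep only 7045 (service installed) events, grouped by service name."""
    by_service = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event_id"] == EVENT_ID_SERVICE_INSTALLED:
            by_service[ev["service"].upper()].append(ev)
    return by_service


def detect_fanout(lines, window=timedelta(hours=1), min_hosts=5):
    """Alert when one service name is installed on >= min_hosts distinct hosts
    inside `window`. Keying on the name rather than on PSEXESVC alone means a
    renamed PsExec service (same name on every target) trips it too.
    Returns a list of (service, window start, sorted hosts), one per burst."""
    alerts = []
    for service, events in service_installs(lines).items():
        events.sort(key=lambda e: e["time"])
        i = 0
        while i < len(events):
            start = events[i]["time"]
            burst = [e for e in events[i:] if e["time"] - start <= window]
            hosts = sorted({e["host"] for e in burst})
            if len(hosts) >= min_hosts:
                alerts.append((service, start, hosts))
                i += len(burst)   # report each burst once, then move past it
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for service, start, hosts in detect_fanout(SAMPLE_LOG.splitlines()):
        print("%s installed on %d hosts from %s: %s"
              % (service, len(hosts), start.isoformat(), ", ".join(hosts)))
```

    On the sample, the lone PSEXESVC install on FIN-WS07 in the morning stays quiet and the six installs at 16:07 raise one alert. Feeding it real data means forwarding the System log from workstations to a collector, which is the point the post makes: once the print server had been rebuilt, the only copies of the story were on the 800 targets.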
  60. Nope: Nancy by drainbramage · · Score: 1

    The teams name was NcGill.
    They called themselves Lill.
    But everyone knew them as Nancy.

    --
    No brain, no pain.