Why You Should Never Shut Down Your API Servers (unless you absolutely have to)

The ongoing global ransomware cyber attack has “hit 200,000 victims in at least 150 countries” according to Europe’s cross-border police agency, Europol:

Europol Director Rob Wainwright said the global reach of the attack was “unprecedented” and “pretty indiscriminate,” affecting everything from hospitals and schools to auto giants.

“We’ve never seen anything like this,” he told Britain’s ITV, adding that the FBI was assisting in trying to identify the culprits.

“At the moment we are in the face of an escalating threat and the numbers are going up. I’m worried about how the numbers will continue to grow when people go to work and turn their machines on Monday morning.”

This last sentence is a key point: turning on computers is a security risk. Why? Because one of the most common ways a computer becomes infected is through a boot sector virus.

So, what are “boot sector viruses”?

Boot sector viruses infect or substitute their own code for either the DOS boot sector or the Master Boot Record (MBR) of a PC. The MBR is a small program that runs every time the computer starts up. It controls the boot sequence and determines which partition the computer boots from. The MBR generally resides on the first sector of the hard disk.

Since the MBR executes every time a computer is started, a boot sector virus is extremely dangerous. Once the boot code on the drive is infected, the virus will be loaded into memory on every startup. From memory, the boot virus can spread to every disk that the system reads. Boot sector viruses are typically very difficult to remove, as most antivirus programs cannot clean the MBR while Windows is running.
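Because the MBR is a fixed 512-byte sector with a known layout (446 bytes of bootstrap code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature), a defender can snapshot it while the machine is healthy and compare that baseline against the sector read later, which is how tampering of the kind described above is detected before the next boot. The following is an added example, not code from the original post; the sample sector, its placeholder boot bytes and the single partition entry are constructed here for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446  # 4 entries x 16 bytes follow the bootstrap code


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def mbr_changed(baseline: bytes, current: bytes) -> list:
    """Compare a known-good MBR snapshot with a freshly read sector; list what differs."""
    findings = []
    if baseline[:PARTITION_TABLE_OFFSET] != current[:PARTITION_TABLE_OFFSET]:
        findings.append("bootstrap code modified")
    if baseline[PARTITION_TABLE_OFFSET:510] != current[PARTITION_TABLE_OFFSET:510]:
        findings.append("partition table modified")
    if current[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature missing")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: placeholder boot bytes, one bootable type-0x07 partition, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def tamper(sector: bytes, offset: int, value: int) -> bytes:
    """Return a copy of the sector with one byte changed (simulates an altered MBR)."""
    altered = bytearray(sector)
    altered[offset] = value
    return bytes(altered)


# Baseline taken while the system is known-good; b"\xeb\xfe" is a constructed placeholder.
SAMPLE_MBR = make_sample_mbr(b"\xeb\xfe")
```

On a real host the baseline would be read from the first 512 bytes of the boot device with elevated privileges and stored off-box, and the comparison run on a schedule rather than only at boot.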

So this is the problem: an invasive application that is not detected by your anti-virus software places a file onto your API server while that server is performing its normal processing. The file placed onto your system has no effect on the server’s current operations, so you notice no change.

The new virus will surely be detected quickly by the Internet community, and anti-virus companies will develop a solution as soon as they possibly can. But this may take days, or even weeks or months if the new virus proves particularly hard to counter.

By what method might you ensure that this new virus doesn’t bring down your APIs? Don’t shut them down.

If the boot sector virus has penetrated your servers, then it has placed new or altered files on your API server that will be activated only when your servers are next booted. Yes, your API site has been compromised, but your servers won’t react to the compromise until the next time they are booted.

Meanwhile, the anti-virus companies are working on a solution that will remove the virus files, either in real time or upon your next boot. Hence, if your servers continue running until the anti-virus software update is downloaded onto your servers, the virus will have no impact on your API’s performance — even though your servers were indeed compromised.

My point: never shut down your API servers, unless you absolutely have to…

–Kevin Farnham