A Microsoft Windows vulnerability, spam e-mail messages and human frailty combined in recent weeks to produce a flood of new internet worm attacks, according to experts at leading antivirus and e-mail security companies.

Symantec counted four major worm infections in August alone, making it one of the busiest months for antivirus suppliers in recent memory.

"Taken all together, this has been a more intense week, in terms of virus activity, than any we've seen," said Chris Belthoff, senior security analyst at antivirus company Sophos.

That activity included the appearance of W32.Blaster on 11 August, a virulent worm that exploited a flaw in the Windows implementation of the Remote Procedure Call protocol, which enables client and server applications to communicate across networks.

The worm spread worldwide in a matter of hours, infecting hundreds of thousands of Windows machines before the outbreak began to wane, according to Internet Security Systems.

A survey of 1,100 organisations by TruSecure found that almost 21% were infected by the worm, with 15% of corporations worldwide recording a "moderate" or "major" impact on operations by Blaster.
Marc Maiffret, chief hacking officer at eEye Digital Security, believed the impact among home users, who are generally less well-protected than organisations, was even greater.

As Blaster waned, new worms emerged to exploit the same vulnerability, including W32.Welchia, also known as Nachi, which attempted to patch Windows systems with the RPC vulnerability.
At the same time, Sobig.F began bombarding e-mail accounts around the world, prompting new infections, warnings from antivirus companies and hurried updates of antivirus software.

E-mail filtering company MessageLabs intercepted 10 times the normal number of e-mail viruses in the 24 hours after Sobig.F appeared and has intercepted more than three million copies of the virus so far, according to CTO Mark Sunner.
But Belthoff was sure the recent spate of large outbreaks does not herald the arrival of a new and more dangerous generation of viruses, as did the appearance of the Code Red and NIMDA worms in 2001, or the SQL Slammer worm in January.
"I think it's an intersection of a couple things," Belthoff said. "Blaster and Welchia/Nachi are all opportunistic worms. They're all based on this Windows vulnerability. Blaster didn't take any in-depth skill to write."

In the case of Sobig, improvements in that worm's ability to send out copies of itself in e-mail messages meant that even a small number of infected machines could generate massive amounts of infected e-mail traffic.

MessageLabs researchers believe that there is a link between the Sobig author and the spamming community and that machines that are compromised by Sobig are being used as distribution stations for spam e-mail, Sunner said.

About 66% of all the e-mail messages MessageLabs intercepts come from such machines, commonly referred to as "open proxies". Sunner said the increase in spam traffic corresponds closely to the appearance of worms like Sobig.

The intense media attention given to the worm outbreaks may have also stimulated virus and worm writers.
"Virus writers get recognised and that encourages them and others to repeat their actions," said Neel Mehta, a research engineer at ISS X-Force.

While experts tend to agree on the myriad causes for the new worms, there is less agreement about what to do to stop them in the future.
Most agree that software companies need to do a better job of weeding out glaring security holes, while companies should be more conscientious in applying software patches as they become available.

"You need balance with the software vendors. They need to build more stable code, but IT departments need to take patching more seriously and make it part of their overall security plan," Belthoff said.

Corporate IT security personnel should also do a better job educating employees about proper etiquette for opening or forwarding suspicious e-mail messages.

"If your end-user population is educated in the work environment, e-mail worms shouldn't be a problem at all," Belthoff said.

But others disagree, saying that part of the blame lies with antivirus technology companies, which still require their customers to apply software patches and updates to be protected against new threats.

"Traditional antivirus protection is very reactive in nature. Antivirus vendors don't know about a new virus until their switchboards start to light up with calls from their customers, then it's a race against time," Sunner said.

Virus writers like the author of Sobig are increasingly savvy and look to exploit that, he added. "They're trying to get a virus out there for a short period of time and exploit that window of time using a mass propagation tool like e-mail."

More security vulnerabilities like the RPC vulnerability are inevitable, as are new worms to exploit them, experts believe.

Even more troubling, the time span between when vulnerabilities are disclosed and when worms and viruses that exploit them appear is likely to close even more.

It took six months for the SQL Server vulnerability to be turned into the SQL Slammer worm. The Windows RPC vulnerability was exploited in just three weeks.

"There is more awareness of vulnerabilities and more motivation to go ahead and write malicious code, because of the attention previous worms have gotten," Mehta said.
Paul Roberts writes for IDG News Service