The technique of automatic software distribution relies on a user rolling out preconfigured software, which may contain unpatched code.
IT directors may believe they have seen the last of Blaster, but it is far too easy for one unpatched PC to allow the virus to wreak havoc again. In spite of using electronic software distribution technology, Paul Simmonds, global information security director at chemicals firm ICI, said some new PCs were still being infected. "Old worms and viruses are hard to kill," he said.
Simmonds said ICI experienced small flare-ups when new PCs were installed on the network. Although the automated software distribution tool from IBM installed in the system was designed to download security patches automatically when a new PC booted, Simmonds said that in the case of Blaster, new machines were being infected before the patch had been applied. To overcome this problem, ICI reconfigured its global network to block Blaster.
Strict control of a PC roll-out programme is essential. Simmonds said, "IT staff sometimes install PCs without completely following the instructions." Patching newly built PCs is an obvious first step, but users should also pay attention to the software distribution itself.
Gerhard Eschelbeck, chief technology officer at network security company Qualys, said, "It is critical that software distributions are well maintained and updated when new vulnerabilities are uncovered. Otherwise, new systems are being built with old flaws and security vulnerabilities will persist."
Eschelbeck said that, to improve the process, every system should be audited for security flaws and configuration and installation errors before it is brought online and on a continuous basis thereafter.
Richard Brain, technical director at independent security specialist Procheckup, said users should update their standard PC configurations every six to 12 months to take new patches into account.
Brain said users should keep an eye on network bandwidth to see whether machines have become infected. "It is quite common for users to complain the network is running slow, when, in fact, their machine has been infected," he said.
The issue of old worms being resurrected is not limited to new PCs receiving unpatched software through automated distribution. Simmonds said IT chiefs need to be aware of staff coming back to work after a holiday or maternity leave. He said IT staff could easily miss updating a PC that had been switched off for any length of time.
Unauthorised installation of software was another area of risk, according to Simmonds. Users in offices around the world could easily install a boxed (unpatched) copy of Windows onto a corporate PC.
This was first published in November 2003