Blaster variant could alter internet security tactics

A "Good Samaritan" variant of last week's Blaster worm has sparked speculation that the worm could pave the way for a new breed...

A "Good Samaritan" variant of last week's Blaster worm has sparked speculation that the worm could pave the way for a new breed of proactive security on the internet. But, in the meantime, users whose PCs have been infected with the variant have spent the past 48 hours frantically updating systems and vetting laptops.

The variant searches for Windows 2000 and XP machines which have not been updated with the Microsoft patch needed to prevent Blaster. It then downloads the appropriate patch before replicating.

However, the worm has a downside - it increases the amount of traffic on computer networks, which can cause users major problems.

One question being asked now is whether the software industry should develop this idea of producing a worm to patch unpatched PCs automatically, or prompt users that their machines may be affected by a security issue.

David Emm, marketing manager responsible for Avert (Anti-virus emergency response team) at Network Associates, said security companies were unlikely to release a worm. But he did not rule out the prospect of some kind of software tool that could automatically check systems for unpatched software.

Jonathan Wignall, chairman of independent pressure group the Data and Network Security Council, said that any company creating a worm would break the law in most countries.

Asides from the legality of releasing a worm to counter an attack, Wignall believed that anybody contemplating using this approach to tackle unpatched systems would face a number of practical limitations, such as how a “good worm” could keep pace with the original one.

Another problem with using a worm to stop a worm, according to Wignall, was that users risk being targeted by viruses claiming to be legitimate software patches. One such virus that claims to be a Microsoft patch is now spamming end users' e-mail accounts.

In spite of the worm writer's apparently good intentions, the variant of Blaster proved disruptive and users needed to update their anti-virus software to prevent infection.

At one blue-chip firm infected by the variant, 20 IT staff worked overnight to rid PCs of the new Blaster, at a cost estimated at £1000 (assuming staff are paid £50 per hour). But this estimate does not include taxi fares to take staff home and any additional overtime work that was required.

According to an IT manager at the company, while some machines were fixed overnight, many needed the second service pack for Windows 2000 (SP2) and Stinger 2, a new version of Network Associates' Stinger utility, which was not made available until late yesterday evening.

As end-users began work this morning, the IT manager said, some PCs had still not been upgraded to Windows SP2. At the time of writing, laptop users who had taken their machines home yesterday, were being asked to call technical support to update the relevant software before they connected to the company network.

The IT manager added that Virtual Private Network access to the company network was disabled, preventing remote workers from connecting to corporate systems.

What do you think?

Should software suppliers create their own worms to combat security threats on the internet? Tell us in an e-mail >> reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.

Read more on IT architecture