The latest worm to torment Internet users underscores the limitations of getting patches in place.
In just 24 hours, "MSBlast" exploded onto more than 120,000 computers around the world, in spite of what some experts say was a less-than-spectacular programming job. A big part of the problem was that inattentive home users, and overbooked IT staffs, hadn't been able to put a patch in place, even though Microsoft had made it available in July. The Web will be watching over the weekend to see if Microsoft can dodge a denial-of-service attack expected to be launched by the worm.
Sobig-F, the latest variant of the Sobig worm, was first detected spreading widely in the wild on Monday, Aug. 18, and appears to have originated in the U.S.
The less malicious Welchia worm also has been creeping across networks.
A mass-mailing worm that can also spread via network shares, Sobig-F arrives via email, posing as a PIF or SCR file.
The subject lines used include: 'Re: That movie', 'Re: Wicked screensaver', 'Re: Approved' and 'Your details'.
The worm is programmed to stop working on Sep. 10, which security experts think may indicate that the worm’s creator is testing out different aspects of the worm to use in future malicious attacks.
The Sobig family of worms has caused major problems for IT managers.
Sobig-F is the sixth version released this year, following Sobig-A through Sobig-E.
Though less harmful than Sobig-F, the Welchia worm is sneaking into systems via the DCOM RPC vulnerability in some versions of Microsoft's Windows operating systems.
Welchia also propagates through TCP port 80 on Microsoft IIS 5.0 systems that have not patched the Microsoft Windows WebDAV (ntdll.dll) buffer overflow vulnerability.
Welchia looks for the Msblast.exe file dropped by W32.Blaster.Worm and deletes it from an infected system. Even so, it is capable of crippling a large corporate network where the DCOM/RPC patch has already been deployed, because it sweeps networks with ICMP echo requests while hunting for new targets.
Symantec on Tuesday upgraded the W32.Welchia.Worm from a Level 2 to a Level 4 threat and reported "severe disruptions" on the internal networks of large enterprises caused by ICMP flooding.
A spokesman for Microsoft said the patch for the vulnerability exploited by the Welchia worm and its variants has been available for over a month and was updated last week, and urged companies to stay vigilant about applying updates and patches regularly.
Sobig-F in its current form (late Aug.) may not be very malicious, but because it spreads so easily, the next version(s) may be more destructive and use more than one spreading method.
Indeed, MessageLabs tracked more than one million copies of the virus over a twenty-four hour period, surpassing the rate of the previous record holder, the Love Bug. MessageLabs estimates that as many as one in seventeen emails sent in the world could currently be infected, a ratio that could rise to a staggering 1 in 15.
Paul Woods, Chief Information Security Analyst at Sophos, pointed out a number of factors that make this sixth-generation version of Sobig so virulent. First, it now takes advantage of SMTP multi-threading to process its emailing duties more efficiently: instead of dealing with 100 addresses (for example) one by one, it processes them in bulk.
Second, the virus writers have actually corrected some bugs in their code. Before, the infected attachments sometimes had their filename extensions truncated, .zip files became .zi, for example. This meant that a proportion of users who may have activated the attachment would have been frustrated by Windows' inability to recognise the attachment. This has now been fixed, increasing the likelihood of its spread.
Sobig first appeared back in January 2003, and by June Sobig-E was still causing problems for computer systems around the world. Sobig has proved remarkably long lasting.
To keep IT departments busy, there is another virus on the block, but one currently operating at a much smaller scale. Be aware of Dumaru-A, which is just beginning its life. This email worm, which carries its own SMTP engine to spread itself further, attempts to infect all executables on an infected computer with copies of itself.
The message appears to be sent from "Microsoft" and has the subject line 'Use this patch immediately !'. The attached file is patch.exe. More information on Dumaru-A can be found on the Sophos website.
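The indicators above (executable PIF/SCR/EXE attachments, the Sobig-F subject lines, and Dumaru-A's spoofed "Microsoft" patch mail) are exactly what a mail gateway can check before a user ever sees the attachment. The following is an added example, not code from the original page or from any vendor named on it; the extension list and subject list are an assumed filtering policy, and the three messages it classifies are constructed test input, not captured worm mail.

```python
"""Gateway check for the Sobig-F and Dumaru-A indicators described above.

Added example, not code from the original page. The policy (which attachment
extensions count as executable, which subject lines are suspicious) is an
assumption made for illustration, and the sample messages below are constructed,
not captured worm mail.
"""
import os
from email import message_from_string
from email.message import Message

# Attachment types Windows runs on double-click (assumed gateway policy).
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# Subject lines the page attributes to Sobig-F, plus Dumaru-A's lure.
SUSPICIOUS_SUBJECTS = {
    "re: that movie",
    "re: wicked screensaver",
    "re: approved",
    "your details",
    "use this patch immediately !",
}


def attachment_names(msg: Message) -> list:
    """Filenames of every non-container MIME part that carries one."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_content_maintype() != "multipart" and part.get_filename()
    ]


def classify(raw_message: str) -> dict:
    """Return a quarantine verdict and the indicators that produced it."""
    msg = message_from_string(raw_message)
    reasons = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUSPICIOUS_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")

    names = attachment_names(msg)
    for name in names:
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment: {name}")

    # Dumaru-A's lure: mail claiming to come from Microsoft with patch.exe attached.
    # Vendors publish patches on their download sites, not as mail attachments.
    sender = (msg.get("From") or "").lower()
    if "microsoft" in sender and any(n.lower().endswith(".exe") for n in names):
        reasons.append("vendor-impersonating sender with .exe attachment")

    return {"quarantine": bool(reasons), "reasons": reasons}


def _mime(sender: str, subject: str, filename: str, ctype: str) -> str:
    """Build a constructed two-part MIME message (test input, not real mail)."""
    return (
        f"From: {sender}\n"
        "To: user@example.invalid\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Please see the attached file.\n"
        "--b1\n"
        f'Content-Type: {ctype}; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
        "--b1--\n"
    )


# Constructed samples: a Sobig-F style lure, a Dumaru-A style lure, and clean mail.
SOBIG_SAMPLE = _mime("someone@example.invalid", "Re: Wicked screensaver",
                     "screensaver.scr", "application/octet-stream")
DUMARU_SAMPLE = _mime('"Microsoft" <updates@example.invalid>',
                      "Use this patch immediately !", "patch.exe",
                      "application/octet-stream")
CLEAN_SAMPLE = _mime("colleague@example.invalid", "Q3 report",
                     "report.pdf", "application/pdf")

if __name__ == "__main__":
    for label, raw in [("sobig", SOBIG_SAMPLE), ("dumaru", DUMARU_SAMPLE),
                       ("clean", CLEAN_SAMPLE)]:
        print(label, classify(raw))
```

The check deliberately keys on the attachment's real filename extension rather than its declared content type, since the worm controls both but Windows decides what to execute from the extension alone. A known-subject match on its own is enough to quarantine here; in production you would weight it lower, because the list goes stale as soon as the next variant ships.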
OLD PROBLEMS
Many people forget facts fast, so they are not protected against old viruses such as Bugbear. We have seen a rise in detections of Bugbear and similar older viruses lately.
Network operators: Worm still squirming and may increase in spreading
Earlier reports that network traffic caused by the MSBlast worm dropped 30 percent to 40 percent may not mean that the worm is slowing, a major provider of network services says.
August 15, 2003
Microsoft kills Net address to foil worm
The software giant eliminates the Windowsupdate.com address that the self-propagating MSBlast worm was set to attack.
August 15, 2003
Squashing the next worm
Another worm, another epidemic. Can companies find ways to halt the spread of self-propagating code?
August 15, 2003
Cleanup dampens Blaster worm
The MSBlast worm's infection rate is slowing as people and businesses disinfect compromised computers, say antivirus companies--though not everyone agrees it's all over yet.
August 14, 2003
Microsoft prepares to be Blasted
The giant hopes to be ready when hundreds of thousands of computers infected with the MSBlast worm start pelting its Windows Update service with data requests on midnight Friday.
August 13, 2003
Users race against worm, variants
As the "MSBlast" worm spreads to about 2,500 new computers per hour, antivirus firms say a new variant has been released and that patching is crucial.
August 13, 2003
Slapdash monster roams the Net
The latest threat to hit the Internet is a compilation of programs cobbled together to do a single job: spread far and wide.
August 13, 2003
Worm's spread shows holes in patch system
"MSBlast" supports the view that patches, while necessary to increase the security of specific computers, can't be relied upon to protect large networks.
August 12, 2003
IT hustle mutes impact
The "MSBlast" worm is forcing information technology staffs to work overtime, but the damage to systems and networks seems to be somewhat contained, at least in the working world.
August 12, 2003
'MSBlast' widespread but slowing
update The worm infects as many as 120,000 computers in 24 hours, but its pace drops off because of poor programming, security researchers say Tuesday.
August 12, 2003
Viruses, hackers hit a third of Net users
Almost one in every three surfers in the United States has been hit by either a computer virus or a hacker in the past two years, a new survey says.
August 12, 2003
Here we go again
perspectives CNET News.com's Charles Cooper says that after two decades' worth of Swiss cheese software security, the world's biggest supplier of operating system software has run out of excuses.
August 12, 2003
Flaw in Windows worm tips off defenders
update The fast-spreading "MSBlast" worm seems to be crashing as many Windows computers as it's infecting--a sign that administrators need to patch their systems.
August 11, 2003
Windows worm starts its spread
A worm that takes advantage of what some security experts have called the most widespread Windows flaw ever has started spreading, fulfilling the predictions of many researchers.
August 11, 2003
previous coverage
Patchwork security
special report Software makers routinely release "fixes" designed to plug holes and reassure worried customers, but these antidotes are often ignored.
January 24, 2001
Waiting for the worm to turn up
reporter's notebook Security researchers gathered in Las Vegas for two hacking conferences are focusing on the Internet and whether a feared worm will appear.
August 1, 2003
Microsoft warns of critical Windows flaw
The software giant issues a patch to plug a critical security hole that could let an attacker take control of computers running almost any version of Windows.
July 16, 2003
How it works, how to fix it
Because not everyone has patched their systems yet, the aggressive "MSBlast" worm--which rated a 7 on the CNET Virus Meter--continues to work its way around the Internet. For more information on the worm and to get the patch, go to one of these sites:
CNET Reviews (how the worm works)
CNET Reviews (how to remove the worm)
Windows Update
Microsoft Download Center
CNET's Download.com
Headings found:
Worm masquerades as note from IT staff
Hackers huddle in the desert
Attack bot exploits Windows flaw
U.S. says Windows vulnerable to attack
Hacker code could unleash Windows worm
Code to exploit Cisco flaw may pose risk
Twin flaws have security pros worried
Sobig spawns a recipe for secret spam
IE flaw could unearth worm
IRC group decrypts Fizzer commands
Worms boost cyberattack stats for 2003
Code Red offshoot packs mild punch
Recent worms punish bad passwords
Deloder slowly worms its way on Net
Decoding the lessons of Slammer
LovGate.C worm's got a hold on PCs
'Slammer' attacks may become way of life for Net
Counting the cost of Slammer
Asia fingered as Slammer's birthplace
Worm exposes apathy, Microsoft flaws
One message buried in the code of the worm is pointed at Microsoft:
"billy gates why do you make this possible? Stop making money and fix your software!!"
Unlike the common mass-mailing viruses that spread by hitching a ride on e-mail messages, Internet worms don't attach themselves to files and don't need user intervention to spread.
The MSBlast worm infects other computers by trying to connect to 20 different Internet addresses at the same time using methods identical to those of an exploit program refined by security researchers and hackers on the Internet. That program, known as dcom.c, attempts to use a vulnerability in a widely used component of the operating system that allows other computers to ask Windows systems to perform an action or service. Microsoft issued a warning about the flaw on July 16.
The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use a computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to its resources.
"Because they ripped off the exploit, the worm ended up looking just like hackers trying to break into computers," said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. "I think that people would have discovered the attack even sooner if it acted like a real worm."
How it works
Just like a hacker manually attacking a server, MSBlast installs a file-sharing program known as the Trivial File Transfer Protocol (TFTP) server and runs the program to download the MSBlast code to the compromised computer. But the way the worm causes the victim's computer to download the file is very inefficient, Maiffret said.
Moreover, even though MSBlast can detect whether a machine is already infected, it has to compromise the machine again before it can check. It also adds a registry key to ensure that the worm is restarted when the host computer is rebooted.
To infect other computers, the worm causes its host to scan for computers with the RPC vulnerability. Forty percent of the time, the program will scan the network to which it is attached, while 60 percent of the time, the worm will try a random network. Because the scanning process is not completely random, the worm will likely cause a lot of excess traffic on its local network.
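The propagation behaviour described here, and Welchia's ICMP sweeps described earlier, are what network defenders actually see: one host walking consecutive addresses on the RPC endpoint-mapper port (TCP 135, the service covered by the July patch), or one host pinging an entire subnet. The following is an added example of detecting both patterns from flow records; it is not code from the page or from any vendor named on it. The flow records are constructed, and the alert thresholds are assumptions chosen for illustration.

```python
"""Detect Blaster-style and Welchia-style sweeps in flow records.

Added example, not code from the original page. It models the two propagation
behaviours the page describes: MSBlast's scan of consecutive addresses on the
RPC endpoint-mapper port (TCP 135) and Welchia's ICMP echo sweep of internal
networks. The flow records are constructed, not captured traffic, and the
thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


RPC_PORT = 135
DISTINCT_TARGETS = 20       # assumed: distinct destinations before alerting
SEQUENTIAL_FRACTION = 0.8   # assumed: share of targets that follow their predecessor


def sequential_fraction(addrs) -> float:
    """Fraction of sorted, de-duplicated targets that are exactly +1 of the previous one."""
    ints = sorted({int(IPv4Address(a)) for a in addrs})
    if len(ints) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return steps / (len(ints) - 1)


def detect_sweeps(flows) -> dict:
    """Map each scanning source to a list of human-readable alerts."""
    rpc_targets = defaultdict(set)
    icmp_targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == RPC_PORT:
            rpc_targets[f.src].add(f.dst)
        elif f.proto == "icmp":
            icmp_targets[f.src].add(f.dst)

    alerts = defaultdict(list)
    for src, dsts in rpc_targets.items():
        if len(dsts) >= DISTINCT_TARGETS:
            # Blaster walks addresses in order from its start point, so the
            # target set is nearly consecutive; a random scanner's is not.
            kind = ("sequential" if sequential_fraction(dsts) >= SEQUENTIAL_FRACTION
                    else "random")
            alerts[src].append(f"{kind} TCP/{RPC_PORT} sweep over {len(dsts)} hosts")
    for src, dsts in icmp_targets.items():
        if len(dsts) >= DISTINCT_TARGETS:
            alerts[src].append(f"ICMP echo sweep over {len(dsts)} hosts")
    return dict(alerts)


def constructed_flows():
    """Constructed sample: one Blaster-like host, one Welchia-like host, one normal client."""
    flows = []
    # Blaster-like host walking its own /24 on TCP/135 (the 40 percent local case).
    for i in range(1, 31):
        flows.append(Flow("10.1.2.50", f"10.1.2.{i}", "tcp", RPC_PORT))
    # Welchia-like host pinging a subnet to find live hosts before trying RPC.
    for i in range(1, 41):
        flows.append(Flow("10.1.3.77", f"10.1.3.{i}", "icmp", 0))
    # Ordinary client: a few unrelated connections, one of them to TCP/135.
    flows += [
        Flow("10.1.2.9", "10.1.2.200", "tcp", 445),
        Flow("10.1.2.9", "10.1.2.201", "tcp", RPC_PORT),
        Flow("10.1.2.9", "10.1.2.202", "tcp", 80),
    ]
    return flows


if __name__ == "__main__":
    for src, msgs in detect_sweeps(constructed_flows()).items():
        for m in msgs:
            print(f"{src}: {m}")
```

Counting distinct destinations per source, rather than packets, is what keeps a busy file server from tripping the rule; the sequential test then separates a worm's address walk from an administrator's legitimate but scattered RPC use. Thresholds should be tuned to the size of the monitored subnets.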
The worm contains two messages in its code. One is a "greet"--an underground programmer greeting--to another person, which could be a lead for law enforcement agencies that pursue the worm's author. The greet reads, "I just want to say LOVE YOU SAN!!"
The other message is addressed to Microsoft founder Bill Gates: "billy gates why do you make this possible?" it says. "Stop making money and fix your software!!"
The company pointed out that another service exists for customers to get patches.
"We are working diligently to make sure that we are going to handle the increase in traffic from the worm," said Stephen Toulouse, security program manager for Microsoft's security response center, adding that customers can also download patches from the Microsoft Download Center.
Microsoft confirmed that it is working with law enforcement to find the person or group who released the worm.
MSBlast's first attack will last until the end of the year, said security researchers, adding that the coding of the worm will cause it to continue the attack in the latter half of each month for the first six months of 2004.
Maiffret said he expects the Saturday attack will fizzle.
"I don't think Windows Update is going down," he said. "Microsoft is usually good on the network side of things."
This week's MSBlast outbreak is raising old questions about the effectiveness of software patches that are intended to secure computers.
Patchwork security: Software "fixes" are routinely available but widely ignored.
The worm has infected at least 120,000 computers and has caused internal disruptions for many companies and Internet service providers.
The University of Florida, for instance, has had hundreds of systems infected due to a compromised PC connected to its network via a dial-up line. The incident happened despite a broad initiative by the school to lock down its systems with patches, said Jordan Wiens, a network security engineer for the university.
"It's simply not as easy (to patch) as people would like, given the resources of many small departments," Wiens said.
Microsoft has attempted to step up user education and automation to convince more consumers and enterprise customers to update their systems with the latest patch for this security flaw. However, the efforts have still left many PC users in the dark about their computer's insecurities.
The CERT Coordination Center has found that as many as 1.4 million unique Internet addresses appear to be the sources of infections on the network. The number is likely inflated by dial-up and broadband users that receive a different address every time they connect to their provider's network.
Security firm Symantec offered a more conservative number, based on its intrusion detection network. It found that more than 120,000 computers appear to have been infected in the past 36 hours.
The lesson: Patching can't be relied on to keep computers secure.
"There is no one single answer," said Stephen Toulouse, security program manager at Microsoft. "We encourage defense-in-depth, but we also encourage customers to deploy the patch."
A defense-in-depth strategy calls for companies to not only secure the servers and network devices connected to the Internet, but to also secure their internal networks. In the past, a strategy of so-called perimeter security has been more common. Because holes in security are always a possibility--and usually a given--building redundancies into a corporate network could make the difference between a single breach and massive infection.
Patching is only one facet of a corporate security strategy and should be considered fallible at best, said Gerhard Eschelbeck, chief technology officer for vulnerability assessment firm Qualys. Only about 50 percent of Windows computers have had the patch applied in the last month, a typical half-life, a Qualys study found.
"We are already seeing the number of systems that are vulnerable on the Internet trailing down," he said.
In a study announced in July, Qualys found that half of all vulnerable systems are patched in the first month after a fix is available.
Home users typically patch their systems least often, said Jack Bates, network engineer for regional ISP BrightNet Oklahoma. He estimated that as much as 20 percent of BrightNet's user base had been infected.
"Home users do not actively keep up with Windows Update," he said. "Some are not even aware that it exists."
Instead of relying on its clients to patch their systems, BrightNet has blocked traffic to the vulnerable software addresses, or ports, and e-mail alerts will be sent to infected users. "This will require extensive man-hours of our personnel as well as our customers' time," he said.
Intrusion detection systems have spotted PCs the worm compromised on the networks of most major consumer Internet providers, including America Online, AT&T, Comcast, Cox Communications, SBC Communications and Verizon Communications. It's unlikely that the ISPs' systems have been infected by the worm, but a large number of clients that connect to those providers may have been compromised.
While businesses usually know of software flaws and the need to patch their systems, they don't always have time. Companies often do not patch their systems immediately, because they need time to test the fixes, said Brian Burns, manager of security operations for network device maker NetScreen.
"Microsoft patches don't receive enough QA (quality assurance) as they should," he said. "There have been times that a patch has been applied, and then the administrator has to spend hours rolling it back, because it has crashed the machine."
Microsoft has focused on providing tools for companies to further automate their management of patches. The company's Software Update Services allows companies to maintain a central service of patches internally and update systems depending on the patch's importance, a computer's level of exposure to threats on the Internet and how critical the system is.
Until companies start thinking about network security when designing their infrastructure, patching will be a difficult task, Qualys' Eschelbeck said.
"For the next four years, we are going to be stuck where we are now, because we have to pay for the sins of the past," he said.
Another problem with software patches is that they sometimes modify business applications in unexpected ways, said Rick Beers, director of supply chain technology at Corning, a $3 billion manufacturing company based in Corning, New York.
That calls for a better explanation from technology makers of what might be unintended consequences of installing patches. "Other than a magic technology solution, the only solution is much more thorough documentation from the vendor, " Beers said.
By midafternoon Monday, the worm had infected at least 7,000 computers in a matter of hours, according to data provided by security company Symantec. Still, security experts stressed that the program had several flaws that had slowed its spread.
"You are not going to see the rapid uptake of Slammer. However, it could easily be as large as Code Red," said Symantec's senior director of engineering, Alfred Huger, referring to the lightning-fast Slammer worm, which hit Microsoft SQL servers in January, and the Code Red worm, which gobbled up servers in July 2001.
The Code Red worm spread slowly at first, then quickly, after someone modified the program to fix a flaw in its code. Huger said it was likely that an online vandal would take on the task of modifying MSBlast as well.
"I think there is a really strong chance that this will be modified and re-released, if not today, then this week," Huger said. "It's very simple to unpack and very simple to modify."
The introduction of the MSBlast worm ends nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm to take advantage of a vulnerability in a widely used feature of Microsoft Windows. The worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools, such as the Trivial File Transfer Protocol (TFTP) server.
The worm is also known as W32.Blaster and W32/Lovsan.
(Please see a more complete listing on the first page.)
Denial of service in the forecast
The worm could turn out to be quite an irksome bug for Microsoft. It reinforces the notion that despite the software giant's 18-month-old Trustworthy Computing initiative, Microsoft software still has security issues. And it also aims to attack the company's network directly.
Starting on Aug. 16, every computer infected with MSBlast will start flooding Microsoft's Windows Update service with legitimate-looking connection requests. The denial-of-service attack could slow down, and even halt access to, the primary way Microsoft customers receive updates for their computers.
The worm attacks Windows computers via a flaw in a component of the operating system that allows other computers to ask Windows systems to perform an action or service. Microsoft warned about the flaw July 16. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use a computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to its resources.
MSBlast installs the TFTP server and runs the program to download the MSBlast code to the compromised server. But the way the worm causes a compromised computer to download the file is very inefficient, Maiffret said. Moreover, although MSBlast can detect whether a machine is already infected, it has to compromise the machine again before it can check.
Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability. Because the scanning process is not completely random, the worm will likely cause a lot of excess traffic on the network. It also adds a registry key to ensure that the worm is restarted when the host computer is rebooted.
Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.
That worm spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be canceled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.
Much of the damage caused by Slammer was due to the high volume of traffic that it caused. MSBlast's slower infection rate will likely mean that it will not cause as much damage.
Security experts and network administrators continue to analyze the worm and patch their networks. Microsoft Windows users can update their operating systems through the company's Windows Update service. More information about the flaw and work-arounds are available in the advisory posted on Microsoft's site.
Here we go again!
Here's how the day went: E-mail was the first to go in the morning. Then the phone--a voice-over-Internet protocol system that uses Windows Server software--went down. Just to complete the hat trick, Microsoft Word's cut and paste feature conked out without any explanation.
Misery loves company and I was not alone. For the umpteenth time in recent memory, companies around the globe were sent scrambling to catch up with an Internet worm that penetrated a security hole in Microsoft Windows. As that noted computer scientist Lawrence (Yogi) Berra surely remarked on a similar occasion, it was deja vu all over again.
Recall that more than a year ago, Microsoft made a big production of its determination to put this issue to bed. After getting repeatedly hammered for shipping versions of the Windows operating systems that were vulnerable to nasty hacks, the company let it be known that it had had enough. In January 2002, Bill Gates sent out a well-publicized company memo elevating security to the top of Microsoft's priority list.
But such is the burden of being a monopolist whose software dominates the world. Companies here and abroad expect this stuff to be bulletproof, not a perennial work-in-progress. Since when should a company receive kudos for fixing something it should have taken care of years ago?
Microsoft has argued that this is hard stuff to master. No doubt. But is it much more complicated than airline engineering or bridge construction?
Funny thing about expectations. Travelers getting onto planes expect to debark in one piece. When people drive across a bridge, they do so confident about exiting safely on the other bank. If the plane or bridge dumps out halfway, I doubt surviving family members would be consoled by the promise that Version 1.1 will take care of the glitches.
People's lives don't usually ride on the security of operating system software, but a work force reduced to twiddling its thumbs waiting for the IS department to repair a worm's damage doesn't make for a pretty picture.
To its credit, Microsoft did issue a patch for this latest worm after it was uncovered by a group of Polish hackers and independent security consultants a couple of weeks ago. However, I'd do a hard stop right there.
If this were the exception rather than the rule, I would agree that the customer should be held responsible for making sure the latest fixes were downloaded onto a company's computers. But after two decades' worth of Swiss cheese software security, the world's biggest supplier of operating system software has run out of excuses. It took scientists less time to map the human genome
Businesses, which rely on the assumption that Microsoft operating systems will stand up to attacks, might have assumed the statute of limitations on making lousy software ran out with the last of the Internet sock puppets. Users should be so lucky.