August: A Real Can of Worms
Spam, fame, opportunity fuel newest pests, but the blame goes around.
A widespread and dangerous Microsoft Windows vulnerability, spam e-mail messages, and human frailty have combined in recent weeks to produce a flood of new Internet worm attacks, say experts at leading antivirus and e-mail security companies.
August alone saw four major worm infections, according to antivirus company Symantec. As a result, it is one of the busiest months for antivirus vendors in recent memory.
Wormy Month
"Taken all together, this has been a more intense week, in terms of virus activity, than any we've seen," says Chris Belthoff, senior security analyst at antivirus company Sophos.
That activity includes the August 11 appearance of W32.Blaster, a virulent new Internet worm. It exploits a flaw in the Windows implementation of the Remote Procedure Call protocol, which enables client and server applications to communicate across networks.
The worm spread worldwide in a matter of hours, infecting hundreds of thousands of Windows machines before the outbreak began to wane, according to Internet Security Systems.
A survey of 1100 organizations by TruSecure found that almost 21 percent were infected by the worm. Also, 15 percent of corporations worldwide report a "moderate" or "major" impact on operations by Blaster.
The impact among home users, who are generally less well-protected than organizations, is probably even greater, says Marc Maiffret, chief hacking officer at eEye Digital Security.
As Blaster waned, new worms emerged that exploited the same vulnerability. Among them is W32.Welchia, also known as Nachi, which tried to patch Windows systems against the RPC vulnerability.
At the same time, a new version of the Sobig worm, Sobig.F, began bombarding e-mail accounts around the world. It is prompting new infections, warnings from antivirus companies, and hurried updates of antivirus software.
Simple Stuff
E-mail filtering company MessageLabs intercepted ten times the normal number of e-mail viruses in the 24 hours after Sobig.F appeared and has intercepted over three million copies of the virus so far, according to Mark Sunner, chief technology officer.
But the recent spate of large outbreaks doesn't herald the arrival of a new and more dangerous generation of viruses. They're not breakthroughs like the Code Red and Nimda worms in 2001, or the SQL Slammer worm in January, according to Belthoff.
"I think it's an intersection of a couple things," Belthoff says. He calls Blaster and Welchia/Nachi "opportunistic worms."
"They're all based on this Windows (RPC) vulnerability. Blaster didn't take any in-depth skill to write," he says.
In the case of the new Sobig worm, improvements in the worm's capability to send out copies of itself in e-mail messages mean even a small number of infected machines can generate massive amounts of infected e-mail traffic, according to Sunner.
MessageLabs researchers believe a link exists between the Sobig author and the spamming community. Machines compromised by Sobig may be serving as distribution stations for spam e-mail, Sunner says.
Sixty-six percent of the e-mail messages MessageLabs intercepts come from such machines, commonly referred to as "open proxies." And the increase in spam traffic corresponds closely to the appearance of worms like Sobig, Sunner says.
Multiple Causes
The intense media attention given to the worm outbreaks may have also stimulated virus and worm writers, according to Neel Mehta, a research engineer at ISS X-Force.
"Virus writers get recognized and that encourages them and others to repeat their actions," he says.
While experts tend to agree on the myriad causes of the new worms, there is less agreement about how to stop them in the future.
Most agree Microsoft and other software companies need to do a better job of weeding out glaring security holes like the RPC vulnerability. Also, companies should be more diligent about promptly applying software patches as they become available.
Vendors "need to build more stable code, but IT departments need to take patching more seriously and make it part of their overall security plan," Belthoff says. He also suggests tech support staff could do a better job of educating employees about opening or forwarding suspicious e-mail messages.
"If your end-user population is educated in the work environment, (e-mail worms) shouldn't be a problem at all," Belthoff adds.
Vigilance Urged
Others disagree, saying part of the blame lies with antivirus technology companies. The vendors still require customers to apply software patches and updates to be protected against new threats.
"Traditional antivirus protection is very reactive in nature. Antivirus vendors don't know about a new virus until their switchboards start to light up with calls from their customers, and then it's a race against time," Sunner says.
Virus writers like the author of Sobig are increasingly savvy and look to exploit that, he adds.
"They're trying to get a virus out there for a short period of time and exploit that window of time using a mass propagation tool like e-mail," Sunner says.
More security vulnerabilities like the RPC vulnerability are inevitable, as are new worms to exploit them, according to experts.
Even more troubling, the window of time between when vulnerabilities are disclosed and when worms and viruses that exploit them appear is likely to shrink further.
It took six months for the SQL Server vulnerability to be turned into the SQL Slammer worm. The Windows RPC vulnerability was exploited in just three weeks.
"There is more awareness of vulnerabilities and more motivation to go ahead and write malicious code, because of the attention previous worms have gotten," Mehta says.