Opportunism, spam behind worms

A widespread and dangerous Microsoft Corp. Windows vulnerability, spam e-mail messages and human frailty combined in recent weeks to produce a flood of new Internet worm attacks, according to experts at leading antivirus and e-mail security companies.

August saw four major worm infections alone, according to antivirus company Symantec Corp., making it one of the busiest months for antivirus vendors in recent memory.

“Taken all together, this has been a more intense week, in terms of virus activity, than any we’ve seen,” said Chris Belthoff, senior security analyst at antivirus company Sophos PLC.

That activity included the appearance of W32.Blaster on Aug. 11, a virulent new Internet worm that exploited a flaw in the Windows implementation of the Remote Procedure Call (RPC) protocol, which enables client and server applications to communicate across networks.

The worm spread worldwide in a matter of hours, infecting hundreds of thousands of Windows machines before the outbreak began to wane, according to Internet Security Systems Inc. (ISS).

A survey of 1,100 organizations by TruSecure Corp. found that almost 21 per cent were infected by the worm, with 15 per cent of corporations worldwide recording a “moderate” or “major” impact on operations by Blaster.

As Blaster waned, new worms emerged that exploited the same vulnerability, including W32.Welchia, also known as Nachi, which attempted to patch Windows systems that had the RPC vulnerability. (See “Blaster a bust…,” page 1). At the same time, a new version of the Sobig worm, Sobig.F, began bombarding e-mail accounts around the world, prompting new infections, warnings from antivirus companies and hurried updates of antivirus software.

E-mail filtering company MessageLabs Ltd. of New York City intercepted 10 times the normal number of e-mail viruses in the 24 hours after Sobig.F appeared and has intercepted over three million copies of the virus so far, according to CTO Mark Sunner.

But the recent spate of large outbreaks doesn’t herald the arrival of a new and more dangerous generation of viruses, as did the appearance of the Code Red and NIMDA worms in 2001, or the SQL Slammer worm in January, according to Belthoff.

While experts tend to agree on the myriad causes for the new worms, there is less agreement about what to do to stop them in the future.

Most agree that software companies such as Microsoft need to do a better job of weeding out glaring security holes like the RPC vulnerability, while businesses should be better about promptly applying software patches as they become available.