Last summer and fall, companies took a one-two punch from Code Red and Nimda, which introduced a new type of Internet attack sometimes called a blended threat. Both worms spread by exploiting vulnerabilities in Microsoft's Internet Information Services. Nimda, for example, infected hundreds of thousands of networks by moving through E-mail, Web browsing, and files shared across networks (see story, "Nimda's Biography").
Code Red and Nimda cost businesses worldwide $3 billion in lost productivity and to test, clean, and deploy patches to computer systems, according to research firm Computer Economics. Each infected hundreds of thousands of systems worldwide. On July 19, 2001, more than 359,000 computers were infected with the Code Red worm in less than 14 hours, and at the height of its spread, there were 2,000 new infections each minute, says the Cooperative Association for Internet Data Analysis, a collaborative of research, government, and commercial businesses.
Nimda and Code Red were the most recent and "successful" blended threats. A blended threat is a malicious application that uses the same methods to spread as an ordinary virus or worm, but blends in the capability to spread through, or attack, security vulnerabilities commonly found in applications and operating systems. A virus needs to be a script or macro, or to attach itself to an executable file, while worms often spread through memory and disk space. A blended threat may attempt to infect a system by having the properties of a mass E-mail virus and also by looking for software that hasn't been updated to plug a security hole, then infecting or attacking that operating system or application.
Once a blended threat gets into a desktop or server, the destruction is limited only by the imagination of its creator. For example, it can destroy or manipulate files. Or, it can leave back doors, secret ways to get back into a system left by the programmer; Trojan horses, programs that appear to be benign but aren't; and zombies, small programs that can be awakened later to turn the infected system into one of many systems used to launch distributed denial-of-service attacks that overload a server with information requests. Blended threats create "virtual hackers" by automating the ways hackers break into systems.
SecurityFocus, which monitors security events across 9,000 data points located in 140 countries with its Aris Threat Management System, estimates that more than 20,000 systems are infected with Code Red. "The likelihood is very high" that a distributed denial-of-service attack could be launched from these infected systems toward any Web site or server, says Mario Van Velzen, Aris threat analyst manager. Because these machines are infected, he says, attackers can easily collect a list of infected IP addresses and use that list to "seed his or her own attacks. ... A well-orchestrated attack would be devastating to the target of the attack, and potentially many intermediate points, and would add a severe strain to the infrastructure."
The effects of such attacks are staggering: A successful virus strike costs individual businesses from $100,000 to $1 million in cleanup and related costs, according to ICSA Labs, a security research and certification organization, in its annual Virus Prevalence Survey 2001. To minimize the costs of virus attacks, blended threats or otherwise, companies have implemented new security tactics in the past six months and security vendors are developing tools to help businesses better defend themselves against this new class of threat.
"Blended threats are a continuation of the evolution of malicious code," says Vincent Weafer, director of Symantec Corp.'s Antivirus Research Center. He and other experts predict such attacks will continue to evolve, although they're not sure exactly what course the attacks will take. Software security holes that don't appear to pose a threat toward businesses at first glance, such as those on home PCs, may make a perfect platform for virus writers to strike their next toxic hit, says Carey Nachenberg, chief architect of Symantec's security response.
Nachenberg envisions a blended threat ripping through millions of instant-messaging applications and turning each infected system into a launching pad for a distributed denial-of-service attack. For example, a zombie in an infected system can be awakened and used to send numerous bogus requests to a Web site or server, so many that the server can't keep up and the site becomes unreachable. "Such a threat could literally stop B-to-B commerce," Nachenberg predicts. But a distributed denial-of-service attack isn't the only doomsday scenario. "Imagine a worm that destroyed Excel spreadsheets, or turned every 1 to a 0. When these hit, they won't affect just individual users but entire sectors of the economy."
How likely is it that a blended threat could leverage the infection of millions of IM users to launch an effective distributed denial-of-service attack? Even if 90% of users patched vulnerabilities in their IM software (and that's a generous estimate), that would leave roughly 2 million systems that could be hijacked into performing a potentially devastating denial-of-service attack.
A successful cybervandal wouldn't even need that high a success rate to launch an overwhelming attack. "One million zombies would be horrendous. Imagine trying to go to all of the ISPs in the world and asking them to shut down the machines attacking certain Web sites," Nachenberg says. "This is one of our biggest fears. The scope is huge."
So far, businesses have avoided disaster. Luckily, hackers didn't write recent hybrid threats Code Red, Code Red 2, and Nimda to do damage to critical data. Although Nimda and Code Red tore through IT systems, they didn't attack data. And a tactical flaw in Code Red's programming kept it from successfully denying access to the White House's official Web site, www.whitehouse.gov, with a distributed denial-of-service attack, as the author had hoped. But what's to stop the next successful blended threat from destroying or encrypting data, or launching a bandwidth-choking denial-of-service attack? Nothing at all.
By using multiple ways to spread and targeting existing software vulnerabilities, these types of attacks have been successful at initially bypassing traditional antivirus, firewall, and intrusion-detection protection. IT managers who hope to defend their systems from these types of attacks have started implementing more defensive security postures and policies.
They're targeting several areas: supplementing conventional security applications and scanning their networks more aggressively for the new and unrepaired software vulnerabilities that made Code Red and Nimda possible. Many have decided to block script and executable extensions, including .exe, .vbs, and .scr, at the E-mail gateway. They're also disabling unused services on their servers, and many are starting to increase employee security awareness in areas such as E-mail viruses and the importance of keeping their notebook computers protected with antivirus software and personal firewalls when logging on to the Internet from remote locations.
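The gateway-side attachment blocking described above is easy to get subtly wrong: a filter that looks only at the last extension misses "readme.txt.exe", one that trusts the sender's declared Content-Type misses an executable labelled as audio, and one that looks only at names misses an executable renamed to .txt. The following is an added example, not code from the article or from any vendor it names: a minimal E-mail gateway attachment filter that blocks script and executable attachments by name and, as a second check, by the "MZ" header that Windows executables carry regardless of their filename. The blocked-extension list beyond .exe, .vbs and .scr, and the sample messages, are assumptions constructed for the example.

```python
"""Added example (not from the article or any vendor it names): a minimal
E-mail gateway attachment filter of the kind the companies above describe."""
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names plus a few common script types; the exact
# list is a site policy decision (assumption made for this example).
BLOCKED_EXTENSIONS = {"exe", "vbs", "scr", "pif", "bat", "cmd", "com", "js", "wsf"}


def blocked_reason(filename, payload=b""):
    """Return why an attachment should be blocked, or None if it is allowed.

    Every dotted suffix is checked, not just the last one, so double
    extensions such as 'readme.txt.exe' and upper-case or padded variants
    such as 'INVOICE.VBS ' are caught. The payload is then inspected for the
    'MZ' magic of a Windows executable so that an .exe renamed to .txt does
    not slip through on its name alone."""
    if filename:
        for ext in filename.lower().split(".")[1:]:
            ext = ext.strip()
            if ext in BLOCKED_EXTENSIONS:
                return f"extension .{ext} is blocked"
    if payload[:2] == b"MZ":
        return "payload is a Windows executable (MZ header)"
    return None


def scan_message(raw_bytes):
    """Parse one RFC 2822 message and return a list of (filename, reason)
    tuples for every attachment the gateway would block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        # The declared Content-Type is untrusted: only the name and bytes decide.
        name = part.get_filename() or ""
        reason = blocked_reason(name, part.get_payload(decode=True) or b"")
        if reason:
            blocked.append((name, reason))
    return blocked


def build_sample_message():
    """Constructed sample message: a benign PDF-looking attachment, an
    executable declared as audio, a double-extension script, and an
    executable renamed to .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="audio",
                       subtype="x-wav", filename="readme.exe")
    msg.add_attachment(b"MsgBox 1", maintype="text", subtype="plain",
                       filename="notes.txt.VBS")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="text",
                       subtype="plain", filename="renamed.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name!r}: {reason}")
```

Running the block blocks three of the four constructed attachments and lets report.pdf through. The filter says nothing about what is inside an archive or an Office document with macros, which is why the article pairs gateway blocking with patching, vulnerability scanning, and current antivirus software rather than relying on any one of them.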
Since last fall, Fiserv, in Brookfield, Wis., has increased the number of E-mail file attachments it blocks, doubled up on software vulnerability scanning, and re-evaluated how often it patches servers. "We now have quality control," Brewer says. "We have one person hardening the systems and another following up to check that it's been done. We can't afford any missed systems."
Following the Code Red and Nimda attacks, a large paper-products producer that asked not to be identified also enhanced its strategy toward fighting malicious code, according to the company's senior security manager. The company's communications among internal security staff, IT, the CERT Coordination Center, and software vendors had broken down. New procedures are now in place for whom to contact, when, and for what reasons. The company also further automated the way it deploys patches and has started scanning its internal networks for new vulnerabilities on a monthly basis, a process done only sporadically in the past.
Before the Code Red and Nimda attacks, the paper company steadily deployed security patches for external, Internet-facing systems. The staff found more than 150 internal systems vulnerable to Nimda. "We identified these systems quickly and patched them. We had people running around fixing things, but that's what we pay them for," the company's security manager says. Despite those efforts, Nimda still infected the company, but "we had no business impact whatsoever," he says. The additional efforts still are not enough to put security staff at ease. "Nimda-type attacks will get more frequent, more complicated," he says.
Amid the gloom, there's some hope that the next blended threat strikes won't be as devastating. Many companies appear to have learned from the Code Red and Nimda attacks. Many businesses had hardened their Internet-facing servers, but were lax patching internal desktops and servers because these weren't thought to be at high risk from an Internet-based attack. "After Code Red, everyone got serious about patching systems on the inside of their networks," says Leo Cronin, senior director of information security with information provider and publisher LexisNexis Group in Miamisburg, Ohio.
Both Nimda and Code Red took great advantage of this weak security plan. They preyed on notebook-computer users who were unknowingly infected when they logged on to the Internet from home or on the road. When they later logged their notebooks on to the internal company network, the worms tore through the weaker internal systems with ease.
Risk-mitigation advice from TruSecure, including blocking unnecessary and dangerous attachments, scanning to find vulnerabilities in the network and applications, and appropriate patching of systems, made Nimda "a nonevent. If you implement best practices, you'll mitigate 80% of your risk," Cronin says.
Although companies such as the paper-products manufacturer and Fiserv avoided damage from the blended threats, many companies paid their share of the $3 billion cost of the attacks. A large metals processor on the East Coast took a hit from Code Red, which strangled the internal bandwidth of its networks. The external system was able to fend off the blended threat, but one of the company's contractors became infected. When the contractor connected to the metals processor's internal systems, Code Red found vulnerable systems, and servers were instantly infected. "We were watching the firewall and it was 'Wow! Where is all this traffic coming from?'" says the company's chief security officer, who wished to remain anonymous.
"After that, management started to make the investments we needed to secure our networks," the chief security officer says. But maybe not enough, he says, adding that he's been unable to bring information security to a level he's comfortable with because of a lack of staff. That may be improving, as the company recently decided to outsource some of its security management. "Now we're outsourcing intrusion detection and firewall management. We haven't had intrusion detection until now. Fact is, the threats are coming in faster than we can deal internally," he admits.
And like most other companies, the metals processor has bolstered its efforts to fend off blended-threat attacks with increased employee security training on the basics and quarterly vulnerability assessment testing. "A year ago, we weren't doing this stuff," the chief security officer says.
Despite the greater threats to desktop systems, many businesses are wary of deploying desktop firewalls companywide. Desktop firewalls represent yet another security application to manage, meaning increased costs.
Deploying personal firewalls on each desktop is expensive and "another management nightmare," says Doug Shew, project leader for Affinity Health Systems, a health-care company in Menasha, Wis. Fiserv's Brewer voices a similar opinion. Many companies also are deploying application firewalls from companies such as Harris, Okena, and Sanctum (see "Hackers Sneak Through Open Doors In Applications," Feb. 25, 2002).
The ever-morphing virus and worm threat can be costly, Shew says. He's been relying on Network Associates Inc.'s ePolicy Orchestrator to manage the McAfee antivirus software across the company's 2,500 desktops. The tool's ability to help them centrally manage antivirus policies and update virus definitions, and to ensure those updates are successful, has reduced costs and increased security, he says. "It greatly reduces our overhead," he says, adding that it stops about 20 potential virus attacks every day.
Blended threats, with their sophisticated potential to simultaneously hit E-mail, desktops, and Web- and internally facing servers, require sophisticated tools to help correlate security-related information from intrusion-detection systems, antivirus software, firewalls, routers, and servers spread across the network. Such security-management software has been available for some time from smaller vendors such as e-Security Inc. and netForensics Inc., as well as from established network systems-management vendors such as IBM's Tivoli Systems unit and BMC Software Inc., but it has yet to gain widespread adoption. "Many of these tools are still maturing. We don't think they are anywhere near being able to tie in hundreds of firewalls and IDS systems to make sense of data. Most are consolidated event managers," says John Pescatore, a security analyst with Gartner. "If you look at what the managed security service providers are doing, they are building their own. That should tell you something," he says about off-the-shelf security management consoles.
To help ease the security software-management burden, vendors such as Network Associates' McAfee and Internet Security Systems Inc. are announcing increased integration of their intrusion detection, personal firewall, and virus protection software. Last month, McAfee released Desktop Firewall 7.5 and says it now can also be centrally managed through ePolicy Orchestrator. Internet Security Systems also says its security-management console, RealSecure SiteProtector, now unifies the management of its network, server, and desktop intrusion-detection systems. Internet Security Systems says it will soon expand SiteProtector to not only manage its own products but also security applications from other vendors, including CheckPoint Software Systems, Cisco Systems, Nokia, and Sun Microsystems.
Affinity's Shew says he welcomes the news and that the ability to manage desktop firewalls via ePolicy Orchestrator could help to reduce costs.
The threat posed by blended threats won't disappear until overall software quality improves and software vendors ship software with fewer security holes. Until then, companies will need to invest in layered security: more segmented internal networks to limit the spread of malicious code within their network perimeters; filtering of content entering over the Web and through their E-mail gateways; current antivirus, firewall, and intrusion-detection software; and constant vigilance in scanning their networks and applications for vulnerabilities that leave them susceptible to attack.
"Someone's going to find another vulnerability to exploit," Brewer says. "We're doing all we can to stay ahead of the curve; it's just that the curve is always right behind us."
Like Brewer, most security administrators fear The Next Big Hit, and for good reason. Future blended-threat attacks are bound to occur; it's just a matter of when, says Roger Thompson, director of malicious code research for TruSecure Corp., a security vendor. "Nimda was listed as version .5 by its author, so it's reasonable to expect a version 1.0," he says. Not only that, but the remnants of Code Red and Nimda still linger throughout the Internet.
Fiserv has increased the number of E-mail file attachments it blocks, doubled its software-vulnerability scanning, and re-evaluated how often it patches its servers, lead security analyst Brewer says.
Still, not everyone has gotten the message. Nearly 10 months after Code Red struck and eight months since the first signs of Nimda, thousands of machines still remain infected, with new infections occurring each month. "Once these worms are out there, they become a permanent part of the environment," says Russ Cooper, surgeon general for TruSecure. Security analysts aren't sure why so many systems are still getting infected, although most agree that the infections are from new Internet servers or systems that don't contain updated software patches for Microsoft Internet Information Services servers or Internet Explorer.