On the surface, the so-called Zotob worm, also known as Bozori, doesn't appear to be much different from earlier Internet worms such as Blaster or Sasser. Like those, Zotob exploits a known software vulnerability to spread among machines. But the latest malware didn't have the same kind of far-reaching impact. "We've seen no telltale signs of an epidemic on the Internet," says David Emm, a senior technology consultant for the Moscow-based Kaspersky Lab Inc., via E-mail. "We've had no reports of infection from individual users."
The worm's spread was mostly confined to localized "explosions" inside business IT environments, where Microsoft's Windows 2000 operating system--the target of the attack--is more prevalent than on home PCs. "These organizations, typically made up of 'small internets' behind heavily defended Internet gateways, have experienced infection," Emm says. The outbreak portends a change in scenarios in which businesses are at increased risk of internal infection while the Internet itself avoids much of the impact.
That's good news in the sense that improvements in PC security have contributed to the decreased effectiveness and appeal of mass attacks. The bad news is that stronger defenses shift the focus to weaker links, including techniques designed to dupe people. "There's no doubt that social engineering plays a huge role in the success of these attacks," says Shane Coursen, senior technology consultant with Kaspersky.
Zotob grabbed the business community's attention because it was so unexpected. Companies have gotten better at virus protection, and there haven't been any huge disruptions in a couple of years. According to InformationWeek Research's annual security survey, a majority of companies have deployed virus-detection software and network firewalls, and nearly half have intrusion-detection systems in place.
"Organizations have been secured behind their 'impenetrable' firewalls, filtering all E-mails and stripping all executable content," Emm writes. "Businesses felt secure and confident that no attack could reach them. The blow from the inside was all the worse for being totally unexpected."
But there remain weak spots, to be sure. Our survey finds that only about a third of companies have intrusion-prevention systems or products to help them manage security events. And the typical office worker may be oblivious to what can go wrong. Only one in five survey respondents say their companies provide security training to PC users.