Worm Wave Rolls On

Users seek an end to the torrent of infections plaguing the Internet, but security vendors and analysts say there's no silver bullet or comprehensive patch--and new variants keep on coming.
While hackers bicker back and forth, all users want is an end to the torrent of worms that's ravaged the Internet this week.

While it's not difficult to stymie one worm, it's a different story when that one becomes a tsunami that just keeps coming, security analysts said Thursday as they offered advice. Unfortunately, said Ken Dunham, director of malicious code research at iDefense, "there's no single magic bullet and no comprehensive patch against all of these new worms."

Chris Potter, an analyst at PricewaterhouseCoopers in the United Kingdom, agreed. "Anti-virus software alone doesn't solve the problem."

That's not surprising, what with the sheer number of worms that have struck in the last seven days: 16 by Network Associates' count, including 9 Bagles, 4 Netskys, 2 MyDooms, and 1 Hiton.

Because all of these worms deliver their payloads disguised as file attachments to E-mail messages, the oldest advice remains the best. "First and most important--and this is a social engineering aspect that's a little hard to master--don't open or execute unexpected E-mail attachments," Brian Foster, product manager for Symantec's anti-virus group, said during a Web conference Wednesday.

But as the dramatic spread of some of these worms shows, not everyone heeds the advice. The problem is that worms hijack addresses from infected machines to propagate, so the next victim believes the message comes from someone he or she knows and that it, and its attachment, can be trusted.

"If you're not expecting an attachment from somebody, be wary of opening [it]," Foster said.

Another practice that can prevent infection is to block specific file types at the gateway, and/or set companywide policies on the E-mail clients deployed on workstations.

"These E-mail-borne threats can be blocked by applying policies across the company," Alfred Huger, senior director of engineering at Symantec's virus watch group, said Thursday. As an example, he noted that the more recent versions of Microsoft Outlook--by default all those since Outlook 2000 Service Release 1--let administrators lock out specific file attachment types from arriving or being accessed by employees.

"You should roll out the security updates for Outlook that prevent access to file attachment types like .exe, .scr, and .pif," said Huger. "You should implement that policy across the board, then allow only those specific people who require access to a particular file type to receive them."

Links to Outlook's security update, as well as information about Outlook's and Outlook Express 6's attachment blocking features, can be found on Microsoft's Web site.

Blocking some file types--.exe, .bat, .scr, and .pif--is standard in most organizations because they've been used by prior worms and viruses to wreak havoc. But the .zip file format, used to compress large or multiple files for archiving and/or faster delivery via E-mail, is one that many companies still allow through the gateway.

And by the statistics of this week's wave of worms, that's potentially hazardous. Of the 16 worms discovered since last Friday, 13 include, or may include, .zip attachments.

But security experts are mixed when it comes to labeling .zip as a threat that should be banned from business.

"To deal with this many worms, companies may need to block more file extensions," said Vincent Gullotto, VP at McAfee's Avert virus-research team. He recommended blocking .pif attachments, for instance--seven of the week's 16 worms may use that extension--"but I think .zip is still relatively safe."

Chris Belthoff, a senior security analyst at anti-virus firm Sophos, strongly disagreed. "Some of these worms are taking an interesting new tactic; they're deliberately trying to get by gateway scanning by password-protecting the .zip file attachments," he said. "Zip files are not to be trusted, period."
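The two gateway controls discussed above--a block-list of attachment extensions and closer scrutiny of .zip attachments, including the password-protected archives Belthoff describes--as an added Python example. This is not code from the article or from any vendor quoted in it; the mail samples, sender addresses and attachment contents are constructed placeholders, and the `sample_zip` helper sets the archive's "encrypted" flag by hand only because the standard library cannot write encrypted zips.

```python
"""Gateway attachment policy check (added example; not code from the article).

Applies the two controls the article describes: a block-list of attachment
extensions (.exe, .bat, .scr, .pif) and inspection of .zip attachments, so
that an encrypted ("password-protected") archive, or one that carries a
blocked file type, is flagged instead of waved through.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the article names as commonly blocked at the gateway.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".scr", ".pif"}


def _extension(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data):
    """Reasons to block a zip payload (an empty list means it passed)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # General-purpose flag bit 0 marks an encrypted entry: the
                # scanner cannot look inside, so treat it as untrusted.
                if info.flag_bits & 0x1:
                    reasons.append(f"encrypted entry {info.filename}")
                if _extension(info.filename) in BLOCKED_EXTENSIONS:
                    reasons.append(f"blocked type inside archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("malformed zip")
    return reasons


def evaluate_message(raw_bytes):
    """Return [(attachment name, reason)] for each attachment violating policy."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in BLOCKED_EXTENSIONS:
            verdicts.append((name, "blocked extension " + ext))
        elif ext == ".zip":
            for reason in inspect_zip(part.get_payload(decode=True) or b""):
                verdicts.append((name, reason))
    return verdicts


# --- constructed samples (no real malware; payloads are placeholder bytes) ---

def build_message(attachments):
    """Constructed sample: one mail with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # placeholder sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: your document"
    msg.set_content("Please see the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def sample_zip(entry_name, mark_encrypted=False):
    """Constructed zip holding one placeholder entry.

    The standard library cannot write encrypted archives, so for the sample
    we set the 'encrypted' flag (bit 0 of the general-purpose flags) in the
    local and central headers; that is the field a real encrypted zip sets
    and the field inspect_zip() keys on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, b"placeholder bytes, not a real program")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(signature) + flag_offset] |= 0x01
    return bytes(data)


def scan_samples():
    """Run the policy over four constructed mails and return the verdicts."""
    samples = {
        "clean": [("report.pdf", b"%PDF-1.4 placeholder")],
        "exe": [("setup.exe", b"MZ placeholder")],
        "zip_with_exe": [("invoice.zip", sample_zip("invoice.exe"))],
        "encrypted_zip": [("update.zip", sample_zip("update.scr", mark_encrypted=True))],
    }
    return {label: evaluate_message(build_message(atts))
            for label, atts in samples.items()}


if __name__ == "__main__":
    for label, verdicts in scan_samples().items():
        print(label, "->", verdicts or "allowed")
```

The design choice worth noting is that the zip check never needs the archive's password: the central directory lists every entry's name and flag bits in the clear, so an encrypted archive, or a plain one carrying a .exe or .scr, can be refused at the gateway without opening it. Which of those two conditions to enforce is exactly the policy question the analysts above disagree on.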

A third strategy that may limit exposure is to update anti-virus software definitions more frequently when multiple worms pop up in a 24-hour span.

This tactic, which Symantec's Huger said was already being used by most businesses--"For most of our commercial customers, decreased time between updates is already a best practice," he said--plays best to the consumer crowd, which is notorious for neglecting virus updates.

Symantec's Foster said other best practices that can help during security stresses--as well as in those weeks when worms aren't so prominent on the Internet and in the news--include turning off unnecessary file sharing (some of the recent worms can also spread via network shares) and isolating infected machines as quickly as possible.
