Network News

X My Profile
View More Activity

As the Worm Turns

Since Sunday, when Security Fix first warned readers about the emergence of the Zotob worm, nearly a dozen variants have emerged, each slightly more dangerous or sneaky than the one before. Yesterday, it came to light that many companies, including several prominent news outlets, had fairly extensive infections by the worm and its brethren. This should be a surprise to no one, and these threats can be expected to continue to affect companies and individuals for several weeks -- if not months and years.

There are a number of reasons for this: First off, patching flaws of this nature in large enterprises takes time, and Microsoft just released a patch for this particular problem one week ago. Also, patching across shared networks often is far more complicated than simply telling each desktop Windows machine to head over to Microsoft Update and download the latest fixes. Software updates have a funny way of breaking custom-built software applications, and most big businesses have plenty of custom -- or at least specially tweaked -- applications that've been trashed in the past by an ill-tested security patch. So network administrators (particularly those at certain government organizations) like to take the time to make sure patches don't break or otherwise interfere with existing applications before deploying them.

Second, Zotob and his pals fall under the heading of network worms, which means they can spread to vulnerable (unpatched) computers without any action on the part of the computer user, other than getting online. Network worms are fairly easy for companies to thwart when they're coming from the outside: Most big Internet service providers filter the type of traffic they generate, and most companies don't (or shouldn't) allow such traffic to flow into or out of their network. But even a single infected computer that joins an internal network -- through an infected laptop an employee brings in from home, for instance -- can jinx all of the unpatched machines on that network. Network worms can also sneak around firewalls and other defenses by arriving as e-mail attachments that launch their infectious code when opened by the recipient.

Thirdly, the bad guys know all of the above, and will continue to try to use this and other recently disclosed flaws to launch targeted attacks against companies.

Finally, network worms almost never entirely go away. That's because for the foreseeable future, people will continue to blithely come online with new Windows computers that do not have the latest patches installed. Most of the accounts I've seen so far of the Zotob family seem to indicate they are not spreading all that quickly. That is probably because ISPs generally no longer allow this traffic to flow between networks.

However, this whole situation reminds me of when the Blaster worm first struck back in August 2003 and we asked everyone for their best estimates of how many Windows computers had been infected by Blaster and its subsequent variants. The answers that came back almost invariably were in the low hundreds of thousands, and that may have been accurate at the time. Fast forward about five months to when Microsoft released its Blaster removal tool. A few months after that, the company acknowledged that its tool had removed the virus from more than 8 million Windows PCs.

I wonder if Microsoft will get around to offering another $250,000 reward for the head of the virus author(s) who released the latest worm. Consider the three cases in which Microsoft offered such a bounty:  For weeks after the Mydoom and Blaster worms first surfaced, online crooks used them to steal personal information and to commandeer millions of Windows machines for use as spam relays, online attack "zombies," that sort of thing.

But it wasn't until after a virus copycat tweaked the worms to directly threaten or embarrass Microsoft in some way that the company put up the reward money. The author of the original Blaster worm -- who coordinated an attempt to take down the Microsoft site that serves up security patches -- remains at large. The individual(s) behind the Mydoom.b worm, who attacked Microsoft and another software company -- SCO Group -- also have never been found. Microsoft also offered an outstanding bounty for whomever was behind two versions of the Sobig virus, which were crafted so that they appeared to have been distributed from within Microsoft.

(Though it had not initially offered a reward for information leading to the arrest of the Sasser worm writer, Microsoft said earlier this year that it would split a $250,000 bounty between a pair of German teens who turned in a classmate who later admitted authoring the thing.)

By Brian Krebs  |  August 17, 2005; 1:40 PM ET
Categories:  From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: A Media Worm?
Next: Latest Worms Duke It Out

Comments

I would like to say, that my computer has been running slower than usual for the past few days. I do not know if it has anything to do with these viruses, but please may you help me.

Posted by: John | August 17, 2005 11:28 AM | Report abuse

Posted by: Xavier Ashe | August 17, 2005 11:38 AM | Report abuse

Sure, I can help. Replace the hard drive and install Linux. Forget microsoft. Or buy an apple macintosh !

Posted by: Rick | August 17, 2005 11:38 AM | Report abuse

Blah blah blah....use Linux instead...blah blah blah Macintosh..

Sorry, but I prefer being productive.

Posted by: JQ | August 17, 2005 11:46 AM | Report abuse

If theses companies had the Microsoft built-in firewall turned on, then this would not have been a problem. If the firewall conflicts with resources, then system managers should have select ports open with a scope for particular machines set.

I find it ridiculous that people are being hit with this worm, particularly after waht we saw happen with the Blaster virus awhile back.

--
Anon @ iSchool

Posted by: What about Windows Firewall? | August 17, 2005 11:47 AM | Report abuse

When is Microsoft going to start being held liable for introducing products as secure when they are fully aware of the defects they have in them?

Posted by: Paul | August 17, 2005 11:48 AM | Report abuse

And perhaps upgrading all of those Windows 2000 PCs to a current operating system would be a good thing to do.

Either that or install similar security software that the vendor (MS) opted to include into the system, since that probably means it is important.

Given the patch management that exists from companies like hfnetcheck and such, it just seems irresponsible on the part of any IS administration to let things like this happen.

same anon person...

Posted by: Follow-up to last post | August 17, 2005 11:51 AM | Report abuse

All the more reason to NEVER EVER UNDER ANY CIRCUMSTANCES use a Microsoft Box for a web server. I dont ever think I have ever heard of a Linux box getting a worm and rebooting. Guess they learned the hard way.

Posted by: stormkrow | August 17, 2005 11:52 AM | Report abuse

If you run the format C: command in a dos prompt your computer should speed up significantly.
[Editor's note: Don't do this. It's a joke.]

Posted by: Phil McCrack | August 17, 2005 11:53 AM | Report abuse

$250K bounty on school children! Im sure thats morally right.

If a school child can bring your company communications to a stand still, invest in a different platform.

Sun Solaris , Apple Macintosh , Novell Suse Linux all offer much much better virus protection.

Posted by: adam | August 17, 2005 11:57 AM | Report abuse

arent we linux user appreciate linux, at least we dont have to worry much about being affect by such worm that set out to target Microsoft. so yea, definitely switch to linux if possible.

Posted by: cam | August 17, 2005 12:00 PM | Report abuse

you can see why China didn't go and put microsoft on its computers now.

CEOs and other business leaders - if you want to do long term business with the worlds fastest growing economy, do not get tricked by sales pitches.

Posted by: anon | August 17, 2005 12:00 PM | Report abuse

> And perhaps upgrading all of those
> Windows 2000 PCs to a current
> operating system would be a good
> thing to do.

Didn't you RTFA? It says that companies have lots of in-house apps that will break with a security patch, let alone an OS upgrade.

Companies and their IT staff are too cheap to keep up with the latest systems. Any company that does the right thing will get punished by Wall Street, so the larger companies are the worst in keeping up-to-date.

Posted by: Petey | August 17, 2005 12:02 PM | Report abuse

Is it only me that finds the timing a little coincidental? Microsoft begins the update and patch blocking for systems that confirm they are genuine MS products and the next big virus is out?

Posted by: Obvious | August 17, 2005 12:05 PM | Report abuse

Maybe all of those network shops should not have ripped out NetWare !!

Posted by: PHL-CAW | August 17, 2005 12:06 PM | Report abuse

No offense, but he probably picked up the viruses by downloading "free" software.

Avoid free software if you don't completely trust and know the source!

Posted by: Rick | August 17, 2005 12:07 PM | Report abuse

MS spent far more that $250,000 trying to get people to install the security patch long before blaster was ever released. The they spent over $10,000,000 helping people recover their PCs, those same people that didn't install the fix in the first place.

Next, they delayed Longhorn, putting their developers back onto WinXP to tighten down security to prevent this in the future.

Only the foolish can believe that MS had to be embarrassed before they produce the $250K wanted poster, like this article suggest. They probably spent more that that just advertising the reward. This was just one step of many to tighten total computer security.

On a different subject, has anyone noticed that all the big players now release their security patches on the day after Microsoft's Security patches?

-rwg

Posted by: rwgreene | August 17, 2005 12:18 PM | Report abuse

Use a Mac, be more productive. Avoid viruses, crappy software engineering, and the worst coding on the planet by refusing to use Microsofts shoddy goods.

Posted by: Wisdo | August 17, 2005 12:22 PM | Report abuse

This worm, like almost all other bits of malware, is easy to avoid unless you're hopelessly careless, or utterly retarded. But sure, if you're too stupid to install and use a hardware firewall, and other good security measures, avoid Windows. The rest of us will continue being productive without having to freak out after the fact.

Posted by: x | August 17, 2005 12:27 PM | Report abuse

The problem is that MS expects its users to be very computer savvy. That's the wrong stance. The MS software is designed for the wrong audience. If you needed to know as much about a car as you need to know about MS Windows in order to safely use it, you'd be walking a lot more. Continuing, if your car needed as many fixes for your car as Windows does to keep it safe, you'd be suing the car dealer under a lemon-law statute.

Posted by: Jeff | August 17, 2005 12:30 PM | Report abuse

I would like to respond to John: Please do yourself a favor and buy an Apple computer or install any flavor of Linux that you choose.

I have been virus free for 6 years now using OS X and Linux... So long Microsoft

Posted by: kerminatorx | August 17, 2005 12:32 PM | Report abuse

Windows is by far the best operating system out there, why else would it have so many viruses/worms/trojans? If it wasn't the best, it would have zero viruses (like OS X)but instead it has over 65,000.

Posted by: jo jo the dancer | August 17, 2005 12:50 PM | Report abuse

Nice article. Not only did I get info on the latest worm, but I must have also killed a tree as well. I foolishly printed your story and 22 pages later, most of which are blank, I got the story.

Posted by: Robert Maloney | August 17, 2005 1:04 PM | Report abuse

John: slow performance may be a side-effect of the current worm chewing up network resources.


And while 90% of the windoze boxes in my office are toast, all my *nix boxen are running happily.

microsoft the "best" Os becasue it has flaws?

love that logic.

Posted by: frijole | August 17, 2005 1:05 PM | Report abuse

Some of you are missing the point here. The worm attacks Windows 2000 machines and they do not come with any firewall from Microsoft.

Furthermore, the comment about prefering productivity does not compute, and I would bet that the user has not tried any of the alternatives.

The amount of productivity lost over this one incident will exceed the cost of all of the patching activity ever expended on HP-UX, Solaris, BSD, Linux, OS-X, MacOS, etc., take your pick, from their inception until now. My personal experience is with HP-UX and Solaris. No worms here.

No one ever needed network plug and play in the first place, it was just another Microsoft service looking for a worm or virus to use it.

Anyone who runs Windows of any kind on a server of any kind and still has a job should be thankful.

Posted by: Gandalf | August 17, 2005 1:09 PM | Report abuse

If I am not on a network do I really have to worry about this virus?

Posted by: John | August 17, 2005 1:14 PM | Report abuse

Are these variants really decreasingly dangerous?

Read this sentence again:

Since Sunday, when Security Fix first warned readers about the emergence of the Zotob worm, nearly a dozen variants have emerged, each slightly more dangerous or sneaky than the next.

Posted by: Grammarian | August 17, 2005 1:17 PM | Report abuse

Microsoft gets alot of flack but here's the reality... Microsoft is a big target. Nobody likes him (especially the hackers) and they control alot of data. People don't go after Linux because that's only going to get you into a couple percent of the computers out there. I'm skeptical whether or not any OS can truly be secure. Linux has had many, many security problems and they've (generally) been patched quickly. The problem there is that you have to keep up with an enormous number of patches (all of which can have unintended consequences that are impossible to fix without a very knowledgable programmer).

I have an economics degree and I was able to be a competent IS guy for a National Bank because we used windows. I was smart about things and kept laptops off the network as well as employing a firewall and proxy mail server. The only problem we ever had was the Anna Kournikova email (spread by, of course, my boss).

Posted by: Is Linux really that secure? | August 17, 2005 1:25 PM | Report abuse

Re: WORMS

If you get a worm take your worm and go fishing, because your a rookie and shouldn't be online in the first place.
Virus authors should be hung by their worm for all the little people they hurt!

Posted by: Supplanter | August 17, 2005 1:33 PM | Report abuse


Re: WORMS

If you get a worm take your worm and go fishing, because your a rookie and shouldn't be online in the first place.
Virus authors should be hung by their worm for all the little people they hurt!

Posted by: Supplanter | August 17, 2005 1:37 PM | Report abuse

Whoa! Thanks Grammarian. I have updated and fixed that.

Posted by: Bk | August 17, 2005 1:45 PM | Report abuse

We started our patching on Friday afternoon. Because we saw the proof of concept code come out. We were completely protected by the time the worm came out.

If we can patch 22,000 windows boxes in less than 24 hours then I am trying to figure out what is with CNN and the other folks.

Anyway we are protected and happy. Sitting back and watching.

Posted by: IT_GUY_CISSP | August 17, 2005 1:46 PM | Report abuse

Saying an OS (Mac, Unix, Linux,etc)as virus free is beyond the point. One uses a computer as a tool, and people uses the best tool at the most cost efficient way for the task at hand. Windows is more popular, so there are more hackers trying for maximum effect. If there was a prize, say $500,000, to hack a Unix version, you can bet that somebody would try hard. Please go to the security sites and see for yourself how many patches are posted for Unix. If you have millions line code, you have plenty of holes to exploit, Windows or not.

Posted by: JDR | August 17, 2005 1:52 PM | Report abuse

ALL I HAVE TO SAY IS GIVE CREDIT TO THE CREATORS.... :) LOVE YOU ALWAYS, BY THE WAY CAN YOU ALSO DESTROY SONY, I MEAN BREAK THEIR CODE FOR PSP, 128 TO BE EXACT. :) micro-soft, get it.. micro-soft. heheh lol.

Posted by: HEHHHE | August 17, 2005 1:59 PM | Report abuse

By some accounts, Windows has more than 90,000 viruses. If the Mac OS had viruses in proportion to their marketshare, there would be more than 2000 viruses. Instead there are none. 0. Linux likewise has significantly fewer viruses than its marketshare would lead one to believe. Admittedly, the smaller market share probably contributes to the fewer number of viruses, but there should be at least 1 for the Mac OS that is self-propigatinging. There should be more than a few dozen for Linux. With millions of OS X users, there should be at least 1 person trying to write a virus for Mac OS X. Either that one person is stupid, or it is much harder to do on the Mac OS.

Posted by: Frankh | August 17, 2005 2:00 PM | Report abuse

Well maybe some of these guys will get tired of using the most popular target of these problems and accept that for businesses Linux/Unix is better for them. I can only imagine how much time and money they spend on microslop patching and fixing problems. Cost wise Ill go linux. Another Geek named Bill but not gates.

Posted by: Another Geek | August 17, 2005 2:39 PM | Report abuse

Its hard to polish a tird ---

Posted by: Jay --Texas | August 17, 2005 2:39 PM | Report abuse

JQ, if you wanted to be productive, you'd use a Mac. Back when my family members used Windows, they were always calling with this question and that problem. Now they nearly all use Macs and no one ever calls me for help. And, they don't spend their days downloading lousy, buggy, OS patches.

Macs are a smaller target for virus writers becaue they have a smaller installed base. But they are also a much smaller target because writing a virus or worm is much harder, and they are likely to be much easier to clean out without reinstalling the whole computer - and that is why windows users sometimes knowingly live with infected, slow machines.

Posted by: JT | August 17, 2005 2:39 PM | Report abuse

When IBM stopped supporting OS-2 and most of us had to switch to Windows, companies nearly went out of business spending so much time chasing Windows buggs and rebooting systems. OS-2 was so stable and bug free we had boxes which ran for a full year without locking up. Gates gave us just the opposite.

Posted by: Clem | August 17, 2005 2:57 PM | Report abuse

buy a mac, buy a max... bah you people.

why not....just install osX on your x86 hardware. I suggest you do some research as people have been doing it for over a week now.

Wank, another work/virus. Who cares. Take your old crappy P166 machine, install *nix or FBSD on it and put it in front of your windows machine. Free-- and done.

Posted by: meh | August 17, 2005 3:34 PM | Report abuse

No matter how many worms and viruses come out, people are still Microsoft sheep and will continue to use Microsoft products.

NightOwl

Posted by: NightOwl | August 17, 2005 3:39 PM | Report abuse

The other way for a whole lot of folks to stop introducing viruses and worms into the Windows world is to stop using a user ID that has administrative privelages. I have worked on the IBM mainframes for quite a while, and one of the keys to preventing accidental or intentional damage to files and systems that matter, is making sure that users don't have a whole lot more power than they are aware of and know what to do with. Hit the nail with the appropriate size hammer, you know...

Windows NT/2000 and above have some real solid security, built to let you isolate users and processes and priveleges. It's not so much an issue of Microsoft (or Linux, or Mac, or anything else's holes - they all have soft spots); it's the issue of people guarding the bank vault with a chipmunk, instead of a doberman.

Don't log on with Administrator access. Don't run your browser with only light security for internet sites. Don't run services with "Local System" authority. Tie things down appropriately, and darn few bugs will stand a chance in your computer.

Posted by: eek | August 17, 2005 3:39 PM | Report abuse

Responding to Jeff who says "The problem is that MS expects its users to be very computer savvy" -- no actually the problem is Microsoft is trying to be the computer for the average "don't know" person. Did you ever notice how you have to click the ADVANCED tab/button on 3 different screens before you get to anything powerful in Windows? Wow... must be reallllly advanced to administer... say User Groups??

Microsoft intentially dumbs it down, but that's what makes it so darn hard to stop up all the gaps. They link everything to everything to make it more user-friendly (your printer and your hard drives are linked to your firewall via UPnP so you can share them... DOH...) You have to be a genius to reverse-engineer it all to understand how to secure it -- if that's even POSSIBLE.

Linux is certainly not for computer newbies, but I sure love it. Macs are the best at mediating the newbie / nerd gap, IMHO.

Posted by: Jon | August 17, 2005 3:57 PM | Report abuse

Those who question the productivity of Macs obviously haven't used them. It has native Microsoft Office (generally accepted as superior to its Windows version), all the major graphic and desktop publishing applications (except, thankfully, Publisher) and a really broad suite of other applications (OmniGraffle, for example, is a fantastic diagram tool).

And, if you really want your Mac to catch a virus, you can always install Virtual PC. ;)

And, if you still believe it's not a workable engineering/design/etc. workstation, go to the next IETF meeting in Vancouver and count Powerbooks.

Posted by: Timothy | August 17, 2005 4:48 PM | Report abuse

I wouldn't say that the author was an uknown person. I would say that he can't be arrested apparently, because we have no extradition treaty with his country. He does have a few compatriots in this country, and I wouldn't want to be in their shoes.

Have a nice day.

Posted by: freecode | August 17, 2005 6:33 PM | Report abuse

OSX/Linux harder to write viruses on? I dont think so - maybe for worms but definately not viruses, which at their most basic form can just be a file that infects others when run. The reason these OS's are not infested with viruses is that there is very little incentive to write code to infest such a small percentage of PCs. However, if (when) OSX or Linux becomes more popular than MS Windows, you'll see a rapid increase in the number of viruses written for these OS's.

Posted by: logician | August 18, 2005 3:29 PM | Report abuse

"Blah blah blah....use Linux instead...blah blah blah Macintosh..

Sorry, but I prefer being productive."

At what? Developing virus patches? Rebooting?

As far as I know there are only two known ways to avoid viruses on windows PCs; either disconnect them or leave them off.

Or you might try a Soroban computer. I haven't heard anyone complain about viruses on them.
http://www.cut-the-knot.org/Curriculum/Arithmetic/Soroban.shtml

Posted by: Roger Wehage | August 19, 2005 9:28 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company