Worm Work

Worms generally work this way: Once a computer has been infected by one of these evil programs, the worm uses the infected computer to search for ways to reproduce itself. It does this by causing the infected computer to send out signals looking for other computers to infect. It will send these out by the thousands and tens of thousands, and eventually it will find a machine vulnerable to its attentions. It then infects that machine, and that machine begins to send out probes.

The infection process exploits various defects in the computer's operating system. Microsoft and other OS publishers look for these vulnerabilities and hope to find them before someone else does. Often they succeed and send out the fix before the worm or virus can be released into the wild. In the case of the Blaster and Nachi worms that made the rounds in August, the remedy for the Windows defect had been known and circulated for several weeks (see http://www.microsoft.com/security/antivirus/nachi.asp for more details; Cisco has instructions for blocking some of the side effects using their routers at http://www.cisco.com/warp/public/707/advisory.html), but many computers including all the Navy computers in the Pentagon hadn't had the fix applied, and were not only infected but began to infect other machines.

SoBig.F would send out virus replicates whether or not your system was running Outlook. You had to pull the network cord to stop it. As Brian Bilbrey puts it, friends don't let friends click on attachments…

As a result, many of the government's computers and many, many others owned by both individuals and businesses large and small were infected: The worm was known, the remedy was known, but the government's computer experts consultants in many cases either couldn't be bothered or just hadn't got around to applying the fix. The result was chaos, of course.

A Thing of Shreds and Patches

That's Microsoft's version of the story. The other side is that Microsoft sends out dozens of patches and updates, some critical and some trivial. It's no bother for someone like me simply to tell all the computers on my LAN automatically to seek out and download those updates, then tell me they're ready to install at my convenience. Microsoft uses the "drizzle" system for these downloads, sending them at times when nothing much is going on with my LAN and not using up much of my bandwidth, and I hardly notice this activity. If one of those patches breaks something (it has never happened here but it could) it would be annoying but no disaster: I back up everything important, and incidents like that are grist for the column.

For a system administrator responsible for hundreds or thousands of desktop systems this flood of patches and updates can be a nightmare: Not only must the patches be applied to each desktop, but the system must be tested. Administrators worry about this a lot because simply accepting every patch can cause a disaster too. There are some new products coming out to help with generalized protection against some of these Windows exploits such as Cisco's Security Agent, but the basic problem of testing/patching/updating still remains.

On the gripping hand, some management companies such as the consultants who handle the Pentagon's non secure desktop systems should have known what they were in for when they bid on the job. They're getting paid a lot of money to keep those systems going. That involves installing critical security updates, and it's a bit late to plead that they didn't know Microsoft Windows code had a number of security vulnerabilities, or that Microsoft was frantically trying to fix them and would be sending out floods of patches.

Since last year there have been weekly and often daily security updates to the Windows operating system. This is in large part because Microsoft was persuaded to take this security matter seriously and diligently to search for holes and vulnerabilities, and their programmers and consultants found a lot of them well before anyone exploited them in the wild. In my judgment this is greatly to Microsoft's credit, even if it did make life difficult for systems administrators. Better a lot of deleted work than a full system shutdown. The consultants who do the Pentagon desktop management failed utterly in the SoBig.F, Blaster, and Nachi worm attacks. This was a known vulnerability with a known fix which had been successfully applied to millions of systems before Blaster, Nachi, and SoBig.F struck, and still most of the Pentagon (and a lot of the government in general, including the Departments of Justice and Commerce) was without desktops for several days.

It's hard to estimate the cost of that shutdown. On the one hand, about 30,000 professionals were unable to do much professional work. On the other, some used that time to catch up on less urgent tasks that had been accumulating for months. Some took vacation time. It happened in summer during the silly season anyway. It could have been a lot worse.

What we can do is take this as a warning. Were I an intelligence officer of an unfriendly foreign power I would be studying the incident with a view to developing new tactics to use against the United States. There is increasing evidence that the effects of Blaster and Nachi played a role in the slowness of the power grid operator responses to the recent North American cascading power outages. A targeted attack could potentially do much more real world damage.

As a result of all this, UNIX based systems such as Linux and Apple machines running the FreeBSD derived OS/X are beginning to look more attractive to many. While there are some who say that those systems are just as vulnerable as Microsoft based systems, but that Microsoft is merely a more attractive target for miscreants due to its market share, there's a bit more to it than that.

*NIX systems are actually more attractive platforms for compromise; if a bad actor can hack his way into a machine running Linux or Solaris or any of a dozen UNIX variants, he has a much more powerful system which can be used to launch DoS attacks, snoop for passwords on the local network, etc. And out of the box, many *NIX systems are in fact vulnerable to compromise if left running using their default settings. However, in most *NIX systems, the system administrator can actually see everything running on the system, and can shut down or modify the operation of potentially vulnerable services. Whether or not he does so is another story, but the capability is certainly there, and that isn't always the case with Windows.

Another factor which makes Windows a more attractive target is the number of pervasive programming methods and APIs which are integrated into the OS itself and which can't be disabled by the user. These features are designed to provide cool scripting methods to allow applications to play well together and do lots of things automatically, but the simple fact is that they weren't designed with security in mind, and when coupled with other, unpatched vulnerabilities, they can spell trouble. Visual Basic for Applications (VBA), ActiveX, Windows Scripting Host, etc. all offer this type of functionality, but with a cost, as we've seen.

These pervasive APIs aren't generally found in *NIX based OSes; a notable exception to this is AppleScript, which because it's both well designed and is sitting on top of the FreeBSD derived OS/X, simply can't break out of its context and wreak havoc at the superuser level on Apple systems.

My friend Roland Dobbins is a networking security professional and a *NIX advocate of more than 20 years standing, and has been Microsoft OS free since 1999. He uses Slackware Linux and Sun Solaris for his server systems, but has switched over to Apple as his primary desktop and laptop provider, because, as he puts it, Apple provides the power of UNIX without the administrative overhead. He keeps urging me to check out Apple's PowerBook laptops So does Peter Glaskowsky of Microprocessor Reports. It looks as if I'll have to do that.

Finally, if you have any suspicion that your system was infected recently by either Sobig.F or the W32Blaster worm, go to http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html and http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html and follow instructions. For SoBig.F there's a test and cleanup program you can download and run. For W32Blaster things are a bit more complicated, but the procedure is spelled out in detail. I am told it works fine. None of my machines were infected, and although I do a lot of silly things so you don't have to, infecting one of my systems so that I can test detection and removal tools isn't one of them.

Why Not Wait?

In the best scenarios, Microsoft or some other good guy finds security holes before hackers find ways to exploit them. A fix is written and tested, then published. Since there are no wild viruses able to exploit those holes, why be in a hurry to apply the fix?




------------------

View the Byte Magazine homepage (http://www.byte.com/)

Big thanks to Steve Bilderman over at F*uckedgaijin.com for posting this up. Great stuff.

Alas, once the security hole and its fix are published, the almost inevitable result is that some clever hacker will try to exploit that hole, in hopes that a lot of people won't have applied the fix yet. They're often right, too.

If you apply all the updates and patches as they come out you may introduce instabilities into your big network. If you don't, you will almost surely be inviting invasion by worms. In my opinion you're better off installing the security fixes, but it's a judgment call.

Worm Bait

Note that before a machine can be infected, the evil worm must find the computer. A good router makes your computer invisible to the worm, so even those who hadn't applied the published operating system security fix weren't infected. That being the case, how did the government's machines, all safely behind firewalls, get infected? I'll get to that later. For the moment let's stay with "stealthing" your system.

This "stealthing" of your system can also be done in software, and firewall programs like ZoneAlarm, Black Ice, and Norton Internet Security accomplish it fairly well. They're easy enough to set up, and once that's done by all reports they're secure enough, so it may just be more paranoia on my part, but I don't trust them.

Two of Pournelle's Laws state: Hardware is faster than software; and one user, at least one CPU. Putting the firewall job off onto a router is efficient and very much in keeping with that philosophy. Perhaps more importantly, as a general rule, any program running on a computer can be bypassed by someone smart enough to get around it; this is often known as tunneling. It's not easy and I don't know of any automated tunneling software, but that doesn't mean someone isn't writing that program right now.

Note also that a router protects all the machines behind its firewall; software firewalls in general protect only the machine they are running on. Now this isn't quite true: if you have multiple systems accessing the Internet through one computer running Windows XP and Internet sharing, and the "master" computer is running a good firewall program, all the machines are protected as well as the "master" system.

In my case I use the router as a border firewall, and only a couple of critical machines inside my LAN have individual protection. That works for me, but there is a major drawback to having one border firewall router as opposed to individual firewalls on each internal system: The border router can't protect a machine from infections that begin inside the firewall. If someone connects an infected laptop to the LAN, it may, and probably will, infect every machine in that Local Area Net. This can also happen if someone's machine is infected by opening infected e mail. That's what happened to the Navy.

Even in that case routers are still useful because worms generally direct outgoing traffic to unusual ports, so a properly configured border router/firewall provides some help by discarding outbound packets generated by the worm.

Sir, You Have Worms

Although the August worms and viruses never affected me, they hit a number of friends and associates. The usual symptom would be that the machine slowed to a crawl, but a look at the modem or router lights indicating Internet connectivity would show them blinking frantically: The machine was sending thousands and thousands of packets out to the Internet. Physically disconnecting the machine from the Internet would usually bring it back under control so that you could remove the infection provided that you had the programs to remove it.

Calling various tech support outfits, such as your cable modem or other Internet Service Provider would get the helpful advice that you should download certain Symantec or McAfee programs and run them. The problem was that if you connected your machine to the Internet to download the programs to fix the problem, the machine would take off on its mad quest to infect the universe. Some users were still able to download the fixes. Others couldn't.

If you couldn't download the fix you could scrub the machine and reinstall everything. That wouldn't be fun. A better choice would be to find an uninfected machine, download the remedies, and put those onto either a CD or a floppy. Several of my friends spent a couple of days making house calls with medicinal floppies.

None of the infected systems I know about were protected by routers, with the exception of the Navy desktops which were hit through internal infections. The moral of this story is, if you have a high speed Internet connection, get a router. You may then think about using software firewall protection on your individual systems, but get the router first.

Virus and Worms

The difference between a virus and a worm isn't always clear, but it usually involves methods of infection. Worms are sent out "broadcast," and look for computers to infect. If a worm finds a vulnerable system, it can infect it without any cooperation (such as opening an infected attachment) from the user. However, if your system is properly hidden behind a firewall, the worm can't find you, and if it can't see you it can't attack you.

A virus, on the other hand, usually comes in the form of an e mail. Those are also "broadcast" but not in the same way as the worm: If the virus sender hits on your e mail address, your router isn't going to protect you. You'll get the e mail.

No router can protect you from a virus delivered as an e mail attachment, and if someone is foolish enough to open that infected attachment, the computer will be infected. Worse, the infection may not be a simple virus: The infection may in fact turn your computer into a zombie transmission system for worms, and since your computer is inside your firewall, the worm may get to all the other computers on your Local Area Network (LAN) even if that worm is one that your firewall would have blocked had it come from outside. A virus that can mutate into a worm (has a worm infection as its payload) would be rare, but there has been at least one, and I expect to see more of them.

Virus spreaders are getting more ingenious all the time, but some can be pretty stupid. One of the latest tricks is to send e mail purporting to be from Microsoft, and warning you to update your security software. They way to do that, it says (in bad English that couldn't possibly have come from Microsoft), is to run the program in the attachment. Of course that program is a virus. Another method is to tell you that the details are in the attachment. Open the attachment and you've had it.

Another trick is to send you e mail from a system administrator, telling you that the e mail you tried to send was rejected. The details are in the attachment; just open it to find out. And once again, wham. You've had it.

Or consider this scenario. A computer belonging to someone who has you in his address book is infected. It generates infected e mails faking you as the return address and sends them to everyone in the infected system's address book. Those go to systems protected with anti virus (AV) software that sees this message has a virus. It then sends you a virus warning message and thoughtfully attaches a copy of the intact virus! Open that attachment and once again, you've had it. One would think that AV software smart enough to detect the virus would also eliminate it rather than sending it back across the Internet.

PR agencies seem to be the worst offenders here. It's astonishing how many infected "virus warnings" I get as mail "returned" from PR agencies to whom I have never sent a message in my life. These companies must have an annual competition to see who can install the worst AV software in existence. Then they all install that, and start a new contest.

Anti Virus Software

Norton and other anti virus programs, if kept up to date, will be able to prevent infected attachments from getting to the user provided that the virus is already known. I often get spam virus exhortations with their attachments entirely removed by Norton. Norton Anti Virus is pretty good and I recommend it for general peace of mind. It runs on the systems I use to deal with mail.

Having said that, let me emphasize that anti virus programs, even when frequently updated, are never enough to insure security. Virus writers are ingenious: Often a virus will be loose for hours, and sometimes days, before it is found and analyzed and the means of detecting it are put into the anti virus software; and even then it can be many hours to many days before everyone gets around to updating their anti virus software. During all that time the virus is floating around the Internet, and people are getting infected. Some people update their AV software weekly. I know of some who only do it monthly or when reminded to do so. This is a dangerous practice.

The moral of this story is, update your AV software early and often. It's easy enough to check daily, and that's not too often. And despite having updated anti virus software, hide behind a stealthing router/firewall, and don't open unexpected mail attachments.