Defending Against Worm Wave Tough Task

While hackers bicker back and forth, all users want is an end to the torrent of worms that's clobbered the Internet this week.

March 5, 2004

Network Computing


While it's not difficult to stymie one worm, it's a different story when that one becomes a legion, a tsunami that just keeps coming, said security analysts Thursday as they offered up advice on how to handle waves like this week's.

Unfortunately, said Ken Dunham, the director of malicious code research at iDefense, "there's no single magic bullet and no comprehensive patch against all of these new worms."

Chris Potter, an analyst at PricewaterhouseCoopers in the U.K., agreed. "Anti-virus software alone doesn't solve the problem."

That's not surprising, what with the sheer number of worms that have struck in the last seven days: 16 by Network Associates' count, including 9 Bagles, 4 Netskys, 2 MyDooms, and 1 lonely Hiton.

Because all of these worms deliver their payloads disguised as file attachments to e-mail messages, the oldest advice remains the best. "First and most important -- and this is a social engineering aspect that's a little hard to master -- don't open or execute unexpected e-mail attachments," said Brian Foster, the product manager for Symantec's anti-virus group, in a Web conference Wednesday.

That works, of course, but as the dramatic spread of some of these worms shows, not everyone heeds the advice. The problem is that worms harvest addresses from infected machines to propagate, so the next victim believes the message comes from someone he or she knows and that it, and its attachment, can be trusted.

"If you're not expecting an attachment from somebody, be wary of opening [it]," Foster said.

Another practice that can prevent infection is to block specific file types at the gateway, and/or set enterprise-wide policies on the e-mail clients deployed on workstations.

"These e-mail-borne threats can be blocked by applying policies across the company," said Alfred Huger, senior director of engineering with Symantec's virus watch group, on Thursday. As an example, he noted that the more recent versions of Microsoft Outlook -- by default all those since Outlook 2000 Service Release 1 (SR1) -- allow administrators to lock out specific file attachment types from arriving, or from being accessed by employees.

"You should roll out the security updates for Outlook that prevent access to file attachment types like .exe, .scr, and .pif," said Huger. "You should implement that policy across the board, then allow only those specific people who require access to a particular file type to receive them."

Links to Outlook's security update, as well as information about Outlook's and Outlook Express 6's attachment blocking features, can be found on the Microsoft Web site.

Blocking some file types -- .exe, .bat, .scr, and .pif -- is standard in most organizations because they've been used by prior worms and viruses to wreak havoc. But the .zip file format, used to compress large or multiple files for archiving and/or faster delivery via e-mail, is one that many companies still allow through the gateway.

And by the statistics of this week's wave of worms, that's potentially hazardous. Of the 16 worms discovered since last Friday, 13 include (or may include, since some worms randomly assign a list of file extensions to their payloads) .zip attachments.

Security experts, however, were mixed when it came to labeling .zip as a threat that should be banned from business.

"To deal with this many worms, companies may need to block more file extensions," said Vincent Gullotto, vice president of McAfee's AVERT virus research team. He recommended blocking .pif attachments, for instance -- 7 of the week's 16 worms may use that extension -- "but I think .zip is still relatively safe."

Chris Belthoff, a senior security analyst with anti-virus firm Sophos, strongly disagreed. "Some of these worms are taking an interesting new tactic; they're deliberately trying to get by gateway scanning by password-protecting the .zip file attachments. Zip files are not to be trusted, period," he said.
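As an added illustration (not code from the article or from any vendor quoted in it), here is a small Python attachment policy check in the spirit of the gateway rules Huger and Belthoff describe: it blocks the named extensions outright, looks inside .zip attachments for the same types, and flags password-protected entries that a scanner cannot read. The sample message and archives are constructed here, and the blocked-extension list and the by-hand zip header patching are assumptions for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat"}  # types the analysts above say to lock out

def _ext(name):
    return name[name.rfind("."):].lower() if "." in name else ""

def inspect_zip(data):
    """Reasons to hold a .zip: a blocked type inside it, or content a scanner cannot read."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is password-protected
                    reasons.append(f"encrypted entry: {info.filename}")
                if _ext(info.filename) in BLOCKED_EXTENSIONS:
                    reasons.append(f"blocked type inside archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("malformed zip")  # an archive the gateway cannot parse is held, not passed
    return reasons

def check_message(raw):
    findings = []  # (attachment name, reason) pairs; an empty list means the message passes
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked extension"))
        elif _ext(name) == ".zip":
            findings.extend((name, r) for r in inspect_zip(part.get_payload(decode=True)))
    return findings

# Constructed fixtures (not from the article). build_zip flips the "encrypted" flag bit by hand.
def build_zip(name, data, encrypted=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x01\x02") + 8] |= int(encrypted)  # flags field is 8 bytes into the CD header
    return bytes(raw)

SAMPLE = EmailMessage()
SAMPLE.set_content("see attached")
for _name, _data in [("report.pdf", b"%PDF-1.4"), ("invoice.pif", b"MZ"),
                     ("photos.zip", build_zip("photo1.jpg.scr", b"MZ")),
                     ("docs.zip", build_zip("readme.txt", b"hi", encrypted=True))]:
    SAMPLE.add_attachment(_data, maintype="application", subtype="octet-stream", filename=_name)
```

Running `check_message(SAMPLE.as_bytes())` flags the .pif, the .scr hidden in photos.zip, and the encrypted entry in docs.zip, while report.pdf passes.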

A third strategy that may limit exposure is to update anti-virus software definitions more frequently when multiple worms pop up in a 24-hour span.

This tactic, which Symantec's Huger said was already being used by most enterprises -- "For most of our commercial customers, decreased time between updates is already a best practice," he said -- plays best to the consumer crowd, which is notorious for neglecting virus updates.

Other best practices that can help during security stresses -- as well as in those weeks when worms aren't so prominent on the Net and in the news -- said Symantec's Foster, are to turn off unnecessary file sharing (some of the recent worms can also spread via network shares) and to isolate any infected machines as soon as possible.

But during weeks like this one, everyone's feeling the stress, which leads to a bit of a blame game.

"It's overwhelming anti-virus companies," said iDefense's Dunham. "They have to find signatures that work and roll them out and then the client has to roll the signatures throughout the organization. That whole process takes time," which is in short supply when a worm blitz strikes.

Sophos' Belthoff conceded that time is tight. "Hackers innovate to disburse their code, and we adapt to detect their new tricks. This is an escalated war, and yes, the reaction time is shortened substantially."

"We need to somehow embrace other techniques," retorted Dunham. "Perhaps a quick signature for network-exposed servers, such as e-mail servers. Something that companies can apply manually if necessary, a quick work-around that will work in a pinch."

"The problem isn't the number of breakouts," argued Huger, "but the number of machines that need to be protected."

And there are lots of machines to protect when a worm wave breaks.
