Why Network Administrators Failed to Protect Against Zotob

The recent Zotob virus incident proves that companies have gotten lax with security upgrades and could be heading toward negligence when it comes to network security, says columnist Rob Enderle.

August 19, 2005


For much of this week we've been tracking the proliferation of the Win32.Peabot—a worm that also goes by the name of Zotob. This attack, like many others, came after the disclosure of an exposure in current versions of Windows that continues to suggest a cause and effect pattern of 'patch-release virus attack.'

This worm has hit a number of high profile sites but, so far, only unpatched Windows 2000 systems have been reported as damaged. This is because the extra work needed to attack an unpatched Windows XP system has delayed, if not prevented, a variant that will attack Windows XP-based systems. This suggests that, at the very least, systems with this newer version have a longer grace period before they can be attacked.

Currently the working theory is that the organizations under attack have not protected themselves against laptop computers that, in attacks like this, perform the role of carriers and physically bypass the perimeter security in place in the company to infect other, normally well protected, computers. As with most worms of this type, a properly configured firewall will stop the current generation of virus variants cold if the firewall is allowed to perform its function.

What is somewhat scary about this virus incident is that it appears to be a large and growing number of variants, each more damaging than the last, making it almost look like there is some type of perverted competition between virus writers to see who can do the most damage. It is important to remember that companies with adequate security surrounding laptop use, and those that follow recommended practices with perimeter protection, have likely not been impacted.

The Patching Strategy

This isn’t to say you can avoid patching; for small businesses in particular, there is a critical requirement that security patches be applied promptly. We are now down to hours between when a patch is created and someone reverse engineers it to create a virus that exploits the identified exposure. Virus checking products are simply not fast enough, as they typically take up to 24 hours to identify a virus, create a response to it, and then distribute that response.

If you are already patched when the virus hits, you are generally immunized from the related virus and most if not all of the variants, while most virus products still have to be updated for each variant. This is particularly true now that many are specifically written to bypass popular virus checking offerings.

Securing Firewalls And Remote Sites

Firewall ports should be closed by default and only those that need to be open should be open. This latest virus targeted port 445, which is used for file and printer sharing and should never be open on a firewall (this activity, if allowed, should only occur within a company between PCs that never venture out of the perimeter protection currently in place).
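As an added example that is not part of the column, the script below audits two constructed iptables-save style rulesets for the two points just made: perimeter chains must default to DROP, and inbound TCP 445 must never be accepted. The weak and hardened rulesets are invented samples, not any real company's configuration.

```python
import re

SMB_PORT = 445                       # the port Zotob targeted
EXTERNAL_CHAINS = ("INPUT", "FORWARD")  # chains that see outside traffic

# Constructed sample: chains default to ACCEPT and SMB is open to the world.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: closed by default, only the needed port opened,
# and SMB explicitly dropped ahead of any later allow rule.
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(\w+)")             # ":CHAIN POLICY [..]"
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*)\s+-j\s+(\w+)$")  # "-A CHAIN ... -j TARGET"
DPORT_RE = re.compile(r"--dport\s+(\d+)")


def audit_firewall(ruleset: str) -> list[str]:
    """Return findings for a ruleset; an empty list means both checks pass."""
    findings = []
    for line in ruleset.splitlines():
        m = POLICY_RE.match(line)
        if m and m.group(1) in EXTERNAL_CHAINS and m.group(2) != "DROP":
            findings.append(f"{m.group(1)} policy is {m.group(2)}, not DROP")
            continue
        m = RULE_RE.match(line)
        if not m or m.group(1) not in EXTERNAL_CHAINS or m.group(3) != "ACCEPT":
            continue  # only explicit ACCEPT rules on perimeter chains matter
        d = DPORT_RE.search(m.group(2))
        if d and int(d.group(1)) == SMB_PORT:
            findings.append(f"{m.group(1)} accepts TCP {d.group(1)} (SMB)")
    return findings
```

Running `audit_firewall` over the weak sample reports the two open policies and the accepted port 445; the hardened sample produces no findings.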

What we often forget is that remote offices and employees working from home often drill through firewalls with trusted links like virtual private networks (VPNs). While I personally think VPNs are sometimes a really bad idea, they can’t be avoided, and that means the remote site has to be as secure as possible. In effect, if such a link exists, the remote site should be regularly audited to ensure it is adequately protected. In most cases this can be done remotely, but it still needs to be done regularly. One product that could help with small offices and home offices is the Eli Managed Broadband Security Appliance. It is a remotely managed firewall, router, and access point with heavy content filtering. It is one of the few products I’ve seen that comes close to providing affordable and adequate perimeter protection for homes and small offices.

On the physical security front, a common practice in security audits is to go to a remote executive’s site and then penetrate the company’s security from that inadequately protected site. Just because you don’t read about companies being compromised in this way does not mean the events aren’t happening.

Laptops are incredibly handy, now accounting for over 50 percent of the new PCs being sold to companies, yet you have to remember that they are virus magnets and require a much higher level of focus than many now give them.

While we often don’t talk about it, people will do things with laptops from home or hotel rooms that they wouldn’t think of doing in the office. These things often result in contamination by spyware or viruses. Laptops should never have peer relationships with any internal unprotected systems. They should always be treated as if they are infected because they have a high probability of being infected. This doesn’t mean they shouldn’t be protected. Laptops should be running fully configured software firewalls like ZoneAlarm or BlackIce Defender.

In addition, laptops really should not be using old versions of Windows. Even unpatched Windows XP machines are not being hit by the current attack, and those with the SP2 service pack in place are vastly more resilient to attack than any other Windows platform. Laptops can represent the worst of all possible worlds when it comes to security because users are often disconnected, making timely patching difficult, and they generally lack the perimeter protection afforded desktop hardware. The combination of high vulnerability and low connectivity exacerbates the problem, and when we couple this with the laptop’s clear threat as a virus carrier, you can only conclude that it must always be maintained as current as is possible, and that means the current version of the OS.

Right now, if the current assumptions prove to be true, unpatched Windows 2000 laptops are doing massive damage to the companies that have them deployed, and there is really no good excuse for this. You can lag on patching desktop machines within perimeter protection because of where they are used; however, we tend to patch them more quickly because we can.

One other thing to remember is that a large percentage of trouble calls with laptops can be traced back to imaging them with an older version of the operating system that was never designed to work with the current generation of mobile hardware. In other words, particularly since there is no real cost advantage and a huge security and usability disadvantage, putting an old OS on a new laptop is anything but wise regardless of cause.

The State Of Negligence

We live in an increasingly hostile world—gone are the pre-Internet days when viruses took days and weeks to hit. Today they land in hours and minutes. Our faith in virus checking products is now vastly misplaced because they simply can't respond to most of the high profile threats quickly enough and, even if they could, an increasing number of our users are disconnected, making the timely update of virus signatures nearly impossible. This forces us to revisit our perimeter protection and make sure our perimeter is expanded to cover all critical systems, even those that may exist in employees’ homes. In addition, we need to give special care to mobile devices (which now include smart phones and hand held computers as well as laptops), which increasingly are used as virus carriers. These machines must become juggernauts able to resist attacks on their own, and they should never be accepted onto an internal network without being adequately protected.

The best advice for mobile devices is to always keep them well patched, on the current operating platform, and operating outside of firewalls even when inside companies, so they won’t become the nightmare that a number of CIOs had this week.

Whenever we see selective damage like we are seeing, the question of competence comes up and, with it, the “n” word (negligent) is not far behind. None of us can afford to have negligence associated with our names and companies, so we need to look at the firms that are stepping up to their responsibilities and emulate them.
