IPkey.com

information security monitoring & management

Information Security Bulletin

August 2003 

Feature Story:
Viruses, Worms & Scripts.

It's good to be back!  Thank you all for your kind comments on the Information Security Bulletin.

This month there have been a couple of interesting developments in the virus world.  The first is called W32.Mimail, and the second (and now famous) is the W32.Blaster worm.  What makes these critters interesting is that both exploited well-known, already-patched vulnerabilities in Microsoft software.

The W32.Mimail worm exploited a 'hole' in Windows IE for which MS released a patch on March 28, 2003.  The worm first appeared four months later, on August 1, and spread itself by email with an attachment called 'message.zip'.  It was well written but considered relatively harmless, in that it did little or no damage to the infected PC.  However, according to Symantec, W32.Mimail 'captures text from specific windows and sends the data to email addresses contained in the worm.'  To my way of thinking, it may not be damaging, but it sure as heck is a security problem.

The W32.Blaster worm exploits the RPC/DCOM vulnerability in Windows described in Microsoft Security Bulletin MS03-026, for which Microsoft released a patch on July 16, 2003.  It spreads over direct TCP connections to port 135 (the RPC endpoint mapper) on machines it finds by scanning, so email wasn't involved and nobody has to open an attachment.  This is not a very well-written worm; it often crashed computers instead of infecting them.  However, it has been very successful in that it spread around the world very quickly.  Unfortunately, some newer variants have shown up which are much more damaging.  We will have to wait and see.

Besides the fact that these worms were written to exploit specific, already-patched vulnerabilities, they have something else in common.  Both spread so quickly that most computers were exposed before the Anti-Virus vendors released new definitions.  This is a sobering reality.  Even daily A/V updates are no longer enough to keep current.  We have to wait for the updates to be posted, and then manually download them while everyone else is hammering the same site.  Sometimes you can't even connect, and when you can, it's slooow.  I personally pushed updates to my subscribers on both 8/1 and 8/11.
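Because Blaster spreads by connecting to TCP port 135 on one neighbour after another, its activity is visible in an ordinary firewall log long before a definition file arrives.  The script below is an added example of mine, not code from IPkey or this bulletin: it reads log lines laid out like the Windows XP Internet Connection Firewall log (date, time, action, protocol, source IP, destination IP, source port, destination port) and flags any source that reaches ten or more distinct hosts on port 135 inside a minute.  The log lines, addresses, timings and the threshold are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the field order of the Windows XP Internet
# Connection Firewall log (date time action protocol src-ip dst-ip src-port dst-port).
# Hosts, addresses and timings are made up for this example, not captured traffic.
def constructed_log():
    lines = [
        # a normal workstation: RPC to its domain controller and some web browsing
        "2003-08-11 14:00:03 OPEN TCP 192.168.1.5 192.168.1.2 1102 135",
        "2003-08-11 14:00:09 OPEN TCP 192.168.1.5 10.0.0.9 1103 80",
        "2003-08-11 14:00:40 OPEN TCP 192.168.1.5 192.168.1.2 1104 135",
        "not a firewall line at all",            # the parser must skip junk
    ]
    # an infected host walking a neighbouring /24 in address order, several targets a second
    t0 = datetime(2003, 8, 11, 14, 1, 0)
    for i in range(1, 41):
        t = t0 + timedelta(milliseconds=250 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} DROP TCP 192.168.1.77 192.168.2.{i} {1200 + i} 135")
    return lines

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) (?P<dport>\d+)\b"
)

def parse_line(line):
    """Return (timestamp, proto, src, dst, dport), or None for lines that don't fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["proto"], m["src"], m["dst"], int(m["dport"])

def find_sweeps(lines, port=135, window=timedelta(seconds=60), threshold=10):
    """Sources that reached `threshold` distinct hosts on TCP `port` inside any `window`.
    Returns {src: (start of the window that tripped the rule, total targets seen)}.
    Counting distinct destinations rather than packets keeps a client that talks to
    one server on port 135 all day from raising an alert."""
    recent = defaultdict(deque)      # src -> (ts, dst) pairs inside the sliding window
    all_targets = defaultdict(set)   # src -> every dst it touched on `port`
    first_alert = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src, dst, dport = rec
        if proto != "TCP" or dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        all_targets[src].add(dst)
        if src not in first_alert and len({d for _, d in q}) >= threshold:
            first_alert[src] = q[0][0]
    return {src: (first_alert[src], len(all_targets[src])) for src in first_alert}

if __name__ == "__main__":
    for src, (when, n) in find_sweeps(constructed_log()).items():
        print(f"{when:%H:%M:%S} {src} swept {n} hosts on TCP/135 - isolate it and patch MS03-026")
```

Run against a real pfirewall.log the only change needed is reading the file; the benign workstation in the sample never trips the rule because it keeps talking to the same domain controller, while the infected host is reported within three seconds of starting its sweep.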

This is sobering because it means that conventional A/V software is no longer enough to protect us.  Viruses and worms propagate too fast and the A/V updates come too slow.  What do we do?

OK, I know that some of you by now are ranting, "Are they crazy?  Why didn't they install the Microsoft updates?  MS has been warning us about MS03-026 (the vulnerability Blaster exploits) for a month!"  I agree, but I also know that many SOHO people who use a computer just for browsing and email have no clue.  I find it harder to sympathize with IT pros who get caught with their pants down, but I also understand that tight budgets and overworked staff running IT like a hospital in triage are all too common.

Welcome to the Information Security Bulletin.  This is your source for the latest practical information you can use to protect your organization's critical information and network services.

Marcus Clarke
ISB Editor

Of course, we can all blame MS for releasing faulty software, but the Windows code base is so enormous and complex that vulnerabilities will inevitably occur.  It's unrealistic to suppose that this will change anytime soon.  Given that MS knows Windows will never stay secure for more than a few weeks without updates, they have addressed the problem with a real-world solution.

Automatic Updates is a very useful feature in both XP and Windows 2000 SP3 and later.  It is easy to configure, and can automatically download and install updates on a daily schedule.  This is the best option for SOHO users with a broadband Internet connection, but it will even work over a dial-up phone line.

IT pros have a much more elegant option called Software Update Services (SUS).  This is free (yes, free) software downloadable from MS which effectively sets up your own Windows Update server inside your network.  It downloads any new patches and updates from MS on a daily schedule and serves them to all your PCs.  Not only does this save bandwidth, but it also means you hold the entire patch library locally even if Microsoft's servers are down or overloaded.  However, the very best feature of SUS is that YOU decide which security patches and hot-fixes are 'approved' for your organization's PCs; a client pointed at your SUS server installs nothing you have not approved.  This is key, because a couple of patches this year have caused serious problems on some PCs.  My policy is to wait a week or so after MS releases a patch before I approve it.  That gives me time to research any problems before it gets installed.  The caveat is a hole that is already being exploited in the wild: with MS03-026 the month between the patch and Blaster was the whole problem, so a patch like that belongs at the head of the line rather than in the week-long queue.
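The two paragraphs above describe a configuration rather than show it, so here is an added example of mine (not code from IPkey, Microsoft or SUS) that checks a PC's Automatic Updates policy against those recommendations: download and install every day without waiting for a user, and take patches only from your own SUS server.  The key and value names are the documented Automatic Updates client policy settings that SUS relies on; the server name sus01.example.local and the 'weak' sample export are constructed for the example.  On XP you can produce the input with `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" wu.reg` (the file is UTF-16, so decode it as such), and the recommended text doubles as a .reg file you can import.

```python
import re

# Recommended client policy for Automatic Updates when it is pointed at a SUS server.
# Value meanings: NoAutoUpdate 0 = enabled; AUOptions 4 = download and install on a
# schedule (2 = notify before download, 3 = download then wait for a user to install);
# ScheduledInstallDay 0 = every day; ScheduledInstallTime 3 = 03:00;
# UseWUServer 1 = talk to WUServer instead of windowsupdate.microsoft.com.
# The server name sus01.example.local is an assumption for this example.
RECOMMENDED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.example.local"
"WUStatusServer"="http://sus01.example.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
"""

# Constructed export from a PC still on out-of-the-box settings: AU switched off, no SUS.
WEAK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"AUOptions"=dword:00000002
"""

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Minimal .reg parser: {key: {name: int or str}} for dword and string values.
    (A real `reg export` file is UTF-16LE with a BOM; open it with encoding="utf-16".)"""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def audit(reg_text):
    """Return (code, message) findings; an empty list means the policy matches the recommendation."""
    keys = parse_reg(reg_text)
    wu, au = keys.get(WU_KEY, {}), keys.get(AU_KEY, {})
    findings = []
    if au.get("NoAutoUpdate", 0) == 1:
        findings.append(("AU_DISABLED", "NoAutoUpdate=1: Automatic Updates is switched off"))
    opt = au.get("AUOptions")
    if opt != 4:
        findings.append(("AU_NOT_SCHEDULED",
                         f"AUOptions={opt}: only 4 installs on a schedule without waiting for a user"))
    elif au.get("ScheduledInstallDay", 0) != 0:
        findings.append(("AU_WEEKLY",
                         f"ScheduledInstallDay={au['ScheduledInstallDay']}: installs weekly, not daily"))
    if au.get("UseWUServer", 0) != 1:
        findings.append(("NO_SUS",
                         "UseWUServer missing or 0: client pulls straight from Microsoft and ignores your SUS approvals"))
    else:
        for name in ("WUServer", "WUStatusServer"):
            if not wu.get(name):
                findings.append(("SUS_URL_MISSING", f"{name} not set although UseWUServer=1"))
    return findings

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else WEAK_REG
    for code, msg in audit(text) or [("OK", "policy matches the recommended settings")]:
        print(code, "-", msg)
```

Run with no argument it audits the constructed weak export and reports all three problems; run it against exports gathered from your PCs to find the ones that will still be fetching (or not fetching) patches straight from Microsoft after you have set up SUS.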

Maintaining Windows PCs with the current security patches is at least as important as maintaining current A/V updates. For those of you who don't have an IT staff, we offer Windows Update Service to keep you up to date for just a few dollars a month per PC.  You will also benefit from our approval policy.  Don't put it off any longer; call us!

Final Thought
In June we partnered with a new firewall company named Fortinet.  They have a clever answer to the A/V update problem.  They make security appliances that scan all incoming network traffic for viruses and worms.  Like others, their units can schedule updates, but Fortinet also has a distribution network that can 'push' updates to all their units worldwide in less than 5 minutes.  A gateway scanner only sees traffic that crosses it, so it complements patching rather than replacing it, but it squarely addresses the realities of Internet security today: we no longer have days to respond, and even hours are too long.  We now have to be thinking in terms of minutes.

Who creates viruses?
The answer to this common question is complex.  In the early days, they were mainly written by teens in Asia or Eastern Europe; the viruses just caused damage and often spread a message.  Today those regions are still often the source of viruses and worms, but the authors are now much more sophisticated.  They will try to steal personal information and credit card numbers from your PC, or will plant a 'trojan' to be used later in attacking a well-known site.  These people are not kids, but cyber-criminals.  They are smart and know that the odds are hugely in their favor.  Finally, the Anti-Virus vendors are NOT creating the viruses to scare people into buying their products.  They really don't have to.

ISB Takeaway #1:
Schedule Anti-Virus updates as often as you can, even hourly if possible.  Verify every day that the updates are actually arriving, not just scheduled.

ISB Takeaway #2:
Become familiar with, and use, Windows Update and Software Update Services.

ISB Takeaway #3:
If you don't have the time or skills for this yourself, contact us and we'll get it done for you.
 

The ISB is a monthly email newsletter published by IPkey.com, your source for affordable information security monitoring and management.  IPkey.com is part of Meridian Group, a New Mexico based corporation serving the IT needs of its clients for 14 years.  We encourage you to forward the ISB to your co-workers, colleagues and friends.  To subscribe or unsubscribe to the ISB newsletter, email us at isb@ipkey.com
Past issues of this newsletter are available at IPkey.com ISB Archive

I invite you to call or email me with your questions and comments.  As always we are here to assist you with your Information Security needs.

Next Month: Intrusion Detection & Prevention Systems

All contents copyright (C) 2003 Meridian Group Inc.