Last Monday afternoon, I got an instant message from a former colleague. “Is there a new worm out there?” she asked. I scanned my e-mail for threat reports and noticed that something was starting up, but what I noticed more were dozens of e-mails with little content beyond a file attachment.
Fortunately, I’d learned a few things since the days of the “I Love You” virus, which was one of the earliest pieces of mass-mailing malware. When that virus showed up, Oliver Rist, InfoWorld Test Center senior contributing editor, and I were at the University of Hawaii running tests, and I suddenly started receiving dozens of e-mails with the subject “I Love You.” Perhaps it’s because I’m pretty cynical, but I knew it had to be a virus because nobody loves a newspaper editor, and even if some benighted soul does, there certainly aren’t dozens of them.
Since then, I’ve learned never to open an attachment that I didn’t know would be coming, regardless of who it might be from. I also learned that if there is any doubt, I should call first to confirm, scan the attachment, and then open it on a machine that belongs to someone else.
That works, but Novarg (aka “Mydoom”) still gives me reason to worry. According to Alfred Huger, senior director of engineering for Symantec Security Response, Novarg may be the most sophisticated worm unleashed to date. Clearly, its ability to spread quickly means it is well designed, but it appears to have capabilities beyond propagation.
For example, Huger says that the worm appears to install a back door on infected systems as well as a TCP relay proxy. This means that an infected system will facilitate future worm attacks and will make the real senders anonymous.
Whoever wrote the worm also realized that there was some value in staying under the radar. For that reason, Novarg appears to exclude military and government addresses as well as those of anti-virus vendors and major software vendors such as Microsoft. The idea, apparently, was to delay the discovery of the worm as long as possible so that the spread will be maximized before the security establishment takes action.
And of course, there’s the target, SCO. The worm is designed to fire off on Super Bowl Sunday, flooding SCO with DDoS attacks generated by the infected zombie systems. (The thinking is that this may be a response to SCO’s current legal action related to Linux.) Huger says that unless SCO takes some sort of remedial action, it could have a negative effect on the company’s Web site.
The problem with this sort of an attack is that there’s only so much an IT or security manager can do to prevent it. In the case of Novarg, the epidemic was well under way before anti-virus vendors had a solution, meaning companies without good security practices would be hurt the worst. If your employees are still clicking on attachments without knowing what’s in them, you’ve got a problem.
Unfortunately, Huger and others think that Novarg is just the beginning. Huger thinks the sophistication of these worms will grow much faster than before and that what we’re seeing now will only get worse. Because you can’t depend on anti-virus software for everything, you’ll have to get back to the basics: policies, training, auditing, and attention are required. Without these, your network will be toast in a matter of minutes.