Engaging in worm warfare

Last summer, it seemed the onslaught would never end. One after another, a progression of worms and other malware threatened to bring down systems as enterprises floundered in a morass of unpatched vulnerabilities and malicious e-mails opened by unwary employees.

The worms did more than just annoy. Organizations ranging from the U.S. Marine Corps to CSX, one of the larger transportation companies in the world, found themselves temporarily out of business. At CSX, the Nachi worm took out the sprawling railroad’s signaling systems, stranding train traffic for nearly two days.

This winter, things appear to have calmed down. New worm attacks have dropped to a lower level — but that doesn’t mean the threat is gone.

It may seem as though the best way to cope with worms is to accept defeat, but that’s not true. You need to stay on your toes and keep up with new techniques for dealing with these worms as they are developed. The best worm defense means doing what you’ve always done — keep your anti-virus software up to date, and patch, patch, patch — and backing it up with cultural changes that emphasize the value of security.

Worms at Work

Worms do their damage quickly, and they’re getting faster. During one testing session in October, an unprotected server being used by InfoWorld at the University of Hawaii’s Advanced Network Computing Lab was infected by Nachi in less than

12 minutes. Worse, there is evidence reported by Symantec’s Deep Sight (currently being tested in InfoWorld’s labs) that penetration attempts are on the increase. Are these signs of soon-to-be-released worms?

Right now, it’s impossible to say, but the trends being highlighted by Deep Sight are alarming. Even the experts say we haven’t seen anything yet. “It will get worse,” says Dr. Wei Lu, CTO of Permeo Technologies. “It’s now a competition [between worm authors].”

“Significant worms are propagating more frequently,” explains Carty Castaldi, vice president of engineering at Mazu Networks. “The authors are getting more sophisticated,” and this growing sophistication means that worms are spreading by new methods and are doing damage even more effectively.

Ian Hameroff, a security strategist at Computer Associates, agrees. “These [recent] types of worms are a real present danger and threat,” he says. “Luckily they haven’t been that destructive in terms of destroying data.”

As do other experts, Hameroff worries that worm creators will combine fast propagation with a destructive payload, such as worms that send private or classified data to an outside location, or destroy or modify data. Hameroff notes that “the time between disclosure of a vulnerability by a vendor and the malware that exploits it is getting shorter,” which is further evidence that worm creators are getting faster and better.

Building an Attack Plan

Unfortunately, there is no easy way to keep the barbarians and their worms at bay. The best defense is to do as you’ve always done — but with increased vigilance. Check for vulnerabilities, then patch. When you’ve done that, patch some more. And while you’re at it, check for new security tools. Then patch some more.

This patching “consumes a lot of people resources,” says Ken Tyminski, chief information security officer at Prudential Financial, who notes that the company has been “very, very aggressive with patching.”