Engaging in worm warfare

Fourth, inventory your environment — you have to know what you have before you can patch it. This may also help you figure out where potential future vulnerabilities lie, so you can proactively address them in future maintenance.

“Stage five is to do an analysis of correlations between your assets and vulnerability knowledge,” Hameroff says, adding that software tools may be able to help here.

Finally, fix the problem then check that you’ve done it correctly.

Watching the Horizon

As important as it is to make sure your software is patched, it’s also clear that patches aren’t a perfect solution when worms are the problem. Currently, the time between the discovery of a new vulnerability and the exploit that takes advantage of it may be only two or three days. That’s simply not enough time for a large company — even one that moves aggressively — to apply the patches it needs.

Because they simply examine packets as they enter the enterprise, firewalls have their limitations. Firewalls may limit damage, but they won’t stop everything, including most types of worms. Companies thinking that they’re safe with only a firewall in place are deluding themselves.

“You cannot build intelligence that way,” says Permeo’s Lu, who suggests the real secret to detecting worms lies with examining the behavior of applications. “Usually only a few [apps] are running,” so it’s relatively easy to keep tabs on their performance, Lu explains, suggesting that any unexpected behavior from an application can be a sign of a worm at work.

Castaldi says that future worm warfare will involve building statistical models of the behavior of applications. “When there’s anomalous [application] behavior, it can be used to tell if a worm is propagating and what vector it’s using,” he explains. Just watching an application can tell you a lot about what’s going on in your network, and you can keep an eye on traffic with monitoring tools such as those from Zone Labs and similar vendors.

There’s every reason to believe that the worms of 2004 will be more numerous and more destructive than anything we’ve seen. Many security experts believe that the worms of August 2003 were only a test run — a first attempt to see what could be done with this means of attack.

The next step is to create worms for identity theft, for looting corporate secrets, for stealing financial information or other private material. Imagine the havoc that could be caused by one expert’s example of a worm that searches for a database field labeled “SSN,” then randomly changes a single number in each field.

Because of their varied nature and constant evolution, and despite all of the forces arrayed to fight worms, it’s unlikely they will ever be eliminated. Ultimately, enterprises will be limited to managing the threat by triage rather than making worms disappear completely. But with the right tools — and the right practices — it’s possible to keep the threat under control. And getting worms under control is better than the unrestricted spread of damage we’ve already witnessed.