The worm that wasn’t quite

As I began writing this last week, a new type of worm began to establish itself on the Internet. This worm was particularly insidious because it spread by ways that were initially unexpected. Just in case you haven’t already heard, this one spread by a piece of malware that was inserted on legitimate major Web sites. One allegedly attacked site was eBay; when a visitor loaded the Web page, he or she also loaded the malware.

When on a computer that used Microsoft Internet Explorer, the malware would attempt to link to a computer in Eastern Europe that would download another worm that would attempt to capture passwords and similar information, and then transmit it back to a covert site, also in Eastern Europe. Users would never know they’d been invaded.

Fortunately, once providers found out about this worm, they simply cut off the IP address of the site that loaded the second stage of the malware, and that eliminated the threat. Then, Web site managers had the time necessary to fix their systems and remove the first stage of the malware.

A similar attack began today, as this column was finished. In this attack, the malware hides in pop-up ads and inserts a worm that looks for log-on information for 50 major financial sites. When a user goes to one of those financial sites, the information is again sent to a covert site in Eastern Europe. Once again, access to that site has been cut off, so this worm is already contained.

You probably already know the steps you must take to prevent such worms from attacking your enterprise. Good enterprise and personal firewalls are a must. Up-to-date virus protection is necessary, and of course, you must keep all of the computers -- including user workstations -- patched.

None of these steps is a secret, so if you haven’t taken all or most of them, you’re not doing your job. Yes, I know that some operating system patches must be tested and validated so you can’t always patch right away, but that doesn’t mean you can’t take the other steps.

But just taking those steps isn’t enough anymore. You also need to start thinking about your policies regarding use of the Internet in your company. For example, why allow pop-up ads at all? I can’t think of a legitimate use for them in a business setting.

There’s more: Some companies use the same pop-up ad technology for other purposes on their Web sites, such as surveys or alerts. Some companies design their sites so they only work with Internet Explorer. Both of these practices should be reconsidered.

As you’re probably beginning to realize, pop-up ads are a dying practice because software that blocks them is widely available and frequently used. If you need pop-up technology for your site, there’s a growing likelihood that your users won’t be able to use all of your site.

And as people are beginning to learn, Internet Explorer is frequently (almost exclusively) the target of worm writers. It’s likely that Windows users will start moving more to Mozilla, Netscape, and other Web browsers. If you don’t allow them to use your site because you’re focused on IE, you’re simply limiting your market.

As you can see, these new threats are potentially very serious, and one of these days they will slip through and wreak havoc. You can take a few steps, some fairly simple, to limit the damage and in the long term, save yourself money. All you really have to do is rethink your policies.