Senior Editor, Network World

Companies take cover as worm war breaks out

Mar 08, 2004

An Internet gang war of sorts broke out last week as the creators of two mass-mailer computer worms battled to outdo each other by releasing a dozen variants of the worms, called Bagle and Netsky, in rapid-fire fashion.

The conflict had corporations doing what they could to stay out of the crossfire.

The barrage of Bagle and Netsky variants appeared to pit rival virus writers in Germany and the Czech Republic who exchanged often-misspelled taunts with their code, such as “don’t ruine our busssiness” and “wanna start a war?”

In addition, two new versions of the MyDoom worm appeared, and a wholly new one, Hiton.A. This unusually wormy week had anti-virus vendors and their customers stuck in rapid-response mode.

“This is the most variants we’ve seen released in a particular week,” says Alfred Huger, senior director of engineering at Symantec Security Response, adding it far outstripped anything he could recall. “It’s so prolific, it’s affecting mail servers, making them go down.”

Like other anti-virus vendors, Symantec went into overdrive, sorting out which variants required a signature update that customers would need to apply as quickly as possible to desktops, servers and other gateways.

“Because they’re coming out so fast and furious, the need to stay updated is paramount,” says Matt Marchionne, data security specialist at Burlington Coat Factory in Burlington, N.J. The retailer uses Eset Software’s desktop anti-virus software.

Burlington Coat Factory doesn’t leave it up to its employees to decide when to get updates from Eset servers. Instead, each user’s computer automatically checks the Eset update server at regular intervals. When there’s a barrage of worms, as there was last week, the company’s IT staff resets the automated update to tighter intervals – from a day to an hour or even less – even though it consumes internal network capacity.

Increasingly, companies appear unwilling to rely on anti-virus software alone to protect themselves against worms.

One firm, Tripos, a St. Louis company that makes products for the pharmaceutical industry, battens down its network by not granting users access until they have passed an inspection to assure they have updated anti-virus software on their machines. Tripos does this using a policy-management appliance called CyberGatekeeper and the desktop CyberArmor firewall from InfoExpress.

“We set policies that laptops have to have updated anti-virus,” says Nathan Burns, network security administrator at Tripos. Users within the network or remotely accessing it will be directed to update their anti-virus software – Tripos uses Symantec – if their computers don’t pass inspection.

Making matters worse

To make matters worse last week, a number of the Bagle variants were discovered concealed inside password-protected ZIP files. These ZIP files aren’t stopped through the usual anti-virus scanning process.

“The simple rule is, [anti-virus software] can’t look inside a password-protected ZIP file; [it has] to look at it in order to recognize a specific fingerprint,” says Jimmy Kuo, McAfee research fellow. He adds that Windows XP, which includes a way to let users double-click to read headers on ZIP files, unfortunately makes it easier for users to be fooled by tricks that virus writers come up with to dupe people into opening ZIP attachments.
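
As an added illustration of the point Kuo makes (this is not code from the article or from any vendor named in it): a mail gateway cannot signature-scan an encrypted ZIP entry, but it can still read the archive’s central directory and see the encryption flag, so it can quarantine such attachments instead of passing them on unscanned. The sample archives, the executable-extension list and the policy verdicts below are constructed assumptions for the demo.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 of a ZIP entry: payload is encrypted
# Assumed gateway policy for attachment names; not taken from the article.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """Hand-build a single-entry, uncompressed ('stored') ZIP as a constructed sample.
    With encrypted=True only the flag bit is set; the payload stays in the clear,
    which is all the gateway check below looks at."""
    fname = name.encode("ascii")
    flags = ENCRYPTED_FLAG if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # Local file header (30 bytes) + name + payload, placed at offset 0.
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(fname), 0) + fname + data
    # Central directory entry (46 bytes) + name; its last field is the local header offset.
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    # End-of-central-directory record (22 bytes): one entry, directory size and offset.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def inspect_attachment(zip_bytes: bytes) -> dict:
    """Triage a ZIP attachment from its central directory only; nothing is extracted.
    Encrypted entries are unscannable, so the verdict is 'quarantine' rather than
    'pass'; executable names and archives the parser rejects get the same verdict."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return {"encrypted": [], "executables": [], "action": "quarantine", "reason": "malformed"}
    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED_FLAG]
    executables = [e.filename for e in entries if e.filename.lower().endswith(RISKY_EXTENSIONS)]
    if encrypted:
        reason = "unscannable"
    elif executables:
        reason = "executable"
    else:
        reason = "pass-to-av-scan"
    action = "quarantine" if encrypted or executables else "scan"
    return {"encrypted": encrypted, "executables": executables, "action": action, "reason": reason}


if __name__ == "__main__":
    print(inspect_attachment(build_zip("report.txt", b"quarterly figures", False)))
    print(inspect_attachment(build_zip("photo.jpg.exe", b"MZ\x90\x00", True)))
```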

Some corporations say banning incoming attachments entirely is one way to add protection against worms.

“Netsky is one of the big ones right now,” says Bob Wood, senior network analyst at Skokie, Ill., map publisher Rand McNally, about last week’s mass-mailer worm wave. “But we just don’t allow attachments that would damage our computers.”

Wood says the company adopted the approach after getting slammed a few years ago in a mass-mailer worm outbreak.

Another firm, Daniels Trading, a commodities exchange in Chicago, says anti-virus software just isn’t enough when worm attacks are coming so fast. According to COO Glenn Swanson, the company also relies on Cisco’s behavior-blocking software, Cisco Security Agent, to stop worm activity on desktops.

“The software stops suspicious behavior – for instance, you can’t grab a whole e-mail list and send it out,” Swanson says. While Cisco Security Agent has halted many worms in their tracks, Swanson notes that virus writers are getting more crafty. At least one Netsky variant grabs a limited number of e-mail addresses at a time.

The worm wars have angered some in the industry, who are calling for a tougher law enforcement response.

“It’s hard to imagine a more comical situation: A handful of virus writers are playing unpunished with the Internet, and not one member of the Internet community can take decisive action to stop this lawlessness,” says Eugene Kaspersky, head of anti-virus research at Kaspersky Labs in Moscow.

He predicts the worm wars will continue until there’s more effective prosecution of virus writers.