
Latest worm puts focus on patch woes

Aug 18, 2003

The Blaster worm that last week infiltrated hundreds of thousands, if not millions, of Windows-based computers once again highlighted the IT community’s inability to plug software holes even when they have been detected and patches have been issued.

As Network World went to press late Friday, Microsoft was preparing for what was supposed to be a denial-of-service (DoS) attack on its Windows Update Web site the next day by the compromised machines.

Blaster, which quickly took its place alongside Code Red, Nimda and MS-SQL Slammer as one of the most disruptive worms in history, also has begun spawning variants – including one called Teekids – that could do damage of their own. Concerns also were mounting that there is a separate DoS vulnerability in Microsoft’s Remote Procedure Call (RPC) interface that also can be targeted and that might require another round of patching.

Blaster, which spreads by scanning for Windows XP, NT, 2000 and 2003 machines that never were patched for the RPC vulnerability discovered last month, wreaked havoc with networks across industries, including education, banking and government.

Productivity drain

“This has been a huge productivity drain,” says Tom Danford, associate provost and CIO at the University of Dayton in Ohio, which had several LAN sub-nets infested with Blaster scanning. “We don’t have much control over the students’ computers on these LANs.”

The university blocked Blaster, which slipped in via Port 135, at the Internet gateway by using an intrusion-prevention appliance from TippingPoint Technologies. But that didn’t help stop outbreaks that started inside the network as students turned on unpatched machines infected elsewhere.

Danford says he expects more outbreaks as students return en masse to campus Aug. 23. The IT staff is preparing a Blaster “awareness” campaign to encourage everyone to ensure their PCs are patched.

Companies in the business of securing IT networks were quick to offer estimates on the overall damage caused by Blaster, also known as MSBlast and LoveSAN. Security outfit RedSiren, for instance, pegged the damage at $320 million in lost productivity as IT staff went about checking for and cleaning up infected computers, not counting business-related losses.

Protecting against Blaster

Experts recommend a number of steps, both general and specific:
Patch every machine under your administrative control.
Direct users outside your control (on campus, for example) to get a patch here (alternate site, if needed, is here) and to scrub for infections.
Direct users to vendor sites such as Symantec’s that have free detection and scrub tools.
Use firewall or other gateway protection to block Port 135 inbound and outbound where Blaster travels.
Also block Port 69/UDP, 139 TCP and UDP, 445 TCP and UDP, and 444 TCP.
Do not block Port 135 inside the corporate network, as doing so renders many Microsoft-based applications unusable.
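
The gateway block does not expose machines that are already infected inside the network, which is the situation the University of Dayton describes. As an added example (not from the original article), this Python script flags internal hosts that contact many distinct addresses on TCP port 135 within one minute; the log format, the 10.0.0.0/8 internal range and the threshold of 20 are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) firewall log format: "<timestamp> <action> <proto> <src> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

def find_rpc_scanners(lines, internal="10.0.0.0/8", port=135, threshold=20):
    """Return {src: peak distinct destinations per minute} for internal
    hosts whose fan-out on TCP/<port> reaches the threshold."""
    net = ip_network(internal)
    fanout = defaultdict(set)  # (src, minute) -> destinations seen
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["port"]) != port:
            continue  # unparseable line or unrelated traffic
        if ip_address(m["src"]) not in net:
            continue  # only internal sources are of interest here
        minute = m["ts"][:16]  # truncate ISO timestamp to YYYY-MM-DDTHH:MM
        fanout[(m["src"], minute)].add(m["dst"])
    peak = defaultdict(int)
    for (src, _minute), dsts in fanout.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n >= threshold}

def build_sample_log():
    """Constructed sample data, not real traffic."""
    lines = []
    # Host sweeping 40 different addresses on port 135 in one minute
    for i in range(1, 41):
        lines.append(f"2003-08-12T09:00:{i:02d} ALLOW TCP 10.1.4.23 -> 10.1.5.{i}:135")
    # Normal client: many RPC connections, but all to one server
    for i in range(30):
        lines.append(f"2003-08-12T09:00:{i:02d} ALLOW TCP 10.1.4.50 -> 10.1.0.10:135")
    # Unrelated web traffic, an external source, and a malformed line
    lines.append("2003-08-12T09:00:05 ALLOW TCP 10.1.4.50 -> 192.0.2.80:80")
    lines.append("2003-08-12T09:00:06 DENY TCP 198.51.100.7 -> 10.1.4.23:135")
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    for src, n in find_rpc_scanners(build_sample_log()).items():
        print(f"{src}: {n} distinct TCP/135 destinations in one minute")
```

Counting distinct destinations rather than raw connections keeps ordinary clients of a single RPC server, which the list says must stay reachable inside the network, out of the results.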

The Federal Reserve Bank of Atlanta and the Maryland Motor Vehicle Administration in Glen Burnie shut down their offices last Tuesday as network staff there eradicated Blaster outbreaks that rendered LANs useless through excessive scanning. The Maryland organization sent out a SWAT team that night to all 23 of its offices to detect and eradicate the Blaster worm on 1,700 computers and patch them, a spokesman says.

Also affected were the Cox newspapers, which suffered disruptions across a shared backbone. They also had limited Internet access at one point.

Patching process

In light of such problems, the issue of patching to prevent Blaster infection was a much-debated subject in corporate IT departments last week.

Some IT staffs came to the belated discovery that the patch Microsoft issued July 16 doesn’t work on all four Service Packs (SP) for upgrades to Windows 2000. Officially, Microsoft has indicated the patch applies only to SP3 and SP4 because the company doesn’t develop patches for older, “unsupported” releases such as SP1 and SP2.

But many organizations using older versions of Windows 2000 went looking for a patch last week as Blaster rocketed across the Internet. The online computer-security forum NTBugtraq, moderated by Russ Cooper of managed security services vendor TruSecure, focused its discussion on analysis that showed that the MS03-026 patch needed to stop Blaster would work on Win 2000 SP2.

The NTBugtraq debate and cry for patch support got Microsoft’s attention: The company took what it said was the unusual course of acknowledging the patch does work for SP2.

“It just wasn’t tested for SP2,” says Stephen Toulouse, security program manager for Microsoft Security Response Center. In stating support for the patch on SP2, he says Microsoft was breaking with its customary “life-cycle policy,” which can create a “weird time zone” in terms of patching.

“I believe SP2 is the most widely deployed version of Windows 2000 in corporations today,” Cooper says. “Companies will have to wait until all or most of their software suppliers support an SP before they will upgrade. Many [software vendors] haven’t stated they support SP3 yet despite SP4 being available. Ergo, many companies have stayed on SP2.”

Toulouse says he doesn’t think Microsoft has information on what SPs its customers are using.

However, the MS03-026 patch doesn’t work for SP1, and that had some organizations rapidly upgrading.

The University of Denver’s business school computer lab, which uses Win 2000 with SP1, determined that it took only 4 minutes early Monday evening for the worm to tear into 90 machines. Ken Stafford, vice chancellor of technology, says he immediately blocked Port 135 when he determined what was happening. The worm eventually infected 500 desktops and had 100 people scrambling to protect systems.

“On Tuesday, we were blocking 52,000 hits per minute at our firewall,” Stafford says. “All the blocking brought our firewall to 92% of CPU usage, which slowed everything.”

The university removed the worm with tools from Sophos and Symantec, but found Microsoft Office disabled and tough to reinstall.

The school upgraded its Win 2000 machines to SP4 and installed the patch, but still wasn’t able to reload Office until the machines were disconnected from the Internet.