Worm outbreaks saturate networks

Last week went down as one of the worst computer security weeks ever, as a spate of new worms crippled corporate and government networks that rely on Microsoft software.

The attacks, which came a week after the damaging Blaster (or LovSan) worm struck, included a variant on that intruder and with another worm designed to save users from Blaster but instead wound up clogging networks (see graphic).

Meanwhile, a spinoff of the SoBig mass-mailer worm, tricked victims into opening attachments to so that it could grab their Outlook address book to mail itself again. VeriSign reported that SoBigF, programmed to send mail traffic through one of the company’s root DNS servers, caused a 20-fold spike in traffic between Tuesday and Wednesday. (Security watchers warned Friday, just before press time, that SoBig.F carries a Trojan it might use to attack an unknown target later that day.)

Among those networks feeling the pain last week was the Navy Marine Corps Intranet (NMCI), used by about 100,000 personnel. It was saturated for three days with scanning caused by Welchia, a worm with a mission to use Blaster-like techniques to break into computers to disinfect machines hit by Blaster and then patch them. Welchia infected tens of thousands of NMCI computers.

“It was pinging away, trying to grab a patch from Microsoft,” says Capt. Chris Christopher. “The traffic was getting too heavy, and it affected network performance.”

NMCI desktop computers weren’t affected, but network capacity wasn’t restored in large part until last Thursday. The massive cleanup effort involved patching machines for the Microsoft vulnerabilities Welchia exploited, as well as ensuring anti-virus signatures were place.

The NMCI uses Symantec’s anti-virus products, but Symantec didn’t have the signature update for Welchia ready until several hours after it hit, Christopher says.

Blaster hits airline system

Separately, a variant on the Blaster virus affected about half of Air Canada’s phone-reservation system and some airport check-in operations last Tuesday, even causing some flights to be delayed or canceled. CSX, the third largest railroad company in North America, also blamed worms for creating transportation delays.

According to CSX, the worm outbreaks mainly hit its network-supporting applications used for dispatch and signal systems operated by the CSX Transportation division. The network saturation caused CSX to halt passenger and train traffic, including morning commuter service into the Washington, D.C., area.

In light of the new attacks and the Blaster infections, Microsoft has started a fresh dialogue about how it might change its patching strategy, at least when it comes to home computers outfitted with XP (see related story). That operating system has a feature to automatically notify an end user that a software patch is needed and apply it.

A Microsoft spokesman says the company is pondering whether to alter this feature in future releases so that it would work by default. The company says it believes this method would be more effective instead by applying the patch because warnings often are ignored.

Microsoft was looking for feedback on that idea, which it acknowledged could affect the corporate world where XP also is increasingly used.

In terms of the Blaster worm, which was programmed to continuously launch a denial-of-service attack against the Microsoft windowsupdate.com URL on Aug. 16, the company disabled the targeted link to preserve the main portion of the site. However, that URL won’t be available for the foreseeable future.

As to the question of Dumaru – a worm launched last week that pretended to be from Microsoft but carried a dangerous Trojan as an attachment – Microsoft says it never sends out attachments in any official e-mail in a public mass mailing.