Internet worm hits CardCall

The W32.Blaster.Worm hit prepaid communications provider CardCall yesterday causing a "fairly severe network slowdown", according to IT manager, Gordon Kenyon.

He said the outage affected the Gold Coast company's IT infrastructure, servers and 100 PCs, after its antivirus software failed to pick up the worm.

David Banes, regional manager Symantec Security Response, Asia Pacific, said the W32.Blaster.Worm discovered on Monday (August 11, 2003) had a big impact on Australian organisations, giving Symantec's Sydney customer service centre "one of the busiest days in a long time" yesterday.

Banes said the worm reinforced the need for organisations to have comprehensive security solutions in place.

"It's important that organisations don't just rely on a particular piece of software, but have a proper policy within the organisation including training and a security policy," Banes said.

Banes said that the W32.Blaster.Worm is not a "normal" virus or worm, but "more of a code red worm".

"Normal viruses come on e-mail which antivirus software can detect, but this worm is coming in on the network so antivirus won't detect it. That’s why it's also important to have firewall and intrusion detection in place," Banes said.

Kenyon said the worm "puts files on the machines and pretends to be a Microsoft update component and chews resources".

He said the company "received lots of external traffic on the network coming from unknown sources".

Kenyon said he was alerted to the problem early Tuesday morning and the outage, which hit CardCall's call centre, was about three hours.

"First we found out that the e-mail service was down, then we went through process of trying to get everything up and running and found what was consuming the resources was in fact a worm," Kenyon said. "We're had to manually apply patches to each workstation, which took the rest of the afternoon," Kenyon said.

Kenyon said the worm interfered with CardCall's e-mail system after coming through a hole in Windows security.

Unhappy with "the people who developed the worm", Kenyon said once the IT team established what the problem was, a simple patch was applied from the Microsoft network, "but we have to restore the network to make sure it's clear and antivirus is in place".

"We manually removed the worm and applied the patch to stop it coming back.

"Our Norton antivirus software was supposed to see it, according to Symantec, but it didn't. The worm attacks via a specific port and demonstrates a flaw in Microsoft security," he said.

On average, Kenyon said CardCall gets about four patches a week from Microsoft, and added that "it's a constant battle to keep machines up to date with the latest patches".

Symantec's Banes said the worm hit organisations that had not run Windows update features or not patched properly.

"If all their copies of Windows were updated with the relevant Microsoft patch, the worm" wouldn't have been successful, Banes said.

According to Symantec, the W32.Blaster.Worm will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm will attempt to download and run the Msblast.exe file.

Trend Micro said the worm exploits the RPC DCOM buffer overflow, a vulnerability in a Windows Distributed Component Object Model Remote Procedure Call interface which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lauren Thomsen-Moore

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?