Worm wave highlights need for speedier defenses

The speed at which hackers were able to take advantage of newly disclosed software flaws makes it vital for companies to look beyond patching to broader and more holistic measures for controlling vulnerabilities, security experts said.

The advice comes in the wake of a wave of worms this week that targeted a flaw in a Plug and Play component of Microsoft's Windows 2000 software.

The worms hit several companies, including The New York Times, CNN, ABC News, Caterpillar Inc. and General Electric Co., and came less than a week after the hole they exploited was disclosed by Microsoft as part of its monthly patch-release cycle (see "Microsoft patches three 'critical' Windows flaws").

The worms, which had names such as W32/Zotob A, W32/Zobot D, W32/Rbot.CBQ and W32/Esbot-A, caused infected systems to repeatedly restart and potentially allowed remote attackers to take control of compromised systems. But the fact that the malware targeted only older Windows 2000 systems meant that the number of infected systems was fairly low, according to estimates by some antivirus vendors.

Even so, the 11 or so worms that were unleashed this week served as a sobering illustration of the ability of hackers to take advantage of new flaws before many companies have a chance to patch them, said John Pironti, principal security consultant at Unisys.

"What has happened is that hackers have adopted new attack techniques," Pironti said. "Instead of going out and looking for vulnerabilities on their own, what they are doing is waiting for patches to be released to see what holes are being fixed," and then going after those holes as quickly as they can, he said.

The trend could leave companies dangerously exposed, especially large ones that typically need time to test and analyse patches before deploying them, he said.

"They have to assume that they are going to be vulnerable to attack from the moment a patch is out," Pironti said. "They need to have countermeasures in place while the patches are tested" and deployed, he said.

Companies need to think about implementing the equivalent of the color-coded threat system used by the US Department of Homeland Security when dealing with newly disclosed flaws, said Dave Jordan, chief information security officer for the government of Arlington County.

"They should conduct business differently than they would day to day" and establish whatever countermeasures they can to mitigate risk as soon as possible, he said.

These measures include doing a thorough threat analysis when new vulnerabilities are announced, understanding what the specific risks are, turning off services and shutting down systems where needed, blocking access to affected ports, and using intrusion-detection sensors to monitor for unusual activity, security experts said.

The vast majority of worms and viruses, including those launched this week, use common attack methods and take advantage of the same flaws, such as buffer overflows, to attack vulnerable systems, said Thor Larholm, a senior security researcher at PivX Solutions, a security software vendor in California.

Instead of relying solely on patches to fix every new flaw, it's better to address some of the common underlying vulnerabilities, he said. "There are multiple ways to protect against entire classes" of vulnerabilities without having to apply patches for each one of them, Larholm said.

For instance, PivX is one of the vendors that sell tools to repair generic buffer overflows in the absence of vendor patches. Similar tools are available for detecting and shutting down port scanners, spotting unusual application behaviors, and for controlling inbound and outbound connections based on protocols, ports and host addresses.

"About 90% of the worms out there can be mitigated against just by hardening your systems," Larholm said. For instance, just disabling so-called null-session accounts, which are enabled by default on Windows 2000 systems, would have prevented this week's worms from taking advantage of the Plug and Play flaw, he said.

"I think what these attacks show is that there is still a fair bit of latency within a lot of companies" between patch release and deployment, said Fred Rica, a partner at PricewaterhouseCoopers in New York.

One way of mitigating risk is to employ better processes for testing and deploying patches, he said. The use of event management and correlation tools to monitor network and security log data for signs that a particular vulnerability may be getting exploited is also a good idea, Rica said.

"Building an event management capability can help you get ahead of some of this stuff," he said.
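The kind of event correlation Rica describes, shown here as an added example that is not part of the article and not the product of any vendor it names. It reads a constructed, simplified firewall log (one connection per line: timestamp, source, destination, destination port, action) and flags any source that reaches many distinct hosts on the same port inside a short window, which is the propagation pattern a network worm leaves behind regardless of which flaw it exploits. The port 445 default, the 60-second window and the five-host threshold are assumptions chosen for illustration, not values from the article.

```python
"""Correlate firewall connection logs to flag worm-style propagation.

Added example (not from the article). Assumes a constructed log format:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
The port, window and threshold defaults below are assumptions for
illustration; tune them to the environment and the flaw being tracked.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
# 10.0.0.5 sweeps six hosts on 445 in a few seconds (worm-like).
# 10.0.0.7 talks to a single file server repeatedly (normal).
# 10.0.0.8 touches five hosts on 445 but spread over eight minutes.
# 10.0.0.9 is ordinary web traffic on port 80.
SAMPLE_LOG = """\
2005-08-16T10:00:01 10.0.0.5 10.0.1.10 445 ALLOW
2005-08-16T10:00:02 10.0.0.5 10.0.1.11 445 ALLOW
2005-08-16T10:00:02 10.0.0.5 10.0.1.12 445 DENY
2005-08-16T10:00:03 10.0.0.5 10.0.1.13 445 DENY
2005-08-16T10:00:04 10.0.0.5 10.0.1.14 445 ALLOW
2005-08-16T10:00:05 10.0.0.5 10.0.1.15 445 DENY
2005-08-16T10:00:05 10.0.0.7 10.0.1.10 445 ALLOW
2005-08-16T10:00:20 10.0.0.7 10.0.1.10 445 ALLOW
2005-08-16T10:00:40 10.0.0.7 10.0.1.10 445 ALLOW
2005-08-16T10:00:10 10.0.0.8 10.0.1.20 445 ALLOW
2005-08-16T10:02:10 10.0.0.8 10.0.1.21 445 ALLOW
2005-08-16T10:04:10 10.0.0.8 10.0.1.22 445 ALLOW
2005-08-16T10:06:10 10.0.0.8 10.0.1.23 445 ALLOW
2005-08-16T10:08:10 10.0.0.8 10.0.1.24 445 ALLOW
2005-08-16T10:00:41 10.0.0.9 10.0.2.1 80 ALLOW
2005-08-16T10:00:42 10.0.0.9 10.0.2.2 80 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_scanners(lines, port=445, window=timedelta(seconds=60), min_hosts=5):
    """Return {src: peak_distinct_hosts} for every source that contacted at
    least `min_hosts` distinct destinations on `port` within any sliding
    `window`.  DENY and ALLOW both count: a worm probing blocked hosts
    is still a worm, and the denies are often the first signal.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, p, _action = parse_line(line)
        if p == port:
            events[src].append((ts, dst))

    flagged = {}
    for src, ev in events.items():
        ev.sort()  # chronological order so the window can slide
        start = 0
        for end in range(len(ev)):
            # Advance the window start until it spans at most `window`.
            while ev[end][0] - ev[start][0] > window:
                start += 1
            distinct = {dst for _, dst in ev[start:end + 1]}
            if len(distinct) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT possible worm propagation from {src}: "
              f"{hosts} distinct hosts on port 445 within 60s")
```

With the defaults only 10.0.0.5 is flagged; 10.0.0.8 reaches five hosts too but spread over eight minutes, so it surfaces only when the window is widened. That is the trade-off behind the thresholds: a narrow window catches fast-spreading worms like the ones in the article with few false positives, while slower sweeps need a longer baseline.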

Jaikumar Vijayan