Worm wave highlights need for speedier defenses

The speed at which hackers were able to take advantage of newly disclosed software flaws makes it vital for companies to look beyond patching to broader and more holistic measures for controlling vulnerabilities, security experts said.

The advice comes in the wake of a wave of worms this week that targeted a flaw in a Plug and Play component of Microsoft's Windows 2000 software.

The worms hit several companies, including The New York Times, CNN, ABC News, Caterpillar Inc. and General Electric Co., and came less than a week after the hole they exploited was disclosed by Microsoft as part of its monthly patch-release cycle (see "Microsoft patches three 'critical' Windows flaws").

The worms, which had names such as W32/Zotob A, W32/Zobot D, W32/Rbot.CBQ and W32/Esbot-A, caused infected systems to repeatedly restart and potentially allowed remote attackers to take control of compromised systems. But the fact that the malware targeted only older Windows 2000 systems meant that the number of infected systems was fairly low, according to estimates by some antivirus vendors.

Even so, the 11 or so worms that were unleashed this week served as a sobering illustration of the ability of hackers to take advantage of new flaws before many companies have a chance to patch them, said John Pironti, principal security consultant at Unisys.

"What has happened is that hackers have adopted new attack techniques," Pironti said. "Instead of going out and looking for vulnerabilities on their own, what they are doing is waiting for patches to be released to see what holes are being fixed," and then going after those holes as quickly as they can, he said.

The trend could leave companies dangerously exposed, especially large ones that typically need time to test and analyse patches before deploying them, he said.

"They have to assume that they are going to be vulnerable to attack from the moment a patch is out," Pironti said. "They need to have countermeasures in place while the patches are tested" and deployed, he said.

Companies need to think about implementing the equivalent of the color-coded threat system used by the US Department of Homeland Security when dealing with newly disclosed flaws, said Dave Jordan, chief information security officer for the government of Arlington County.

"They should conduct business differently than they would day to day" and establish whatever countermeasures they can to mitigate risk as soon as possible, he said.

These measures include doing a thorough threat analysis when new vulnerabilities are announced, understanding what the specific risks are, turning off services and shutting down systems where needed, blocking access to affected ports, and using intrusion-detection sensors to monitor for unusual activity, security experts said.

The vast majority of worms and viruses, including those launched this week, use common attack methods and take advantage of the same flaws, such as buffer overflows, to attack vulnerable systems, said Thor Larholm, a senior security researcher at PivX Solutions, a security software vendor in California.

Instead of relying solely on patches to fix every new flaw, it's better to address some of the common underlying vulnerabilities, he said. "There are multiple ways to protect against entire classes" of vulnerabilities without having to apply patches for each one of them, Larholm said.

For instance, PivX is one of the vendors that sell tools to repair generic buffer overflows in the absence of vendor patches. Similar tools are available for detecting and shutting down port scanners, spotting unusual application behaviors, and for controlling inbound and outbound connections based on protocols, ports and host addresses.

"About 90% of the worms out there can be mitigated against just by hardening your systems," Larholm said. For instance, just disabling so-called null-session accounts, which are enabled by default on Windows 2000 systems, would have prevented this week's worms from taking advantage of the Plug and Play flaw, he said.

"I think what these attacks show is that there is still a fair bit of latency within a lot of companies" between patch release and deployment, said Fred Rica, a partner at PricewaterhouseCoopers in New York.

One way of mitigating risk is to employ better processes for testing and deploying patches, he said. The use of event management and correlation tools to monitor network and security log data for signs that a particular vulnerability may be getting exploited is also a good idea, Rica said.

"Building an event management capability can help you get ahead of some of this stuff," he said.
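A minimal version of the log-correlation check Rica describes, as an added example that is not from the article or from any of the vendor tools it mentions: it scans firewall log lines for a single source contacting many distinct hosts on the affected service's port inside a short window, which is the propagation pattern of a network worm rather than normal file sharing. The log lines are constructed, and port 445 (the Windows SMB port) and the thresholds are assumptions, not values given in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: "<timestamp> <src> <dst> <dport> <action>".
# 10.1.1.5 sweeps six hosts on 445 in ten seconds (worm-like);
# 10.1.1.9 is ordinary file sharing; 10.1.1.7 browses port 80;
# 10.1.1.8 touches five hosts on 445 but only one every three minutes.
SAMPLE_LOG = """\
2005-08-16T10:00:01 10.1.1.5 10.1.2.1 445 ALLOW
2005-08-16T10:00:03 10.1.1.5 10.1.2.2 445 ALLOW
2005-08-16T10:00:05 10.1.1.5 10.1.2.3 445 ALLOW
2005-08-16T10:00:07 10.1.1.5 10.1.2.4 445 ALLOW
2005-08-16T10:00:09 10.1.1.5 10.1.2.5 445 ALLOW
2005-08-16T10:00:11 10.1.1.5 10.1.2.6 445 ALLOW
2005-08-16T10:00:02 10.1.1.9 10.1.2.1 445 ALLOW
2005-08-16T10:05:00 10.1.1.9 10.1.2.2 445 ALLOW
2005-08-16T10:00:04 10.1.1.7 10.1.2.1 80 ALLOW
2005-08-16T10:00:06 10.1.1.7 10.1.2.2 80 ALLOW
2005-08-16T10:00:08 10.1.1.7 10.1.2.3 80 ALLOW
2005-08-16T10:00:10 10.1.1.7 10.1.2.4 80 ALLOW
2005-08-16T10:00:12 10.1.1.7 10.1.2.5 80 ALLOW
2005-08-16T10:01:00 10.1.1.8 10.1.2.1 445 ALLOW
2005-08-16T10:04:00 10.1.1.8 10.1.2.2 445 ALLOW
2005-08-16T10:07:00 10.1.1.8 10.1.2.3 445 ALLOW
2005-08-16T10:10:00 10.1.1.8 10.1.2.4 445 ALLOW
2005-08-16T10:13:00 10.1.1.8 10.1.2.5 445 ALLOW
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def find_sweeps(lines, port, window=timedelta(seconds=60), min_hosts=5):
    """Return {src: distinct hosts} for every source that reached at least
    min_hosts distinct destinations on `port` within any `window`-long span."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    hits = defaultdict(list)               # src -> [(ts, dst), ...] in time order
    for ts, src, dst, dport, _action in events:
        if dport == port:
            hits[src].append((ts, dst))
    alerts = {}
    for src, evs in hits.items():
        start = 0                          # sliding window over this source's hits
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG.splitlines(), 445))   # {'10.1.1.5': 6}
```

Widening the window (for example to twenty minutes) is what catches the slow scanner 10.1.1.8, so the threshold and window are the knobs to tune against the traffic a site normally sees on that port.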

Jaikumar Vijayan
