Fighting Network Worms

Network worms exist for a long time. Actually two of the first worms known (REXX-based Christmas greetings worm and Morris worm were network-based). But those were two exotic cases as at this time networks were available only to privileged few.  Network worms got into mainstream only with emergence of high speed network including cable-modems and large corporate networks with many often unpacked PCs. That happed around year 2000. Mass epidemics are pretty rate and for the last six-seven years there were only a few of them, approximately one a year.  At the same time network worm are more difficult to disinfect as infections are often distributed among multiple sites and expose gross blunders in design of the network and/or configuration of desktops (especially in case of "standard desktops" in which uniformity provides additional attraction for network worms).  The most affected classes of PCs are usually semi-abandoned corporate PCs such as laptop for remote users with bad connectivity, various test and regression machines that after initial one time use happily circulate air for a year or more without and single human logging to them, etc.

Contributing factor is low qualification of personnel especially if this type of activities is converted into specialized security position. unlike regular network or desktop support personal people often quickly disqualify in such position. Also such positions often attract power-hungry "good-for-nothing" type of people as anything connected with security provide an opportunity to exercise power not only over the users but also over fellow administrators.

I have several suggestions that I formulated as a set of questions with brief comments. I think that enterprise customers can benefit from discussing at least some of the underling ideas and counter-mesures.

1. Why so many companies are far behind in versions of antivirus deployment ?

   Antivirus software belongs to perishable goods category. That means that we should try to prevent sliding it more then one version behind the current. Or preferably to use the current version.  Any AV software which is two version old for all practical purposes cannot be considered a viable antivirus: this is a dinosaur by AV industry standards and the fact that it disinfects something is truly amazing. New viruses often require changes in virus engine and unless the engine is pluggable like in Trend Micro, the update of the software updates might be the only option to keep antivirus current and effective against new worms.

2. Is not "selective" desktop patch policy practiced by many large enterprises questionable from the point of view of protection from viruses and worms ?

   In view of recent experience with worms continuing doing patching "an old way" looks like invitation to troubles. IMHO 60-80% of workstations (depending of the type of large enterprise) can live with automatic updates.

   The other 20-40% can be patched individually. I think that this is huge waist of resources to consider each and every workstation so special that it deserves individual patching. Many security conscious employees in large corporation voluntarily switched to automatic updates. It might be a time to institutalize this practice.

Selective patching often leads to random patching of PCs when each PC has slightly different set of patches. The latter creates a permanent security vulnerability that the recent worms like Allaple as well as all previous network worms managed to exploit.

3. Can enterprise benefit from more careful settings of IE or other "standard" browser, especially cleaning temporary files cache (this is a special setting usually not enabled by default in most browsers including IE6 and IE7).

   In enterprise environment cashing is usually duplicated by devices like CacheFlow, Squid or other proxy servers anyway. Dome network worms like Alaple exploit large number of HTML files stored in such cashes to ensure re-infected even if registry entries were cleaned.
   
   Among other setting that help to fight worms are making extension visible (this is a very questionable invention by Microsoft to hide extensions and several worms -- mainly mail worms exploited it to full extent putting a huge cake into the face of Microsoft software architects (or in this case pseudo-architects).

4. Can enterprise benefit form additional independent monitoring of AV signature updates ?

   It can be done via SNMP, SMTP via a simple script or whatever.

   It looks like in large enterprises there is a stable swamp of "PCs with broken AV updates" that is a natural worm habitat for worms epidemics even if the vulnerability expolited is a year or more old.
   
   This swamp usually includes many remote PCs, some lab PCs and some second desktops. IMHO unless large enterprize make conscious efforts to drain at least a part of this swamp they will be always ready for a ride.

5. Is not typical password policy too weak from the point of view of preventing worms propagation ?

   IMHO the idea of 7 letters minimum in password length that is used by most large enterprises truly belongs to the last century. I am convinced that with current scope of networks all  large enterprises should stick to AOL scheme on Windows and do it fast unless they really want to pay the price.

   That means increasing the minimal length of password to 10 or 12 and making mandatory for user using two word concatenation with the second word being the last 4 difits of his phone extension or cubicle number (I think now everybody have phones, but just in case). Friendly-8392 or, better, FriendlY-"8392". This is not that much more difficult for a user to remember but it is impossible for any worm to crack. 

   There are just too many people who will never learn how to create good password so the increase in the mandatory length to 12 characters might be the best "idiot-proof" way to solve the problem in large enterprize environment, the problem that the latest worms like  probably Allaple.B  so successfully exploited.

   It also creates another huge security vulnerability that the recent worms like Allaple.B  and future worms will manage to exploit.

Here is the (somewhat simplified) timeline of major accidents: 

• July 16, 2001.  Code Red started propagating on Microsoft Windows systems with ISS installed. It exploited IIS-enabled systems susceptible to the vulnerability described in CERT advisory CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. The unique feature of this worm was that it was strictly memory based so simple reboot would disinfect the system but if system was not patched it can be infected against from other infected computers. Reports indicate that two variants of the "Code Red" affected more than 250,000 hosts.
   
• Jan 2003. The SQL Slammer worm hit several million (up to 55 million by some estimates) hosts within very short period of time. Among  systems affected was an Ohio nuclear power plant’s safety parameter display and plant process computer. There, Slammer propagated across an unsecured T1 linking a contractor’s network to the plant’s corporate network, and from there into the plant’s control network, bypassing firewalls that could have blocked it. Sadly, unapplied patches for the exploited Microsoft SQL vulnerability had been available for at least six months.

SQL Slammer also brought more than 13,000 Bank of America ATMs to a halt by compromising database servers and overloading attached networks. In August, the Nachi worm that exploited RPC DCOM vulnerability and was designed to fight SQL Slammer infected Diebold ATMs at two financial institutions. A patch to close to the RPC DCOM vulnerability exploited by Nachi had been available for more than a month when that incident occurred.

• Aug 12, 2003. MSBlaster, which was first detected Monday Aug, 11, 2003 afternoon, has quickly spread from machine to machine over Internet. MSBlaster exploited a flaw with the Remote Procedure Call (RPC) process, which controls activities such as file sharing. The flaw enables the attacker to gain full access to the system. The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XP machines, affects both servers and desktops, expanding the reach of exploit
   
• Apr 30, 2004. Sasser worm infected more than 1 million computers worldwide. It creates a mutex named Jobaka3l to ensures that no more than one instance of the worm can run on the computer at any time. Copies itself as %Windir%\avserve.exe. Adds the value "avserve.exe"="%Windir%\avserve.exe" to the registry key:
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
  so that the worm runs when you start Windows. Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts. Retrieves the IP addresses of the infected computer, using the Windows API, gethostbyname. Generates another IP address, based on one of the IP addresses retrieved from the infected computer (This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow and barely usable). Connects to the generated IP address on TCP port 445 to determine if a remote computer is online. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996. Creates a ftp script file cmd.ftp on the attacked computer. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm.
   
• Aug 16, 2005. Zotob worm Main target is Windows 2000. Minimal risk to XP and 2k3 as they require authentication for the particular vulnerability to be exploited, where Win2k can be exploited using a NULL session. Setting RestrictAnonymous=2 in the registry will disable null sessions and prevent infection on Win2k systems. As this is a network worm, disinfection in a sense of removal of worm is not enough in this case. You need to apply Microsoft patch (Microsoft Security Bulletin MS05-039)  
   

• [Feb 25, 2007] Allaple.B (aka Rahack.W and Rahack.WW) description

  Standard Softpanorama spyware defense strategy based on Ghost does wonders against this worm but additionally on infected computers passwords need to be make stronger (min length 10 can help here) and patches need to be installed (automatic installation of patches on desktop is highly recommended).

  Allaple.b worm was discovered somewhere in late 2006 and was active for several month after that.

  It propagates rather slowly and does not create "avalanche epidemics" but it does propagate and at the beginning signatures for detecting and removing the worm were very weak. In March 2007 they got better and for example F-secure (which uses Kaspersky engine) which was unable to disinfect strain B completely with signatures older then, say,  Feb 28, 2006 ( I do not know the exact date) now is doing better, although far from perfect, job.  It looks like with signatures later then March 3, 2007 DrWeb detects it but still cannot disinfect completely this particular strain of the worm (I checked a free version called cureit)

  Allaple is a polymorphic network worm which contains just one executable. Polymorphism means that every copy of the worm is slightly different from each other as for the content (probably due to polymorphic decryptor), but paradoxically the length of all instances is constant (57856 bytes)

  Also when scanning the drive for HTML files and generates and drops a lot of executables with random names that contain exactly eight characters. The only exception in the first executable which always has name  urdvxc.exe which is hardwired in the worm code (see below).

  Also when worms executable runs it behaves like old polymorphic file viruses -- the polymorphic decryptor decodes the body and then control is passed to the this static part of the worm code that allocates a memory buffer and extracts the main worm's code into it.  Only after then the control is passed directly to the extracted worm's code.  At the same time while going to such length as for encryption the worm body author(s) left the size of the worm's executable file constant.

Network worms are probably the most complex type of worms to fight and they often cause considerable panic in corporate environments. And the rule is that "panic kills":  in panic some absurd actions like shutting down the whole sites are completely justified. Unfortunately this if often done after the initial splash of activity of the worm after which it is just sitting more or less quietly on infected computers.

Thus the major problem of mass epidemics caused by network worms is that the initial infection is often has a form of chain reaction and it occurs over very short period of time like a huge traffic splash that generates panic many times more destructive then the worm itself, especially if the fighting of the work is delegated to a completely technically incompetent bureaucrat.  The generated amount of traffic can overwhelm the network before any actions can be taken. Also if update servers are centralized (or super-centralized) and this for a while AV update cannot reach the targets even if they available.  Moreover the fact of updating of the signature in this case can became another attack on the network with AV signature distribution server as the worm Trojan horse.

Automatic tools like automatic disinfection are usually not very effective against such threat as new successful network worm is usually successful exactly because it invents a completely new attack vector.  Detection based on traffic anomalies can detect the initial attack but due to the chain reaction character of infections this detection is pretty much useless. Still it is important to have. 

One of the effective and rather simple way of fighting network worms is to use automatic patching mechanism supported now by Microsoft for all major flavors of Windows. Microsoft proved to be reasonably  good in this area and historically mass infection often accrued after the patch was available. So by enabling automatic installation of patches on a large fraction of corporate desktops (for servers this is a less attractive measure and would generally be weighted against the risks) cuts the critical mass of infected computers. This measure also  helps to ensure that the initial spike will be less damaging. 

The advantage of automatic patches application is that it just work on many cases. If a problem found this desktop just need to be moved into special "selected" or "security only" patches pool.  Some patches can interfere with the installed software.  But when the latter occurs, usually it is because problems with the software not patches, for example obsolete version of a popular application. Such cases can be resolved by upgrading software.

While not all PCs in a corporate environment can use this mode, probably 80% of users can be switched to this mode. Remaining 20% still represent a problem as they need to be manually or selectively patched, but even in worst case they represent less critical mass and increase the chances that the network will survive the initial "explosive" propagation period typical for most network worms.

Again I would like to stress that usually it is not network work itself that is dangerous but unqualified and often stupid actions of sysadmins and executives that are caused by panic. Many large corporations suffered multimillion losses due to shutdown of parts of their networks done after any real threat disappeared from the horizon and worms were just quietly sitting on infected computers: in many cases shutdown accrued hours after the peak of traffic was over.

Anyway, it is important to understand that too much zeal in disinfection of network worms is usually more harmful the worms themselves.  But this is a pretty rare event as Microsoft tests its parches very well.

Recommended Articles

How to use the RestrictAnonymous registry value in Windows 2000

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: July 29, 2012