Article

Tales from the trenches: Admins share Blaster, Sobig stories

Michael S. Mimoso, Editorial Director

Administrators and enterprise incident response teams were put through their paces in August, as two major worm outbreaks threatened the reliability and viability of networks.

Both the Blaster and Sobig-F worms generated volumes of e-mail and network traffic that clogged messaging servers and network pipelines, costing companies millions in lost productivity.

But for the numerous digital disasters, there were success stories. Most network administrators contacted by SearchSecurity.com whose systems were relatively unharmed relied on basic tenets of computer security to pull them through, namely prompt patching, diligent updating and staying current on news and information.

"I had ensured that all network components were patched and the antivirus software updated on a daily basis. I haven't seen sight or sound of these worms on either our own network or on those of my clients," said Jeremy Hughes, a consultant with Southdown Computer Services Ltd. of West Sussex, England. "Of course, applying patches causes some downtime, but far better that than the downtime caused by cleaning up the systems! I [learned] my lesson with Code Red!"

Blaster was a network-aware worm that exploited a critical vulnerability in Windows Remote Procedure Call (RPC). The flaw was first detailed and patched by Microsoft in July and, within a month, Blaster was unleashed. It scanned for and spread via port 135. The constant scanning done by the worm accounted

    Requires Free Membership to View

for volumes of network traffic that threatened uptime worldwide.

Sobig-F, meanwhile, was the most successful of all the Sobig variants. With a newly tuned mailing engine, Sobig-F spread via Outlook and choked many networks as it spread itself with abandon.

With Blaster, network and systems administrators were warned to patch immediately because of the serious nature of the flaw. In many cases, this meant dropping everything and implementing the fix, often without luxury of being able to deploy the patch first in a test environment.

"I'm leery of patches that are released shortly after a vulnerability is discovered, as I usually see a re-release of the patch to fix the issues created by the previous patch," said Rich Davidson, a systems engineer with integration firm MicroSystems Integration Inc., of Pawcatuck, Conn. "But we do maintain a close watch on the 'critical' category, and [Blaster] was definitely one to fix before it happened. We were patched two weeks before the storm."

Others choose to avoid Microsoft for mission-critical systems. Peter Bissmire, founder of Peter Bissmire Communications and Language Services of England, said his enterprise does not use a standard Microsoft client-server package, opting instead for the Apache Web server and a freeware e-mail server.

"I do not use Outlook and abhor ActiveX. I do not maintain a large address book, even though I have many mail correspondents. And I never save files in 'My Documents,'" Bissmire said. "This means that many of the MS hooks used by mail worms are simply not available."

For the few Windows systems in his shop, mostly NT 4.0 machines, Bissmire said he downloaded and installed the RPC patches immediately and kept his antivirus software up to date. "I have belts and braces, and then some," he said.

Another key component to keeping networks clear of Blaster and Sobig-F last month was fixing a watchful eye on alerts from Microsoft, antivirus vendors, news groups and mailing lists. Prevention is key, but valuable information is also found at these sources on how to remediate problems.

"You can bet that few people know how to get their systems resurrected after a worm has struck," Davidson said. "So we watch Microsoft's private news groups and monitor their Web site for breaking news and fixes. We also receive updates from the major AV vendors. Many of our clients depend on us to help them prevent damage and, should they not heed our warnings, to help them clean up the mess afterwards."

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "New September 11 virus spotted; more on the way?

Virus alert: Lovsan/Blaster

Virus alert: Sobig-F

FEEDBACK: Was Blaster a nuisance or nightmare in your enterprise?
Send your feedback to the SearchSecurity.com news team .


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: