News Stay informed about the latest enterprise technology news and product updates.

ISD 2005: Eradication remains a 'well worm' problem

Whether we're winning the war on worms remains debatable, given the continued presence of Code Red, Blaster and other high-profilers on networks.

CHICAGO -- It's been two years since the last big worm outbreak, and that has network administrators anxious. The lack of headlines has lulled users, and even some admins, into complacency. Then there's the fact no one can be sure there isn't killer code already seeping surreptitiously into networks worldwide.

"The next big worm will either work very slowly and be very difficult to detect, or it'll be one of those things that saturates

More on worm prevention
Check out our articles and tips on ways to better secure your networks from worms.
the entire Internet in 10 seconds," suggested Scott Lewandowski, a member of the Information Systems Technology Group at the M.I.T. Lincoln Laboratory. "In either case, we're going to be up the creek without a paddle."

Lewandowski's comment was part of a panel discussion Tuesday at Information Security Decisions 2005 called "Winning the War on Worms." The consensus was that while defenses had improved in recent years, progress was tempered by persistent network penetration by older worms like Blaster, Sasser, Slammer and even 2001's Code Red.

And these worms don't even carry a devastating payload. "I really don't think we've seen a well crafted, sophisticated worm" yet, Lewandowski said. Panelist Tom Chmielarski gave a more optimistic view of networks in the wake of worm outbreaks. "I can't say I like them, but they have driven security in the enterprise," the Motorola Inc. information security specialist said.

Even worm categorizations varied, with Adam Powers, a member of network

More on older malware

'Code Red': What went wrong?
Code Red continues to spread, but experts are breathing a sigh of relief that a design flaw has slowed the worm down and saved the Internet from a major collapse.

As Blaster spreads, patching accelerates
Patching the RPC-DCOM vulnerability has become a priority for many enterprises as Blaster-A makes the rounds.

Sassy Sasser worms on the move
The first automated exploits targeting a critical Microsoft vulnerability announced last month have taken the form of a family of self-executing worms called W32.Sasser.

security provider Lancope's Advanced Technology Group, taking the most conservative approach. "If you have to click something to make it work, it's not a worm. It's a virus. A worm is something that is completely automated."

However defined, both the panelists and audience members, most of whom worked on the frontlines of corporate and university networks, offered some suggestions to mitigate infestations.

Host-based intrusion detection and an IPS at the perimeter. Chmielarski employs this technique at Motorola and admits it's more a monitoring system than true defense mechanism. "But if you catch the threat early enough, you can develop a defense," he said.

  • Setting up multiple security domains. This practice of segmenting and isolating subnetworks was not without controversy as some questioned the integrity of VLANs needed to create such separations. But if done correctly and securely, virtual isolation can limit impact to only part of a network.
  • Removing default gateways and creating bit buckets. This method forces traffic down prescribed paths that can then traverse IDS, IPS or other tools that scan and scrub packets before they're trashed or sent on to a final destination. This helps gain some control over traffic flowing into a network.
  • Limiting local admin access. Reconfigure desktops and laptops to minimize administrative privileges and that will disallow some user behaviors that lead to worm infections. One audience member said he analyzed 700 different worms launched in a nine-month period and concluded only 10% spread through software vulnerability exploitation. The remainder was aided by users who did the wrong thing. Of course, this won't provide much defense against worms that elevate their privileges once inside a network, but it can limit or maybe even eliminate those that write themselves into system directories to propagate.
  • Honeypots and honeynets. Creating decoy servers or even networks to divert dark traffic away from productive systems is another option. It's possible to even make the default route lead to the honeypot in order to analyze traffic. How well this works depends on how evasive the worm.
  • 'Dark nets.' It's also possible to devote an unused portion of a network to monitor net flow and then analyze for anomalous behavior.
  • Quarantines. This involves filtering suspicious code and automatically quarantining a new device or node that tries to access a network. Several audience members said they're using the 802.1x authentication protocol to deny access to rogue devices attempting to infiltrate their networks.

What prevents many enterprises from engaging in any of these tactics is cost, manageability and potential hits to performance. That's one reason that Slammer, Sasser and the other 'old standards' are still going strong. But everyone agreed it's just a matter of time before a significant outbreak forces change. And that time may be sooner, rather than later. "We haven't seen any impact from worms," Lewandowski said. "But there could be something sitting on your machine right now that's just waiting for a command."

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.