This story was printed from Anchordesk, located at http://review.zdnet.com/AnchorDesk/.


The end of e-mail viruses--and antivirus apps
By Robert Vamosi: Senior Editor, Reviews
Monday, August 18, 2003

Four years after the Melissa virus and three years after the ILOVEYOU virus duped us with clever e-mail subject lines, the latest viral pest, MSBlast, captured the world's attention without involving e-mail at all. In doing so it brought a method of mass infection that needs no help from the user to millions of home PCs: the worm arrives over an unsolicited network connection and exploits an unpatched Windows service.

MSBlast isn't the most efficient worm, but because it infected a large number of home systems and corporate networks, I expect other virus writers will soon emulate it. And that could result in some changes for today's antivirus products.

Get a firewall
You can protect your PC from MSBlast and other direct Internet worms by using a capable firewall app, such as ZoneAlarm Pro.

INSTEAD OF E-MAIL, MSBlast spreads over a direct Internet connection: it connects to TCP port 135 on the target and exploits the Windows RPC DCOM vulnerability. Many home users with always-on Internet connections and no firewalls were infected within hours of its appearance last week. Even a large number of corporate users, behind their gateway firewalls, soon found themselves struggling to contain the infection.

Businesses were affected because they generally patch only the Windows computers that have a direct Internet connection, and consider the systems behind the firewall to be safe. Last Tuesday, however, several large organizations, including GM and the Maryland Motor Vehicle Administration, found their networks infected by MSBlast.

Though no one's sure exactly how the worm got past corporate firewalls, it seems the cause may have been the unprotected systems of employees working at home and accessing these networks via virtual private networks.

Though MSBlast is more advanced than Melissa or ILOVEYOU, it's still not as well-made as 2001's Code Red and Nimda, or last January's Slammer worm. One of MSBlast's shortcomings is that it doesn't detect which version of Windows it is attacking; it simply guesses between Windows XP and Windows 2000 and uses the matching exploit code. When the guess is wrong, the exploit crashes the RPC service instead of running the worm, which is why so many victims saw the RPC error dialog and a forced reboot.

THE OVERALL DESIGN of MSBlast isn't very sophisticated, either. It looks for vulnerable systems by picking a starting Internet address, sometimes near its own, and then walking upward through consecutive addresses, probing each one on port 135. The trouble with this scheme is that the starting points are not coordinated, so after a while many infected systems end up scanning the same blocks of addresses.

This is not only inefficient, but also causes Internet congestion that could slow down the whole Internet. While the worm's authors may have been pleased by this additional havoc, it reveals a relatively low level of programming expertise.

The real Achilles heel for MSBlast, though, is that the exploit doesn't carry the worm itself. The code delivered over port 135 only opens a command shell listening on TCP port 4444. The infecting machine connects to that shell and orders the victim to run tftp.exe, the Trivial File Transfer Protocol client that ships with Windows, to fetch the worm executable (msblast.exe) over UDP port 69 from the infecting machine, and then to run it. Each of those steps is a place to break the chain: many companies and organizations learned they could effectively cripple MSBlast simply by blocking TCP port 4444 (and, at the perimeter, TCP 135 and UDP 69) on all their systems.
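The two passages above describe behaviour you can spot in ordinary connection logs: the sequential port 135 scan, and the exploit-then-shell-then-TFTP hand-off between an infected host and its victim. The script below is an added example, not code from the article or from any vendor product; it parses a constructed log format (an assumption, documented in the docstring) and flags both patterns, including the case where a port 4444 connection is never followed by a TFTP fetch because the exploit crashed the RPC service instead.

```python
"""Detect the MSBlast propagation chain in connection logs.

Added example for this article. The log format is an assumption, not any
real product's format:
    <epoch-seconds> <tcp|udp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports the worm uses, in the order of the infection chain.
RPC_DCOM_PORT = 135   # inbound exploit over TCP
SHELL_PORT = 4444     # command shell the shellcode listens on (TCP)
TFTP_PORT = 69        # victim fetches msblast.exe from the attacker (UDP)


def parse_log(text):
    """Parse log lines into dicts sorted by time; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for field in ("ts", "sport", "dport"):
            rec[field] = int(rec[field])
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def find_scanners(records, min_targets=20, window=60):
    """Sources that probe >= min_targets distinct hosts on 135/tcp within `window` seconds."""
    hits = defaultdict(list)  # src -> [(ts, dst)]
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == RPC_DCOM_PORT:
            hits[r["src"]].append((r["ts"], r["dst"]))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> probes inside the sliding window
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:  # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def find_infection_chains(records, window=120):
    """(attacker, victim) pairs showing 135/tcp -> 4444/tcp -> 69/udp back to attacker, in order."""
    first_rpc, shell, tftp = {}, defaultdict(list), defaultdict(list)
    for r in records:
        key = (r["src"], r["dst"])
        if r["proto"] == "tcp" and r["dport"] == RPC_DCOM_PORT:
            first_rpc.setdefault(key, r["ts"])
        elif r["proto"] == "tcp" and r["dport"] == SHELL_PORT:
            shell[key].append(r["ts"])
        elif r["proto"] == "udp" and r["dport"] == TFTP_PORT:
            tftp[(r["dst"], r["src"])].append(r["ts"])  # victim -> attacker, so flip
    chains = []
    for (attacker, victim), t_rpc in first_rpc.items():
        t_shell = next((t for t in shell[(attacker, victim)] if t_rpc <= t <= t_rpc + window), None)
        if t_shell is None:
            continue
        t_tftp = next((t for t in tftp[(attacker, victim)] if t_shell <= t <= t_rpc + window), None)
        if t_tftp is None:
            continue  # shell opened but no download: exploit likely crashed RPC instead
        chains.append({"attacker": attacker, "victim": victim,
                       "rpc": t_rpc, "shell": t_shell, "tftp": t_tftp})
    return chains


def sample_log():
    """Constructed log: one infected host walking a /24, one hand-off, some noise."""
    attacker, lines = "10.0.0.5", []
    for i in range(1, 26):  # sequential 135/tcp probes, one per second
        lines.append(f"{1000 + i} tcp {attacker}:{2000 + i} -> 10.0.1.{i}:135")
    lines.append(f"1030 tcp {attacker}:2100 -> 10.0.1.7:4444")   # .7 exploited: shell
    lines.append(f"1031 udp 10.0.1.7:1055 -> {attacker}:69")     # .7 fetches the worm
    lines.append(f"1032 tcp {attacker}:2101 -> 10.0.1.8:4444")   # .8: shell, no fetch
    lines.append("1040 tcp 10.0.0.9:3050 -> 10.0.2.3:135")       # benign single RPC call
    lines.append("1041 udp 10.0.3.3:4000 -> 10.0.3.1:69")        # benign TFTP transfer
    lines.append("this line is garbage and is skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(sample_log())
    print("scanners:", find_scanners(recs))
    print("chains:", find_infection_chains(recs))
```

On the constructed log this reports 10.0.0.5 as a scanner (25 distinct port 135 targets in under a minute) and one completed chain against 10.0.1.7; the port 4444 connection to 10.0.1.8 and the unrelated TFTP transfer are not flagged. The thresholds are assumptions to tune against your own baseline, since legitimate RPC traffic rarely fans out across consecutive addresses.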

As of late last week, at least three known variations of MSBlast were in circulation. While none fix the abovementioned flaws, each tries to evade antivirus detection by changing the name of the executable file.

WHILE MANY RUSHED to update their antivirus software as soon as they heard about MSBlast, an even better solution would have been to activate or install a personal firewall app (along with installing Microsoft's MS03-026 patch, which closes the RPC hole the worm exploits). If you happened to become infected by this worm, and still haven't removed it from your system, here are some step-by-step instructions on how to do so.

Computers with just a personal firewall and no antivirus software were able to escape MSBlast's grip. To be clear, an antivirus app with current signatures could detect and quarantine the worm executable once it was written to the hard drive, but by then the exploit had already run, and the signature existed only after the vendor had seen the worm. A firewall that blocks unsolicited inbound connections to port 135 stops the exploit from ever reaching the vulnerable service, so you avoided infection outright. That protection ends, though, the moment the machine joins a network the firewall trusts, such as a corporate LAN or VPN.

Direct Internet worms like MSBlast don't bode well for antivirus leader Symantec, and its Norton AntiVirus product. While McAfee's VirusScan 7.0 and Trend Micro's PC-cillin 2003 now include both antivirus protection and a personal firewall, Symantec still does not include a firewall in AntiVirus. To get firewall protection from Symantec, you have to pay extra for Norton Personal Firewall or the Norton Internet Security Suite. Though you could avoid becoming infected by worms like MSBlast by using only a firewall, such as ZoneAlarm Pro, you'd still remain vulnerable to e-mail worms and other threats that arrive over connections the firewall allows.

Thanks to MSBlast, I predict this is the beginning of the end for e-mail worms. Though there'll still be a few out there, they will be minor. Because of this, I expect all major antivirus products to change significantly, so they're able to fight the latest Internet worms, not just those sent by e-mail. Right now, this means they should all include a firewall.

And finally, I bet companies will begin patching all their desktops--those that reside both inside and outside the corporate firewall--whenever a new Windows vulnerability appears. This won't protect us from whatever sophisticated threats may arise in the coming years, but it will safeguard our systems from the MSBlast copycats that are likely to follow last week's outbreak.

Do you use a firewall and/or antivirus software? Did you get infected by MSBlast? What happened? TalkBack to me!