As the Worm Turns: Lessons from Blaster


By Alex Salkever

Compared to the images of sweaty Gothamites trudging across the Brooklyn Bridge in 95-degree heat during the massive power blackout, the MS Blaster worm now seems like a walk in the park.

Still, the latest worm to clog corporate networks and kludge the Net wreaked plenty of havoc in its own right. Internet security companies estimated losses from both downtime and wasted manhours in the hundreds of millions of dollars for U.S. companies. And Blaster-infected machines significantly impacted the Internet. The stream of bogus requests generated by the worm slowed DNS (domain name system) servers that act as the phone directories of the Internet. Compromised computers jammed up networks ranging from BMW in Germany to the Maryland Motor Vehicles Dept.

Sure, Microsoft (MSFT) carries some of the blame for the problem. Blaster exploited holes left by Microsoft programmers in the Windows 2000 and Windows XP operating systems. And Bill Gates & Co. have made some mistakes in combating Web viruses, as I'll explain in a bit. But I think network administrators and companies worldwide are as much at fault as the colossus of Redmond. So are small businesses and individual PC owners who unwittingly left their boxes exposed to this easily avoidable worm, as well as the Internet service providers who generally provide little guidance on proper security procedures. How many more wake-up calls do people need before recognizing that up-to-date computer security is a must in a digital world?

SIGNAL AND NOISE. Like the Slammer and CodeRed worms before it, Blaster targeted computers running the Microsoft Windows 2000 and Windows XP operating systems. The worm carries a small program designed to exploit a chink in Redmond's digital armor and insert a file deep into the operating system by way of the Windows registry. The registry is a database where the most basic rules that govern how a Windows machine behaves are stored and categorized.

Once Blaster inhabits the registry, it causes computers to restart without warning and to spew out thousands of connection requests per minute, in search of other machines to infect. The sheer volume of traffic caused enough digital noise to bog down networks.

By the same token, the Blaster program sucked up so much processing power on each machine that many individual users had difficulty performing simple tasks like dragging a cursor across their desktops, let alone installing patches. And if the disruption alone weren't bad enough, Blaster-infected machines were set to enact a denial-of-service attack against www.windowsupdate.com on Aug. 16. That's the URL Microsoft directs users to when they push the "Windows update" button on their desktop for automatic software updates.

CLOSING THE PORTS. Scary, right? It didn't have to be this way. Let's start with the network administrators. No, I don't fault them for failing to patch their systems. Patching thousands of desktops and making sure that everyone's pet application continues to work is a nightmare. But there's an easy safety measure that should have been done a long time ago: blocking all Internet requests for unassigned ports.

Let me explain: Ports are virtual entry points into a computer. Each is assigned an arbitrary number. For example, port 80 is the designated number for ordinary Web traffic. A computer has thousands and thousands of ports. Blaster generally sought entry to potential victims over ports 135 and 4444, neither of which has any significant common use across the public Internet. They should have been blocked off by the perimeter firewalls now used by just about every business with a significant Internet connection. Sure, hindsight is 20/20, but this should have been common sense.
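To make the column's two points concrete, here is an added example (not part of the original column, and not code from Microsoft or any firewall vendor) that runs over a few constructed perimeter-firewall log lines. It assumes a simple "timestamp source destination port action" layout and a hypothetical default-deny policy that admits only Web traffic inbound; it then shows which accepted connections that policy would have refused, and flags any source whose burst of connection attempts to ports 135 and 4444 looks like the scanning the column describes. The burst threshold is deliberately low for the sample; the column reports thousands of requests per minute from a real infection.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the column names as Blaster's entry points.
WATCHED_PORTS = {135, 4444}
# Hypothetical perimeter policy (assumption): only Web traffic may come in from outside.
ALLOWED_INBOUND = {80, 443}

# Constructed sample log lines, not taken from any real device.
# Assumed layout: timestamp src dst dport action
SAMPLE_LOG = """\
2003-08-12T10:00:00 192.0.2.10 10.0.0.5 135 ACCEPT
2003-08-12T10:00:01 192.0.2.10 10.0.0.6 135 ACCEPT
2003-08-12T10:00:01 192.0.2.10 10.0.0.7 135 ACCEPT
2003-08-12T10:00:02 192.0.2.10 10.0.0.8 135 ACCEPT
2003-08-12T10:00:02 192.0.2.10 10.0.0.9 4444 ACCEPT
2003-08-12T10:00:03 192.0.2.10 10.0.0.10 135 ACCEPT
2003-08-12T10:00:05 198.51.100.4 10.0.0.5 80 ACCEPT
2003-08-12T10:00:09 198.51.100.4 10.0.0.5 443 ACCEPT
2003-08-12T10:03:00 203.0.113.9 10.0.0.5 135 ACCEPT
"""


def parse_log(text):
    """Turn the whitespace-separated sample layout into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "action": action,
        })
    return records


def policy_violations(records, allowed=ALLOWED_INBOUND):
    """Accepted inbound connections that a default-deny perimeter would have dropped."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["dport"] not in allowed]


def flag_scanners(records, watched=WATCHED_PORTS, threshold=5,
                  window=timedelta(seconds=60)):
    """Sources making >= threshold attempts to watched ports inside any sliding window.

    Returns {source: peak attempts seen within one window}.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] in watched:
            by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("would have been blocked by default-deny:", len(policy_violations(recs)))
    print("scanning sources:", flag_scanners(recs))
```

On the constructed sample, seven of the nine accepted connections would never have reached an internal host under the default-deny policy, and one outside address stands out for its burst of attempts on ports 135 and 4444. The single late attempt from a third address is below the threshold and is reported only as a policy violation, which is the distinction a network administrator needs: a stray packet is noise, a burst is a signal.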

That's not all: A majority of network administrators haven't even installed desktop firewalls on their users' machines. In a 2002 survey conducted by IT security research firm Infonetics, only 14% of the 240 businesses questioned had installed desktop firewalls for their employees. These would have helped stop the spread of Blaster inside organizations, even if the virus made it through outside firewalls. True, managing fleets of users equipped with desktop firewalls generally requires management software costing tens of thousands of dollars. But even that looks pretty cheap compared to huge disruptions on a network that worms like the Blaster can cause.

J'ACCUSE. Internet service providers (ISPs) should have gotten a wake-up call, too. Most love to advertise how speedy and fun it is to surf the Net on their service -- safety doesn't tend to be part of the pitch. True, most ISPs do advise users somewhere on their site that having a firewall installed on your computer is a smart thing to do. Some vendors -- EarthLink (ELNK) and AT&T (T), for example -- even sell firewall and antivirus software to their customers. But in general, the ISPs have failed to underscore that security is a serious matter.

An educational campaign on the importance of computer safety would be in order. Even better, ISPs could easily offer antivirus and basic firewalling as an economical add-on service. I would bet they could sell it for $5 per month and probably make a profit on the deal, since many firewalls and anti-virus programs are now automatically updated and require little maintenance.

I also point the finger at consumers and small businesses, particularly those with broadband connections. I know you don't have IT departments. But by now, you must have read all about Slammer, CodeRed, LoveBug, and the other worms that have spread across the Web in the past few years. And as for those of you who ignored those Microsoft Critical Update notices popping up on your screens and put off patching, well, you know who you are.

SMALL FIXES. Smart computer owners (and you know who you are, too) followed the prompt from Windows XP and turned on Microsoft's Internet Connection Firewall (ICF) when they configured their computers for broadband Internet access. Simply clicking yes at that point would have inoculated machines against Blaster, for the most part.

This worm was ample illustration that little guys play an essential role in protecting the Internet. According to antivirus and security company Symantec (SYMC), the majority of the 400,000 Blaster-infected machines belonged to individuals and small users. Look at it this way: Most people wouldn't drive a car without brakes or bumpers. So why should they use a computer without the virtual equivalent?

O.K., now for my Redmond rant. Microsoft should learn a few things from this incident. First, it's simply too easy for rogue programs to access the most sensitive parts of Windows XP. Witness the ease with which Blaster was able to access the operating system's registry database.

COORDINATED EFFORT. Second, Microsoft needs to work more closely with other software vendors when it releases patches. The main reason systems administrators cannot install patches quickly is that they fear the patch will interfere with other software running on the machine. No one wants to explain to the senior vice-president of marketing that his or her personal-contacts database crashed because of a patch.

Better coordination would probably speed up the process and make systems administrators more willing to install patches quickly. That would ultimately minimize repercussions from security flaws. I should add that Microsoft deserves credit for agreeing to configure future XP installations with the barebones ICF turned on by default. And Redmond did agree to extend support for Blaster patches for earlier versions of XP and Windows 2000 that many companies still run.

None of these fixes will happen overnight, but when they do, there could come a day when attacks like Blaster will be no more than a blip on the computer screen.

Salkever is technology editor for BusinessWeek Online. Follow his column every week, only on BW Online.
