Question: What kinds of trends are you seeing in the development of new worms?
Answer:
Over the past few years we've seen worms that propagated using protocols other than email. Code Red and Nimda exploited well-known vulnerabilities in Microsoft IIS. The SQL Slammer Worm spread via known vulnerabilities of Microsoft's SQL product. What we have also begun to see are worms that have utilized more than one method of propagation. In the case of BugBear, the worm spread by utilizing email as well as NetBIOS shares. This increased the worm's ability to propagate, which, in turn, caused it to spread at a faster rate. Without a doubt, we will see more and more worms that use multiple methods of propagation by attempting to exploit multiple vulnerabilities in widely used Internet services.
Worms will be more virulent. Not only will they cause congestion during propagation, but they will also wreak havoc by deleting, altering, or stealing data on unsuspecting machines. Up until this point, we should consider ourselves lucky. If the SQL Slammer Worm had deleted database information on every machine that it successfully propagated to, the impact of the worm would have been astronomical given the large number of compromised hosts in such a short amount of time (+74,000 hosts in 30 minutes*).
I would be very surprised if there was not a new worm written that exploited the recently announced (March 2003) buffer overflow(s) in Sendmail, which is the most widely used SMTP server on the Internet.
* Figures taken from the CAIDA SQL Slammer (Sapphire) Analysis Report: http://www.caida.org/analysis/security/sapphire/
Question: Given that I have effective anti-virus measures on the Internet and mail gateway, on mail servers and on clients, can I further reduce risk by turning off HTML and filtering out executable attachments? Do other companies do this?
Answer:
If you have effective anti-virus measures on your internet gateway, mail servers, and client workstations then I would like to congratulate you on your efforts. Server and host based virus protection is a crucial aspect of a practical security model. As with all security countermeasures, it is just as important to keep these technologies up to date as it is to implement them. Most anti-virus vendors have an automatic updates feature where new virus definitions can be automatically downloaded and "pushed" to your clients. I would suggest utilizing this feature to minimize the reaction time against new threats and to alleviate some of the administrative burden associated with keeping your hosts up to date.
Turning off HTML and filtering out executable attachments is a decision that should be discussed with upper-level management and should be enforced through a policy (such as an "acceptable usage policy").
The major advantage gained by stopping executable attachments (such as .exe and .vbs) is that you lessen the risk associated with worms that exploit these extensions, as well as new variants of pre-existing worms and potential worms to come. By taking a vulnerability approach to security as opposed to an exploit approach, you do not have to rely on your anti-virus vendor for each new worm variant that arises, because you are stopping the root cause of the worm. The downside of this approach is that you will have a "convenience cost" associated with your users not being able to receive legitimate attachments that utilize these extensions.
I know of organizations that have made the decision to filter both HTML and executable attachments after weighing the risks. My belief is that organizations will find that they can safely make the decision to block these types of attachments without a significant convenience impact to their user community.
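The attachment and HTML filtering policy discussed in the answer above, as an added example that is not part of the original Q&A: a gateway-side filter that parses a raw message with Python's standard `email` package, removes any attachment whose final extension is on a blocklist (only the last extension is consulted, so a double extension such as `report.pdf.exe` is still caught), and drops the `text/html` rendering of a `multipart/alternative` body when a plain-text rendering exists. The `.exe` and `.vbs` extensions come from the answer; the remaining entries in the blocklist and the sample message are constructed assumptions.

```python
"""Mail-gateway filter: strip executable attachments and HTML bodies.

Added example, not code from the original Q&A.  The blocklist beyond
.exe/.vbs and the sample message below are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# .exe and .vbs are named in the answer; the others are assumed additions a
# gateway operator would typically block alongside them.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif", ".bat", ".com", ".cmd", ".js"}


def is_blocked_attachment(part: EmailMessage) -> bool:
    """True if this MIME part carries a file whose *final* extension is blocked.

    Checking only the last extension means 'report.pdf.exe' is treated as .exe.
    """
    name = part.get_filename()
    if not name:
        return False
    name = name.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS


def _prune(msg: EmailMessage, removed: list) -> None:
    """Recursively remove blocked attachments and HTML alternatives in place."""
    if not msg.is_multipart():
        return
    parts = msg.get_payload()
    has_plain = any(p.get_content_type() == "text/plain" for p in parts)
    kept = []
    for part in parts:
        if is_blocked_attachment(part):
            removed.append(part.get_filename())
            continue
        # Inside multipart/alternative, drop the HTML rendering whenever a
        # plain-text rendering exists, so the client never renders HTML.
        if (msg.get_content_type() == "multipart/alternative"
                and part.get_content_type() == "text/html" and has_plain):
            removed.append("<text/html body>")
            continue
        _prune(part, removed)  # nested multiparts (e.g. forwarded messages)
        kept.append(part)
    msg.set_payload(kept)


def filter_message(raw: bytes):
    """Parse a raw RFC 5322 message, apply the policy, return (message, removed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    _prune(msg, removed)
    return msg, removed


def remaining_attachments(msg: EmailMessage) -> list:
    """Filenames still present after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


# Constructed sample: a multipart/alternative body, a legitimate PDF and a
# double-extension executable disguised as a PDF.
SAMPLE_RAW = b"""From: sender@example.com
To: user@example.org
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="us-ascii"

Please see the attached report.
--inner
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please see the attached report.</p></body></html>
--inner--
--outer
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--outer
Content-Type: application/octet-stream; name="report.pdf.exe"
Content-Disposition: attachment; filename="report.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--outer--
"""

if __name__ == "__main__":
    cleaned, dropped = filter_message(SAMPLE_RAW)
    print("removed:", dropped)
    print("kept attachments:", remaining_attachments(cleaned))
```

The filter matches on the declared filename rather than the MIME type, since a sender controls both and the filename is what the client uses to decide how to open the file; a production gateway would also quarantine the removed parts and notify the recipient so that the "convenience cost" the answer mentions is visible rather than silent.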
Question: How to prevent the infection? Will a Firewall really help defend against a worm or other types of malware?
Answer:
Firewalls are excellent at providing access control, separation of resources, and network address translation (NAT). Firewalls, however, are not good at determining whether a particular type of traffic is good or bad. For example, a malicious web request to a web server sitting behind a firewall will be treated the same way as a legitimate request, because the firewall allows web traffic to pass through the firewall to the web server. Since the firewall doesn't make a distinction between malicious and legitimate traffic, it is not the ideal security countermeasure to put in place to stop the infection of worms and other types of malware.
To prevent the actual infection from occurring there are a few different strategies that can be applied:
· Network Intrusion Prevention Systems (IPS) - Intrusion Prevention Systems are typically hardware-based appliances that sit "inline" on your network in a similar fashion to a firewall. An IPS's job is to perform application-layer inspection of protocols and precisely block very specific types of traffic from entering your network. An IPS is very effective at stopping network-propagating worms from entering your network from the Internet.
· Host-based Intrusion Prevention System - A host-based Intrusion Prevention System is software that is installed on your individual servers to protect the servers from attack and compromise. While host-based Intrusion Prevention can also be effective, it can be costly to deploy and cumbersome to manage.
· Patch (Asset) Management - Practicing adequate patch management is an essential part of protecting your hosts from infection. While it is ideal to take proactive measures to secure your network, it is also important to update your hosts with vendor-supplied patches. The simplest way to perform patch management is to build a database of all of your Internet-exposed hosts including vital information such as their software versions, exposed ports or services, anti-virus versions, service pack levels, etc. Then monitor various vulnerability sources to determine if your Internet-exposed hosts are vulnerable to attack. If the vulnerability was responsibly disclosed, you should be able to find links to the vendor's website where you can download a patch or "hot fix."
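The patch (asset) management procedure in the last bullet, carried through as an added example that is not part of the original Q&A: an inventory of Internet-exposed hosts (software versions, exposed ports, service pack level) is matched against advisory entries that name the product and the first fixed version, and hosts whose vulnerable service actually listens on an exposed port are reported first. Versions are compared numerically so that `9.0.0` correctly sorts below `10.0.0`. The host names, product names, versions, advisory identifiers and patch URLs are all constructed placeholders.

```python
"""Inventory-driven vulnerability matching for patch management.

Added example, not code from the original Q&A.  Every host, product,
version, advisory id and URL below is a constructed placeholder.
"""
from dataclasses import dataclass, field


def version_key(version: str) -> tuple:
    """'9.0.0' -> (9, 0, 0) so that versions compare numerically; a plain
    string comparison would wrongly rank '9.0.0' above '10.0.0'."""
    return tuple(int(piece) for piece in version.split("."))


@dataclass
class Host:
    name: str
    software: dict            # product name -> installed version
    exposed_ports: set        # ports reachable from the Internet
    service_pack: str = ""
    antivirus_defs: str = ""


@dataclass
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str             # first version that carries the fix
    ports: set                # ports the affected service listens on
    patch_url: str


def vulnerable_hosts(inventory: list, advisories: list) -> list:
    """Return one finding per (host, advisory) pair where the installed
    version predates the fix, most urgent (Internet-exposed service) first."""
    findings = []
    for adv in advisories:
        for host in inventory:
            installed = host.software.get(adv.product)
            if installed is None:
                continue                      # product not installed here
            if version_key(installed) >= version_key(adv.fixed_in):
                continue                      # already at or past the fix
            findings.append({
                "host": host.name,
                "advisory": adv.advisory_id,
                "product": adv.product,
                "installed": installed,
                "fixed_in": adv.fixed_in,
                # The service is reachable only if one of its ports is exposed.
                "internet_exposed": bool(host.exposed_ports & adv.ports),
                "patch": adv.patch_url,
            })
    findings.sort(key=lambda f: (not f["internet_exposed"], f["host"]))
    return findings


# Constructed inventory of the hosts an organisation exposes to the Internet.
INVENTORY = [
    Host("web01", {"ExampleHTTPD": "10.1.0"}, {80, 443}, service_pack="SP3"),
    Host("web02", {"ExampleHTTPD": "9.0.0"}, {80}, service_pack="SP2"),
    Host("mail01", {"ExampleMTA": "3.1.7"}, {25}),
    Host("db01", {"ExampleDB": "8.0"}, set()),      # in the DMZ but no exposed port
]

# Constructed advisory feed entries, as a team would record them from
# vendor or CERT bulletins.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "ExampleHTTPD", "10.0.0", {80, 443},
             "https://vendor.example/PLACEHOLDER-httpd-patch"),
    Advisory("ADV-EXAMPLE-0002", "ExampleMTA", "3.2.0", {25},
             "https://vendor.example/PLACEHOLDER-mta-patch"),
    Advisory("ADV-EXAMPLE-0003", "ExampleDB", "8.1", {1433},
             "https://vendor.example/PLACEHOLDER-db-patch"),
]

if __name__ == "__main__":
    for finding in vulnerable_hosts(INVENTORY, ADVISORIES):
        flag = "EXPOSED" if finding["internet_exposed"] else "internal"
        print(f"{finding['host']:8} {finding['advisory']} {finding['product']} "
              f"{finding['installed']} < {finding['fixed_in']} [{flag}] {finding['patch']}")
```

Keeping `exposed_ports` per host is what lets the report distinguish a vulnerable service that is reachable from the Internet from one that is merely installed; the former is the one a network-propagating worm can reach, so it is patched first.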
For more information on worms, see Secure Computing's recent article entitled "Predicting Worms, Information is the Key to Tackling Outbreaks".