Microsoft has long appealed to the public with their catchy slogan that asks you, 'Where do you want to go today?' but the answer to that is fairly obvious. Windows Update!
My experience with large corporate and enterprise environments is that most administrators and security professionals do a pretty good job of keeping desktop-borne viruses at bay, and instead focus on more important issues. Larger organizations tend to have a formalized patch management process for desktops and servers that prevents the spread of worms, as well as a long-standing process for updating virus software and definitions. In some cases multiple A/V vendors and multiple patch management solutions are used, in the never-ending quest for layered security. Border gateways are hardened, acceptable services in and out of the protected network are kept to a minimum, and in some cases managed alert services are used to try and foresee new and upcoming malcode events.
This doesn't stop viruses and worms from spreading, however. From social engineering and email-borne viruses to all those unpatched Microsoft SQL servers that were hit early last year, there are still many issues to deal with. However, I would argue that one of the greatest sources of malcode spread is not the managed desktops of the corporate world, but the millions of home computers sitting on broadband connections, often unpatched and naked on the Internet.
Old worms live on
Case in point: let's look at the Blaster/Welchia combo, which you might mistakenly consider to be old news. Welchia in particular has already been with us for a long time (relatively speaking) but it's still very much alive. On the periphery of my home network, my cable modem's receive light stays on almost constantly, even when there's no network activity on my part at all. Curious about this and thinking I'm being scanned, I look at my firewall logs. OpenBSD's pf log indicates there are hundreds of unique IP addresses reaching out to touch me, all on the same port. I investigate further and the majority of the traffic belongs to Welchia, the worm that was released to fix the infamous Blaster but then became a menace in itself. We all know that Welchia first came out months ago and exploited the RPC DCOM vulnerability that Microsoft had patched several months prior, yet on my little subnet of the world here in high-bandwidth Canada, it has never been stronger. Digging deeper, the free SecurityFocus Analyser tool (SecurityFocus is now owned by Symantec) generates a report showing more than 26,000 Welchia requests on the server in two days, coming from almost 3,000 unique IP addresses. Who owns all these affected machines around town and across Canada? And what can be done about it?
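The firewall-log triage described above, as an added example that is not part of the column: it parses constructed pflog lines in tcpdump's text layout (an assumed format) and counts, per destination port, total probes and distinct source addresses, so that a port being hit by many independent hosts stands out from a single scanner. Port 135 in the sample is the RPC endpoint-mapper port; the sample data is made up.

```python
import re
from collections import defaultdict

# Regex for the flow half of a pflog line as printed by tcpdump (assumed layout):
#   "... block in on fxp0: 10.1.2.3.1234 > 192.168.1.5.135: S ..."
_FLOW = re.compile(
    r"(?P<act>pass|block) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_pflog(lines):
    """Yield (action, direction, src, dport) for every TCP/UDP line; skip the rest."""
    for line in lines:
        m = _FLOW.search(line)
        if m:
            yield m["act"], m["dir"], m["src"], int(m["dport"])

def summarise_inbound(lines):
    """Per destination port: (total inbound hits, number of distinct sources)."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for _act, direction, src, dport in parse_pflog(lines):
        if direction != "in":
            continue
        hits[dport] += 1
        sources[dport].add(src)
    return {p: (hits[p], len(sources[p])) for p in hits}

def scanned_ports(lines, min_sources=3):
    """Ports probed by at least min_sources distinct addresses: the signature of
    many independently infected hosts rather than one noisy scanner."""
    return sorted(p for p, (_, n) in summarise_inbound(lines).items() if n >= min_sources)

# Constructed sample (not real log data): four hosts probing 135, one SSH login, one outbound flow.
SAMPLE = """\
Jan 05 09:12:01.102331 rule 2/(match) block in on fxp0: 24.1.2.3.3821 > 192.168.1.5.135: S 8843:8843(0) win 16384
Jan 05 09:12:03.551204 rule 2/(match) block in on fxp0: 24.1.2.3.3822 > 192.168.1.5.135: S 8844:8844(0) win 16384
Jan 05 09:12:07.003910 rule 2/(match) block in on fxp0: 64.9.8.7.1025 > 192.168.1.5.135: S 1:1(0) win 65535
Jan 05 09:12:09.220471 rule 2/(match) block in on fxp0: 142.3.4.5.4433 > 192.168.1.5.135: S 77:77(0) win 16384
Jan 05 09:12:11.871002 rule 2/(match) block in on fxp0: 24.1.2.3.3823 > 192.168.1.5.135: S 8845:8845(0) win 16384
Jan 05 09:12:15.000000 rule 0/(match) pass in on fxp0: 10.0.0.9.51011 > 192.168.1.5.22: S 5:5(0) win 16384
Jan 05 09:12:20.400000 rule 2/(match) block in on fxp0: 205.1.1.1.2001 > 192.168.1.5.135: S 9:9(0) win 16384
Jan 05 09:12:22.120000 rule 3/(match) pass out on fxp0: 192.168.1.5.40001 > 198.51.100.7.80: S 3:3(0) win 16384
""".splitlines()

if __name__ == "__main__":
    for port, (n, uniq) in sorted(summarise_inbound(SAMPLE).items()):
        print(f"port {port}: {n} hits from {uniq} unique sources")
    print("ports hit by many distinct hosts:", scanned_ports(SAMPLE))
```

On a real box, feed it the output of `tcpdump -n -e -ttt -r /var/log/pflog` one line at a time.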
Before we get too deep into these questions, let's take a small step into the world of the miscreants who write this stuff. Honestly, I can appreciate the reasoning behind creating Welchia, even if the end result was a bit misguided. A long time ago when Code Red first came out I spent hours looking through my web server's 404 logs, writing down IP addresses, and then taking some time to step in and put messages up on people's desktops, telling them they've been infected and that they need to do something about it. This is hardly any sort of claim to fame: it was ridiculously easy. There were numerous scripts posted to Usenet at the time that automated this process, parsing the logs of unaffected Apache servers and shutting down and/or repairing infected IIS servers automatically for the good of the community. In my naive youth, I thought I was doing a good thing and yes, that was the full extent of my intrusion. I often found the remnants of others' attempts to do the very same -- in some cases, dozens of messages politely informing the user that he needs to take some critical action to remove the virus from his machine. More modern worms can be exploited through simplistic scripts just as easily. With all those messages on his desktop, why did the clueless user in my example not do anything? Perhaps he had simply taken a week off.
Is this act, this attempt to help people and not cause harm, in and of itself immoral? Possibly, depending on what your morals are. Many security professionals have the ability to cross the line and slip into the dark side, yet few of us do. Is this simple act of trying to help someone illegal? Yes, probably so, but it depends on where you live and the location of the target machine. Is it unethical? Hardly. I would love to see the spread of worm-fighting honeypots, tarpits, worm filtering at the major ISP level, and other preventative measures, but the legality of, in some cases, touching machines outside one's domain leads us yet again into the virus world. All those machines still infected with Welchia so many months later are obviously still ripe for exploitation, perhaps with interesting backdoors to the detriment of us all.
A typical user
My older brother is a long-haul trucker who carries a laptop with him. He bought a new top-tier machine recently, and upon returning home from work decided to plug it into the Internet. "Run Windows Update right away!" I cried, and he did. Yet somehow before the process was even completed he was already infected with the latest worm at the time, Welchia, and his machine started to reboot. I tried to explain to him over the phone how this can happen, but in his mind it made no sense at all. He had anti-virus software installed, and it was a brand new computer. He simply plugged it into his broadband connection, turned the machine on and look what happened. Well, let's step out of our shoes as security professionals for a moment and imagine yourself to be the average user -- this is the current state of computer security for a typical user's Microsoft (R) Windows (TM) experience.
Outside the corporate borders and managed environments, most people who buy home computers nowadays are far from security experts. They're not your typical SecurityFocus reader at all; they're the average user. They know that anti-virus software has become mandatory, but the rest may still be somewhat of a haze. I find it difficult to explain why they must patch their computer almost weekly, or get Microsoft's monthly mega-patch. "What if we go on vacation for two weeks," one of my friends once asked me. Shut down your computer, I tell them. And unplug it from the wall.
Cheap, high-speed connections have become so pervasive now in the industrialized world that worms and viruses have propagated like never before. Blaster, Slammer, SoBig exploded last year, just to name a few. All of those outbreaks could have been prevented yet weren't. Simple patch management and updated virus definitions could have made these points moot, yet similar virulent outbreaks will happen in the future again and again.
It could be argued that the situation is getting better, however. Slowly, steadily there are policy and procedural improvements coming out of Redmond -- and we are hearing Ballmer barking about security because it has started affecting Microsoft's bottom line. There are options from a multitude of security vendors as well, and many bright minds are vying for an effective, all-encompassing solution, yet none is available yet. Most newer home computers are already configured to download critical patches by default, and the user must simply click to install. Microsoft is also releasing a whole range of preventative security fixes that will limit the spread of worms and viruses in Windows XP, starting with service pack 2. Finally, services like Windows Messenger will be turned off by default, and Microsoft's rudimentary personal firewall will be enabled by default. Wonderful, isn't it? It's about time!
It takes a long time for a huge ship to change direction and, just like the Titanic discovered, sometimes that change happens a bit too late. The great legacy of all those many millions of Windows 95/98/ME/NT/2k/XP home machines still sitting naked on one network means there's still much fertile ground to be exploited. Virus and worm problems will be with us for quite some time to come.
I am sadly entertained by the fact that Code Red connection attempts still appear in my firewall logs on a daily basis, more than two years after its initial release. Who owns these computers? And how long will Blaster and Welchia still be kicking around in the years to come? I truly feel sorry for all those home users out there who simply don't know any better. With so many unprotected machines on the Internet, we are fortunate that the most popular viruses as of late have been far less malicious than some of the ones that first appeared almost twenty years ago and spread on 5 1/4" floppy disks.
Worms and viruses are getting smarter, however. The next Slammer, Blaster, Bugbear or SoBig-like malcode is just around the corner. Those who study the propagation algorithms of worms [ref1: Vogt, "Simulating and optimising worm propagation algorithms"] [ref2: Hanson, Kostanecki, Jagodzinski and Miller, "Worm Propagation in Protected Networks"] could speculate on what might be coming next or how quickly they will reach saturation. Microsoft has finally started scraping slivers off their profits to help catch the virus writers who write the very viruses that purportedly are costing us billions. I think this is an excellent idea, provided it's just one tier of a multi-tiered, well thought out strategy to improve security for the public at large. If enough money is put up, I truly believe that some of these miscreants will inevitably get caught.
In the interim, why don't you take a week of holidays away from the virus world and spread some good cheer -- and remember to tell all your semi-computer-literate friends to patch their home computers, install a firewall, keep their virus definitions up-to-date and develop an attack plan against spyware. Spread the word. The typical, average computer user truly needs your help. The next big virus/worm/trojan is always just around the corner.