Four years after the Melissa virus
and three years after the I Love You virus duped us with clever e-mail subject lines, the latest viral pest, MSBlast, captured the world's attention without involving e-mail at all--and thus successfully introduced a new method of mass-infecting PCs.
MSBlast isn't the most efficient worm, but because it infected a large number of home systems and corporate networks, I expect other virus writers will soon emulate it. And that could result in some changes for today's antivirus products.
Instead of e-mail, MSBlast uses a direct Internet connection to spread. Many home users with always-on Internet connections and no firewalls were instantly affected when it appeared last week. Even a large number of corporate users, behind their gateway firewalls, soon found themselves struggling to contain the infection.
Many home users with always-on Internet connections and no firewalls were instantly affected.
Businesses were affected because they generally patch only the Windows computers that have direct Internet connections and consider the systems behind the firewall to be safe. Last Tuesday, however, several large organizations, including GM and the Maryland Motor Vehicle Administration, found their networks infected by MSBlast.
Although no one's sure exactly how the worm got past corporate firewalls, it seems the cause may have been the unprotected systems of employees working at home and accessing these networks via virtual private networks.
While MSBlast is more advanced than Melissa or I Love You, it's still not as well made as 2001's Code Red and Nimda or last January's Slammer. One of MSBlast's shortcomings is that it can't distinguish between different versions of the Windows operating system. This means the wrong code is sometimes executed on the wrong operating system, resulting in system crashes and other annoyances. Flawed worm succeeds
The overall design of MSBlast isn't very sophisticated, either. It starts looking for vulnerable systems by randomly scanning blocks of Internet addresses. The trouble with this random scanning is that after a while, some infected systems begin scanning the same block of addresses.
This is not only inefficient, it also causes congestion that could slow down the whole Internet. While the virus's authors may have been pleased by this additional havoc, it reveals a relatively low level of programming expertise.
The real Achilles' heel for MSBlast, though, is that it doesn't carry its own payload. Instead, once it finds a new machine to infect, it installs the Trivial File Transfer Protocol (TFTP) on the system's hard drive. TFTP then automatically downloads the rest of the worm via PC port 4444 from a recently infected machine. Many companies and organizations learned they could effectively cripple MSBlast by simply blocking port 4444 on all their systems.
As of late last week, at least three known variations of MSBlast were in circulation. While none fix the abovementioned flaws, each tries to evade antivirus detection by changing the name of the executable file. Firewall? What firewall?
While many rushed to update their antivirus software as soon as they heard about MSBlast, an even better solution would have been to activate or install a personal firewall app (along with downloading the Microsoft patch). If you happened to become infected by this worm and still haven't removed it from your system, here are some step-by-step instructions
on how to do so.
Direct Internet worms such as MSBlast don't bode well for antivirus leader Symantec.
Computers with just a personal firewall and no antivirus software were able to escape MSBlast's grip. To be clear, those who were using an up-to-date antivirus app were protected once MSBlast installed itself on their computers' hard drives. But if your system had a firewall, you completely avoided infection.
Direct Internet worms such as MSBlast don't bode well for antivirus leader Symantec and its Norton AntiVirus
product. While McAfee's VirusScan 7.0
and Trend Micro's PC-cillin 2003
now include both antivirus protection and a personal firewall, Symantec still does not include a firewall in AntiVirus. To get firewall protection from Symantec, you have to pay extra for Norton Personal Firewall
or the Norton Internet Security suite
. Though you could avoid becoming infected by worms such as MSBlast by using only a firewall, such as ZoneAlarm Pro
, you'd still remain vulnerable to other types of worms.
Thanks to MSBlast, I predict this is the beginning of the end for e-mail worms. Though there will still be a few out there, they will be minor. Because of this, I expect all major antivirus products to change significantly so that they're able to fight the latest Internet worms, not just those sent by e-mail. Right now, this means they should all include a firewall.
And finally, I bet companies will begin patching all of their desktops--those that reside both inside and outside the corporate firewall--whenever a new Windows vulnerability appears. This won't protect us from whatever sophisticated threats may arise in the coming years, but it will safeguard our systems from the MSBlast copycats that are likely to follow last week's outbreak.
Do you use a firewall and/or antivirus software? Did you get infected by MSBlast? What happened? TalkBack to me.