The Wolf - tracking the underground
Virus onslaught: who or what is really to blame?
16 September 2003
Amid the chaos of Blaster, Nachia, Dumaru and SoBig.F in August, an overzealous anti-virus industry raised the bar with all-too-revealing press disclosures and faulty alert mechanisms.

Hyped press releases resulted in the premature disclosure of where the SoBig.F binaries were posted (the virtual equivalent of knocking on the door of a crack house and telling the occupants the police are watching). And faulty alert mechanisms created a form of denial-of-service attack against unsuspecting and innocent users — not to mention assisting the worm in spreading further. Add to the mix widespread vulnerabilities affecting a vast user base known for unpatched systems and outdated protection, and one has a veritable recipe for disaster.
Loose Lips
Whether a race to prove one’s prowess, a dysfunctional need for attention, or purely a marketing ploy, premature disclosure of sensitive information can hamper legitimate investigations and preclude future surveillance attempts. The security industry has too few resources, and quite often the very nature of a compromise demands close collaboration to fit together the pieces of a complex puzzle. When these shared details are subsequently leaked to the media, the chance to ‘catch the bad guy’ diminishes severely.

Rather than risk the unattractive label of paparazzi pawn, vendors and researchers who have come into possession of potentially sensitive information may wish to consider a few tips from the Organization for Internet Safety (OIS), specifically — withholding public release until the proper authorities have been notified and a proper investigation has been conducted.

Of course, adhering to the OIS concepts when dealing with any potentially exploitable information is likely a good idea. Put simply, it all boils down to an old military concept of security — need to know. If you don’t have the need, you don’t need to know. Access denied.
Unnecessary Services
Blaster and Nachia exploited vulnerabilities that were one month and three months old, respectively. In the case of Blaster, and with one of the Nachia exploits, the RPC/DCOM flaw had been widely publicized and the patch available since 16 July, 2003 — nearly a month prior to the first Blaster discovery.

The WebDAV exploit that Nachia included (in addition to the RPC/DCOM exploit) had been patched in March 2003 for IIS servers and in May 2003 for other affected operating systems. Unlike worms such as Code Red or Slammer, these vulnerabilities affected desktops just as much as servers, thereby involving vast numbers of home users as well as corporate systems. This segment of the population is, for the most part, woefully unprepared to understand the nature of the threat, much less to take the steps to mitigate it properly.

While one can point fingers and argue that certain segments of the population should be barred from Internet access, insist that ISPs arbitrarily block certain ports, or forcibly patch their users’ systems, these opinions and pseudo-solutions attempt to treat the symptom, not the disease. Shipping operating systems with unnecessary services enabled is irresponsible and risky at best. What role does RPC/DCOM play on the average home user’s computer? In the case of WebDAV, why enable remote management tools by default? Hasn’t history taught us this same lesson over and over again?

End users cannot be required nor expected to harden their computer systems; it is purely a pipe dream to assume they ever can or will. Nor can the burden simply be off-loaded to the ISP. Change must come from the source, and it must come in the form of more responsible software releases. Only those services absolutely necessary for the system to operate in a non-networked fashion should be enabled by default. To do otherwise continues to place users and the Internet at increased risk of attack.
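The minimal-default-services principle above can be checked on a running host. The following is an added example, not part of the original column: it parses the Windows `netstat -ano` listener table and reports every network-reachable listener that a given machine role does not need, using constructed sample output and assumed per-role baselines; port 135 (the RPC endpoint mapper used by DCOM) and port 80 (IIS, where WebDAV is served) correspond to the two exposures discussed above.

```python
# Audit listening TCP sockets against a per-role baseline of services that may
# legitimately be exposed. Input is the Windows `netstat -ano` table; the sample
# below is constructed for illustration, not captured from a real host.
import re

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1340
  TCP    192.168.1.10:3389      192.168.1.20:50221     ESTABLISHED     1188
"""

# Assumed baselines: what each machine role legitimately needs exposed.
# A home desktop that browses and reads mail needs no inbound listeners at all.
ROLE_BASELINES = {
    "home-desktop": set(),
    "file-server": {445},       # SMB
    "web-server": {80, 443},    # HTTP/HTTPS
}

# The two exposures discussed in the text: RPC/DCOM and IIS WebDAV.
PORT_NOTES = {135: "RPC endpoint mapper / DCOM", 80: "HTTP (IIS, WebDAV)"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_output):
    """One record per TCP socket in LISTENING state: address, port, pid."""
    recs = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            recs.append({"addr": m.group(1), "port": int(m.group(2)),
                         "pid": int(m.group(3))})
    return recs

def unnecessary_services(netstat_output, role):
    """Network-reachable listeners the role does not need. Loopback-only
    sockets cannot be reached from the network and are skipped."""
    allowed = ROLE_BASELINES[role]
    findings = []
    for rec in parse_listeners(netstat_output):
        if rec["addr"].startswith("127.") or rec["addr"] == "[::1]":
            continue
        if rec["port"] not in allowed:
            findings.append({**rec, "note": PORT_NOTES.get(rec["port"], "")})
    return findings
```

Calling `unnecessary_services(SAMPLE_NETSTAT, "home-desktop")` on the constructed sample flags ports 135, 80 and 445; the loopback-only socket on 1025 and the established RDP session are not listeners exposed to the network and are left alone.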