The End of the Worm Era

By Larry Seltzer  |  Posted 2006-08-30 Print this article Print

Opinion: It's not the end of threats or of malware, but many classes of attack have seen their best days. The advantage has shifted to the defense.

Jose Nazario, blogmaster of the Worm Blog, noticed something interesting about the recent MS06-040 vulnerability.

This was one of those very worst kinds of vulnerabilities: accessible through a network interface and capable of executing attack code on the remote system.
Many of the most severe examples of worms, and the most famous examples of malware, have been based on such vulnerabilities. Think of Blaster and Sasser. In fact Sasser, which hit the streets in the spring of 2004, was the last of the great network worms.
Sasser was based on a vulnerability in the LSASS (Local Security Authority Subsystem Service) process. Since that time there have been several other vulnerabilities, including MS06-040, that could be invoked through the network and which could execute remote code. Malware was developed for all of them, and indeed lately the normal course of things is for the exploit to be available within a day or two and malware within a day or two after that. But none of them have resulted in worms of any significance.

Did Nazario found a blog to focus on research for a malware field that is in decline? Perhaps even obsolete? I dont know about obsolete, but clearly things have changed, and I noticed it a while ago. Several years ago the field was fertile for worm authors. Nowadays its too easy for people to defend themselves.

Anyone out there who is vulnerable to W32.Wargbot, the main worm released to exploit MS06-040, was vulnerable to many other attacks that predated it, and was probably infected with lots of other malware already. To me, this diminishes the significance of this vulnerability.

What has changed? Perhaps the biggest change is Windows XP SP2. The number of security improvements in it are significant, including an inbound firewall that would stop just about any of these attacks in the default configuration.

A study released by Microsoft of disinfections performed by their Malicious Software Removal Tool makes the point better than I could. Three percent of disinfections performed by the March, 2006 release of the tool were on Windows XP SP2 systems. Windows XP Gold and SP1 systems accounted for 63 percent of removals. By March of 2006 virtually all preloaded systems had been running SP2 for some time, increasing the percentage of the overall installed base running it, and this trend just increases every day.

A well-known security researcher eavesdrops on a botnet linked to the recent MS06-040 Windows attack and confirms that for-profit spammers are winning the cat-and-mouse game against anti-virus scanners. Click Here to read more.

Another major reason is the commoditization of network security: Even a simple NAT router would block most of these attacks. Almost all of these worms come through ports not normally routed by a simple router. And most of even the cheapest routers these days include a firewall, which precludes even more attacks.

Im definitely on the optimistic side these days. It seems to me that defense is advancing faster than the attack. Even IM worms, which not long ago were on everyones list of "Threats of the Future," appear to be dying out.

Optimism is not the same thing as complacency. There are still plenty of threats out there. You just have to know how to defend yourself against them.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. More from Larry Seltzer Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel