Jose Nazario, blogmaster of the Worm Blog, noticed something interesting about the recent MS06-040 vulnerability.
This was one of those very worst kinds of vulnerabilities: accessible through a network interface and capable of executing attack code on the remote system.
Many of the most severe examples of worms, and the most famous examples of malware, have been based on such vulnerabilities. Think of Blaster and Sasser. In fact Sasser, which hit the streets in the spring of 2004, was the last of the great network worms.
Sasser was based on a vulnerability in the LSASS (Local Security Authority Subsystem Service) process. Since that time there have been several other vulnerabilities, including MS06-040, that could be invoked through the network and which could execute remote code.
Malware was developed for all of them, and indeed lately the normal course of things is for the exploit to be available within a day or two and malware within a day or two after that. But none of them have resulted in worms of any significance.
Did Nazario found a blog to focus on research for a malware field that is in decline? Perhaps even obsolete? I dont know about obsolete, but clearly things have changed, and I noticed it a while ago. Several years ago the field was fertile for worm authors. Nowadays its too easy for people to defend themselves.
Anyone out there who is vulnerable to W32.Wargbot, the main worm released to exploit MS06-040, was vulnerable to many other attacks that predated it, and was probably infected with lots of other malware already.
To me, this diminishes the significance of this vulnerability.
What has changed? Perhaps the biggest change is Windows XP SP2. The number of security improvements in it are significant, including an inbound firewall that would stop just about any of these attacks in the default configuration.
A study released by Microsoft of disinfections performed by their Malicious Software Removal Tool makes the point better than I could.
Three percent of disinfections performed by the March, 2006 release of the tool were on Windows XP SP2 systems. Windows XP Gold and SP1 systems accounted for 63 percent of removals.
By March of 2006 virtually all preloaded systems had been running SP2 for some time, increasing the percentage of the overall installed base running it, and this trend just increases every day.
Another major reason is the commoditization of network security: Even a simple NAT router would block most of these attacks. Almost all of these worms come through ports not normally routed by a simple router. And most of even the cheapest routers these days include a firewall, which precludes even more attacks.
Im definitely on the optimistic side these days. It seems to me that defense is advancing faster than the attack. Even IM worms, which not long ago were on everyones list of “Threats of the Future,” appear to be dying out.
Optimism is not the same thing as complacency. There are still plenty of threats out there. You just have to know how to defend yourself against them.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer