Worms Spur New Defenses

Administrators create own solutions to stop infected attachments.

In battling worms such as Bagle and MyDoom, users are growing frustrated by a lack of tools and help from software vendors, leading some administrators to take innovative steps to keep their networks from being crippled on a weekly basis.

MyDoom.O hit earlier this week and quickly began clogging corporate networks with millions of infected e-mail messages. The worm took several search engines offline as it sent thousands of search requests through the sites in an effort to find more e-mail addresses. And, just two days after its initial assault, a second portion of the attack appeared, using a back door installed by MyDoom.O to upload more malicious code to infected machines.

Even some companies fortunate enough to have avoided major problems in that round of mass infections have begun planning ways to keep dangerous attachments out of users' in-boxes. Their work comes at a time when security companies such as Sophos plc. are reporting record numbers of new infections and companies such as Microsoft Corp. stumble in efforts to thwart such attacks.


Kohl's Corp. had only three machines infected by MyDoom.O, but the IT staff is considering building a Web-based portal that would be used as a drop for potentially harmful attachments.

Through the use of a white list at the mail gateway, only a small set of explicitly approved attachment types would be allowed to go to users. All other messages containing attachments would be directed to the portal.

The messages would be held for a few hours, then scanned for viruses. If a message is clean, the recipient would get an e-mail containing a link to the message at the portal. Infected messages would be deleted, and the sender would receive an e-mail informing him or her that the message contained a virus and was destroyed.


"We can't stop files from coming in. Information drives business, and stopping the flow of information is the same as stopping the business," said Bart Lansing, manager of desktop services at Kohl's, based in Menomonee Falls, Wis. "We have to find creative ways to say yes to that information flow, while managing it effectively and protecting our users, often from themselves. That's our job."

Another measure some organizations are considering is blocking file attachments at the e-mail gateway to stop worms such as last week's MyDoom.O from spreading.

Like most of the current crop of e-mail-borne worms, MyDoom.O spreads via the use of infected mail attachments that users must open to execute the malware. As a result, many administrators have been filtering potentially dangerous file types, such as executables and screen savers, at their mail gateways. However, MyDoom and some other recent worms and viruses have spread through .zip, image and other file types that previously had been considered safe.
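The gateway allow-list and hold-queue approach described in the Kohl's plan above, combined with the point that archives can no longer be treated as safe, can be sketched as a small routing policy. The following is an added example, not code from Kohl's, eWEEK or any vendor named in the article; the approved-type list, the runnable-extension set, the two-hour hold period and the sample messages are all constructed assumptions, and the archive check is a static heuristic that stands in for the virus scan the portal would run.

```python
"""Gateway attachment allow-list with a hold queue (illustrative example).

Assumptions, not Kohl's actual configuration: APPROVED, RUNNABLE, HOLD_PERIOD
and the sample messages below are constructed for demonstration.
"""
import io
import zipfile
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Explicitly approved attachment types that may go straight to the user.
APPROVED = {".txt", ".pdf", ".csv"}

# Extensions that execute when opened on a Windows desktop. Used only to
# annotate archive contents; .zip itself is never on the allow-list.
RUNNABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

HOLD_PERIOD = timedelta(hours=2)  # assumed "few hours" before the portal scan
SAMPLE_NOW = datetime(2004, 7, 30, tzinfo=timezone.utc)  # constructed clock


def _extension(name: str) -> str:
    """Lowercased final extension of a filename ('' if none)."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def archive_members_runnable(data: bytes) -> list[str]:
    """Names of zip members with a runnable extension.

    Data that is not a readable zip is reported as ['<unreadable>'] so that
    a malformed archive is treated as suspicious rather than ignored.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist() if _extension(m) in RUNNABLE]
    except zipfile.BadZipFile:
        return ["<unreadable>"]


def route_message(raw: bytes, now: datetime) -> dict:
    """Decide 'deliver' (all attachments approved) or 'portal' (hold) for one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = _extension(fname)
        if ext in APPROVED:
            continue
        reason = f"{fname or '<unnamed>'}: type {ext or '<none>'} not on allow-list"
        if ext == ".zip":
            hits = archive_members_runnable(part.get_payload(decode=True))
            if hits:
                reason += f"; archive contains runnable members {hits}"
        findings.append(reason)
    if not findings:
        return {"action": "deliver", "findings": []}
    return {
        "action": "portal",
        "findings": findings,
        "release_after": now + HOLD_PERIOD,  # earliest time the scan runs
        "sender": msg["From"],
        "recipient": msg["To"],
    }


def sender_notice(decision: dict, scan_clean: bool) -> str:
    """Text of the e-mail sent to the sender once the held message is scanned."""
    if scan_clean:
        return f"Your message to {decision['recipient']} is available at the attachment portal."
    return (f"Your message to {decision['recipient']} contained a virus and was destroyed. "
            f"Findings: {'; '.join(decision['findings'])}")


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; not a captured worm sample."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "report"
    m.set_content("see attached")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


def zip_with(member: str) -> bytes:
    """Constructed zip archive holding one inert member with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("q2.pdf", b"%PDF-1.4"), ("photo.zip", zip_with("photo.jpg.scr"))]:
        print(name, route_message(build_sample(name, data), SAMPLE_NOW))
```

The deliver/portal split is decided purely by attachment type, as the article describes; the archive inspection only enriches the findings that the later notice reports, so a zip of harmless images is still held, not dropped.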


The stream of these attacks has taken such a toll on administrators and security teams that some consider blocking all attachments before they reach the desktop as the only way to safeguard against widespread infection.

"At some point, you have to keep users from doing this. Educating them clearly hasn't worked, so this is the only thing left," said a network administrator at a Southern university who asked not to be named. "E-mail was not meant to transfer files. It's not a safe medium for that."

This strategy can be disruptive to business operations, however, making it unattractive to many.

Although much of the worm's behavior is unremarkable, the two-stage attack worries some security experts. "The continued increase in the sophistication of malicious code attacks such as this most recent MyDoom outbreak is troubling," said Ken Dunham, director of malicious code at iDefense Inc., based in Reston, Va.

To make the situation even more challenging, one potential source of relief that many had been counting on, Microsoft's Service Pack 1 for Windows Server 2003, has been delayed until at least next year because of "quality issues," said officials at the Redmond, Wash., company.

The update, which had been due later this year, includes a new technology that inspects clients trying to connect to the network and denies them access if their anti-virus software isn't updated or if they don't comply with other security policies. Microsoft is touting this as a way to halt infections before they begin.
