In addition to the simplicity with which new malware can be written, recent problems were largely the result of new worms' ability to propagate via networks of 'zombie' computers, which have been infected without their users' knowledge. These networks are referred to as 'bot networks' or 'botnets', and bot-enabled worms are often nicknamed 'bots'.
According to Joe Hartmann, Director of Antivirus Research Group at Trend Micro, there are multiple bot variants from multiple authors.
"We saw six different bots from four different malware families, which all utilised the same exploit code," Hartmann said. "They all had the same core functionality but added new code functionality, such as a mass mailer. This helped lead to broader global proliferation for some of the variants."
Security experts add that this technique is common among malware writers. The original exploit code is written and posted to a public Internet site, then the other writers append additional functionality, such as more advanced seeding and propagation techniques, to make the malware more pervasive and advanced.
The speed with which a writer can exploit vulnerabilities is absolutely essential to a successful bot attack, for two reasons. First, there is typically only a 30- to 90-day window of opportunity between the announcement of a vulnerability and the point at which the majority of computers are patched, after which those systems can no longer be infected through it. Second, there are a number of different groups of worm authors, each competing to build their own bot networks. The authors know that time is of the essence, because they are racing each other to infect as many user systems as possible to form a botnet and preclude the other groups from using those same systems to create their own botnets.
As a result, once a vulnerability is announced, writers are highly motivated to create their exploit code and release it into the wild as quickly as possible, to maximise the effectiveness of the attack. According to Bruce Hughes, senior research engineer with Trend Micro, most bots continuously exploit the same vulnerabilities.
"When a company gets infected, they respond by patching their systems against that vulnerability and likely are never infected again," Hughes said. "However, a new vulnerability makes them targets again."
Citing both the speed with which the exploit was written and the use of modular code, Hughes points to the success of WORM_SASSER and WORM_BLASTER. Like the recent ZOTOB infections, these exploits were added to existing bots very quickly after the vulnerabilities were announced. Although the first variants had limited success, Hughes warns that later variants were far more successful.
Security experts warn that there may be more attacks that are based on these vulnerabilities - and that, as always, end-user vigilance is the best defense. This includes keeping up with the latest Microsoft patches, maintaining current antivirus definitions, and using sound judgment.
To safeguard against this kind of threat, security experts at Trend Micro offer the following advice:
Ensure your system is patched with the most current Microsoft system update.
Ensure your antivirus definitions are up-to-date. To remove the manual burden of doing this, most antivirus companies offer an automated update option within their security product.
Increase the security settings on your browser. The higher the settings, the less a potential attacker can accomplish, if he can get in at all.
Limit your user rights when online. Using these vulnerabilities, a malicious user can typically only work under the same rights as the legitimate user. Hence, if the legitimate user logs in with only standard user privileges, the malicious user would only be able to obtain those same privileges. In contrast, if the user is logged in with administrator privileges, the malicious user could potentially gain full control of the user's system.
Change your email preferences to: a. disable automatic download when previewing the message; and b. block pictures and other Internet content (including HTML) from automatically downloading to your computer.
Use safe email practices, including abstaining from clicking on any embedded links.
Abstain from launching attachments that appear to be pictures or other files from an unknown source, as well as from people you know, if the attachment was unexpected. When in doubt, ask the person if they sent you anything, prior to opening any attachment.
Copyright © 2004 Software & Support Media