Future Tense for Mar. 6, 2007
By Steve Welker
This month's (15.09) issue of Wired has a fascinating article about the botnet attacks on Estonia in April and May and an accompanying commentary by former intelligence officer Ralph Peters titled, "Washington Ignores Cyberattack Threats, Putting Us All at Peril",/a>.
It amazes me that the U.S. government seems to be investing so little in defense against cyber attacks, despite many warnings from IT professionals. The problem is not new; the countermeasures should be. This "Future Tense" column appeared two years ago in August 2005:
Two worms feasted on Caterpillar and The New York Times last week.
They also dined on, and at the expense of, CNN, General Electric, ABC Television, United Parcel Service — in all, about 10 major corporations.
The two worms, Zotob and Rbot, are the latest examples of malicious software that infects a computer and then uses the new host to spread to other systems. Usually, these worms do no damage — unlike computer viruses, the worst of which can erase your computer’s files — except for slowing down your computer. However, Zotob and Rbot had flawed code and caused computers running the old Microsoft 2000 operating system to repeatedly shut down and restart — a significant annoyance, but also a clear signal of an infection.
As I write this, Zotob, Rbot and their cousins continue spreading around the world. Taking advantage of Microsoft’s “Plug ’n’ Play” program — a very useful feature that makes it possible to hook on new hardware such as printers without making complex changes in the operating system — the worms look over the Internet for other vulnerable machines, copy themselves and widen their search. It’s believed that Zotob and Rbot ultimately would open up their host machines so someone could operate the computers without the owner’s knowledge, but I haven’t seen any reports of that happening — yet.
The idea of a computer worm is older than home computing. Science-fiction writer John Brunner coined the word and described a worm’s action in his 1975 novel, “The Shockwave Rider.” The hero, Nick Haflinger, used a worm to open secret government and corporate files to the public.
In 1978, two Xerox researchers wrote the first software worm and published a now-famous article describing how they it worked. They thought worms might prove useful as a way to disseminate software updates.
Ten years later, Robert Tappan Morris, a graduate student at Cornell University, released the first “wild” worm. It consumed so many computer resources so quickly that the Internet almost collapsed. Since then, worms like Mydoom, Sobig, Blaster and Witty have exploited other software vulnerabilities, but they, like Zotob and Rbot, usually spread more slowly to avoid detection. Even so, most worms and viruses are found quickly and security-software companies like Symantec and McAfee, as well as Microsoft and Apple themselves, promptly write and distribute software “patches” to plug open holes in the operating system.
Most people have heard of computer viruses, but a couple of things about Zotob and Rbot are unusual and interesting.
First, Microsoft itself told programmers about the weakness in the plug-and-play system. The company sent out a user alert and a corrective patch on Aug. 9-10. Zotob’s creators produced the worm just four days later — an amazingly short time for a complex piece of code — and they probably couldn’t have moved so fast without Microsoft’s pointing the way.
This has been the subject of a long-running debate among information technology managers. Should individuals and companies should “go public” when they discover software problems? I remember a huge debate in the IT community in the 1990s after an independent software designer discovered a problem in Microsoft Windows, begged the company for months to fix it and finally, in desperation, published the details on the Internet. Microsoft first tried to downplay the report, then it tried threatened to sue the programmer and finally, reluctantly, it admitted the mistake and belatedly announced a fix (while Microsoft denied and dithered, Symantec and McAfee sold thousands of copies of their anti-virus updates to fix the problem).
Today, Microsoft and other companies usually don’t wait when they learn about a vulnerability. They write the code to fix it and distribute the update ASAP.
It’s not Microsoft’s fault that people didn’t promptly apply the patch to prevent Zobot and Rbot from infecting computers. Except, it sort of is Microsoft’s fault. Some years ago the company published a software upgrade called SP2 (Service Pack 2), that actually broke some code it was designed to fix. After that experience, many people became leery of installing patches and updates. Trust me on this, nowadays you should always install security updates.
The other thing I found interesting about Zobot and Rbot is that some versions last week seemed designed to kill other worms. Mikko Hypponen, a Finnish expert in security software, said it looks to him like competing gangs of cybercrooks each tried to exploit the Microsoft vulnerability, but also tried to cripple their competition’s attacks.
“We seem to have a bot war on our hands,” Hypponen told CNet.com. “There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines.”
One final thing about Zobot and Rbot. They both hit major corporations who have strong security systems and highly capable systems administrators. If the worms could get past those defenses, what hope does a home-computer operator or small business have against malicious attacks?
All you can do is stay informed, use anti-virus software, promptly install security upgrades and pray that the next software worm doesn’t feed on your computer ... in the future.
Steve Welker is the editor of SurryBusiness.com. His e-mail address is firstname.lastname@example.org.