THIS STORY HAS BEEN FORMATTED FOR EASY PRINTING
Two more worms spread across the Internet
By Hiawatha Bray, Globe Staff, 8/20/2003
As computer networks worldwide recover from the effects of last week's Blaster worm assault, two more attack programs spread across the Internet yesterday. One of them, called Welchia or Nachi, purports to repair the computer security flaw that allowed Blaster to infiltrate thousands of machines. But in the process, Welchia can bring down corporate computer networks. The other worm, called SoBig, could turn home and business computers into relay points for unwanted Internet e-mail ads, or "spam."
Both of them underscore the relative ease with which vandals can bypass the security features found on millions of home and corporate computers. Industry experts warned yesterday that attack programs, sometimes called "malware," are becoming steadily more sophisticated and dangerous, forcing computer users to become more adept at protecting their machines.
The SoBig worm is the latest in a series of similar worms that have plagued computers running Microsoft Corp.'s Windows operating systems. But the latest version, called SoBig.F, has some menacing new features.
When it infects a machine, SoBig scans a variety of data files, searching for e-mail addresses. It then mails copies of itself to these addresses. The mail messages feature a variety of subject lines chosen at random, such as "Wicked screensaver," "Thank you!" or "Your Details," They also include an attached file. Activating this attachment will infect the computer, which will then try to infect more machines.
If a SoBig-infected machine is connected to a corporate computer network, the worm will infect any other machines on the network that are set to allow the sharing of data files. SoBig is designed to deactivate itself automatically on Sept. 10.
So far, this malware is similar to earlier versions of SoBig. But Vincent Weafer, senior director of the security response team at antivirus software maker Symantec Corp., said the new version plants a "Trojan horse" program on the computers it infects to let the originator of the worm secretly send e-mail messages through infected machines. Symantec researchers say that the creator of SoBig has used the Trojan feature to steal personal information from infected computers, and to relay spam.
Weafer warned that the same method could be used to plant even more dangerous Trojans, including programs that could launch crippling attacks on other Internet computers.
"Once you have a backdoor Trojan installed on your machine," said Weafer, "technically anything is possible."
Symantec and other antivirus software makers received hundreds of reports of SoBig infections yesterday, but experts said this worm should spread more slowly than last week's Blaster worm, which is still infecting thousands of computers worldwide. SoBig is only spread via e-mail, and only infects users who click to activate the attached file. Blaster attacked any Internet-connected computer that lacked the correct antivirus patches and firewall settings, and it spread automatically, with no need of assistance from a careless computer user.
SoBig's creator was clearly up to no good. But the Welchia worm may be a misbegotten effort to protect people from the Blaster worm. This program spreads through networks afflicted with the same security flaw that Blaster exploited -- a weakness in several versions of Microsoft Corp.'s Windows operating system.
But Welchia actually repairs the flaw once it has infected the machine. It then uses the infected computer to look for other vulnerable machines. It's this effort to find other machines to infect that makes Welchia so troublesome. The worm sends out so many search messages that the traffic can overwhelm normal network communications.
Indeed, the Reuters news agency reported yesterday that computers at Air Canada's telephone call center and passenger check-in counters were crippled by the Welchia worm.
Fortunately, the same measures that protect computers against the Blaster worm will work against Welchia. Symantec and other antivirus companies offer detailed instructions on their Internet sites. In addition, major antivirus companies have offered updates that will filter out the new SoBig worm. Microsoft also offers specific technical advice on its website for protecting home and office computers against worms and viruses.
Like nearly all common malware, the two new worms only attack computers equipped with Microsoft operating systems. But Ken Dunham, malicious code intelligence manager for data security company iDEFENSE Inc. in Reston, Va., said it's unfair to assign too much blame to Microsoft for the attacks.
"It's not like they're the bad guys," Dunham said. He noted that Microsoft has moved quickly to report on security flaws like the one that made Blaster possible, and to offer repair patches for them. But because there are hundreds of millions of Microsoft-based machines in the world, said Dunham, it will take a long time to upgrade security on all of them.
The new worms also demonstrated the need for home computer users to use firewall programs to protect their machines. Both SoBig and Welchia communicate over data networks using special communications services or "ports" that are not normally used by legitimate network traffic. A properly configured firewall can prevent a Welchia infection. A firewall-equipped machine could still be infected with SoBig, but the firewall would prevent the worm from installing a Trojan program on the computer.
Setting up a firewall can require a more sophisticated understanding of computer networks than most home users possess. Nevertheless, Ken Dunham of iDEFENSE said that they would have to make the effort. "Basic security now is not just updated antivirus," said Dunham, "but you definitely have to have a firewall."