Users: We can't take much more worm turmoil

Computerworld - Users scrambling to fend off a continuing barrage of malicious attacks last week expressed a growing sense of frustration over software vulnerabilities and the constant need to defend against new and increasingly sophisticated threats.

The attacks disrupted IT services at some large companies and prompted the U.S. Department of Homeland Security to issue an advisory relating to one of them.

"We are just very tired of this," said Eric Beasley, a network administrator at Baker Hill Corp., an application service provider in Carmel, Ind. "But it's unfortunately only a harbinger of what's to come."

For the second straight week, security administrators found themselves battling fires on multiple fronts. First, a variant of the recent Blaster worm, variously called Nachi, Welchia or MSBlast.D, surfaced early last week.

Dubbed by some as a "do-gooder" worm, Nachi was ostensibly created to disinfect and patch systems infected by Blaster. But the huge volume of Internet Control Message Protocol (ICMP) traffic that Nachi generated on corporate networks prompted the DHS to issue a warning about denial-of-service attacks caused by the worm.

The other attack came from W32/Sobig.F, a fast-spreading variant of a previous e-mail-borne virus that by midweek had earned the dubious distinction of being the worst ever in terms of the number of systems infected worldwide.

Security experts attributed the worm's seemingly unprecedented speed and reach to its ability to install on each machine it infects a Simple Mail Transfer Protocol server, which it uses to propagate itself via e-mail, and to the fact that it's spread both by e-mail and by network file-sharing.

The attacks disrupted service at some large companies. On Aug. 20, Jacksonville, Fla.-based CSX Corp., which owns the largest rail network in the eastern U.S., had to halt passenger and freight train services—including the morning commuter trains in metropolitan Washington—as a result of Blaster. The worm caused "significant slowdowns" to major applications, including dispatching and signal systems, according to a note on the CSX Web site.

Air Canada's reservation and airport check-in systems were similarly affected by Blaster, causing the Saint-Laurent, Quebec-based airline to delay and even cancel some flights on Aug 19.

Even companies not directly affected by last week's attacks felt their ripple effects.

External e-mail service at the MD Anderson Cancer Center at the University of Texas at Houston was slowed by Sobig.F "because of the massive number of pings and infected e-mail attempting to penetrate our perimeter defenses," said Lew Wagner, the center's chief information security officer. At its peak, the center's e-mail server was being hit by "tens of thousands" of such e-mails, he said.

And Baker Hill, which uses a third party to screen e-mail, had to deal with a stream of spoofed messages using the e-mail addresses of Baker Hill employees that were being bounced back by other servers.