Blended threats: How to keep them at bay

Blended threats is the term coined for the latest generation of Internet worms. What differentiates them from past worms and viruses is their ability to propagate using multiple paths, thus increasing their infection rates and the amount of damage they can cause.

As blended threats evolve and become more sophisticated, they will present new challenges for securing networks. Here, I will explain blended threats, their implications and how to best defend against them.

The first high-profile blended threat arrived in 2001 under the name Code Red (see story). Sin ce then, several other blended threats have achieved widespread infection, including Nimda, Klez, Bugbear and this year's Lovgate. Just recently, another variant of the Code Red worm started spreading.

Special delivery from e-mail to the network

With the exception of Code Red, all of these worms use e-mail as their primary avenue for propagating. Once on a network, they continue to spread via network file shares or Web servers. These two, and sometimes three, propagation paths are what allow these blended threats to spread quickly. Previous worms typically used e-mail to spread and infected only the message recipients. Such infections typically rely on a user to open a message or a file before they can propagate further, which slows down the rate at which the worm spreads.

With blended threats, an infected machine will start actively infecting other machines without relying on any user behavior. Users who then download files from infected file and Web servers further increase the number of nodes that are actively spreading the worm.

The Nimda worm is a classic example of how blended threats can propagate. It initially spread through e-mail by exploiting a bug in Microsoft Outlook and Outlook Express that allowed it to propagate without the user opening an attachment. Once a desktop was infected, it spread from there through network shares and vulnerable Microsoft IIS Web servers. On the Web servers, Nimda modified common files such as index.html and others in such a way that it could exploit another bug in Microsoft Internet Explorer. It would then infect any clients that accessed the infected Web site and continue to propagate from there. It's easy to see how worms such as Nimda, with three avenues for spreading, can quickly wreak havoc on both individual networks and the Internet at large.

Advise Column
David Aylesworth, product manager at eSoft Inc.
David Aylesworth is a product manager at eSoft Inc., a network security company in Broomfield, Colo. He can be reached at

What are the implications of these blended threats for network security? We have become comfortable in a world where viruses spread slowly enough for antivirus vendors to identify them and distribute signature updates to customers before widespread infection, or at least in time to contain infections. Now we have blended threats that are spreading throughout the Internet in a matter of hours.

A similar problem exists for vendors of intrusion-detection systems (IDS), many of which rely on attack signatures that take time to develop and distribute. This phenomenon will require security vendors to come up with faster ways to develop and distribute signatures to their customers. In addition, security products will have to become better at preventing intrusions rather than just detecting them. This capability already exists in antivirus products and is starting to become available in intrusion-prevention systems that extend IDSs to automatically terminate attacks as they are identified.

Because blended threats are not just using e-mail to propagate, vendors will also have to provide antivirus and content-filtering products for other protocols. We have seen Web and file-sharing protocols used in past blended threats, but we have also encountered other viruses that spread through instant messaging and peer-to-peer networking protocols. So it's not unreasonable to assume that blended threats will eventually exploit vulnerabilities in these services as well.

How to protect your systems

Without knowing exactly how blended threats will evolve, there are still some safe computing practices we can put in place to protect ourselves from many likely scenarios:

Using antivirus products at network gateways, servers and desktops is a prudent step, and those products with automatic updating capabilities will ensure the most up-to-date protection for your network.

  • Firewalls should be used to block access to internal services that don't require public Internet access. This will help block some of the various propagation paths used by blended threats.
  • Even with firewalls in place, internal networks should be designed to authenticate internal users. It's not safe to assume that internal systems can be trusted when malicious code may be running on them.
  • Intrusion-prevention systems that support automated attack-signature updates can also provide additional protection.
  • Finally, perhaps the most important step is to keep software current by regularly installing vendor updates and security patches. All of the blended threats that have resulted in mass infection did so by exploiting known vulnerabilities in application software, some of them more than a year old. This means they all could have been prevented if users regularly installed software updates. Be sure to subscribe to security mailings from all your software vendors, and have a plan for implementing those updates as quickly as possible.

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon