Virus proves users, systems still vulnerable, security experts say

Security software vendors and other experts have been warning users of the dire consequences posed by e-mail viruses, such as the worm disguised as a photo of Russian tennis star Anna Kournikova that was launched this week.

Servers across corporate America were bombarded on Monday with the Visual Basic Script (VBS) worm built from a crude tool kit (see story). That the Kournikova worm spread as swiftly as it did proves that companies have a long way to go to improve lax security in their infrastructure and among their users, according to security managers and analysts.

"I didn't see anything new about this one. People should have had filters in place to prevent this," said Mark Amos, manager of information security at Owens Corning in Toledo, Ohio.

The worm was allegedly written by a 20-year-old Dutch man who goes by the handle "OnTheFly." The unidentified suspect turned himself in to police in the Dutch province of Friesland yesterday (see story). In his statement to the authorities, the suspect said that he "made a virus to prove how simple it was to make [one] and how vulnerable computers are for viruses."

This time, users were relatively lucky because the worm didn't damage their computers. But the virus did widely replicate itself: Once the attachment was opened, the worm worked its way through every e-mail address in the address books of Microsoft Outlook users.

Yet, eight months ago, Microsoft Corp. put out a patch for its Outlook e-mail software in response to similar problems with the more damaging "I Love You" virus last year. That patch would have prevented users from being infected with the Kournikova worm, analysts said.

While those hardest hit aren't talking about the virus and its damage to their corporate systems, a few security managers have shared their experiences with the Kournikova worm, or VBS/SST.

The easiest way to avoid being infected was to not open the attachment. But despite hard lessons from the "I Love You" and Melissa viruses, many users chose to double-click the infected attachment for the promise of a photo of the tennis pro and model.

Paul L. Schmehl, supervisor of support services at the University of Texas at Dallas, said constant education of his staffers has led them to a point where he trusts them to recognize the potential threat in unsolicited attachments.

"Our experience has shown that our users do use sound judgment regarding attachments," he said. "However, the onslaught of viruses that use stealth, encryption, multiple attachment file names, subject lines and body text makes it more hassle than it's worth to keep our users informed of the details of every virus. So we now bounce them at the gateway mail server, and they never enter our environment to begin with."

Amos relies on a similar set of multiple lines of defense.

"We hadn't had any reports of infections," he said. "[But], we did filter a lot of that stuff. We had around 500 .vbs hits [Tuesday]." Part of the filtering includes antivirus software that scans for infected files, but other filtering devices also block extensions, such as .exe and .vbs, that commonly contain viruses.

Owens Corning uses several layers of security that keep end users from even seeing most attachments, Amos said. The company uses an external filter service outside the firewall, antivirus software at the firewall, filters internally between servers and on the antivirus software on the desktops, Amos said. Users, with limited exceptions, can't receive attachments, he said.

While it may seem draconian, the company's strict e-mail usage policy prohibits personal e-mails, he noted, and "people are unlikely to complain that, 'Gee I didn't get my valentine,' when they know they are only supposed to use e-mail for business purposes."

All that effort seems to have done the trick with the Kournikova virus, according to Amos. "We didn't have any problem at all," he said.

Gary Mattson, network security manager at San Francisco-based Catholic Healthcare West, said the external protection he had this week, compared with the partial lack of it when the Melissa virus hit in March 1999, proved that there's a lot to be said for gateway protection.

Like Amos, Mattson has layers of filters. First, his e-mail goes through the Message Monitoring Server Network from Tumbleweed Communications Corp. in Redwood City, Calif. Though the software isn't primarily there to catch viruses, it has that side effect. Then, Mattson said, his servers clean out infected attachments with Groupshield 4.5 antivirus software from Network Associates Inc.

But Mattson said software alone won't provide adequate protection. Staffing is also a must. "You can't just put it up there and walk away and not staff it," he said. "We have patient data that we want to ensure stays confidential."

Blocking suspect attachments is no silver bullet either, said Matthew Pemble, a consultant at the Preston Technology Management Centre in Lancashire, U.K.

Virus writers can rename a Microsoft Word file, for example, as a rich text file. While rich text can't hold viral macros, Word documents can, and because Word opens a file according to its content rather than its extension, an otherwise savvy user may unwittingly open a virus in what he thought was a safe file type.

"This is not to say that blocking by extension is bad -- it is a massive damage limiter -- just that it is not enough," Pemble said. "Scan everything at the gateway, scan everything at the desktop [preferably using different tools]. And then expect to get hit once in a while, anyway."
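The two defensive points made above, the extension denylist that Amos and Schmehl apply at the gateway and Pemble's warning that a Word document renamed with a safe extension slips past such a list, can be put together in one small gateway check. The following Python script is an added example and not code from the article or from any of the products it names; the denylist, the sample attachments and the filenames are constructed for illustration. It first rejects any attachment carrying a blocked extension anywhere in its name (so a name with a "safe" extension in the middle still gets caught), then compares the declared extension against well-known file signatures so that an OLE compound document (the legacy Word container) labelled as .rtf is quarantined rather than allowed through:

```python
"""Gateway attachment check: extension denylist plus content sniffing (added example)."""
from dataclasses import dataclass

# Assumed denylist, following the extensions the article says were blocked.
BLOCKED_EXTENSIONS = {".exe", ".vbs"}

# Well-known file signatures. The OLE compound header is what a legacy .doc
# begins with; RTF files begin with the literal "{\rtf" control word.
OLE_COMPOUND_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"


@dataclass
class Verdict:
    action: str   # "block", "quarantine" or "allow"
    reason: str


def extensions_of(filename: str) -> list[str]:
    """Return every dotted suffix, lower-cased: 'photo.jpg.vbs' -> ['.jpg', '.vbs']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def sniff_type(data: bytes) -> str:
    """Classify content by leading bytes, ignoring whatever the name claims."""
    if data.startswith(OLE_COMPOUND_MAGIC):
        return "ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Verdict:
    exts = extensions_of(filename)

    # 1. Extension denylist. Every suffix is checked, not just the last one,
    #    so a blocked type hiding behind an innocent-looking middle extension
    #    is still rejected.
    for ext in exts:
        if ext in BLOCKED_EXTENSIONS:
            return Verdict("block", f"extension {ext} is on the denylist")

    # 2. Content check. An OLE container can carry macros even when the name
    #    says .rtf, so the declared type and the sniffed type must agree.
    declared = exts[-1] if exts else ""
    actual = sniff_type(data)
    if declared == ".rtf" and actual == "ole":
        return Verdict("quarantine",
                       "named .rtf but content is an OLE compound document")
    return Verdict("allow", f"{declared or '(no extension)'} permitted, content {actual}")


# Constructed sample attachments (not real malware): a script with a
# photo-like name, a Word container renamed to .rtf, and a genuine RTF file.
SAMPLES = {
    "photo.jpg.vbs": b"MsgBox \"constructed sample\"\r\n",
    "report.rtf": OLE_COMPOUND_MAGIC + b"\x00" * 24,
    "notes.rtf": b"{\\rtf1\\ansi constructed sample}",
}


def run_samples() -> dict[str, str]:
    """Return the action decided for each constructed sample."""
    return {name: check_attachment(name, data).action for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = check_attachment(name, data)
        print(f"{name:16} {v.action:10} {v.reason}")
```

The "quarantine" verdict rather than "block" for the mismatched .rtf reflects Pemble's caveat: an OLE container is a macro carrier, not proof of infection, so the file should go to a scanner (ideally a different one from the desktop product) instead of being silently dropped. Extensions and signatures only narrow what reaches the antivirus layer; they do not replace it.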

For more coverage of this issue, visit Computerworld's Security Watch page.

Copyright © 2001 IDG Communications, Inc.
