Last week’s rash of Windows 2000 worms highlights a relatively new phenomenon of “business worms” that cause mass infections on local networks while leaving the internet relatively unscathed, an antivirus vendor observed on Friday.
Zotob, Bozori, and other network worms that exploited the MS05-039 vulnerability created headlines for their impact within certain companies, but did not blanket the internet the way previous worms have.
“There’s no question that this worm [Bozori] is spreading. However, it seems to be confined to localized ‘explosions’ inside large corporations,” David Emm, senior technology consultant for Kaspersky Lab UK, wrote Friday.
He noted, as several virus experts also did last week, that unlike the Sasser and Blaster outbreaks, there were no reports for mass residential infections.
“The worm can’t reach many machines over the Internet because these days everybody deploys a firewall,” Emm wrote. “However, a worm can penetrate a local network without going through the firewall: when an infected laptop is brought into a network.”
Antivirus vendors and Microsoft said as soon as Zotob started spreading over a week ago that it was unlikely to cause much damage, as it travels over TCP port 445, often blocked by firewalls by default, and only infected unpatched Windows 2000 machines.
But high-profile outbreaks within corporations – such as the infection that left ABC News producing its TV news scripts on electric typewriters when all its PCs died – showed that perimeter protections were not always effective.
Caterpillar, CNN, Disney, Daimler-Chrysler, the Financial Times, Kraft, the New York Times, San Francisco International Airport, SBC, and UPS were among the other companies reported to have been infected.
Without knowing how all these companies’ networks are set up, it is not possible to say accurately why they were infected, but some are speculating that laptops infected outside of the LAN and then returned to the office could be to blame.
There may be some circumstantial evidence to support this argument, such as the fact that major outages only started being reported a couple of business days after the worms were unleashed – when laptops had had a chance to move in and out of the network.
The SANS Institute’s Internet Storm Center reported data showing that while the amount of port 445 scans was up considerably during the peak of the attack, the number of sources doing the scanning was not much greater than normal background noise.
This may show that a relatively small number of infected machines were doing the scanning, but they were doing a lot of it.
This could be consistent with, but certainly does not prove, the theory of contained explosions of infections within the soft centers of corporate networks, protected from infecting other LANs by their own perimeter security.
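The pattern the Storm Center data points to – scan volume up sharply while the number of distinct scanning hosts stays near baseline – is something a network administrator can check for in their own firewall logs. The script below is an added example written for this article; it is not from the article, Kaspersky, or the SANS Internet Storm Center. It parses a constructed set of firewall deny-log lines (the `src:port -> dst:port` record format is an assumption), keeps only attempts against TCP/445, and reports total attempts, the count of unique sources, and the sources that hit several distinct internal hosts, which is the behaviour an internal scanning worm would show.

```python
import re
from collections import Counter

# Constructed sample of firewall deny-log lines (not real data). The record
# format is an assumption, loosely modelled on "src:port -> dst:port" deny logs.
SAMPLE_LOG = """\
2005-08-16T09:00:01 DROP TCP 10.0.1.5:1034 -> 10.0.2.10:445
2005-08-16T09:00:01 DROP TCP 10.0.1.5:1035 -> 10.0.2.11:445
2005-08-16T09:00:02 DROP TCP 10.0.1.5:1036 -> 10.0.2.12:445
2005-08-16T09:00:02 DROP TCP 10.0.1.5:1037 -> 10.0.2.13:445
2005-08-16T09:00:03 DROP TCP 10.0.1.5:1038 -> 10.0.2.14:445
2005-08-16T09:00:03 DROP TCP 10.0.3.9:2201 -> 10.0.2.10:445
2005-08-16T09:00:04 DROP TCP 10.0.3.9:2202 -> 10.0.2.11:445
2005-08-16T09:00:04 DROP TCP 10.0.3.9:2203 -> 10.0.2.12:445
2005-08-16T09:00:05 DROP TCP 10.0.1.5:1039 -> 10.0.2.15:445
2005-08-16T09:00:05 DROP TCP 10.0.4.2:3301 -> 10.0.2.10:445
2005-08-16T09:00:06 DROP TCP 10.0.4.2:3302 -> 10.0.2.10:80
2005-08-16T09:00:06 DROP TCP 10.0.5.7:4100 -> 10.0.2.20:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DROP\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_port_445_attempts(log_text):
    """Yield (src, dst) for every dropped connection attempt to TCP/445.

    Lines that do not match the expected format, or that target another
    port (e.g. the port 80 line in the sample), are skipped.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("dport") != "445":
            continue
        yield m.group("src"), m.group("dst")


def summarize_scanners(log_text, min_distinct_targets=3):
    """Summarize port 445 activity per source.

    Returns total attempts, the number of unique sources, attempts per
    source, and the sources that touched at least `min_distinct_targets`
    different internal hosts (a sweep across hosts, not a single retry).
    """
    attempts = list(parse_port_445_attempts(log_text))
    per_source = Counter(src for src, _ in attempts)
    targets_by_source = {}
    for src, dst in attempts:
        targets_by_source.setdefault(src, set()).add(dst)
    suspects = sorted(
        src for src, targets in targets_by_source.items()
        if len(targets) >= min_distinct_targets
    )
    return {
        "total_attempts": len(attempts),
        "unique_sources": len(per_source),
        "per_source": dict(per_source),
        "suspects": suspects,
    }


if __name__ == "__main__":
    summary = summarize_scanners(SAMPLE_LOG)
    print(f"port 445 attempts: {summary['total_attempts']}")
    print(f"unique sources:    {summary['unique_sources']}")
    for src, n in sorted(summary["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:<12} {n} attempts")
    print(f"hosts sweeping >=3 internal targets: {summary['suspects']}")
```

On the constructed sample, eleven of the twelve lines are port 445 attempts, but they come from only four sources, and two of those sources account for nine of them: the same "few sources, lots of scanning" shape described above. In practice the suspect list is a starting point for isolating hosts (the returning laptops the article speculates about), not proof of infection on its own.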
“The Bozori incident suggests that we’re on the threshold of a new era, in which ‘business worms’ will cause ‘local network outbreaks’ in large corporations, but will have little effect on the Internet as a whole,” Emm wrote.