A new worm called W32/Blaster.A started spreading in the early hours of the 12th of August, Hong Kong time, but Allan Dyer, Chief Consultant at the local information security company Yui Kee Computing Ltd., says the outbreak was preventable.
Mr. Dyer described the outbreak, "During Tuesday, we received a small number of enquiries from companies that had been infected, and we blocked a far larger number of connection attempts by the worm at our firewall." In fact, Yui Kee recorded over 37 thousand attempted attacks on their systems during Tuesday. "Obviously, there are a large number of systems on the Internet that got infected, but the administrators of those systems could have prevented it", Dyer continued.
Good information security management has multiple lines of defence. Measures that would have prevented the spread of W32/Blaster.A include:
- A firewall: "Least privilege" firewall rules would have blocked the connection attempts made by the worm, preventing it from entering companies. Home users and SMEs can use personal firewalls. A default installation of F-Secure Distributed Firewall blocks the ports used by the worm.
- Updating systems: Software developers issue security patches for their products when a vulnerability is found. In this case, Microsoft issued a patch in Microsoft Security Bulletin MS03-026 on the 16th of July 2003. Fixing the vulnerability was described as "critical". Administrators have had almost a month to apply the patch.
- Tracking the information security news for important alerts: Yui Kee first notified the users of its YKAlert service about the vulnerability announcement on the 17th of July (Hong Kong time). They were alerted again on the 1st of August when CERT/CC advised that the vulnerability was being exploited. YKAlert users were alerted about the outbreak of W32/Blaster.A on the 12th of August at 07:05, before it had become widespread and in sufficient time to take emergency action.
Dyer sent a stern warning to malware writers: "This is not about blaming the victim, the responsibility for this disruption clearly lies with the criminal who wrote and released this worm. He or she should face a court for this crime, just like Simon Vallor." Simon Vallor was jailed in the UK earlier this year for two years after being convicted of writing and releasing three viruses, known as Redesi, Gokar and Admirer. "However, prudent computer users and administrators will pay attention to safety and security, just like we do in the real world whenever we handle money, cross the road, or take another risk."