New worms spread anti-virus software through ISS security products and are hard to find

Source: Internet
Author: User
ZDNet China, March 29 (Reporter: Robert Lemos): Computer virus analysts said the Witty worm first picked computers with known security vulnerabilities and then spread quickly. Most of the companies that were hit had not had time to install the patch.

Less than 48 hours after the description of the security vulnerability was published last week, the Witty worm began to spread over the network, making it the fastest worm to exploit a security vulnerability, according to a report jointly published by the Cooperative Association for Internet Data Analysis (CAIDA) and the University of California, San Diego.

The report said: Computers were compromised by the worm the day after the vulnerabilities in the firewall software were revealed. It can be seen that only end users install patches to block security vulnerabilities.

Witty exploits security vulnerabilities in Internet Security Systems (ISS) software, including RealSecure and BlackICE. Although ISS said earlier that only 2% of users were compromised by the Witty worm, the report said Witty had broken into as many as 12,000 computers in less than an hour.

Colleen Shannon, a senior security researcher at CAIDA and one of the authors of the report, said that if other worms can survive so quickly, enterprises may have to reduce their reliance on traditional anti-virus methods and begin to adopt other methods to mitigate external threats.

She said: In just two days, there was not enough time. A large group of people could not do well. This must rely on improving the end user's technical level and updating patches from time to time.

The report also showed signs that the worm may have been planted on affected servers to speed up the attack.

The Witty worm began spreading early on Saturday. About 45 minutes later, about 12,000 servers on the Internet were infected. Most servers containing the security vulnerability were hit. Within 10 seconds, 110 infected hosts surfaced, leading CAIDA to believe that those servers were used to actively spread the worm, a technique called preseeding.

This worm must be pre-planted, Shannon said. There is no other possibility from the data analysis.

The Witty worm can write 65 k of data to a random hard disk location and damage the hard disk, resulting in nearly half of the systems going down because of the virus within 12 hours.

By contrast, the Slammer worm, which exploited Microsoft SQL security vulnerabilities, infected 70,000 to 100,000 computers. CAIDA said that the proportion of computers infected with Witty is relatively small. The worm also attacks computers designed to prevent virus threats.

The report says that the impact of this evolution cannot be ignored. The report said: With only a little skill, malicious people may break into thousands of machines and use them to do whatever they want, without leaving any clues on the victim hosts. (Tang Huiwen)
