As the Worm Turns: Lessons from Blaster

Compared to the images of sweaty Gothamites trudging across the Brooklyn Bridge in 95-degree heat during the massive power blackout, the MS Blaster worm now seems like a walk in the park.

Still, the latest worm to clog corporate networks and kludge the Net wreaked plenty of havoc in its own right. Internet security companies estimated losses from both downtime and wasted manhours in the hundreds of millions of dollars for U.S. companies. And Blaster-infected machines significantly impacted the Internet. The stream of bogus requests generated by the worm slowed DNS (domain name system) servers that act as the phone directories of the Internet. Compromised computers jammed up networks ranging from BMW in Germany to the Maryland Motor Vehicles Dept.

Sure, Microsoft carries some of the blame for the problem. Blaster exploited holes left by Microsoft programmers in the Windows 2000 and Windows XP operating systems. And Bill Gates & Co. have made some mistakes in combating Web viruses, as I'll explain in a bit. But I think network administrators and companies worldwide are as much at fault as the colossus of Redmond. So are small businesses and individual PC owners who unwittingly left their boxes exposed to this easily avoidable worm, as well as the Internet service providers who generally provide little guidance on proper security procedures. How many more wake-up calls do people need before recognizing that up-to-date computer security is a must in a digital world?

SIGNAL AND NOISE. Like the Slammer and CodeRed worms before it, Blaster targeted computers running Microsoft Windows 2000 and Windows XP operating systems. The worm carries a small program designed to exploit a chink in Redmond's digital armor and insert a file deep into the operating system in the Windows registry system. The registry is a database where the most basic rules that govern how a Windows machine behaves are stored and categorized.

Once Blaster inhabits the registry, it causes computers to restart without warning and to spew out thousands of connection requests per minute, in search of other machines to infect. The sheer volume of traffic caused enough digital noise to bog down networks.

By the same token, the Blaster program sucked up so much processing power on each machine that many individual users had difficulty performing simple tasks like dragging a cursor across their desktops, let alone installing patches. And if the disruption alone weren't bad enough, Blaster-infected machines were set to enact a denial-of-service attack against www.windowsupdate.com on Aug. 16. That's the URL Microsoft directs users to when they push the "Windows update" button on their desktop for automatic software updates.

CLOSING THE PORTS. Scary, right? It didn't have to be this way. Let's start with the network administrators. No, I don't fault them for failing to patch their systems. Patching thousands of desktops and making sure that everyone's pet application continues to work is a nightmare. But there's an easy safety measure that should have been done a long time ago: blocking all Internet requests for unassigned ports.

Let me explain: Ports are virtual entry points into a computer. Each is assigned an arbitrary number. For example, port 80 is the designated number for delivering Web-site location information. A computer has thousands and thousands of ports. Blaster generally sought entry to potential victims over ports 135 and 4444, neither of which have any significant common use. They should have been blocked off by the perimeter firewalls now used by just about every business with a significant Internet connection. Sure, hindsight is 20/20, but this should have been common sense.

That's not all: A majority of network administrators haven't even installed desktop firewalls on their users' machines. In a 2002 survey conducted by IT security research firm Infonetics, only 14% of the 240 businesses questioned had installed desktop firewalls for their employees. These would have helped stop the spread of Blaster inside organizations, even if the virus made it through outside firewalls. True, managing fleets of users equipped with desktop firewalls generally requires management software costing tens of thousands of dollars. But even that looks pretty cheap compared to huge disruptions on a network that worms like the Blaster can cause.