Commentary: Plugging the worm holes

by Paul Stamp, with Laura Koetzle and Benjamin Gray

The recent Zotob worm spread rapidly around the world, bringing some networks to their knees. It was the first worm to do so in more than a year and a half.

Predictably, the usual chorus of Microsoft denigrators has publicly decried sloppy programming practices in Redmond. Still, Zotob's global impact is negligible compared with that of damaging predecessors like MSBlast--partly because Microsoft had disabled most services by default in Windows XP and all subsequent operating systems. Although Microsoft's practices are far from perfect, this incident shows that its changes are helping.

		Related story Watch out for worm wars A surge in worms could be part of a battle by cybercrooks vying to hijack PCs for use in Internet crimes.

Still, Zotob did hit enterprises worldwide, infecting machines running Windows 2000 by exploiting a vulnerability in the plug-and-play service. Microsoft issued a security bulletin and a patch for this flaw last week. So what?

• The long-awaited worm attack arrives...
This is the first widespread worm to hit enterprises since MyDoom in January 2004. This indicates two things: First, people are getting better at protecting their systems, and second, virus writers are turning their attentions to more profitable activities, such as identity theft and attacks on specific companies

• ...but it has muted impact.
The worm affected Visa and media outlets like ABC and CNN--hence, all the television coverage--but other companies escaped unscathed. Why? Because Microsoft had already released a patch for the vulnerability, and the worm could mostly only attack unpatched Windows 2000 machines

• Better lockdown in Windows 2003 and XP prevents catastrophe.
In previous releases of Windows, Microsoft enabled almost all features of the operating system, whether the customer needed them or not, attracting much criticism from security-conscious customers. In recent major releases, Microsoft changed direction and started disabling features by default, forcing customers to enable only the features that they needed. The vulnerability that Zotob exploits affects all Windows systems, but because only Windows 2000 systems have the anonymous logon feature enabled by default, most Windows 2003 Server and XP machines were Zotob-proof.

• Widespread worms will give way to targeted attacks.
Security bugs will always appear--but with fewer services available to exploit in the future, worm writers will have a tougher time creating attacks like SQL Slammer and MyDoom that affect enterprises across the board and around the world. However, expect worm writers to step up the level of focused activities targeting vulnerabilities known to exist in specific environments--and these will have much more serious financial consequences for the victim.

© 2005, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.