Security software vendors and other experts have been warning users of the dire consequences of viruses such as the worm, disguised as a photo of Russian tennis star Anna Kournikova, that was launched last week.
Servers across the corporate world were bombarded with the Visual Basic script (VBS) worm built from a crude tool kit. That the worm spread as swiftly as it did proves that companies have a long way to go to improve lax security in their infrastructure and among their users.
"I didn't see anything new about this one. People should have had filters in place to prevent this," says Mark Amos, manager of information security at Owens Corning in Toledo, Ohio.
The worm was allegedly written by a 20-year-old Dutch man who goes by the handle "OnTheFly." The unidentified suspect turned himself in to police in the Dutch province of Friesland.
In his statement to the authorities, the suspect said that he "made a virus to prove how simple it was to make [one] and how vulnerable computers are for viruses." This time, users were lucky because the worm didn't damage their computers.
Once the attachment was opened, the worm worked its way through every address in the address books of Microsoft Outlook users. Yet, eight months ago, Microsoft put out a patch for its Outlook email software in response to similar problems with the I Love You virus last year. That patch would have prevented users from being infected with the Kournikova worm.
While those hardest hit aren't talking about the virus and its damage to their corporate systems, a few security managers have shared their experiences with the Kournikova worm, or VBS/SST.
The easiest way to avoid being infected was to not open the attachment. But despite hard lessons from the I Love You and Melissa viruses, users chose to double-click the infected attachment for the promise of a photo of the tennis pro and model.
Paul L Schmehl, supervisor of support services at the University of Texas at Dallas, says constant education of his staffers has led them to a point where he trusts them to recognise the potential threat in unsolicited attachments.
"Our experience has shown that our users do use sound judgment regarding attachments," he says. "However, the onslaught of viruses that use stealth, encryption, multiple attachment file names, subject lines and body text makes it more hassle than it's worth to keep our users informed of the details of every virus. So we now bounce them at the gateway mail server, and they never enter our environment to begin with."
Amos deploys a similar line of defence, or rather multiple lines of defence.
"We hadn't had any reports of infections," he says, "[but] we did filter a lot of that stuff. We had around 500 .vbs hits [Tuesday]." Part of the filtering includes antivirus software that scans for infected files, but other filtering devices also block extensions, such as .exe and .vbs, that commonly contain viruses.
Owens Corning uses several layers of security that keep end users from even seeing an attachment, Amos says. The company uses an external filter service outside the firewall, antivirus software at the firewall, filters internally between servers and antivirus software on the desktops. Users, with limited exceptions, can't receive attachments, he says.
While it may seem draconian, the company's strict email usage policy prohibits personal emails, he notes, and "people are unlikely to complain that, 'Gee I didn't get my valentine,' when they know they are only supposed to use email for business purposes."
That seemed to have done the trick, he says. "We didn't have any problems at all."
Gary Mattson, network security manager at San Francisco-based Catholic Healthcare West, says the external protection he had this week, compared with the partial lack of it when the Melissa virus hit in March 1999, proved that there's a lot to be said for gateway protection.
Like Amos, Mattson has layers of filters. First, his email goes through the Message Monitoring Server Network from Tumbleweed Communications in Redwood City, California. Though the software isn't primarily there to catch viruses, it has that side effect. Then, Mattson says, his servers clean out infected attachments with Groupshield 4.5 anti-virus software from Network Associates.
Mattson says software alone won't provide adequate protection. Staffing is also a must. "You can't just put it up there and walk away and not staff it. We have patient data that we want to ensure stays confidential."
Blocking suspect attachments is no silver bullet either, says Matthew Pemble, a consultant at the Preston Technology Management Centre in Lancashire, UK.
Virus writers can rename a Microsoft Word file, for example, as a rich text file. While rich text can't hold viral macros, Word documents can, and an otherwise savvy user may unwittingly open a virus in what he thought was a safe file type.
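A gateway filter can catch the renamed-file case by comparing what an attachment's name claims with what its leading bytes say, alongside the extension blocking described earlier. The Python below is an added example, not code from the article or from any vendor it names; the file names, payloads and the "quarantine" verdict for mismatches are constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".vbs", ".exe"}  # extensions the article names as blocked
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy Word .doc containers
RTF_MAGIC = b"{\\rtf"  # a genuine RTF file begins with this

def sniff(payload: bytes) -> str:
    """Identify a small set of formats from leading bytes, ignoring the file name."""
    if payload.startswith(OLE2_MAGIC):
        return "ole2"
    if payload.lstrip()[:5] == RTF_MAGIC:
        return "rtf"
    return "unknown"

def verdict(filename: str, payload: bytes) -> str:
    """Return 'block', 'quarantine' or 'pass' for one attachment."""
    ext = os.path.splitext(filename.lower().strip())[1]  # last extension only
    if ext in BLOCKED_EXTENSIONS:  # photo.jpg.vbs is judged as .vbs, not .jpg
        return "block"
    if ext == ".rtf" and sniff(payload) != "rtf":
        return "quarantine"  # name claims RTF, content is something else
    return "pass"

def scan_message(raw: bytes) -> dict:
    """Map each attachment name in a raw mail message to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        (name := part.get_filename() or "unnamed"):
            verdict(name, part.get_payload(decode=True) or b"")
        for part in msg.iter_attachments()
    }

def build_sample() -> bytes:
    """Constructed test message; file names and contents are made up."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    samples = {
        "photo.jpg.vbs": b"' constructed placeholder, not a script\r\n",
        "report.rtf": OLE2_MAGIC + b"\x00" * 24,  # Word container named .rtf
        "notes.rtf": b"{\\rtf1\\ansi plain text}",
    }
    for name, data in samples.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The check covers only the one mismatch the article describes; a production gateway would sniff many more formats and still hand every attachment to an antivirus scanner.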
"This is not to say that blocking by extension is bad -- it is a massive damage limiter -- just that it is not enough," Pemble says. "Scan everything at the gateway, scan everything at the desktop [preferably using different tools]. And then expect to get hit once in a while, anyway."