Better security limits botwar's collateral damage

Malicious hackers unleashed new variants of a computer worm that attacks a vulnerability in Microsoft's Windows 2000 operating system, but infection rates appeared to be relatively low and damage minor yesterday.

The latest "War of the Worms" stands in contrast to previous outbreaks that brought networks and millions of PCs to a crawl in recent years.

It's a sign, security experts say, that computer users are heeding warnings to quickly install patches as they're released. It also indicates Microsoft's efforts to batten down the hatches of its ubiquitous software is paying off.

"Customers who have been impacted are feeling pain and we're working with them to make sure they get through the recovery process as soon as possible," said Debby Fry Wilson, director of Microsoft's security response centre. "But in terms of the numbers of customers impacted, it is relatively low."

Still, administrators of infected computers scrambled yesterday to clean their machines.

Besides sluggish network connections caused by their spread, the worms Rbot, Zotob and variants also opened a backdoor that could be used to install additional programs. Some infected PCs also reboot repeatedly without warning.

Yesterday, four new variants of the worm had been detected by F-Secure in Finland, bringing the total to 11, said Mikko Hypponen, the company's manager of antivirus research.

He said the variations apparently had been programmed to compete with each other - one automated "bot" pushing the worm will remove another from an infected computer.

"We seem to have a botwar on our hands," Hypponen said. "There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they would be competing who would build the biggest network of infected machines."

The latest worm targets a vulnerability that was publicly disclosed on August 9 by Microsoft, which also released a free fix. The problem involves the "Plug and Play" service that lets users easily install hardware on their PCs.

By August 12, someone had posted code that could be used to build a worm, or a piece of malicious software that replicates over networks. By Sunday, the first worm was released into the wild, continuing the trend of hackers increasing the speed with which they develop exploits.

From the start, the number of potential victims was limited by the fact that only a vulnerability in Windows 2000 was remotely exploitable. The operating system was never marketed as a consumer product.

The damage was further reduced by the fact that businesses have become more aware of the risks of not maintaining tight security.

"Businesses in general are doing a much better job at putting patches in place," said Martha Stuart, of computer security firm Sophos.

At the same time, Microsoft has reworked later versions of Windows to limit a computer's exposure to nasty software from the internet.

A security update for Windows XP by default recommends switching on automatic updates and installs a firewall that blocks the traffic used by the worm to propagate.

But even if those measures had been turned off, users of the latest Windows operating system were not affected. Microsoft reworked the software to ensure that it was less exposed to remote attacks.

"Compared to earlier versions of Windows, there are a third less vulnerabilities because of the security development work we have done, and half the number of critical vulnerabilities," Wilson said.