Internet worm hits CardCall

The W32.Blaster.Worm hit prepaid communications provider CardCall yesterday causing a "fairly severe network slowdown", according to IT manager, Gordon Kenyon.

He said the outage affected the Gold Coast company's IT infrastructure, servers and 100 PCs, after its antivirus software failed to pick up the worm.

David Banes, regional manager Symantec Security Response, Asia Pacific, said the W32.Blaster.Worm discovered on Monday (August 11, 2003) had a big impact on Australian organisations, giving Symantec's Sydney customer service centre "one of the busiest days in a long time" yesterday.

Banes said the worm reinforced the need for organisations to have comprehensive security solutions in place.

"It's important that organisations don't just rely on a particular piece of software, but have a proper policy within the organisation including training and a security policy," Banes said.

Banes said that the W32.Blaster.Worm is not a "normal" virus or worm, but "more of a code red worm".

"Normal viruses come on e-mail which antivirus software can detect, but this worm is coming in on the network so antivirus won't detect it. That’s why it's also important to have firewall and intrusion detection in place," Banes said.

Kenyon said the worm "puts files on the machines and pretends to be a Microsoft update component and chews resources".

He said the company "received lots of external traffic on the network coming from unknown sources".

Kenyon said he was alerted to the problem early Tuesday morning and the outage, which hit CardCall's call centre, was about three hours.

"First we found out that the e-mail service was down, then we went through process of trying to get everything up and running and found what was consuming the resources was in fact a worm," Kenyon said. "We're had to manually apply patches to each workstation, which took the rest of the afternoon," Kenyon said.

Kenyon said the worm interfered with CardCall's e-mail system after coming through a hole in Windows security.

Unhappy with "the people who developed the worm", Kenyon said once the IT team established what the problem was, a simple patch was applied from the Microsoft network, "but we have to restore the network to make sure it's clear and antivirus is in place".

"We manually removed the worm and applied the patch to stop it coming back.

"Our Norton antivirus software was supposed to see it, according to Symantec, but it didn't. The worm attacks via a specific port and demonstrates a flaw in Microsoft security," he said.

On average, Kenyon said CardCall gets about four patches a week from Microsoft, and added that "it's a constant battle to keep machines up to date with the latest patches".

Symantec's Banes said the worm hit organisations that had not run Windows update features or not patched properly.

"If all their copies of Windows were updated with the relevant Microsoft patch, the worm" wouldn't have been successful, Banes said.

According to Symantec, the W32.Blaster.Worm will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm will attempt to download and run the Msblast.exe file.

Trend Micro said the worm exploits the RPC DCOM buffer overflow, a vulnerability in a Windows Distributed Component Object Model Remote Procedure Call interface which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Join the newsletter!

Error: Please check your email address.

More about MicrosoftSymantecTrend Micro AustraliaTuesday Morning

Show Comments

Market Place