The Globe and Mail

Virus made in 7 days

From Thursday's Globe and Mail

A series of computer worms exploiting a vulnerability in one of Microsoft Corp.'s operating systems have shut down computers in companies across North America, striking them so quickly that experts say hackers may have finally got the upper hand on businesses.

The malicious software, which appeared at the beginning of the week, infected companies running Windows 2000 that did not have their networks patched fast enough with the latest software fixes Microsoft released on Aug. 9.

International hackers created the worms, known generally as Zotob and Ircbot, in just seven days. The trouble is that companies require about two to four weeks to test patches, to see how they will affect their systems, before they install them.

“This is a wake-up call to everyone that the rules have changed,” said Stephen McWilliams, vice-president at Fusepoint Managed Services Inc., which manages other companies' IT operations in its data centres across Canada. “We are getting close to zero day vulnerability.”

The hackers build their worms using information in patches that Microsoft releases each month to fix flaws in its software.

Several years ago, hackers required 250 days to create the Code Red and Nimda worms from Microsoft's vulnerability reports. Last year, the Sasser worm appeared in just 15 days.

Businesses across North America were scrambling Wednesday to get patches into place. IT consultancies declined to name specific clients hurt in the attacks, but they said the latest worm to strike the Microsoft platform is less damaging than previous ones.

Among the companies hit were Canadian Imperial Bank of Commerce, BMO Nesbitt Burns Inc. and Bank of Nova Scotia. The attacks slowed Internet banking, but customers' security and personal information were never at risk, said Frank Switzer, a spokesman for Scotiabank. “We are back to normal today,” he added.

“I am aware of outbreaks in some large financial services organizations. I am aware of efforts to mobilize protections in large telecom organizations, but not of outbreaks there. I know a very large number of assorted businesses in all industries who have been impacted,” said Richard Reiner, chief technology officer of Assurent Secure Technologies, a Toronto-based IT security firm.

“Some previous worms were able to bring entire enterprise networks down because of the vast amounts of network traffic they generated. This one does not do that,” he said. It is, however, “capable of disabling certain individual servers and desktops and of bringing single individual systems down should those systems not be adequately protected.”

Mr. Reiner rated the Zotob and Ircbot worms a six on a scale of 10 in terms of danger. In comparison, he said the “Slammer” worm that struck in January, 2003, rated a nine.

As of Wednesday, there were nine different versions of the latest worm using the vulnerability in Windows 2000, according to F-Secure Corp., a software security firm in Helsinki.

Computer worms are programs that spread and replicate themselves over networks. Once installed on devices, they can communicate back to a controlling server that can remotely execute commands. “Think of it like a general of an army who now has all these soldiers under his command,” said Jack Sebbag, vice-president and Canadian general manager at McAfee Inc., a security software company.

In this latest series of attacks, competing hackers are creating a family of worms using the same vulnerability, and one worm variant appears to be deleting another. “We seem to have a botwar on our hands. There appears to be three different virus writing gangs turning out new worms at an alarming rate,” said Mikko Hypponen, chief research officer at F-Secure.

In the United States, affected companies included Time Warner Inc.'s CNN, New York Times Co. and Caterpillar Inc.

With files from Canadian Press