Plug the Mobile Worm Hole

Or risk unpleasant consequences

The problems started the day I returned from my most recent trip. Due more to a stroke of luck than to good planning, my office workstation is near my network router, and about an hour after I started working, I saw the router's WAN activity light turn solid white and stay that way.

Although this light is often on, it typically doesn't stay on for long. With a growing sense of alarm, I toured the office and saw that no one was performing any work on the Internet. Glancing at my network switch, I noticed that three connections were very active and knew that I had a problem. I pulled the plug on the connections, and sure enough, the WAN activity light immediately went out.

Two of the active connections went to network client and server systems that I use primarily for testing. The other connection went to my wireless access point (AP), which not coincidentally was connected to the laptop that I took on my recent trip. To be sure that the WAN activity was related to one of those three systems, I plugged one of the connections back in and watched my WAN activity light jump back to life. My fears were confirmed: I had some type of virus on my network. I wasn't sure how the virus got through my defenses or which virus it was, but something was there.

Digging into the Problem
One of my test systems was running Windows XP Service Pack 1 (SP1). I had recently rebuilt the other systems and hadn't installed the latest hotfixes on them. Because all these machines are test systems, I hadn't installed antivirus software on them.

First, I needed to eliminate the virus. Then, I wanted to find out how it got on my network. I run a firewall and my production systems use antivirus software, so determining how the virus was introduced was essential to preventing similar vulnerabilities in the future.

After scanning the infected systems, I found that the source of the problem wasn't the MSBlaster worm that I expected to find. The culprit was the "good" variant of that worm, known as MSBlast.D, which, ironically, automatically patches systems that the MSBlaster worm has exploited. MSBlast.D basically replaces the dllhost.exe and svchost.exe files with its own versions of these programs, then performs a Trivial File Transfer Protocol (TFTP) transfer with the Windows Update Web site to download fixes. Nice, had it worked—but it didn't. Instead, MSBlast.D locked up every system it ran on, requiring me to boot the systems in Safe mode to get rid of it. Additionally, by using up all my bandwidth, MSBlast.D essentially caused a Denial of Service (DoS) on my network—proving that there's no such thing as a good worm.

By the time I'd repaired all three systems, I knew that I had brought the worm into my network on my laptop. I'd been using a new laptop for the past couple of months and switched back to my old laptop just before my trip, grabbing the old laptop out of a drawer and putting it directly into my bag. I hadn't patched the machine or updated its antivirus definitions. I'm sure that the laptop became infected when I plugged it into the wireless network that I used on my trip. Some PC on the wireless network had the worm and merrily spread it to every other PC on the same subnet.

Protect Your Mobile Systems
Although unpleasant, this experience pointed out a couple of areas in which I hadn't been vigilant enough. The first and most important of those is the need to run a personal firewall on my mobile systems, especially when using public networks. This precaution alone would have stopped the worm in its tracks. The worm spread across port 135—the port that Microsoft networking uses. While traveling, I want my laptop to communicate over port 80 so that I can browse the Web and use Microsoft Outlook Web Access (OWA). Occasionally, I might need standard POP3 access through port 110. But I certainly don't want access to Microsoft networking over port 135. Using a personal firewall to shut down all unwanted (and unneeded) ports would have drastically reduced my attack surface.
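The two lessons in that paragraph, a default-deny personal firewall that admits only the ports the traveller needs and a way to notice the subnet-wide port 135 spread the column describes, can be shown in a few lines of code. The following is an added example written for this page, not code from the column or from any firewall product. It assumes a constructed connection log in a made-up `src dst proto/port` format, a made-up laptop address of 10.0.0.7, and the column's own port list (TCP 80 and 110 outbound only); TCP 135 is the RPC endpoint mapper that MSBlaster exploited, which is why an unsolicited inbound connection to it on a travelling laptop has no legitimate reason to be accepted.

```python
"""Added example (not from the original column): a default-deny host policy
check and a port-135 sweep detector run over a constructed connection log.

Log format, addresses and host names are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# The only ports the column says a travelling laptop needs: Web/OWA (80)
# and occasionally POP3 (110). Everything else, including TCP 135, is
# dropped. Nothing inbound is allowed because the laptop serves nothing.
ALLOWED_OUTBOUND_TCP = {80, 110}

# Constructed log of what the office router/switch saw. 10.0.0.7 is the
# (hypothetical) returning laptop; 203.0.113.x are made-up Internet hosts.
CONSTRUCTED_LOG = """\
10.0.0.7 203.0.113.10 tcp/80
10.0.0.7 203.0.113.20 tcp/110
10.0.0.7 10.0.0.2 tcp/135
10.0.0.7 10.0.0.3 tcp/135
10.0.0.7 10.0.0.4 tcp/135
10.0.0.7 10.0.0.5 tcp/135
10.0.0.7 10.0.0.6 tcp/135
10.0.0.3 10.0.0.7 tcp/135
10.0.0.9 10.0.0.7 tcp/135
10.0.0.12 10.0.0.7 tcp/80
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto/port' line."""
    src, dst, svc = line.split()
    proto, port = svc.split("/")
    return Flow(src, dst, proto.lower(), int(port))


def policy_verdict(flow: Flow, host: str) -> str:
    """Default-deny personal firewall as seen from `host`.

    Outbound TCP to an allowed port is permitted; every other flow that
    touches the host, inbound or outbound, is dropped. Flows that do not
    involve the host at all are reported as 'n/a'.
    """
    if host not in (flow.src, flow.dst):
        return "n/a"
    outbound = flow.src == host
    if outbound and flow.proto == "tcp" and flow.dport in ALLOWED_OUTBOUND_TCP:
        return "allow"
    return "drop"


def detect_sweeps(flows, port: int = 135, min_targets: int = 5) -> dict:
    """Return {source: distinct_targets} for sources that hit `port` on at
    least `min_targets` different hosts, the subnet-wide spread the column
    describes. A single connection to port 135 is normal Windows traffic;
    one host fanning out to many neighbours on it is not."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == port:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def audit(log_text: str, host: str, min_targets: int = 5):
    """Run both checks over a log; returns (verdicts, sweeps, drop_count)."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    verdicts = {(f.src, f.dst, f.dport): policy_verdict(f, host) for f in flows}
    sweeps = detect_sweeps(flows, min_targets=min_targets)
    drop_count = sum(1 for v in verdicts.values() if v == "drop")
    return verdicts, sweeps, drop_count


if __name__ == "__main__":
    verdicts, sweeps, dropped = audit(CONSTRUCTED_LOG, host="10.0.0.7")
    for (src, dst, port), verdict in verdicts.items():
        print(f"{src:>10} -> {dst:<14} tcp/{port:<4} {verdict}")
    print(f"{dropped} of {len(verdicts)} flows dropped by default-deny policy")
    for src, n in sweeps.items():
        print(f"sweep: {src} contacted {n} distinct hosts on tcp/135")
```

With the constructed log, the only flows that survive the policy are the laptop's own connections to TCP 80 and 110; its five outbound port 135 connections, the two inbound ones from other office machines, and an inbound port 80 attempt are all dropped. The sweep detector separately flags the laptop as the source fanning out across the subnet, which is the switch-light symptom from the column expressed as a rule.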

Second, all mobile systems should always have the latest patches and antivirus definitions. Although I thought my networks were protected from the outside, I learned that networks aren't really secure until you've plugged the mobile worm hole.
