CERT® Incident Note IN-2003-01
The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.
Malicious Code Propagation and Antivirus Software Updates
Release Date: July 2, 2003
Recent reports to the CERT/CC have highlighted two chronic
- The speed at which viruses are spreading is increasing. This
echoes the trend toward faster propagation rates seen in the past
few years in self-propagating malicious code (i.e., worms).
Beginning with the Code Red worm (CA-2001-19, CA-2001-23) in 2001 up through
the Slammer worm (CA-2003-04) earlier this year, we
have seen worm propagation times drop from hours to minutes.
A similar trend from weeks to hours has emerged in the virus
(i.e., non-self-propagating malicious code) arena. The
effectiveness of antivirus software suffers as a result. Several
recent malicious code incidents involving variants of W32/BugBear
have achieved widespread propagation at rates significantly faster
than many previous viruses. This increased speed is, unfortunately,
also faster than many antivirus signatures can be identified and
updated, regardless of the update method (including automated
signature updates). The CERT/CC has received reports of successful
compromises from users whose signatures were up to date for the
prior versions of W32/Sobig.
Signature-based antivirus software is not the only type of
antivirus software at risk: antivirus software that uses heuristics
to determine malicious behavior may be circumvented by malicious
code that employ new techniques. They should not be unconditionally
trusted either, as they may not always block malicious code from
executing. Additionally, we are aware of instances where corrupted
antivirus software updates have caused the software to be disabled
without the user's knowledge.
- In a number of the reports, users who were compromised may have
been under the incorrect impression that merely having antivirus
software installed was enough to protect them from all
malicious code attacks. This is simply a mistaken assumption, and
users must always exercise caution when handling email
attachments or other code or data from untrustworthy sources.
In general, it is important to remember that while antivirus
software vendors continue to improve the speed and reliability of
their signature update mechanisms, there will always be some window
of time when a system does not contain signatures to detect a
particular worm or virus. Several recent research papers that have
placed estimates on the magnitude of "worst-case scenario"
malicious code propagation rates also illustrate the risk to
systems during the window of time before signatures are
Apply "defense in-depth"
As mentioned above, it is not sufficient to rely solely on
antivirus software for complete protection. Therefore, we recommend
users apply a strategy of "defense in-depth" (where several layers
of security or access controls are used) when considering ways to
protect their computers from attackers. Although it may not be
practical for all users, another way of achieving defense in-depth
is to use diverse software and operating systems when possible.
Some additional ways of improving security beyond the use of
antivirus software follow.
In addition to following the steps outlined in this section, the
CERT/CC encourages home users to review the "Home Network
Security" and "Home Computer
Run and maintain an antivirus product
While an up-to-date antivirus software package cannot protect
against all malicious code, for most users it remains the best
first-line of defense against malicious code attacks.
Most antivirus software vendors release frequently updated
information, tools, or virus databases to help detect and recover
from malicious code, including W32/Bugbear.B and W32/Sobig.E.
Therefore, it is important that users keep their antivirus software
up to date. The CERT/CC maintains a partial list of antivirus
Many antivirus packages support automatic updates of virus
definitions. The CERT/CC recommends using these automatic updates
Do not run programs of unknown origin
Never download, install, or run a program unless you know it to
be authored by a person or company that you trust. Email users
should be wary of unexpected attachments, while users of Internet
Relay Chat (IRC), Instant Messaging (IM), and file-sharing services
should be particularly wary of following links or running software
sent to them by other users, as these are commonly used methods
among intruders attempting to build networks of distributed
denial-of-service (DDoS) agents.
Disable or secure file shares
Best practice dictates a policy of least privilege. For example,
if a Windows computer is not intended to be a server (i.e., share
files or printers with others), "File and Printer Sharing for
Microsoft Networks" should be disabled.
For computers that export shares, ensure that user
authentication is required and that each account has a well-chosen
password. Furthermore, consider using a firewall to control which
computer can access these shares.
By default, Windows NT, 2000, and XP create certain hidden and
administrative shares. See the
HOW TO: Create and Delete Hidden or Administrative Shares on Client
Computers for further guidelines on managing these shares.
Deploy a firewall
The CERT/CC also recommends using a firewall product, such as a
network appliance or a personal firewall software package. In some
situations, these products may be able to alert users to the fact
that their machine has been compromised. Furthermore, they have the
ability to block intruders from accessing backdoors over the
network. However, no firewall can detect or stop all attacks, so it
is important to continue to follow safe computing practices.
Recovering from a system compromise
If you believe a system under your administrative control has
been compromised, please follow the steps outlined in
for Recovering from a UNIX or NT System Compromise
- Paxson, V., Staniford, S., Weaver, N. "How to 0wn the Internet
in Your Spare Time" http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html
- Moore, D., Paxson, V., Savage, S., Shannon, S., Staniford, S.,
Weaver, N. "The Spread of the Sapphire/Slammer Worm" http://www.cs.berkeley.edu/~nweaver/sapphire/
Authors: Chad Dougherty
and Allen Householder
This document is available from: http://www.cert.org/incident_notes/IN-2003-01.html
CERT/CC Contact Information
- Email: firstname.lastname@example.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
- CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available
from our web site
* "CERT" and "CERT Coordination Center" are registered in the
U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either
expressed or implied as to any matter including, but not limited
to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of
any kind with respect to freedom from patent, trademark, or
Conditions for use,
disclaimers, and sponsorship information
Copyright ©2003 Carnegie Mellon University.