CRN Test Center: Blaster/Lovsan Worm Points Out Service Opportunities

The Windows vulnerability the worm exploits has been known for months, and a patch was made available in mid-July. That, coupled with the fact that the worm is easily fended off by following any one of a legion of well-known best practices for network management--even without the patch--indicates there is plenty of work for solution providers that can manage the issues for their customers.

The worm takes control of systems by making a remote procedure call through one of several ports. Any well-configured firewall would block this part of the attack, so affected networks clearly need port scans to reveal exposed ports, along with firewall installation, management or upgrades.

The nature of the attack is such that, as the worm spreads through a network, there is an unnatural rise in activity on the ports used for the attack. That would cause traffic congestion at the switch level if the switches route data by software port number. This opens the door to offering network monitoring services that detect and act against the resulting port storming.

Once the worm gains control of a system through an RPC to the distributed COM layer in the operating system, it downloads an executable--the actual worm code--via TFTP. This underscores another undermanaged area in most networks: disabling system services that are not needed. TFTP may be needed by some systems, but many exploits rely on services that are rarely needed yet enabled by default. As part of a network lock-down service, solution providers could audit systems and turn off unneeded services on a system-by-system basis.
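The two-stage pattern described in the last two paragraphs, a burst of RPC connection attempts from one host followed by a TFTP fetch from the newly infected machine, is what a monitoring service would look for. The following is an added example, not code from the article or from any vendor it mentions: a small Python detector run over constructed firewall log lines. The log format, the thresholds and the specific port numbers (TCP 135 for the RPC endpoint and UDP 69 for TFTP, which the article does not name) are assumptions for the example.

```python
"""Flag hosts whose connection pattern matches the worm behaviour the article
describes: many RPC connection attempts to distinct targets from one source
within a short window (port storming), then an outbound TFTP request from a
host that was just hit, back to the host that hit it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions, not stated in the article: the RPC attack port is TCP 135 and
# the follow-up download uses TFTP on UDP 69. Thresholds are illustrative.
RPC_PORT = 135
TFTP_PORT = 69
SCAN_THRESHOLD = 5              # distinct targets hit on RPC_PORT within WINDOW
WINDOW = timedelta(seconds=60)

# Constructed sample firewall log (format invented for this example):
# timestamp src_ip dst_ip proto dst_port
SAMPLE_LOG = """\
2003-08-11T14:00:01 10.0.0.5 10.0.0.20 TCP 135
2003-08-11T14:00:02 10.0.0.5 10.0.0.21 TCP 135
2003-08-11T14:00:02 10.0.0.5 10.0.0.22 TCP 135
2003-08-11T14:00:03 10.0.0.5 10.0.0.23 TCP 135
2003-08-11T14:00:03 10.0.0.5 10.0.0.24 TCP 135
2003-08-11T14:00:04 10.0.0.5 10.0.0.25 TCP 135
2003-08-11T14:00:06 10.0.0.25 10.0.0.5 UDP 69
2003-08-11T14:00:10 10.0.0.9 10.0.0.30 TCP 135
2003-08-11T14:05:00 10.0.0.9 10.0.0.31 TCP 80
"""


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, proto, port) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, proto, int(port)))
    return events


def find_scanners(events):
    """Return {src: max_distinct_targets} for sources that contacted at least
    SCAN_THRESHOLD distinct hosts on RPC_PORT inside any WINDOW-long span."""
    per_src = defaultdict(list)                  # src -> [(ts, dst), ...]
    for ts, src, dst, proto, port in events:
        if proto == "TCP" and port == RPC_PORT:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits inside WINDOW.
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= SCAN_THRESHOLD:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


def find_tftp_fetches(events, scanners):
    """Hosts hit on RPC_PORT by a flagged scanner that then sent a TFTP request
    back to that scanner: the RPC-then-TFTP sequence the article describes."""
    hit_by = defaultdict(set)                    # victim -> {scanner, ...}
    for ts, src, dst, proto, port in events:
        if src in scanners and proto == "TCP" and port == RPC_PORT:
            hit_by[dst].add(src)
    fetches = []
    for ts, src, dst, proto, port in events:
        if proto == "UDP" and port == TFTP_PORT and dst in hit_by.get(src, ()):
            fetches.append((src, dst))           # (likely new victim, source)
    return fetches


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    scan = find_scanners(evs)
    for host, n in scan.items():
        print(f"port storming from {host}: {n} distinct RPC targets in {WINDOW}")
    for victim, source in find_tftp_fetches(evs, scan):
        print(f"{victim} fetched via TFTP from {source}: probable new infection")
```

Only the first source in the constructed log crosses the threshold; the host with a single RPC connection and a later web request is left alone, which is the kind of distinction a monitoring service needs so that normal DCOM traffic does not drown the alert. The TFTP check is deliberately tied to a host that was just hit by a flagged scanner, since TFTP on its own may be legitimate on some systems, as the article notes.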

The most obvious service to offer affected customers is patch management. Had customers applied the existing patch, they would not have been hit by the worm. The service can be as simple as running the Microsoft Autoupdate Wizard on all client machines so patches are applied automatically. If a more staged approach is desired, one machine can be set to update automatically, and the solution provider can apply the patch manually to the other systems after a week or so of sound operation. Microsoft also offers a security notification subscription service that sends security alert e-mails, for those who prefer an even more hands-on approach. Finally, a full-bore patch and system configuration management system could be installed to handle larger networks.