Microsoft is working on a plan to include worm removal tools in a new feature called Microsoft Update that’s on schedule for release by this year’s end.
With the proliferation of destructive worms like Blaster, NetSky and Sasser escalating daily to pose an ever-greater threat to home users, Microsoft plans to release the new Microsoft Update as part of the larger Windows Update patch management platform.
Depending on the threat level of malicious worms, the software giant will automate the worm removal process. This goes beyond Microsoft’s latest moves to create disinfection tools to deal with major virus outbreaks.
Earlier this year, Microsoft distributed a detection and removal tool for Windows XP and Windows 2000 machines infected by the Blaster virus. The tool was released as a 317 KB download (3 to 5 minutes for dial-up connections) after ISPs complained that infected home users were “actively transmitting” the worm.
Last weekend, when the Sasser worm and several mutants started exploiting the Local Security Authority Subsystem Service (LSASS) vulnerability, Microsoft again released a removal tool for customers.
However, as security experts have repeatedly warned, home users need to be actively prodded into applying software fixes. A Microsoft spokesperson told internetnews.com that the company’s long term security vision was outlined in a recent executive e-mail issued by Chairman Bill Gates, where “significant investments” in four key areas were identified.
In the March 31 document, Gates said Microsoft would continue to spend heavily on isolation and resiliency, software updating, software quality, and authentication and access control.
The plans include a complete revamp of Microsoft’s Software Update Services (SUS), which will evolve into a new product called Windows Update Services and will be shipped as a free component of the Windows Server. It promises seamless update, scanning and installation capabilities for Windows servers and desktops.
Even as work continues on automating the worm removal process, security researchers caution that the dependence on automatic clean-up tools could be very risky for consumers.
The SANS Internet Storm Center, which tracks malicious Internet activity, believes it leads to complacency. “While we don’t want to discourage people from using these tools, we also don’t want the public to get too complacent and think that once they use one of these tools everything is fine. We are seeing a great deal of evidence of multiple infections on machines with Sasser,” stated a SANS advisor y.
“Machines infected with Sasser are often also infected with something else, frequently one of the recent agobot/gaobot/phatbot variants that also target the MS04-011 vulnerabilities. Our standard advice remains, if you get infected, your best course of action is a complete rebuild of the system.”
The Center described Sasser as an “indicator exploit” and made it clear that when a user is infected by Sasser, it means the system was unpatched and still vulnerable to the LSASS exploit. “Before Sasser, a large number of bot variants exploited this same vulnerability. We find that many systems infected with Sasser are infected with one or more bots in addition to Sasser.”
SANS said anti-virus signatures are typically not able to keep up with all versions and warned that many ‘bots’ include specific code to plant backdoors, disable firewalls and antivirus products, or to add additional system accounts.
“Antivirus software is not able to reliably detect and clean all of these bots…As a result, if you are infected by Sasser, try to rebuild your system from scratch.” Detailed instructions on setting up a new system safely are available here.
Home users buying new systems must also assume it is not yet patched and use extreme care the first time they connect it to a network, the Center added.