The Swen computer worm is turning out to be a bigger problem than earlier expected, using a brief head start on computer antivirus defenses, as well as complex abilities and an effective masquerade, to infect Windows machines and spread via e-mail to many users.
The worm, also known as “Gibe” or its more technical name of “w32.swen@mm,” takes advantage of a well-known vulnerability in Internet Explorer that was first announced in March 2001. A software patch and removal tools for affected Windows systems are available, but because of its persistence — the worm infects via e-mail or network sharing automatically — it may be difficult to eliminate.
“People are absolutely seeing this pop up in their mailboxes today,” Symantec senior director of Security Response Vincent Weafer told TechNewsWorld. “For the person who has got it, it’s a painful cleanup process.”
Significant Spread
Weafer said Swen, which spoofs a Microsoft security message, has spread primarily among home users, who accounted for 87 percent of infections as of Friday. “It’s significant, but it’s still not going to be a real major event,” Weafer said. “We see it dying down.”
Still, even non-Windows users were affected by the worm’s spread, as one TechNewsWorld reader — a Mac user — reported receiving more than 250 Swen e-mails in the last day.
MessageLabs chief technology officer Mark Sunner described the worm as highly complex and told TechNewsWorld that although it was first discovered September 14th, it was not seen as a priority, and the threat was not added to updated protection from leading antivirus vendors.
“Initially, this went right under the nose of normal desktop antivirus,” Sunner said, endorsing MessageLabs’ intercept-and-scan approach over traditional antivirus methods that he claimed do not work. “It’s almost inexcusable it went through those vendors.”
As virus fighters and security companies, including Symantec and F-Secure, upped their severity ratings on Swen before the weekend, MessageLabs reported the interception of more than 35,000 copies of the worm. Sunner said there were infections in 84 countries Friday afternoon, with one in every 355 e-mails containing the worm.
Polymorphic Problem
Classified as a worm because of its ability to copy itself without infecting host files, Swen represents a high level of sophistication in its ability to execute code automatically, its deceptive spoof of Microsoft correspondence and its randomization of information that could be used to identify it, according to Sunner.
“It’s massively polymorphic,” he said. “It randomizes file text, file name and subject with a high degree of polymorphism. Someone really thought about this.”
Sunner likened the worm to the original Gibe worm, but said it was written in C++ and also used an SMTP engine, adding to the indications of a highly sophisticated author.
Symantec’s Weafer agreed, adding that the higher-level programming language allowed the addition of some of the worm’s features — a trend among the latest viruses.
Who’s Counting
Another unique feature of Swen is its ability to communicate with a Web site that keeps track of the number of computers it has successfully infected. As of late Friday afternoon, the counter was up to more than 1.5 million infected computers.
Ken Dunham, malicious code intelligence manager at iDefense, told TechNewsWorld that the number of infections might be skewed because the Web site address was posted to a security mailing list and likely garnered hits from researchers and others.
However, Dunham said that because it is supposedly accounting for all infections, which are typically underreported, Swen might actually be giving a more accurate estimate than usual of the spread.
“Swen may be giving us a clear picture of how widespread some of these new worms actually are,” he said. “When we see 20,000 interceptions listed on a public Web site, there may actually be several hundred thousand infected computers.”
Seems to me that most worms can be avoided by following a few simple rules:
1) Don’t open attachments. Make sure your settings prevent your e-mail client from opening attachments and, in some cases, from displaying pictures.
2) Keep your anti-virus software up to date.
3) Avoid use of mainstream programs such as Internet Explorer/Outlook/Outlook Express for Internet/e-mail access. Or, if you must use them, be careful and check all your settings.
My network consists of Windows 98/2000, Linux, OpenBSD, and Mac OS. To date I have received four e-mails containing the SWEN worm attachment – yet the network remains unaffected mostly because I adhere to and enforce basic security rules.
I realize that this this will not stop the spread of worms/virii completely, but it should slow down the sperad. Unfortunately, most people are too willing to sacrifice security for the sake of convenience.
You know… You could just set up a filter so that you can only receive mail from people you know… You could also require digital signatures attached to the messages you receive… These two measures would solve all spam and worm-related problems… But no… Just go ahead with Microsoft bashing… You’re aware that, if some other company with a different operating system would dominate the market, things would be the same, right?
While I seriously advocate the use of open source solutions and have had a hate on for MS for the longest time, the world is not going to change too soon. I started using Linux full time after spending 6 months arguing with MS tech support. I was told by MS that Windows 98 is not an Operating System, it is an Operating Environment. I’d have to sensor my response, but I told them that whatever they want to call it, it wasn’t operating. I have not purchased any MS products since – save for 2000 which came OEM on a system I bought a couple years back.
I keep 98 & 2000 on my network as a necessary evil. The vast majority of users (including my clients) still cling to MS Products. Sometimes it feels like a losing battle, but we must plug on ahead.
This is not bashing MS, simply stating that in my experience the majority of stuff done on Windows can be done on other OS at a fraction of the cost. I think people have just become used to rebooting every other hour.
I’m not certain that a class action suit would accomplish much either. How many people out there read the license agreement, not just the part that says, "I AGREE"? While MS marketing actions are, imo, detestable and completely lacking in ethics, there is now enough of a choice out there where you DON’T have to use Windows.
What I think is that the other manufacturers should consider porting their products to run on Linux/Unix/Mac OS. And offer free packages to people who want to port their current copy. This would give a greater advantage to the Other OS out there and would expand the market for the current companies.
But then again, maybe this is just one guy’s opinion.
I have no problems in my PC since I have implemented safeguards against SWEN and others.
However, what i’m having a problem is that ever since that worm got out, 99% of the emails that I receive are the mass mailed product of that worm and i’m losing so much productivity sifting thru the emails.
Is there a way to fix that at the ISP level where the pop server resides?
Thanks
Unfortunately ISP level filtering has been made more difficult since VeriSign introduced their SiteFinder "service" by adding a wildcard to the .com and .net TLDs; it’s now no longer possible to filter mail by discarding stuff from hosts that do not resolve — EVERYTHING now resolves! This worm appeared at a convenient time — if I were of a suspicious or paranoid nature, I’d be tempted to dream up a conspiracy theory about it…
You should see me — I get 200+ e-mails DAILY with worm infections, my POP3 account get blocked if I don’t download e-mail every 3 hours, and since most of it contains attachments, it takes forever to download — let alone the fact that i’m connecting via cellphone when I’m on the road (most of the time), makes it both expensive and tedious and sloooowww… i’m so tired it this, it has been over 2 weeks and nothing seems to be happening. I’ve checked my computer for the virus and I seem to be clean, yet still getting the e-mails. My ISP is doing nothing and they say the can’t do nothing. This is soooo frustrating.
Any idea how can I avoid getting so many junk?!?!??!?!
THanks.,
So here we go again. Even though the IE vulnerability has been well known for almost 30 months, Microsoft’s policy of not fixing foundation-level vulnerabilities and buggy code, insecurities, and the failed design model, coupled with the hegemonic marketing practices that push consumers into buying a Microsoft product because to choose other OS’s is so difficult at point of computer purchase, has resulted in yet another deluge of Microsoft-spawned garbage. I AM so tired of getting this Swen email spoof that just clogs up my POP3 account, wastes download time and slows down general services, because oftentimes these messages carry attachments which have to be downloaded too.
I think it is time that the computer-using public band together to initiate a class-action suit against Microsoft for gross irresponsibility coupled with commercial promiscuity that simply spread the problem to more and more users. How can anyone ever trust this company for "secure" computing – it’s idea of secure computing is to lock everything down with royalty-based schemes based on so-called intellectual property rights.
I AM currently exploring dumping Microsoft products in my company and at my home. Enough is enough – time to give Mac or Linux a chance methinks. Bill Gates has had enough of my money and that of the shareholders who invest in my company and these problems have become a repetitive pattern and we are tired of it. Time for a change, even if it does mean that the staff’s learning curve will be steep initially. That will at least be a worthwhile investment of time and effort if it means secure and stable computing.