Discovering Blended Threats


A blended threat is malicious code that uses multiple methods to propagate and attack targets. In effect, a blended threat is a worm that can use multiple automated attacks to compromise systems and propagate. Blended threats can spread rapidly and do a great deal of damage.

The Nimda worm, an early example of a blended threat, compromised and infected more than two million computers in less than 24 hours. Nimda spread by attacking a known vulnerability in Microsoft’s Internet Information Server (IIS) software. Nimda also spread itself via infected e-mail attachments and could spread across networks by infecting vulnerable shares. Blended threats such as Nimda can cause hundreds of millions of dollars in damage.

Because blended threats can spread via multiple methods and are automated, they are more difficult to defend against than simple viruses or worms. Some of the ways that blended threats can spread are:

  • Exploiting known vulnerabilities in systems and applications

  • Via Web pages

  • Infecting shared folders and directories

  • Through e-mail attachments

Although it’s an integral part of defending your computer, antivirus software alone is not sufficient to protect your systems from blended threats. For example, like many other blended threats, the CodeRed worm spread by exploiting vulnerabilities in Microsoft operating systems. Because CodeRed executed itself directly in a computer’s memory rather than first copying itself to a hard disk, it was able to bypass many antivirus products.
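Because a worm like CodeRed never writes a file for antivirus to scan, the Web server's own request log is one place where it stays visible. The following is an added example, not code from the book: it flags CodeRed-style and Nimda-style probes in Common Log Format lines. The request patterns are the widely documented ones for these worms (an assumption, not stated on this page), and the log lines and addresses are constructed samples.

```python
import re
from collections import Counter

# Request shapes widely documented for these worms (assumed; not from the page).
SIGNATURES = {
    "CodeRed": re.compile(r"/default\.ida\?[NX]{20,}"),
    "Nimda": re.compile(r"/(?:root|cmd)\.exe\?/c\+", re.I),
}

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

# Constructed sample log; the addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:10:01:02 +0000] "GET /default.ida?' + "N" * 224 + ' HTTP/1.0" 404 205',
    '198.51.100.7 - - [18/Sep/2001:14:20:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [18/Sep/2001:14:20:12 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '203.0.113.5 - - [18/Sep/2001:14:21:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
]

def classify(line):
    """Return (source_ip, worm_name, status) for a probe line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, path, status = m.group(1), m.group(2), int(m.group(3))
    for name, sig in SIGNATURES.items():
        if sig.search(path):
            return ip, name, status
    return None

def summarize(lines):
    """Count probes per (ip, worm); collect probes the server answered with 200."""
    hits, answered = Counter(), []
    for line in lines:
        hit = classify(line)
        if hit:
            ip, name, status = hit
            hits[(ip, name)] += 1
            if status == 200:  # request was not rejected: check patch level first
                answered.append((ip, name))
    return hits, answered

if __name__ == "__main__":
    hits, answered = summarize(SAMPLE_LOG)
    for (ip, name), count in hits.items():
        print(f"{ip}: {count} {name}-style probe(s)")
    print("answered with 200:", answered)
```

A probe answered with 200 does not prove infection, but it marks the server whose patch level should be checked first.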

Early blended threats infected millions of computers in a single day; newer blended threats can spread even more quickly. Before long, we will see worms that spread to millions of hosts in a matter of hours or even minutes. With the speed at which blended threats spread, it’s imperative that you take steps to protect your computers. A layered defense, also known as defense in depth, is the best way to protect your WLAN. Defense in depth includes:

  • Patching your system and applications regularly to eliminate vulnerabilities

  • Installing antivirus software and making sure that it stays up to date

  • Using a firewall to protect your network

Again, patching your system to eliminate vulnerabilities is extremely important. Many worms and blended threats have spread by exploiting known vulnerabilities. Vendors often release patches to correct vulnerabilities weeks prior to the appearance of malicious software designed to exploit the flaws. Because millions of users fail to download and apply these patches, however, worms and blended threats spread and do millions of dollars of damage.

Taking the time to secure your WLAN will prevent a worm from spreading to your computers from a nearby WLAN or infected computer. Recently, an associate’s WLAN was infected with the Sasser worm, even though she had taken steps to protect her network from attack via her Internet connection. She had a properly installed firewall and antivirus solution, but her WLAN was completely insecure.

A neighbor inadvertently connected to her WLAN instead of his own, and the worm spread to her WLAN from his infected computer. Had she taken steps to prevent unauthorized connection to her wireless network, the Sasser worm would have never infected her computers.

Cross-Reference 

Read more about how to secure your WLAN in Chapter 11.




Caution! Wireless Networking: Preventing a Data Disaster
ISBN: 076457213X
EAN: 2147483647
Year: 2003
Pages: 145
