Feared Windows Worm Starts Attack
Exploiting what may be the most widespread Windows vulnerability ever, a new worm is on the loose, setting up a distributed denial-of-service attack against Microsoft Corp. and fulfilling security experts' ominous predictions.
MSBlaster, as it's been labeled by its author, hit the wild late on Monday and has been spreading fairly quickly across the globe taking advantage of a vulnerability in Microsoft's Windows operating system. But unlike most worms, this one isn't spreading via email. End users don't have to errantly click on a malicious attachment or be drawn in be a devious subject line. MSBlaster, also known as Lovsan and Poza, is distributing itself machine to machine through Port 135.
''Unlike most worms, people don't even know they've got it,'' says Chris Belthoff, a senior security analyst with Sophos, Inc., a security and anti-virus company based in Lynnfield, Mass. ''If your system isn't patched, it's unlikely you would even know you were infected... There's no email. No one has to click on anything. If systems were left unprotected, then the potential for spreading is very high.''
The worm isn't deleting information or wreaking havoc on the infected systems, say security analysts. MSBlaster doesn't even carry a destructive payload. Instead, it's geared to harvest as many vulnerable systems as possible and launch the DDoS attack on the windowsupdate.com Web site starting this Friday. The worm even has a message to Microsoft in its coding: 'billy gates why do you make this possible? Stop making money and fix your software!'
MSBlaster exploits a flaw with the Remote Procedure Call (RPC) process, which controls activities such as file sharing. The flaw enables the attacker to gain full access to the system. The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XP machines, affects both servers and desktops, expanding the reach of any exploit that takes advantage of it.
Where the vulnerability affects servers and desktops in such popular operating systems, there are potentially millions of vulnerable computers out there right now. The security industry sent out a widespread warning about two weeks ago, spurring many companies to install the necessary patch, which was available from Microsoft almost a month ago.
But security analysts worry that there are still millions of unpatched machines vulnerable to the new worm.
Dan Ingevaldson, an engineering manager with Altanta-based Internet Security Systems, Inc., says they did some testing within the last few days and found that about 70 percent of systems were still unpatched.
''Just say there are 20 million vulnerable computers,'' says Ingevaldson. ''If you patch 20 percent of them, you're still looking at 16 million vulnerable computers.''
Ingevaldson says they're not exactly sure of the number of vulnerable computers but is confident that it ranges in the millions. By contrast, SQL Slammer, which caused a lot of problems around the world, infected only about 100,000 computers.
''We're talking about a lot more than SQL,'' says Ingevaldson. ''A lot of vulnerabilities exist in Internet Explorer and Outlook, but this is a core piece of the operating system. It's one of the most widespread and serious of the vulnerabilities we've seen. I'm not sure if it's the most widespread, but it's definitely one of the most.''
Regardless of exactly how many computers will be affected, MSBlaster is likely to create a stir, if not serious problems, at Microsoft.
By aiming the DDoS attack at windowsupdate.com, the author of the worm is deliberately trying to make it difficult for IT managers and individual users to download the patch they need to secure their systems against the worm. ''It will focus all the net congestion on that site,'' says Steven Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio. ''If it spreads enough around the world, it could shut down that site. And if that happens, it will render patching impossible.''
A Microsoft spokesman could not be reached by deadline, but Ingevaldson says he's heard reports that Microsoft has been working on securing their Web site since Monday afternoon.
''I'm sure Microsoft is a seasoned veteran when it comes to defending against DDoS attacks,'' he adds. ''I have heard they're not very worried about the coming attack on Friday. Maybe they know something I don't. They're big and they're very savvy about these kind of things. They've got a lot of muscle and a lot of experience.''
August 04, 2003
As U.S. workers opened their email Monday morning, they unleashed a new mass-mailing worm. Mimail, which temporarily shut down several government agencies last Friday, has raised concerns in an industry already on high alert for a coming large-scale hacker attack.