Download our in-depth report: The Ultimate Guide to IT Security VendorsExploiting what may be the most wide-spread Windows vulnerability ever, a new worm is on theloose, setting up a distributed denial-of-service attack against Microsoft Corp. andfulfilling security experts' ominous predictions.
MSBlaster, as it's been labeled by its author, hit the wild late on Monday and has beenspreading fairly quickly across the globe taking advantage of a vulnerability in Microsoft'sWindows operating system. But unlike most worms, this one isn't spreading via email. Endusers don't have to errantly click on a malicious attachment or be drawn in be a devioussubject line. MSBlaster, also known as Lovsan and Poza, is distributing itself machine tomachine through Port 135.
''Unlike most worms, people don't even know they've got it,'' says Chris Belthoff, a seniorsecurity analyst with Sophos, Inc., a security and anti-virus company based in Lynnfield,Mass. ''If your system isn't patched, it's unlikely you would even know you were infected...There's no email. No one has to click on anything. If systems were left unprotected, thenthe potential for spreading is very high.''
The worm isn't deleting information or wreaking havoc on the infected systems, say securityanalysts. MSBlaster doesn't even carry a destructive payload. Instead, it's geared toharvest as many vulnerable systems as possible and launch the DDoS attack on thewindowsupdate.com Web site starting this Friday. The worm even has a message to Microsoft inits coding: 'billy gates why do you make this possible? Stop making money and fix yoursoftware!'https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i What analysts are concerned about is the number of vulnerable systems that the worm couldinfect.
MSBlaster exploits a flaw with the Remote Procedure Call (RPC) process, which controlsactivities such as file sharing. The flaw enables the attacker to gain full access to thesystem. The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XPmachines, affects both servers and desktops, expanding the reach of any exploit that takesadvantage of it.
Where the vulnerability affects servers and desktops in such popular operating systems,there are potentially millions of vulnerable computers out there right now. The securityindustry sent out a widespread warning about two weeks ago, spurring many companies toinstall the necessary patch, which was available from Microsoft almost a month ago.
But security analysts worry that there are still millions of unpatched machines vulnerableto the new worm.
Dan Ingevaldson, an engineering manager with Altanta-based Internet Security Systems, Inc.,says they did some testing within the last few days and found that about 70 percent ofsystems were still unpatched.
''Just say there are 20 million vulnerable computers,'' says Ingevaldson. ''If you patch 20percent of them, you're still looking at 16 million vulnerable computers.''
Ingevaldson says they're not exactly sure of the number of vulnerable computers but isconfident that it ranges in the millions. By contrast, SQL Slammer, which caused a lot ofproblems around the world, infected only about 100,000 computers.
''We're talking about a lot more than SQL,'' says Ingevaldson. ''A lot of vulnerabilitiesexist in Internet Explorer and Outlook, but this is a core piece of the operating system.It's one of the most widespread and serious of the vulnerabilities we've seen. I'm not sureif it's the most widespread, but it's definitely one of the most.''
Regardless of exactly how many computers will be affected, MSBlaster is likely to create astir, if not serious problems, at Microsoft.
By aiming the DDoS attack at windowsupdate.com, the author of the worm is deliberatelytrying to make it difficult for IT managers and individual users to download the patch theyneed to secure their systems against the worm. ''It will focus all the net congestion onthat site,'' says Steven Sundermeier, vice president of products and services at CentralCommand Inc., an anti-virus company based in Medina, Ohio. ''If it spreads enough around theworld, it could shut down that site. And if that happens, it will render patchingimpossible.''
A Microsoft spokesman could not be reached by deadline, but Ingevaldson says he's heardreports that Microsoft has been working on securing their Web site since Monday afternoon.
''I'm sure Microsoft is a seasoned veteran when it comes to defending against DDoSattacks,'' he adds. ''I have heard they're not very worried about the coming attack onFriday. Maybe they know something I don't. They're big and they're very savvy about thesekind of things. They've got a lot of muscle and a lot of experience.''