The attack, which is expected to start tonight, is aimed at Microsoft's windowsupdate.comWeb site -- the site users have been sent to for the patch that will ward off the Blasterworm. Microsoft execs want to make sure that system patching continues even after the attackbegins.
''we've been working nonstop to make sure we can provide the patch to our customers and wethink we'll be able to,'' says Stephen Toulouse, a security program manager in Microsoft'sSecurity Response Center. ''Our number one concern is getting customers the patch and makingsure they can get to our site.''
To that end, Toulouse says Microsoft is guiding users to the patch through an alternateroute. Customers can get to it by going to www.microsoft.com/security. That site won't beaffected even if the windowsupdate.com site goes offline during an attack.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i Toulouse adds that they've taken steps to ward off the attack and keep the site up andrunning, but he would not give specifics for fear that the information would help futurevirus writers.
He adds that even though Microsoft is frequently the target of DDoS attacks and has practiceguarding against them, he can't be sure the site won't experience problems once the Blasterattack hits full force.
''Denial-of-Service attacks tend to be successful because they're brute force attacks,''says Toulouse. ''It's always one of those things where we'll know when it happens.''
Microsoft has logged an increase in traffic to the windowsupdate.com site over the pastseveral hours, Toulouse says, adding that some customers had their computer clocksmisconfigured so their DoS attacks came early. But he expects to see the traffic flow to thesite increase steadily over the course of the day today and tomorrow.
''We've just been preparing as if it's going to start any moment,'' says Toulouse.
The Blaster worm was first detected on Monday. It quickly spread from machine to machineacross the globe through a flaw in the Windows operating system. But the worm doesn't carrya destructive payload, only causing a small percentage of infected computers to rebootbecause of a flaw in its own coding.
Instead, Blaster, otherwise known as LovSan and Poza, is specifically aimed at causingtrouble for Microsoft. The worm is geared to harvest as many vulnerable systems as possibleand launch a DDoS attack on the windowsupdate.com Web site starting late Friday or earlySaturday morning. By focusing all the net congestion on that Web site, the author of theworm is deliberately trying to make it difficult for IT managers and individual users todownload the patch they need to secure their systems against the worm.
Several anti-virus and security companies, including Symantec Corp., raised the worm'sthreat level to their second-highest rating earlier this week, despite the fact that thenumber of new infections had leveled off or even slowed. Blaster has not caused much networkcongestion and hasn't affected Internet traffic on anything but a very localized scale.
But analysts say it's the potential they're worried about.
Blaster exploits a flaw with the Remote Procedure Call (RPC) process, which controlsactivities such as file sharing. The flaw enables the attacker to gain full access to thesystem. The vulnerability itself, which affects Windows NT, Windows 2000, Windows 2003 andWindows XP machines, affects both servers and desktops, expanding the reach of any exploitthat takes advantage of it.
Where the vulnerability affects servers and desktops in such popular operating systems,there are potentially millions of vulnerable computers out there right now. The securityindustry sent out a widespread warning about two weeks ago, spurring many companies toinstall the necessary patch, which was available from Microsoft almost a month ago.
And with millions of systems still unpatched, Microsoft is determined to make sure customersare able to get onto their Web site and download the needed fix.