Warning Goes Out about Blaster Email Hoax

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Security analysts are warning IT managers and users about an email hoax that is playing offpeople's concerns about the Blaster worm.

A new backdoor Trojan, named the Graybird-A, is being disguised as a patch for the MicrosoftWindows vulnerability that the Blaster worm has been exploiting for the past week. The boguspatch is coming attached to an email.

Microsoft has issued a statement warning users that the company never delivers softwaredirectly via email. Patches can be downloaded from the official Microsoft Web site or fromCD-Roms or floppy disks.

''Packaging Graybird as a Microsoft patch is a very devious trick,'' says Chris Belthoff, asenior security analyst at Sophos, Inc., an anti-virus and security company. ''Blaster isbelieved to have infected hundreds of thousands of computers around the world, and this is adeliberate attempt to exploit users' panic. Never trust unsolicited executable code thatarrives via email. Businesses should consider blocking all executable code at the emailgateway so it cannot reach their users.''

Users will be getting its Windows patches from a different Microsoft Web address than usual.

Because of the Blaster worm, Microsoft also has killed off its windowsupdate.com Web site.The Blaster worm was launching a distributed denial-of-service attack (DDoS) throughinfected computers against the windowsupdate.com Web site starting on Saturday, Aug. 16.

Instead of suffering through the attack or trying to ward it off, Microsoft simply shut downthe address.

Users can access Windows patches via the www.Microsoft.com site or the newhttp://windowsupdate.microsoft.com site.

''Users should not think this step means they no longer have to do anything about theBlaster worm,'' says Graham Cluley, senior technology consultant for Sophos. ''All computerusers still have a responsibility to ensure this worm has no hiding place on their PCs. So,install the patch from Microsoft, ensure your firewall is properly configured, and confirmyour anti-virus is up-to-date.''

The Blaster worm was first detected on Aug. 11. It quickly spread from machine to machineacross the globe through a flaw in the Windows operating system. But the worm doesn't carrya destructive payload, only causing a small percentage of infected computers to rebootbecause of a flaw in its own coding.

Instead, Blaster, otherwise known as LovSan and Poza, is specifically aimed at causingtrouble for Microsoft. The worm is geared to harvest as many vulnerable systems as possibleand launch a DDoS attack on the windowsupdate.com Web site. By focusing all the netcongestion on that Web site, the author of the worm was deliberately trying to make itdifficult for IT managers and individual users to download the patch they need to securetheir systems against the worm.

Blaster exploits a flaw in the Remote Procedure Call (RPC) process, which controlsactivities such as file sharing. The flaw enables the attacker to gain full access to thesystem. The vulnerability itself, which affects Windows NT, Windows 2000, Windows 2003 andWindows XP machines, affects both servers and desktops, expanding the reach of any exploitthat takes advantage of it.

Where the vulnerability affects servers and desktops in such popular operating systems,there are potentially millions of vulnerable computers out there right now. The securityindustry sent out a widespread warning about two weeks ago, spurring many companies toinstall the necessary patch, which was available from Microsoft a month ago.

Submit a Comment

Loading Comments...