Friday, April 12, 2024

Feared Windows Worm Starts Attack

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Exploiting what may be the most wide-spread Windows vulnerability ever, a new worm is on the

loose, setting up a distributed denial-of-service attack against Microsoft Corp. and

fulfilling security experts’ ominous predictions.

MSBlaster, as it’s been labeled by its author, hit the wild late on Monday and has been

spreading fairly quickly across the globe taking advantage of a vulnerability in Microsoft’s

Windows operating system. But unlike most worms, this one isn’t spreading via email. End

users don’t have to errantly click on a malicious attachment or be drawn in be a devious

subject line. MSBlaster, also known as Lovsan and Poza, is distributing itself machine to

machine through Port 135.

”Unlike most worms, people don’t even know they’ve got it,” says Chris Belthoff, a senior

security analyst with Sophos, Inc., a security and anti-virus company based in Lynnfield,

Mass. ”If your system isn’t patched, it’s unlikely you would even know you were infected…

There’s no email. No one has to click on anything. If systems were left unprotected, then

the potential for spreading is very high.”

The worm isn’t deleting information or wreaking havoc on the infected systems, say security

analysts. MSBlaster doesn’t even carry a destructive payload. Instead, it’s geared to

harvest as many vulnerable systems as possible and launch the DDoS attack on the Web site starting this Friday. The worm even has a message to Microsoft in

its coding: ‘billy gates why do you make this possible? Stop making money and fix your


What analysts are concerned about is the number of vulnerable systems that the worm could


MSBlaster exploits a flaw with the Remote Procedure Call (RPC) process, which controls

activities such as file sharing. The flaw enables the attacker to gain full access to the

system. The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XP

machines, affects both servers and desktops, expanding the reach of any exploit that takes

advantage of it.

Where the vulnerability affects servers and desktops in such popular operating systems,

there are potentially millions of vulnerable computers out there right now. The security

industry sent out a widespread warning about two weeks ago, spurring many companies to

install the necessary patch, which was available from Microsoft almost a month ago.

But security analysts worry that there are still millions of unpatched machines vulnerable

to the new worm.

Dan Ingevaldson, an engineering manager with Altanta-based Internet Security Systems, Inc.,

says they did some testing within the last few days and found that about 70 percent of

systems were still unpatched.

”Just say there are 20 million vulnerable computers,” says Ingevaldson. ”If you patch 20

percent of them, you’re still looking at 16 million vulnerable computers.”

Ingevaldson says they’re not exactly sure of the number of vulnerable computers but is

confident that it ranges in the millions. By contrast, SQL Slammer, which caused a lot of

problems around the world, infected only about 100,000 computers.

”We’re talking about a lot more than SQL,” says Ingevaldson. ”A lot of vulnerabilities

exist in Internet Explorer and Outlook, but this is a core piece of the operating system.

It’s one of the most widespread and serious of the vulnerabilities we’ve seen. I’m not sure

if it’s the most widespread, but it’s definitely one of the most.”

Regardless of exactly how many computers will be affected, MSBlaster is likely to create a

stir, if not serious problems, at Microsoft.

By aiming the DDoS attack at, the author of the worm is deliberately

trying to make it difficult for IT managers and individual users to download the patch they

need to secure their systems against the worm. ”It will focus all the net congestion on

that site,” says Steven Sundermeier, vice president of products and services at Central

Command Inc., an anti-virus company based in Medina, Ohio. ”If it spreads enough around the

world, it could shut down that site. And if that happens, it will render patching


A Microsoft spokesman could not be reached by deadline, but Ingevaldson says he’s heard

reports that Microsoft has been working on securing their Web site since Monday afternoon.

”I’m sure Microsoft is a seasoned veteran when it comes to defending against DDoS

attacks,” he adds. ”I have heard they’re not very worried about the coming attack on

Friday. Maybe they know something I don’t. They’re big and they’re very savvy about these

kind of things. They’ve got a lot of muscle and a lot of experience.”

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles