Sunday, November 10, 2024

Feared Windows Worm Starts Attack


Exploiting what may be the most widespread Windows vulnerability ever, a new worm is on the loose, setting up a distributed denial-of-service attack against Microsoft Corp. and fulfilling security experts’ ominous predictions.

MSBlaster, as it’s been labeled by its author, hit the wild late on Monday and has been spreading fairly quickly across the globe, taking advantage of a vulnerability in Microsoft’s Windows operating system. But unlike most worms, this one isn’t spreading via email. End users don’t have to errantly click on a malicious attachment or be drawn in by a devious subject line. MSBlaster, also known as Lovsan and Poza, distributes itself from machine to machine over TCP port 135, with no user interaction at all.

“Unlike most worms, people don’t even know they’ve got it,” says Chris Belthoff, a senior security analyst with Sophos, Inc., a security and anti-virus company based in Lynnfield, Mass. “If your system isn’t patched, it’s unlikely you would even know you were infected… There’s no email. No one has to click on anything. If systems were left unprotected, then the potential for spreading is very high.”

The worm isn’t deleting information or wreaking havoc on the infected systems, say security analysts. MSBlaster doesn’t even carry a destructive payload. Instead, it’s geared to infect as many vulnerable systems as possible and then launch a DDoS attack on the windowsupdate.com Web site starting this Friday. The worm even carries a message to Microsoft in its code: “billy gates why do you make this possible? Stop making money and fix your software!”

What analysts are concerned about is the number of vulnerable systems that the worm could infect.

MSBlaster exploits a flaw in Windows’ Remote Procedure Call (RPC) service, which underpins activities such as file sharing and is reachable over the network on port 135. The flaw lets a remote attacker gain full control of the system without any credentials. The vulnerability, which affects Windows NT, Windows 2000 and Windows XP, is present on both servers and desktops, expanding the reach of any exploit that takes advantage of it. Because infection needs nothing more than an open port 135, the patch is the only real fix; blocking inbound port 135 at the network boundary limits exposure until hosts are patched.
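Since the worm spreads with no user action and victims often don’t notice, the earliest practical signal is the infected host’s own scanning: one machine opening connections to many different hosts on TCP port 135 in a short time. The script below is an added example, not code from the article or from any of the vendors quoted in it. Both the log format (one connection attempt per line, `<HH:MM:SS> <src_ip> -> <dst_ip>:<dst_port> <proto>`) and the sample traffic are constructed for illustration; a real deployment would parse the firewall or flow-export format actually in use.

```python
"""Flag hosts that fan out to many distinct targets on TCP port 135.

Added example, not from the original article. The log format and the
sample lines are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). One infected host probes
# twelve distinct machines on 135; the other hosts are benign noise.
_scan_lines = [f"12:00:{i:02d} 10.1.1.20 -> 10.1.2.{i}:135 tcp" for i in range(1, 13)]
_benign_lines = [
    "12:00:30 10.1.1.21 -> 10.1.1.5:135 tcp",  # workstation talking to one server, repeatedly
    "12:00:31 10.1.1.21 -> 10.1.1.5:135 tcp",
    "12:00:32 10.1.1.21 -> 10.1.1.5:135 tcp",
    "12:00:33 10.1.1.22 -> 10.1.1.6:445 tcp",  # file sharing on 445, not the port of interest
    "12:00:34 10.1.1.22 -> 10.1.1.7:445 tcp",
    "12:00:35 10.1.1.23 -> 10.1.1.8:135 udp",  # UDP, not a TCP connection attempt
    "this line is not a log record",           # malformed input must be skipped, not crash
]
SAMPLE_LOG = "\n".join(_scan_lines + _benign_lines)

# Constructed format: "<time> <src> -> <dst>:<port> <proto>"
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<proto>\w+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["proto"] = rec["proto"].lower()
    return rec


def find_scanners(log_text, port=135, min_targets=10):
    """Return {src_ip: distinct_target_count} for sources that attempted
    TCP connections to at least `min_targets` *distinct* hosts on `port`.

    Distinct destinations are counted rather than raw connection attempts,
    so a workstation hammering a single legitimate RPC server is not flagged,
    while a worm sweeping an address range is.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["proto"] != "tcp" or rec["port"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"possible worm scanning from {src}: {count} distinct hosts on tcp/135")
```

The threshold is deliberately a parameter: ten distinct destinations within a log window is a reasonable starting point for a workstation, but a management server or vulnerability scanner that legitimately talks RPC to many hosts should be whitelisted rather than have the threshold raised for everyone.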

Because the vulnerability affects both servers and desktops in such widely deployed operating systems, there are potentially millions of vulnerable computers out there right now. The security industry sent out a widespread warning about two weeks ago, spurring many companies to install the necessary patch, which has been available from Microsoft for almost a month.

But security analysts worry that there are still millions of unpatched machines vulnerable to the new worm.

Dan Ingevaldson, an engineering manager with Atlanta-based Internet Security Systems, Inc., says they did some testing within the last few days and found that about 70 percent of systems were still unpatched.

“Just say there are 20 million vulnerable computers,” says Ingevaldson. “If you patch 20 percent of them, you’re still looking at 16 million vulnerable computers.”

Ingevaldson says they’re not exactly sure of the number of vulnerable computers but is confident that it ranges in the millions. By contrast, SQL Slammer, which caused a lot of problems around the world, infected only about 100,000 computers.

“We’re talking about a lot more than SQL,” says Ingevaldson. “A lot of vulnerabilities exist in Internet Explorer and Outlook, but this is a core piece of the operating system. It’s one of the most widespread and serious of the vulnerabilities we’ve seen. I’m not sure if it’s the most widespread, but it’s definitely one of the most.”

Regardless of exactly how many computers will be affected, MSBlaster is likely to create a stir, if not serious problems, at Microsoft.

By aiming the DDoS attack at windowsupdate.com, the author of the worm is deliberately trying to make it difficult for IT managers and individual users to download the patch they need to secure their systems against the worm. “It will focus all the net congestion on that site,” says Steven Sundermeier, vice president of products and services at Central Command Inc., an anti-virus company based in Medina, Ohio. “If it spreads enough around the world, it could shut down that site. And if that happens, it will render patching impossible.”

A Microsoft spokesman could not be reached by deadline, but Ingevaldson says he’s heard reports that Microsoft has been working on securing its Web site since Monday afternoon.

“I’m sure Microsoft is a seasoned veteran when it comes to defending against DDoS attacks,” he adds. “I have heard they’re not very worried about the coming attack on Friday. Maybe they know something I don’t. They’re big and they’re very savvy about these kinds of things. They’ve got a lot of muscle and a lot of experience.”
