Security analysts are warning it’s inevitable that a worm will be released in
the wild to attack users through the newly discovered vulnerabilities in Microsoft’s
“I think it’s just a matter of time,” says Steve Sundermeier, vice president of products
and services at Central Command Inc., an anti-virus and security company. “We’re all gearing
up for it. It’s definitely going to come. We’re going to see a new worm.”
Microsoft Corp. announced this week the existence of three recently found flaws in Windows
RPC protocols. Two of the flaws are eerily similar to the RPC vulnerability, discovered this
summer, that led to last month’s release of the Blaster worm, which quickly spread across
the world, clogging up corporate systems, sucking up bandwidth and ultimately trying to
launch a denial-of-service attack on a Microsoft Web site.
These new vulnerabilities include a denial-of-service flaw and two buffer overruns. The
flaws allow a remote attacker to take control of a vulnerable computer, downloading files,
destroying information or using that computer to attack other computers.
The new vulnerabilities offer up a temptation that security analysts think worm writers
won’t be able to resist. With the original Blaster code laying the developmental groundwork
for a second wave of attacks, much of the hard work is already done.
“These new vulnerabilities are close cousins of the RPC vulnerability that was first
published in July,” says Chris Belthoff, a senior security analyst with Sophos Inc., an
anti-virus company based in Lynnfield, Mass. “It’s a very close variant of the vulnerability
that the Blaster worm was written to exploit. So the expectation is that we’ll see the Son
of Blaster or Blaster Junior — a worm or multiple worms that take advantage of the
And Belthoff says with the original Blaster code out there, it would be quick and easy for a
virus writer to whip up a damaging knock-off that would exploit the new vulnerabilities.
That means the new worm could literally hit within days or even hours.
“It could come at any time now,” adds Belthoff. “It wouldn’t surprise me if something is
seen in the next few days. It’s certainly possible. Since this vulnerability is so similar
to the one the Blaster worm exploited, it’s not a huge development task to write another
worm to exploit this vulnerability.”
Belthoff also notes that the first Blaster, though it crashed some systems because of a flaw
in its own coding, didn’t wreak much damage on the infected computers. Blaster was largely
geared to cause trouble for Microsoft by launching a DoS attack against the Web page that
enabled users to download the patch.
Users may not be so lucky with the next worm, which could be far more damaging to the
But Central Command’s Sundermeier says the infected machines are too valuable to the worm
writer to damage.
“Sure, the hacker has the ability to download code of his or her choice and that code could
be malicious to the infected computer,” he explains. “But if he causes significant damage
to that machine, then that machine is taken out. If they’re going to launch a DoS attack,
they won’t want to take down machines that they actually need.”
Sundermeier adds that there’s a positive side to a new worm hitting so soon after Blaster.
“Blaster is still in people’s minds,” he says. “Our saying is ‘What is soon learned is
soon forgotten.’ But this is so close to the original Blaster, that may not be the case
here. But people shouldn’t think that just because they are patched for Blaster, they’re
patched for this one.”
MJ Shoer, president and CTO of Jenaly Technology, Inc., a Portsmouth, N.H.-based outsourced
IT firm covering businesses in New England, says he’s been busy making sure clients’ systems
are patched and updated.
“Everybody needs to be patched. That’s what it boils down to,” says Shoer. “We’re making
sure firewalls are tight and anti-virus is up to date. We’re just checking all the
Shoer says when it comes to making sure a system is patched, the biggest vulnerability to
the corporate network is the mobile user. Many corporate administrators push patches down to
individual desktops and laptops that are connected to the network. If a worker has been on
the road, simply dialing in from slow hotel connections, they are unlikely to be getting the
patches and security updates they need.
Shoer adds, “We’re aggressively watching all the points of exposure.”
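The gap Shoer describes is a simple one to audit: a patch that is only pushed to machines seen on the corporate network never reaches a laptop that has been dialing in from the road. The script below is an added example, not code from the article or from any company named in it. It runs a constructed endpoint inventory through a small classifier that separates patched hosts from those that were never on the LAN after the patch was published (so the push could not have reached them), those that have gone quiet since, and those still waiting on the push. The host names, check-in dates and the release date are constructed, and because the article does not name the Microsoft bulletin, REQUIRED_PATCH is a labelled placeholder rather than a real patch identifier.

```python
"""Patch-coverage audit over a constructed endpoint inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Placeholder label: the article does not identify the bulletin, so no real
# patch identifier is used here.
REQUIRED_PATCH = "RPC-PATCH-PLACEHOLDER"
# Constructed release date for the example, not the real bulletin date.
PATCH_RELEASED = date(2003, 9, 10)


@dataclass(frozen=True)
class Host:
    name: str
    mobile: bool                  # laptop that leaves the office
    last_lan_checkin: date        # last time the push agent saw it on the LAN
    installed_patches: frozenset  # patches the endpoint reports as installed


def risk_status(host: Host, today: date, grace_days: int = 2) -> str:
    """Classify one host with respect to the required patch.

    patched         the endpoint reports the patch installed
    missed-push     mobile host not on the LAN since release: the push never reached it
    offline-desktop desktop not on the LAN since release: same problem, different cause
    stale           seen after release but silent longer than the grace period
    pending         seen recently, push should land on the next cycle
    """
    if REQUIRED_PATCH in host.installed_patches:
        return "patched"
    if host.last_lan_checkin < PATCH_RELEASED:
        return "missed-push" if host.mobile else "offline-desktop"
    if today - host.last_lan_checkin > timedelta(days=grace_days):
        return "stale"
    return "pending"


def audit(hosts, today: date) -> dict:
    """Group host names by status so follow-up can be prioritised."""
    report: dict = {}
    for host in hosts:
        report.setdefault(risk_status(host, today), []).append(host.name)
    return report


# Constructed inventory: names, dates and patch state are made up for the example.
INVENTORY = [
    Host("hq-desk-01", False, date(2003, 9, 14), frozenset({REQUIRED_PATCH})),
    Host("hq-desk-02", False, date(2003, 9, 14), frozenset()),
    Host("hq-desk-03", False, date(2003, 9, 11), frozenset()),
    Host("sales-lt-07", True, date(2003, 9, 3), frozenset()),   # on the road, dial-up only
    Host("exec-lt-02", True, date(2003, 9, 8), frozenset()),
    Host("lab-desk-09", False, date(2003, 8, 30), frozenset()),
]


def example_report() -> dict:
    """Run the audit on the constructed inventory as of a constructed date."""
    return audit(INVENTORY, date(2003, 9, 15))


if __name__ == "__main__":
    for status, names in sorted(example_report().items()):
        print(f"{status:16} {', '.join(names)}")
```

The useful output is the "missed-push" bucket: those are the laptops that a network-based push cannot fix, so they need a different channel (a direct download over the dial-up link, or blocking them at the firewall until they are back on the LAN and patched). The grace period is a tunable; shorten it while a worm is expected.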