 | ||||
|
| | ||
|
Reader resources MSBlast worm  Prevention and cure |
| ||
|
|
||||
|
|
||||
The 'time bomb' in the worm's code, discovered by anti-virus and security researchers, will turn every infected system into a DoS agent on August 16, this Saturday. The systems will begin sending random strings of data to the windowsupdate.com Web site in an attempt to knock it offline. If the DoS attack is successful, administrators will be unable to patch their systems against the vulnerability exploited by MSBlast.
The worm also contains anti-Microsoft messages in its code: "billy gates why do you make this possible?" the second part of the message says. "Stop making money and fix your software!!"
Ever since mid-July, when Microsoft announced vulnerability in a widespread component of Windows, security experts have been waiting for some online vandal to create a worm that takes advantage of it.
"[MSBlast] is pretty widespread," said Johannes Ullrich, chief technology officer for the storm centre. "It is sort of getting to the point where it is causing some slowdown."
Some system administrators posting to a mailing list run by the North American Network Operators' Group, a popular forum for engineers who maintain large networks, believe that as much as 10 percent of the data coming into their networks has been created by the worm.
Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability. MSBlast installs the Trivial File Transfer Protocol (tftp) server, and runs the program to download its program code to the compromised server. It will also add a registry key to insure that the worm is restarted when the host computer is rebooted.
The worm attacks Windows computers via a hole in the operating system, which Microsoft warned of 16 July. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted a program to several security lists designed to allow an intruder to break into Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Microsoft's OS.
The flaw is in a component of the OS that lets other computers request that the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.
The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program.
Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.
Slammer spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be cancelled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.
Microsoft Windows users can update their operating systems through the company's Windows Update service. More information about the flaw and workarounds are available in the advisory posted online. A worm that takes advantage of what some security experts describe as the most widespread Windows flaw ever has started spreading, while new analysis has uncovered a time bomb in the worm's code poised to unleash a furious denial of service attack at Microsoft itself.
|
| ||||
|
| | ||
|
Reader resources MSBlast worm Prevention and cure |
| ||
|
|
||||
|
|
||||
The 'time bomb' in the worm's code, discovered by anti-virus and security researchers, will turn every infected system into a DoS agent on August 16, this Saturday. The systems will begin sending random strings of data to the windowsupdate.com Web site in an attempt to knock it offline. If the DoS attack is successful, administrators will be unable to patch their systems against the vulnerability exploited by MSBlast.
The worm also contains anti-Microsoft messages in its code: "billy gates why do you make this possible?" the second part of the message says. "Stop making money and fix your software!!"
Ever since mid-July, when Microsoft announced vulnerability in a widespread component of Windows, security experts have been waiting for some online vandal to create a worm that takes advantage of it.
"[MSBlast] is pretty widespread," said Johannes Ullrich, chief technology officer for the storm centre. "It is sort of getting to the point where it is causing some slowdown."
Some system administrators posting to a mailing list run by the North American Network Operators' Group, a popular forum for engineers who maintain large networks, believe that as much as 10 percent of the data coming into their networks has been created by the worm.
Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability. MSBlast installs the Trivial File Transfer Protocol (tftp) server, and runs the program to download its program code to the compromised server. It will also add a registry key to insure that the worm is restarted when the host computer is rebooted.
The worm attacks Windows computers via a hole in the operating system, which Microsoft warned of 16 July. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted a program to several security lists designed to allow an intruder to break into Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Microsoft's OS.
The flaw is in a component of the OS that lets other computers request that the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.
The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program.
Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.
Slammer spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be cancelled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.
Microsoft Windows users can update their operating systems through the company's Windows Update service. More information about the flaw and workarounds are available in the advisory posted online.
