Blaster worm spreading, experts warn of attack

While the worm's spread slowed Monday evening and early Tuesday, the number of infected hosts is still very large and new infections are likely as home users in Europe and the U.S. return from work and connect to the Internet from unprotected home machines on Tuesday, according to Mikko Hyppönen, manager of antivirus research at F-Secure Corp. in Helsinki.

The large base of infected machines also has experts worried about a denial of service attack that the worm is programmed to launch against Microsoft's automated Windows update Web site starting August 16.

Traffic directed at the site, windowsupdate.microsoft.com, from so many hosts could effectively shut down the service, which is used to distribute software updates and security patches to Microsoft Windows users, Hyppönen said.

Unlike the Code Red worm, which contained code for a similar attack against the IP (Internet protocol) address of the White House's main Web server, Blaster targets the windowsupdate.microsoft.com domain, preventing Microsoft from simply changing the address of the domain to sidestep the attack, he said.

Microsoft is aware of the denial of service threat and is looking at ways to make windowsupdate.microsoft.com more resilient, both to protect against the Blaster worm and future threats, a company spokesman said.

That said, the windowsupdate site is "extremely resilient" and has never suffered a complete denial of service, he said.

"If there's an attack on Saturday, the worst case scenario is that the site is slower than normal but not brought to its knees," he said.

Security experts will be holding their breath and waiting for the preprogrammed attacks to start, but those infected by Blaster must now cope with the daunting task of cleaning up affected systems.

The number of infected machines at the University of Florida is still a small fraction of the campus's 20,000 or 30,000 hosts, but cleanup may take a while, especially in departments that are short of IT administrators and that lack software for managing updates across multiple systems, Wiens said.

Because other more subtle attacks using the RPC vulnerability have been circulating for weeks, owners of machines infected by Blaster may also consider doing a fresh installation of the operating system to overwrite any back-door programs or other malicious code placed on the machine by hackers, Ullrich said.

Blaster's code is small and can be quickly removed using free tools provided by F-Secure as well as other antivirus vendors, Hyppönen said.

However, customers should patch their systems before removing Blaster to prevent reinfection from the worm, he said.

Security experts also recommend installing firewall and antivirus software to prevent future attacks.