Experts ponder coming Blaster attack

While Internet users and corporations dig out from the havoc caused by the new W32.Blaster Internet worm, security experts are questioning whether a massive denial of service attack from infected machines, scheduled for Saturday, will succeed.

The worm, referred to alternately as the DCOM worm or Lovsan worm, first appeared on the Internet late Monday and spread quickly, infecting machines running the Windows XP and Windows 2000 operating systems.

Blaster takes advantage of a known vulnerability in a Windows component called the DCOM (Distributed Component Object Model) interface, which handles messages sent using the RPC (Remote Procedure Call) protocol.

As of Thursday, the Blaster worm infected between 250,000 and one million computers, according to Vincent Gullotto, vice president of the AVERT antivirus response team at Network Associates.

But the worst may still be coming.

In addition to being programmed to seek out and infect vulnerable Windows computers, Blaster is set to launch a denial of service attack against a Microsoft Web site on August 16.

Infected machines worldwide will begin sending a constant stream of phony connection requests to the windowsupdate.com Internet domain in an maneuver known as a TCP (Transmission Control Protocol) SYN flood attack.

Microsoft uses windowsupdate.com to distribute software patches to Windows customers.

The machines will begin their attack at 12:00 a.m. local time, with each infected computer judging the time by consulting its system clock.

That will create a cascading attack that will cross the globe as clocks in each time zone roll over to the new day, according to Mikko Hyppönen, antivirus research director at F-Secure in Helsinki.

Once launched, the attack will continue, unabated, through the end of December, then begin again on January 16, 2004, according to an analysis of the worm code by security company eEye Digital Security.

If successful, the attack would be difficult for Microsoft to stop, according to experts.

More than 100,000 infected machines could be involved in the attack, creating a massive flood of traffic to Microsoft's windowsupdate servers, according to Gullotto.

Attack traffic will come from computers using thousands of different IP (Internet Protocol) addresses, making it impossible to deploy a blocking list. In addition, attack traffic will arrive on Port 80, a vital computer communications port used to access the World Wide Web, Hyppönen said.

But experts agree that all may not be lost.

By mistake or design, Blaster's author provided the incorrect domain address for windowsupdate. The address specified in the worm's code, windowsupdate.com, simply forwards users to the actual Windows update site, windowsupdate.microsoft.com, Hyppönen said.

Microsoft can easily change the DNS (Domain Name System) configuration for windowsupdate.com to have it stop forwarding traffic to the actual site, sidestepping Saturday's Blaster DOS attack, he said.

The windowsupdate.com DNS record could be changed to point to a phony IP address like 0.0.0.0 or to point attack traffic back to the attacking machine itself, Hyppönen said. Either of those changes would also spare the Internet from a flood of spurious attack traffic, he said.