Blaster worm spreading, experts warn of attack

Outbreak is the most serious since the SQL Slammer worm in January

A new worm that exploits a widespread vulnerability in Microsoft's Windows operating system continued its spread on Tuesday, making Monday's outbreak the most serious since the appearance of the SQL Slammer worm in January, according to security experts.

The worm, referred to alternately as W32.Blaster, the DCOM Worm or Lovsan worm, first appeared on the Internet late Monday and spread quickly, infecting machines running the Windows XP and Windows 2000 operating systems. 

Blaster takes advantage of a known vulnerability in a Windows component called the DCOM (Distributed Component Object Model) interface, which handles messages sent using the RPC (Remote Procedure Call) protocol.

RPC is a common protocol that software programs use to request services from other programs running on servers in a networked environment.

Vulnerable systems can be compromised without any interaction from a user, according to Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, which monitors threats to the Internet infrastructure.

The Internet Storm Center first detected the new worm around 7:00 p.m. Greenwich Mean Time, and Blaster "took off" within the first hour of appearing, Ullrich said.

On Monday evening, antivirus and computer security firms around the world issued warnings about the new worm and instructed users to patch affected Windows systems and block communications ports used by the worm to spread.

By Tuesday morning, those warnings appear to have had some affect, Ullrich said.

"The worm has pretty much levelled out now. ISPs (Internet service providers) blocked port 135, which the worm used for propagation and we're seeing a limited spread," he said.

A flaw in the worm's code that governs which flavor of exploit to use when compromising a vulnerable machine may also account for the slowdowns, Ullrich said.

That flaw caused machines running Windows XP to crash and reboot, temporarily taking the host offline and tipping off the machine's owner.

Ullrich put the number of machines infected by Blaster at 30,000 worldwide, fewer than the number infected by the Code Red and Nimda worms of 2001, but more than were infected by the recent Slammer worm.

At the University of Florida in Gainesville, network security engineer Jordan Wiens saw a surge in attack traffic from an infected computer on the campus network around 3:00 p.m. Eastern Daylight Time and worked quickly to block the worm's spread by shutting down ports that it uses to copy itself to other vulnerable machines.

The University of Florida uses firewalls and intrusion detection system software to protect the campus network from Internet-borne attacks, but was probably undone by a user who was infected at home, then connected to the campus network using a dial-up modem, Wiens said.

Despite acting quickly to deploy filters to stop Blaster, the university's IT staff was coping with a sizeable number of infected computers by 5:00 p.m. Monday, he said.

While the worm's spread slowed Monday evening and early Tuesday, the number of infected hosts is still very large and new infections are likely as home users in Europe and the U.S. return from work and connect to the Internet from unprotected home machines on Tuesday, according to Mikko Hyppönen, manager of antivirus research at F-Secure Corp. in Helsinki.

The large base of infected machines also has experts worried about a denial of service attack that the worm is programmed to launch against Microsoft's automated Windows update Web site starting August 16.

Traffic directed at the site, windowsupdate.microsoft.com, from so many hosts could effectively shut down the service, which is used to distribute software updates and security patches to Microsoft Windows users, Hyppönen said.

Unlike the Code Red worm, which contained code for a similar attack against the IP (Internet protocol) address of the White House's main Web server, Blaster targets the windowsupdate.microsoft.com domain, preventing Microsoft from simply changing the address of the domain to sidestep the attack, he said.

Microsoft is aware of the denial of service threat and is looking at ways to make windowsupdate.microsoft.com more resilient, both to protect against the Blaster worm and future threats, a company spokesman said.

That said, the windowsupdate site is "extremely resilient" and has never suffered a complete denial of service, he said.

"If there's an attack on Saturday, the worst case scenario is that the site is slower than normal but not brought to its knees," he said.

Security experts will be holding their breath and waiting for the preprogrammed attacks to start, but those infected by Blaster must now cope with the daunting task of cleaning up affected systems.

The number of infected machines at the University of Florida is still a small fraction of the campus's 20,000 or 30,000 hosts, but cleanup may take a while, especially in departments that are short of IT administrators and that lack software for managing updates across multiple systems, Wiens said.

Because other more subtle attacks using the RPC vulnerability have been circulating for weeks, owners of machines infected by Blaster may also consider doing a fresh installation of the operating system to overwrite any back-door programs or other malicious code placed on the machine by hackers, Ullrich said.

Blaster's code is small and can be quickly removed using free tools provided by F-Secure as well as other antivirus vendors, Hyppönen said.

However, customers should patch their systems before removing Blaster to prevent reinfection from the worm, he said.

Security experts also recommend installing firewall and antivirus software to prevent future attacks.

Related:

Copyright © 2003 IDG Communications, Inc.