X

Microsoft prepares to be Blasted

The giant hopes to be ready when hundreds of thousands of computers infected with the MSBlast worm start pelting its Windows Update service with data requests on midnight Friday.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read

special coverage
'MSBlast' echoes over Net
 Worm exploits widespread
 Windows flaw


Microsoft hopes to be ready when hundreds of thousands of computers infected with the MSBlast worm start pelting its Windows Update service with data requests on midnight Friday.

The company has taken steps to try to dodge the denial-of-service attack, but it's also begun educating Windows users about other ways to get updates and patches in the event that the update service is made unavailable.

"We are preparing," said Stephen Toulouse, security program manager for Microsoft's security research center. "We are working diligently to make sure that our customers can get the patch."

The primary payload of the MSBlast worm, which began infecting systems Monday, is a denial-of-service attack against the service from which most Windows users get their updates. If successful, the maneuver would frustrate efforts to patch the Windows vulnerability the worm exploits. The strategy is also a way of simply harassing the Redmond, Wash.-based software giant; the worm's code contains a message for the company's founder: "billy gates why do you make this possible? Stop making money and fix your software!!"

Named after the msblast.exe file that contains the program, MSBlast continued to spread across the Net on Wednesday, infecting nearly 228,000 computers by midmorning, according to data gathered by security company Symantec.

Computers infected with the worm will start sending connection requests to the Windows Update service at midnight Friday, according to the clock on a given user's computer.

Although Toulouse was mum on the specific steps the software giant is taking to prepare for the attack, Microsoft is advertising alternative ways to get downloads and information from its site. The company has put more than 10 links on its main Web site to send people to more information and alternative channels for downloading updates.

Toulouse also stressed that consumers can and should get the latest patches from the company's Download Center.

Lloyd Taylor, vice president of technology and operations at Keynote Systems, which evaluates network performance, said that Microsoft's service will likely fall victim to the attack.

"I don't think any network in the world would be accessible with the amount of traffic that is going to be thrown at it," Taylor said.

Taylor also said that the traffic volume directed at the Microsoft site could take down small local networks. But a similar prediction a few years ago fell flat.

In 2001, after Code Red infected some 350,000 computers, it aimed a similar denial-of-service attack at Whitehouse.gov. Network administrators were able to move the site from the targeted Internet address and sidestep the attack. Moreover, despite hundreds of thousands of PCs flooding the Internet with data, local network outages didn't happen.

Marc Maiffret, chief hacking officer for security software maker eEye Digital Security, said the amount of data sent from each infected computer would be small and that it would be unlikely to overwhelm any networks. Each compromised computer should send 50 packets of data every second--about 16kbps. That's quite low for such attacks.

"I doubt Windows Update will go down," Maiffret said. "They have a big network, and it's very distributed."