'MSBlast' worm widespread but slowing

The MSBlast worm has infected as many as 100,000 computers in the past 24 hours, but the program's spread has slowed, said security researchers on Tuesday.

		Reader Resources MSBlast worm facts CNET Reviews

The worm's infection rate climbed throughout the day on Monday, but overnight the spread of the program dropped off, said Alfred Huger, senior director of engineering for security company Symantec. The reason for the slower spread is likely because of the poor programming of the worm, rather than a lack of vulnerable computers, he said.

"This is the best-case worm," Huger said. "This didn't turn out to be Slammer, which is good for us, but there is still all the variants" that are likely to crop up.

On Tuesday, new hosts were being claimed by the worm about 40 percent slower than as of the same time Monday, Huger said.

Meanwhile, Microsoft confirmed it is working with law enforcement to find the person or group who released the worm.

"We are working diligiently to make sure that we are going to handle the increase in traffic from the worm," said Stephen Toulouse, security program manager for Microsoft's security response center, adding the customers can also download patches from the Microsoft Download Center.

The worm, which security experts believe started spreading early Monday, scans for vulnerable computers so widely that an unpatched Windows XP computer on the Internet could be infected in as little as 25 minutes, according to Symantec studies.

Network performance measurement company Keynote Systems reported something of a drop in performance in two of the primary backbones that carry Internet traffic. But for the most part, Keynote found that the worm caused very little slowdown.

"Unlike the Slammer worm, which had significant negative effects on the Internet's infrastructure, the Blaster worm is not having a similar effect, as it is programmed to propagate much more slowly," Lloyd Taylor, Keynote's vice president of technology and operations, said in a statement.

The introduction of the MSBlast worm--also known as W32.Blaster and W32/Lovsan--ends nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm to take advantage of a vulnerability in a widely used feature of Microsoft Windows.

The new worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools, such as the Trivial File Transfer Protocol (TFTP) server.

		Special Report Patchwork security Software "fixes" are routinely available but widely ignored.

The worm is programmed to cause infected computers to send a flood of data to Microsoft's Windows Update service, starting Saturday morning. The denial-of-service attack could slow down, and even halt access to, the primary way Microsoft customers receive updates for their computers.

The Update service suffered a different kind of denial-of-service attack on Tuesday as people rushed to patch their PCs. The increased volume slowed, or prevented, access to the service. Multiple attempts to connect to the service from CNET's offices failed.

Microsoft representatives were not immediately available for comment.

MSBlast's first attack will last until the end of the year, security researchers said, adding that the coding of the worm will cause it to continue the attack in the latter half of each month for the first six months of 2004.

The worm still hasn't reached the levels of Code Red II, which infected more than 300,000 servers in 10 hours. However, the original Code Red spread very slowly until some online vandal modified the worm and fixed a critical flaw in how it spread. Symantec's Huger worries that someone might do the same with the MSBlast worm.

"This was written very poorly," Symantec's Huger said. "It's the children of Blaster that I fear now."