X

Network operators: Worm still squirming

Earlier reports that network traffic caused by the MSBlast worm dropped 30 percent to 40 percent may not mean that the worm is slowing, a major provider of network services says.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Earlier reports that network traffic caused by the MSBlast worm dropped 30 percent to 40 percent may not mean that the worm is slowing, a major provider of network services said Friday.

Instead, the worm seems to have been spreading at nearly the same rate over the past few days, according to Internet service provider Akamai Technologies.

"A lot of the network operators started filtering port 135," the data channel used by the worm, said Andy Ellis, chief security architect at Akamai. "That made it look like the number of infected machines was dropping."

In reality, the rate at which the MSBlast worm--named for the worm's filename, "msblast.exe"--is compromising computers seems to have dropped only slightly, Ellis said. The worm started spreading Monday and has infected from 300,000 to a million computers, according to Akamai data.

A wide range of estimates for the spread of a worm are a common problem in gauging the effects of such an attack.

The latest data from security company Symantec, which uses a large intrusion-detection network to record the Internet addresses of infected Windows PCs and servers, estimates that 380,000 addresses have become home to infected computers since Monday morning.

The data does not necessarily correspond to the number of computers infected, as one Internet address can be the home to an entire network of computers, many of which are infected. On the other hand, the data also doesn't take into account any machines that have been cleansed of the infection since the worm began spreading. Moreover, most dial-up and some broadband Internet users receive a new Internet address every time they connect to their provider, making it appear that many more machines are infected than really are.

"For a Windows XP machine, it inherits a new IP (Internet Protocol address) every time it reboots," said Alfred Huger, senior director of engineering for Symantec's security response.

Symantec's data also shows a 30 percent to 40 percent decrease in traffic between Monday and Tuesday of this week. Huger agreed that the filtering being done by Internet service providers may well be the cause.

"The question is, 'How long will they keep that (filtering) up?'" he said. "It costs a great deal of money--in CPU time and bandwidth."

The new data comes on the same day that Microsoft managed to dodge an impending denial-of-service attack. The attack, which would have leveled a flood of data at Microsoft's Windows Update site, was foiled when the software giant deleted the address the worm was targeting. The worm is expected to continue to spread despite the aborted attack.

Microsoft also announced on Friday that an e-mail hoax is circulating. The subject line of the e-mail is "updated," and the message appears to contain a critical update to patch systems against the MSBlast worm. In reality, clicking on the attached file will infect the recipient's computer with a Trojan horse program. Antivirus company Sophos dubbed the new program Graybird. Microsoft warned consumers that the company never uses e-mail to distribute patches.