Cleanup dampens Blaster worm

The MSBlast worm's infection rate is slowing as people and businesses disinfect compromised computers, say antivirus companies--though not everyone agrees it's all over yet.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
The MSBlast worm's infection rate has slowed as companies and home users clean up compromised computers, according to antivirus firms.

Named after the msblast.exe file that contains the program, MSBlast continued to spread to new computers on Thursday, but the rate of infection has slowed significantly. Since Monday at noon, the worm had infected as least 330,000 computers, according to security company Symantec.

"We had an exponential growth on Monday, but it has dramatically slowed down," said Vincent Weafer, senior director for the company's security response team. Symantec has dubbed the worm "W32/Blaster."

Far fewer computers may currently be infected with an active copy of the worm. Symantec's data does not take into account the number of infected computers that have been cleaned of the program. Since Monday, business and home users have been securing their PCs and deleting the worm from computers that had been compromised.

Unlike the more-common mass-mailing e-mail viruses, an Internet worm like MSBlast spreads automatically, by exploiting weaknesses in computers that are connected to the Internet. The worm uses a widespread Windows flaw that Microsoft warned about and patched a month ago. People who have not applied the patch--by downloading it from Microsoft's Windows Update service or the company's Web site--are the only ones vulnerable.

Security company Network Associates said it has received reports of infections from several hundred companies and PC users.

"We are seeing a continual drop off--Tuesday was the day it really had the opportunity to spread," said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team. "Our process today is really focused on any problems that customers are having."

If true, the drop in the number of computers infected could be good news for Microsoft.

The primary payload of the MSBlast worm is a denial-of-service attack against the network from which most Windows users get their updates. If successful, the maneuver will frustrate efforts to patch the Windows vulnerability that the worm exploits. The strategy is also a way of simply harassing the Redmond, Wash.-based software giant; the worm's code contains a message for the company's founder: "billy gates why do you make this possible? Stop making money and fix your software!!"

Computers infected with the worm will start sending connection requests to the Windows Update service at midnight Friday, according to the clock on a given user's computer. That will first happen in Russia, just over the International Date Line, at about 4 a.m. PT.

Not everyone agrees that the worm is going away just yet. Some organizations are seeing indications that the worm's spread is growing, or at least, that more people are becoming aware of the self-spreading program.

special coverage
'MSBlast' echoes across the Net
 Worm exploits a widespread
 Windows vulnerability

The Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for information on Internet threats, continued to see about the same number of reports on Thursday as the previous day.

"It is really hard to say up or down," said Art Manion, an Internet security analyst with the CERT Coordination Center. "Reports are fairly steady. Our numbers are not good enough to say up or down."

The group previously said that as many as 1.4 million Internet addresses had become the homes of computers infected by the worm or an earlier attack program on which the worm was based.

However, Manion stressed that the numbers do not correspond to computers on a one-to-one basis. Many computers are connected to broadband providers that assign a different Internet address to a computer each time it connects to the network.

"We can't give any finer resolution than hundreds of thousands of computers," Manion said.

Enterprise antivirus firm Trend Micro reported that reports of worm infections had jumped threefold overnight from Wednesday to Thursday, but acknowledged that PC users may have only recently realized that performance issues with their computers were connected to the worm.

"People say, 'OK, maybe I am infected,' and then they go online to check," said Joe Hartman, director of North American antivirus research for Trend Micro. "We haven't seen all of it yet."

Hartman also stressed that it is very hard to estimate the number of computers that are actually infected at any given time, but believed that it's holding fairly steady.

"It isn't increasing all that much, because more people are using antivirus software and are using firewalls," he said. As more people become protected, the worm has fewer places to go.