Slapdash monster roams the Net

The latest threat to the stability of the Internet is a compilation of programs cobbled together to do a single job: spread far and wide.

By Robert Lemos, Staff Writer, CNET News.com. Lemos covers viruses, worms and other security threats.

Call it the Frankenworm.

"MSBlast," the latest threat to hit the Internet, is a piecemeal compilation of programs cobbled together to do a single job: spread across the Internet. The Frankenstein's monster of code stitches together a widely available file server, one of several public programs to exploit a widespread Windows flaw, and common techniques for compromising computers.

The combination is unoriginal, but effective. The worm--also known as W32/Lovsan.worm and W32.MSBlaster--is successful not because its creator was knowledgeable about programming, but because a great many people whose computers are connected to the Internet are still ignorant of security.

"I'm not going to give the guy who wrote it a lot of credit," said Vincent Gullotto, vice president of security firm Network Associates' antivirus emergency response team. "It was effective--it did what it set out to do."

In most countries, laws prohibit the release of self-propagating code onto the Internet. However, finding the authors of e-mail viruses and worms is extremely difficult, making harsh laws unlikely to dissuade the individuals who release the programs. Gullotto stresses that home users are going to have to pay more attention to security in the future and that corporations must better secure their networks if they are to dodge future worms, even those that are poorly written.

"I think education is a constant with anybody in that they need to understand that threats are evolving," he said.

The worm has infected at least 120,000 computers and has caused internal disruptions for many companies and Internet service providers. Gullotto said that a "few hundred" of Network Associates' clients had been infected with MSBlast.

However, computers connected to the Internet aren't the only target. Starting on Saturday, every computer infected with MSBlast is expected to start flooding Microsoft's Windows Update service with legitimate-looking connection requests. The denial-of-service attack could slow--and even halt--access to the primary way Microsoft customers receive updates for their computers.

Unlike the common mass-mailing viruses that spread by hitching a ride on e-mail messages, Internet worms don't attach themselves to files and don't need user intervention to spread.

The MSBlast worm infects other computers by trying to connect to 20 different Internet addresses at the same time using methods identical to those of an exploit program refined by security researchers and hackers on the Internet. That program, known as dcom.c, attempts to use a vulnerability in a widely used component of the operating system that allows other computers to ask Windows systems to perform an action or service. Microsoft issued a warning about the flaw on July 16.

The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use a computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to its resources.

"Because they ripped off the exploit, the worm ended up looking just like hackers trying to break into computers," said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. "I think that people would have discovered the attack even sooner if it acted like a real worm."

How it works

Just like a hacker manually attacking a server, MSBlast installs a file-sharing program known as the Trivial File Transfer Protocol (TFTP) server and runs the program to download the MSBlast code to the compromised computer. But the way the worm causes the victim's computer to download the file is very inefficient, Maiffret said.

Moreover, even though MSBlast can detect whether a machine is already infected, it has to compromise the machine again before it can check. It also adds a registry key to ensure that the worm is restarted when the host computer is rebooted.

To infect other computers, the worm causes its host to scan for computers with the RPC vulnerability. Forty percent of the time, the program will scan the network to which it is attached, while 60 percent of the time, the worm will try a random network. Because the scanning process is not completely random, the worm will likely cause a lot of excess traffic on its local network.
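
A defender's view of the scanning behaviour described above, as an added example that is not part of the original article: it flags any host that contacts 20 or more distinct addresses on one port within a short window and reports what share of those targets sat on its own network. The flow records are constructed, and the port (TCP 135), the five-second window and the function names are assumptions, not details from the article.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


def build_sample_flows():
    """Constructed flow records: (seconds, source, destination, dest port)."""
    flows = []
    # 10.1.2.7 matches the description: a burst of 20 targets,
    # 8 on its own network (40%) and 12 elsewhere (60%).
    for i in range(8):
        flows.append((i * 0.1, "10.1.2.7", f"10.1.2.{100 + i}", 135))
    for i in range(12):
        flows.append((1 + i * 0.1, "10.1.2.7", f"203.0.113.{i + 1}", 135))
    # 10.1.2.9 is an ordinary workstation talking to two servers.
    flows.append((0.5, "10.1.2.9", "10.1.2.20", 135))
    flows.append((3.0, "10.1.2.9", "10.1.2.21", 135))
    flows.append((4.0, "10.1.2.9", "10.1.2.20", 445))
    return flows


def find_scanners(flows, local_net, port=135, window=5.0, min_targets=20):
    """Return {source: (distinct_targets, local_fraction)} for every source
    that reaches min_targets distinct destinations on `port` inside any
    `window`-second span. Port 135 is an assumed default."""
    net = ip_network(local_net)
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                local = sum(ip_address(d) in net for d in targets)
                hits[src] = (len(targets), local / len(targets))
                break
    return hits


if __name__ == "__main__":
    for host, (count, frac) in find_scanners(build_sample_flows(), "10.1.2.0/24").items():
        print(f"{host}: {count} targets, {frac:.0%} on the local network")
```

A high local fraction alongside a high target count is what separates this pattern from a purely random scanner, and it is also why the infected host's own network carries so much of the excess traffic.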

The worm contains two messages in its code. One is a "greet"--an underground programmer greeting--to another person, which could be a lead for law enforcement agencies that pursue the worm's author. The greet reads, "I just want to say LOVE YOU SAN!!"

The other message is addressed to Microsoft founder Bill Gates: "billy gates why do you make this possible?" it says. "Stop making money and fix your software!!"

Microsoft pointed out that another service exists for customers to get patches.

"We are working diligently to make sure that we are going to handle the increase in traffic from the worm," said Stephen Toulouse, security program manager for Microsoft's security response center, adding that customers can also download patches from the Microsoft Download Center.

Microsoft confirmed that it is working with law enforcement to find the person or group who released the worm.

MSBlast's first attack will last until the end of the year, said security researchers, adding that the coding of the worm will cause it to continue the attack in the latter half of each month for the first six months of 2004.

Maiffret said he expects the Saturday attack will fizzle.

"I don't think Windows Update is going down," he said. "Microsoft is usually good on the network side of things."