Windows worm starts its spread

"MSBlast," which takes advantage of what some security experts have called the most widespread Windows flaw ever, starts making its way around the Net.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
A worm that takes advantage of what some security experts have called the most widespread Windows flaw ever has started spreading, fulfilling the predictions of many researchers.

Dubbed "MSBlast" by its author, the worm is spreading quickly, according to an initial analysis posted to the Internet Storm Center, a digital threat-tracking site. Ever since mid-July, when Microsoft announced a vulnerability in a widespread component of Windows, security experts have been waiting for some online vandal to create a worm that takes advantage of it.

"It is pretty widespread," said Johannes Ullrich, chief technology officer for the Storm Center. "It is sort of getting to the point where it is causing some slowdown."

Microsoft is investigating the worm but couldn't immediately comment on the program.

Some system administrators posting to a mailing list run by the North American Network Operators' Group, a popular forum for engineers who maintain large networks, believe that as much as 10 percent of the data coming into their networks has been created by the worm.

The worm contains two messages in its code. The first apparently is a "greet"--a message of greeting or recognition to a friend or peer--while the second takes aim at Microsoft: "billy gates why do you make this possible?" the second part of the message says. "Stop making money and fix your software!!"

Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability.

MSBlast installs the Trivial File Transfer Protocol (TFTP) server, and runs the program to download its program code to the compromised server. It will also add a registry key to ensure that the worm is restarted when the host computer is rebooted.

The worm attacks Windows computers via a hole in the operating system, an issue Microsoft on July 16 had warned about. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted a program to several security lists designed to allow an intruder to break in to Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Microsoft's operating system.

The flaw is in a component of the OS that lets other computers request that the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.

The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program.

Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.

Slammer spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be canceled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.

Security experts and network administrators are working to identify the worm and patch their networks.

Microsoft Windows users can update their operating systems through the company's Windows Update service. More information about the flaw and workarounds are available in the advisory posted online.