
Flaw in Windows worm tips off defenders

The fast-spreading "MSBlast" worm seems to be crashing as many Windows computers as it's infecting, giving administrators a sign that they need to patch their systems.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
The fast-spreading "MSBlast" worm seems to be crashing as many Windows computers as it's infecting, demonstrating to administrators that they need to patch their systems, security experts said Monday.

By midafternoon Monday, the worm had infected at least 7,000 computers in a matter of hours, according to data provided by security company Symantec. Still, security experts stressed that the program had several flaws that had slowed its spread.

"You are not going to see the rapid uptake of Slammer. However, it could easily be as large as Code Red," said Symantec's senior director of engineering, Alfred Huger, referring to the lightning-fast Slammer worm, which hit Microsoft SQL servers in January, and the Code Red worm, which gobbled up servers in July 2001.

The Code Red worm spread slowly at first, then quickly, after someone modified the program to fix a flaw in its code. Huger said it was likely that an online vandal would take on the task of modifying MSBlast as well.

"I think there is a really strong chance that this will be modified and re-released, if not today, then this week," Huger said. "It's very simple to unpack and very simple to modify."

The introduction of the MSBlast worm ends nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm to take advantage of a vulnerability in a widely used feature of Microsoft Windows. The worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools, such as the Trivial File Transfer Protocol (TFTP) server.

The worm is also known as W32.Blaster and W32/Lovsan.

Denial of service in the forecast
The worm could turn out to be quite an irksome bug for Microsoft. It reinforces the notion that despite the software giant's 18-month-old Trustworthy Computing initiative, Microsoft software still has security issues. It also aims to attack the company's network directly. Starting on Aug. 16, every computer infected with MSBlast will start flooding Microsoft's Windows Update service with legitimate-looking connection requests. The denial-of-service attack could slow down, and even halt access to, the primary way Microsoft customers receive updates for their computers.

MSBlast's first attack will last until the end of the year, security researchers said, adding that the coding of the worm will cause it to continue the attack in the latter half of each month for the first six months of 2004.

The worm contains two messages in its code. One is addressed to Microsoft founder Bill Gates: "billy gates why do you make this possible?" it says. "Stop making money and fix your software!!" The other message is a "greet"--an underground programmer greeting--to another person, which could be a lead for any law enforcement agencies that pursue the worm's author.

Microsoft may find a way to deflect the attack, as did the White House's technical staff when the Code Red worm aimed a denial-of-service attack at the whitehouse.gov Web site. The flaws in MSBlast may also slow it down.

"The worm is obviously messing things up, and it's going to get worse," said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. "But if it wasn't using (such poor methods), it would be much more effective."

The worm attacks Windows computers via a flaw in a component of the operating system that allows other computers to ask Windows systems to perform an action or service. Microsoft warned about the flaw July 16. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use a computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to its resources.

MSBlast installs the TFTP server and runs the program to download the MSBlast code to the compromised server. But the way the worm causes a compromised computer to download the file is very inefficient, Maiffret said. Moreover, although MSBlast can detect whether a machine is already infected, it has to compromise the machine again before it can check.

Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability. Because the scanning process is not completely random, the worm will likely cause a lot of excess traffic on the network. It also adds a registry key to ensure that the worm is restarted when the host computer is rebooted.
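As an added example (not from the article or from any vendor analysis), the following Python detector flags the scanning and download pattern described above in constructed firewall log lines: one source hitting a run of consecutive addresses on the RPC port, followed by a freshly hit host pulling a file back from that source over TFTP. It assumes RPC on TCP port 135 and TFTP on UDP port 69, the standard ports, which the article does not name.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log, one "time src dst dport" entry per line.
# 10.0.0.5 walks 192.168.1.10-15 sequentially on the RPC port, then one
# of those hosts (192.168.1.12) fetches from 10.0.0.5 over TFTP.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 192.168.1.10 135
12:00:01 10.0.0.5 192.168.1.11 135
12:00:02 10.0.0.5 192.168.1.12 135
12:00:02 10.0.0.5 192.168.1.13 135
12:00:03 10.0.0.5 192.168.1.14 135
12:00:03 10.0.0.5 192.168.1.15 135
12:00:04 10.0.0.7 192.168.1.50 80
12:00:05 10.0.0.7 192.168.1.60 443
12:00:06 192.168.1.12 10.0.0.5 69
"""

RPC_PORT = 135   # assumed: Windows RPC endpoint mapper
TFTP_PORT = 69   # assumed: standard TFTP port

def parse(log):
    """Yield (time, src, dst, dport) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        yield ts, src, dst, int(dport)

def sequential_run(addrs):
    """Longest run of numerically consecutive IPv4 addresses, in log order."""
    if not addrs:
        return 0
    best = run = 1
    for a, b in zip(addrs, addrs[1:]):
        run = run + 1 if int(b) - int(a) == 1 else 1
        best = max(best, run)
    return best

def find_scanners(log, min_run=5):
    """Return {scanner: details} for sources showing worm-like sequential RPC scanning."""
    rpc_targets = defaultdict(list)   # src -> [dst addresses hit on the RPC port]
    tftp_clients = defaultdict(set)   # tftp server (dst) -> {hosts that pulled from it}
    for _, src, dst, dport in parse(log):
        if dport == RPC_PORT:
            rpc_targets[src].append(ipaddress.ip_address(dst))
        elif dport == TFTP_PORT:
            tftp_clients[dst].add(src)
    findings = {}
    for src, dsts in rpc_targets.items():
        run = sequential_run(dsts)
        if run >= min_run:
            findings[src] = {"sequential_run": run,
                             "tftp_clients": sorted(tftp_clients.get(src, ()))}
    return findings
```

A sequential run on the RPC port is the scanning signature the experts describe; a TFTP pull back to the same scanner is the follow-on download and gives the responder the first victim to isolate.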

Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.

That worm spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be canceled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.

Much of the damage caused by Slammer was due to the high volume of traffic that it caused. MSBlast's slower infection rate will likely mean that it will not cause as much damage.

Security experts and network administrators continue to analyze the worm and patch their networks. Microsoft Windows users can update their operating systems through the company's Windows Update service. More information about the flaw and work-arounds is available in the advisory posted on Microsoft's site.