Microsoft posts "Bonk" patch

The giant posts a fix to protect Windows NT servers against the program, which allows users to wage denial-of-service attacks.

Microsoft this morning posted a fix to protect its Windows NT servers from a malicious program that hackers can use to bring down computers hooked up to the Internet.

Microsoft still is working on a patch to protect Windows 95 from the program, which allows users to wage denial-of-service attacks.

Although the program has been making its way around the Web for a few days, if anyone has actually used it, Microsoft officials do not know about it.

The program has the potential to knock off just about any site directly connected to the Internet. When this happens, computers using a Microsoft operating system experience a blue screen of death, a term that refers to the blue screen that pops up on a computer when a Microsoft operating system experiences a "fatal" error.

The program, being called "Bonk" by hackers and "NewTear" by Microsoft, is based on another denial-of-service program simply called "Teardrop," which did the same thing but affected most servers.

Most of those who patched their servers to prevent Teardrop from being used were generally safe from NewTear, said Jiva DeVoe, a programmer who said he learned of the program while on Internet Relay Chat.

But, he said, Windows and NT servers appeared to be two exceptions, and remained vulnerable to the attack.

DeVoe speculated that those who designed NewTear were specifically targeting Microsoft to punish the software giant for its sometimes unpopular Internet strategies.

While hackers--also known by some as "crackers"--are constantly working on code that can be used to take Web sites offline, DeVoe said some are working double-time since the Justice Department ramped up its investigation of Microsoft.

"Microsoft is invading Internet territory," DeVoe said. "That's fairly new. You have Microsoft damaging open standards that the Internet is based on, like the battles with Java. You have a lot of people very knowledgeable who work on the Internet who have based their entire careers on the Internet and open standards and non-Microsoft products, and they're pretty pissed off about that. The problem is, you have people who have access to the technology to hurt Microsoft being angry at Microsoft. As a result, you'll see more attacks of this kind."

But Jonathan Roberts, director of product management for Windows, said concluding the program was designed by anti-Microsoft hackers would be a "leap."

"There's no evidence to suggest this was based on specific malicious intent towards Microsoft," he said.

The program, however, had to be developed maliciously, he said. In other words, it couldn't have happened randomly, and anyone who used it would have to know that they were performing a denial-of-service attack.

He said any guess as to why someone developed it or to whom it might be directed was purely speculative.

Machines behind a good firewall and most desktops would not be vulnerable, he said. But anyone with a direct Internet connection could face an outage due to the program.

The program basically works in the same way many denial-of-service attacks do. In layman's terms, it fools servers into thinking they're going to get one kind of packet and then sends a different kind. The server then hangs up, waiting for the kind of packet promised to it. That packet never comes.

In NewTear, the header describing the packet lies, saying the packet will either be larger or smaller than it really is, Roberts said. "Our TCP/IP gets this and gets confused."

"It would be like getting a book saying this is War and Peace and inside would be Tom Robbins," he said.

Roberts said that Microsoft had not received notification that the hack was used on them.

But, he added, Microsoft takes this and other malicious programs very seriously and is currently working to develop a fix for Windows.

Meanwhile, system administrators can block UDP packets, which is how NewTear is carried, he said.
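The mismatch Roberts describes, a header that states one size while a different amount of data arrives, can be tested for before a datagram is reassembled. The following is an added example, not code from Microsoft's fix or from this article; it goes beyond the article by also checking for overlapping fragments, which is how Teardrop-style packets are generally described. The function names, addresses and ports are assumptions, and the input is assumed to be raw IPv4 bytes without link-layer padding, already grouped into the fragments of one datagram.

```python
import struct

UDP = 17  # IPv4 protocol number for UDP

def parse_ipv4(pkt):
    """Pull out the IPv4 header fields that describe size and fragment position."""
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("invalid IPv4 header length")
    return {"total_len": total_len, "wire_len": len(pkt), "proto": proto,
            "offset": (flags_frag & 0x1FFF) * 8,  # field counts 8-byte units
            "more": bool(flags_frag & 0x2000),     # MF (more fragments) flag
            "payload": pkt[ihl:]}

def audit(fragments):
    """Return a list of findings for one datagram, given its raw IPv4 fragments."""
    frags = sorted((parse_ipv4(p) for p in fragments), key=lambda f: f["offset"])
    findings, covered = [], 0  # covered = end of the payload bytes seen so far
    for f in frags:
        if f["total_len"] != f["wire_len"]:
            findings.append(f"total-length field {f['total_len']} != {f['wire_len']} bytes received")
        if f["offset"] < covered:
            findings.append(f"fragment at offset {f['offset']} overlaps data ending at {covered}")
        elif f["offset"] > covered:
            findings.append(f"gap before fragment at offset {f['offset']}")
        covered = max(covered, f["offset"] + len(f["payload"]))
    first = frags[0] if frags else None
    if first and first["proto"] == UDP and first["offset"] == 0 and len(first["payload"]) >= 8:
        udp_len = struct.unpack("!H", first["payload"][4:6])[0]
        if udp_len != covered:
            findings.append(f"UDP length field {udp_len} != {covered} payload bytes present")
    if frags and frags[-1]["more"]:
        findings.append("last fragment still has MF set")
    return findings

def make_fragment(payload, offset=0, more=False, total_len=None):
    """Constructed sample input: 20-byte IPv4 header (protocol UDP, checksum 0) plus payload."""
    total = 20 + len(payload) if total_len is None else total_len
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, flags_frag, 64, UDP, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

if __name__ == "__main__":
    udp = struct.pack("!HHHH", 40000, 40001, 32, 0) + b"A" * 16   # UDP header claims 32 bytes
    print(audit([make_fragment(udp, more=True), make_fragment(b"B" * 8, offset=24)]))  # consistent
    print(audit([make_fragment(udp, more=True), make_fragment(b"B" * 4, offset=8)]))   # inconsistent
```

A datagram that produces any finding is one a receiving stack or filter can drop rather than try to reassemble.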