Windows users should download the necessary patch for the Remote Procedure Call (RPC) vulnerability as soon as possible, because the new worm that exploits the flaw is targeting Microsoft's patch download page.
The network worm, Blaster-A, emerged late Monday afternoon. It came on quite quickly and has a fertile pool of targets. The RPC vulnerability affects Windows NT, XP and 2000, as well as Windows Server 2003, though not all versions are susceptible to infection. The worm also goes by the names MSBlast and Lovsan.
While a patch has been available for three weeks, history has shown that many users don't patch immediately. The worm affects both home and business users. The former probably don't run personal firewalls or update their patches as often as they should. Companies, by contrast, probably have firewalls to prevent infection from outside. But just one infected laptop physically brought into the office can infect a company's systems, since most companies don't have personal firewalls on every workstation.
The worm came on strong Monday afternoon and evening but seemed to tail off at around 2 a.m. EST, said Charles Kaplan, information security officer at managed security services provider Guardent Inc., Waltham, Mass.
"We have seen major data centers install filters at the edge of their networks, which has impacted it some," Kaplan said. Cable companies have also taken measures to filter such traffic, which would help home broadband
But it's too early to count Blaster out. "We are liable to see a mini-spike as people come into work, especially when they bring their notebooks in from home," Kaplan said. "It's too early to say whether it will be a mini-spike or something more horrific."
The Department of Homeland Security has issued a warning on Blaster because of its ability to hamper patching procedures. The worm is set to launch a denial-of-service attack on Microsoft's update page starting Aug. 16. Users are instructed to download the patch as soon as possible because the update site may become inaccessible this Friday afternoon, when Aug. 16 begins in Asia.
"It's a fairly effective attack. It sends corrupt packets to [the] Windows update page," said Mikko Hypponen, manager of antivirus research for F-Secure, in Helsinki, Finland. "Given the pool of potential systems, such an attack could take down any site."
In 2001, another network worm, Code Red, targeted the White House's Web site, but in that case the worm writer used its IP addresses, Hypponen said. Federal officials were able to change the IP addresses just before the attack was set to commence. Blaster makes such a measure more difficult, since the Windows update domain name is coded in, he said.
There are some things Microsoft can do to lessen the effect of an attack, such as devoting more bandwidth to its patch Web site, said Dan Ingevaldson, engineering director for Internet Security Systems Inc.'s X-Force security monitoring operation. "But there are no technology or techniques that could stop the attack outright, as it uses the DNS look-up," he said.
Because it doesn't require human action, Blaster has spread very quickly. Blaster-A scans for port 135, which it then uses to exploit the RPC flaw. The worm has exploit offsets for Windows 2000 and Windows XP, but it's still unclear whether it can infect Windows NT machines.
The worm writer appeared to have targeted desktops more than servers because Blaster does a simple calculation when infecting a machine that determines whether it will infect a Windows 2000 or Windows XP machine, Ingevaldson said. Twenty percent of the time, it will use the Windows 2000 exploit offset. The rest of the time it targets Windows XP, which is a desktop-only operating system. Machines will crash if the wrong offset is injected.
If a machine is exploited, the worm starts a Trivial File Transfer Protocol (TFTP) session with the infesting host. An executable, msblast.exe, is downloaded and run. Once running, that file transforms systems into Blaster spewers, which then scan away looking for other machines to infect.
Blaster doesn't carry a destructive payload, but it can crash systems and, at worst, it can cause severe slowdowns on local networks. "It could suck up a massive amount of bandwidth, killing even a fat pipe at a company," Kaplan said.
FOR MORE INFORMATION: