Users of Windows systems still unpatched against the RPC vulnerability who have made it through this week without catching the Blaster worm shouldn't get cocky. Two variants of the worm are in the wild, and more may be forthcoming.
The variants aren't all that different from Blaster-A, with the exception of Blaster-B, which carries a remote-access Trojan. Each variant is also packed with a different executable-packing utility. Researchers aren't sure whether the same author wrote all three or whether a copycat created the variants.
The variants pose the same damage threats as the original worm, antivirus experts said.
Some might wonder why worm writers would spend their time writing variants that target the same vulnerability as a waning worm. It sounds like running a con that the public has already been warned about repeatedly.
"Whether a worm spreads is not so much a technical issue," said Graham Cluley, senior technology consultant at Sophos PLC. "It really is a game of Russian roulette. A worm gets lucky or not."
Following that logic, Blaster-A, the first worm, was pretty darn lucky. Reports are beginning to filter out about whom it hit. J.C. Penney Co. was infected Wednesday morning and a 3M Corp. plant in Minnesota had to be shut down because of the worm.
No one can say definitively how much damage the worm actually caused. Computer Economics estimates the damages thus far at $500 million, and RedSiren pegs it at about $320 million. Those figures reflect lost productivity and downtime for organizations. The worm carries no payload that deliberately damages systems, but the exploit it uses can crash the RPC service on the machines it hits, and its scanning traffic makes networks lag.
One of its variants drops a backdoor Trojan into systems when infecting them. "It's just a standard backdoor Trojan with a couple of twists," said Vincent Gullotto, vice president of McAfee AVERT. Researchers are still trying to figure out the exact purpose of such a move.
There is no way to tell whether the same author is responsible for Blaster and its variants. Others may have written the new worms to "ride on the coattails of Blaster-A," Gullotto said. The writers may also try to send the worm using a different attack vector, namely by sending it as an attachment to an e-mail. Because "a lot of companies are blocking port 135, [authors] need a different mechanism to deliver the worm," he said.
Moreover, some users may think updating their antivirus signatures will be enough to protect them. Signatures only catch the variants that have already been analyzed, though; only patching the RPC vulnerability itself closes the hole that Blaster and all of its descendants exploit, experts say. Blocking port 135 at the perimeter buys time but is not a substitute for the patch.
Blaster's big trick is that it tries to prevent people from patching systems: infected machines are programmed to launch a distributed denial-of-service attack on Microsoft's patch update page. The attack is set to start on Aug. 16, but even before then users may see slow response from the site as many people finally get around to patching. "The denial-of-service attack has already begun in a way, as people go to the site to get the patch," Cluley said.
Yet experts stress the DDoS attack encoded in Blaster-A is limited to one page on Microsoft's site. "The key is to keep things in proportion; the Internet is not going to melt down," Cluley said. "There will be other places to get the patch if there are any problems. People don't need to worry."
There is another side to the DDoS attack. Companies that are infected may experience network performance issues as systems launch the attack, said Ted Julian, chief strategist and co-founder of Arbor Networks. Companies need to ascertain whether they have the worm. They may also want to take some proactive steps, such as shutting down the ports used by the attack. "It would only take 30 or 40 infected machines to seriously congest a T1 line," he said.
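The article says infected companies need to find out whether they have the worm and warns that a few dozen infected machines can saturate a link. The two network behaviours it describes, probing TCP port 135 on many hosts to spread and flooding the patch site, both show up in ordinary flow logs. The Python below is an added example, not code from the article or from any of the vendors quoted: it runs both checks over constructed flow records. Port 135 is the propagation port the article names; the assumption that the DDoS is a SYN flood to TCP port 80, the flow-log format, the sample addresses and the thresholds are all assumptions made for the example.

```python
"""Flag hosts whose outbound flows look like Blaster-style worm activity.

Two checks, both taken from behaviour described in the article:
  1. propagation: one source sending SYNs to TCP/135 on many distinct hosts
  2. DDoS: one source sending a burst of SYN-only flows to TCP/80 of one host
Log format ("ts src dst dport flags"), thresholds and addresses are assumptions.
"""
from collections import defaultdict


def build_sample_flows():
    """Constructed sample data for the example (not captured traffic)."""
    lines = []
    # 10.0.0.7 is the "infected" host: it probes TCP/135 on 30 neighbours
    # at second 1000, then sends 50 SYNs to the "update site" in second 1001.
    for i in range(30):
        lines.append(f"1000 10.0.0.7 10.0.1.{i + 1} 135 S")
    for _ in range(50):
        lines.append("1001 10.0.0.7 203.0.113.10 80 S")
    # 10.0.0.9 is a clean host browsing a few sites: handshakes complete ("SA").
    for i in range(5):
        lines.append(f"1000 10.0.0.9 198.51.100.{i + 1} 80 SA")
    # 10.0.0.12 makes one legitimate RPC endpoint-mapper connection to a server.
    lines.append("1002 10.0.0.12 10.0.0.200 135 SA")
    return "\n".join(lines)


def parse_flows(text):
    """Parse one flow per line: ts(seconds) src dst dport flags."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = line.split()
        records.append(
            {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flags}
        )
    return records


def find_rpc_scanners(records, min_targets=20):
    """Sources that opened TCP/135 against at least min_targets distinct hosts.

    Returns {src: number_of_distinct_targets}. One or two RPC connections are
    normal on a Windows network; dozens of distinct targets in a short time are not.
    """
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == 135 and "S" in r["flags"]:
            targets[r["src"]].add(r["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_syn_flooders(records, target_port=80, window=1, min_syns=40):
    """(src, dst) pairs with at least min_syns half-open flows in one window.

    Only flows whose flags are exactly "S" count: a real web session completes
    the handshake ("SA"), a flood does not. Returns {(src, dst): max_count}.
    """
    counts = defaultdict(int)
    for r in records:
        if r["dport"] == target_port and r["flags"] == "S":
            counts[(r["src"], r["dst"], r["ts"] // window)] += 1
    flooders = {}
    for (src, dst, _w), n in counts.items():
        if n >= min_syns:
            flooders[(src, dst)] = max(n, flooders.get((src, dst), 0))
    return flooders


def suspect_hosts(records):
    """Union of hosts flagged by either check, for a quick triage list."""
    hosts = set(find_rpc_scanners(records))
    hosts.update(src for src, _dst in find_syn_flooders(records))
    return sorted(hosts)


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("TCP/135 scanners:", find_rpc_scanners(flows))
    print("SYN flooders:", find_syn_flooders(flows))
    print("hosts to isolate and check:", suspect_hosts(flows))
```

Run against real data, the same two functions would take the exporter's flow records instead of the constructed ones; the thresholds should be tuned to the network, since a domain controller legitimately talks to many hosts on port 135 and would need to be excluded from the scanner check.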