Microsoft avoids Blaster's bite

Edward Hurley, SearchSecurity.com News Writer

Microsoft avoided a potentially damaging distributed denial-of-service (DDoS) attack by the Blaster worm over the weekend.

Microsoft reported no major traffic spikes associated with Blaster. The attack was unlikely to have much effect in any case, because the company took preventive measures late last week.

Blaster was programmed to begin flooding Microsoft's patch update site with TCP connection requests (SYN packets) on Aug. 16. Microsoft, however, turned a flaw in the worm to its advantage. Blaster aims its DDoS attack at an old hostname for the update site, windowsupdate.com, which Microsoft had been using only to redirect customers to the current URL, http://windowsupdate.microsoft.com. On Thursday the company stopped the redirection and took the old hostname out of service, so the worm's attack was aimed at a dead name rather than at the live update servers. The HTTP redirect by itself would not have helped: a SYN flood never gets as far as an HTTP response, so what matters is only which address, if any, the name resolves to.

Microsoft compensated for the lost redirect with plenty of links to the patch on its homepage. The worm, also called Lovsan and MSBlaster, emerged Aug. 11. It exploits the DCOM RPC vulnerability (MS03-026) in Windows XP and Windows 2000 machines.

Blaster's method of attack was a little savvier than that of past worms that launched DDoS attacks. Code Red in 2001, for example, targeted the White House Web site, but its author hard-coded the site's IP address, so heading off the attack was as simple as moving the site to a new IP. Blaster instead carries a domain name and resolves it when it attacks, so as long as the name resolved in DNS, the flood would follow the site to whatever address it was moved to. The only way to make such a worm miss is to make the name itself stop resolving.
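The difference between an IP-coded and a name-coded target, worked through as an added illustration (this is not code from the article, nor from the worm; the "worm" is a target spec plus a resolver, the "internet" is a dict standing in for DNS, and the IP addresses are RFC 5737 documentation addresses chosen for the example):

```python
"""Why a hostname-targeted DDoS is harder to dodge than an IP-targeted one.

Added illustration, not code from the article or from Blaster itself.
The two hostnames are the ones the article names; every IP below is a
constructed RFC 5737 documentation address.
"""
from dataclasses import dataclass
from typing import Optional

OLD_NAME = "windowsupdate.com"            # the name Blaster carries
NEW_NAME = "windowsupdate.microsoft.com"  # where customers were redirected


@dataclass
class WormTarget:
    kind: str    # "ip" (Code Red style) or "name" (Blaster style)
    value: str


def resolve(target: WormTarget, dns: dict) -> Optional[str]:
    """Address the flood will be sent to, or None if the worm gets no answer.

    A SYN flood works below HTTP, so an HTTP redirect on the old site is
    never seen by the worm; only the DNS answer for the name matters.
    """
    if target.kind == "ip":
        return target.value
    return dns.get(target.value)


def flood_hits_service(target: WormTarget, dns: dict, service_ips: set) -> bool:
    """True if the worm's flood lands on one of the live service addresses."""
    ip = resolve(target, dns)
    return ip is not None and ip in service_ips


def run_scenarios() -> dict:
    """Walk both worm styles through the two countermeasures the article contrasts."""
    old_ip, new_ip, moved_ip = "192.0.2.10", "192.0.2.20", "192.0.2.11"
    dns = {OLD_NAME: old_ip, NEW_NAME: new_ip}
    service = {old_ip, new_ip}          # old host only redirects, but it is still live
    ip_worm = WormTarget("ip", old_ip)
    name_worm = WormTarget("name", OLD_NAME)
    out = {}

    out["ip_worm_hits_before"] = flood_hits_service(ip_worm, dns, service)
    out["name_worm_hits_before"] = flood_hits_service(name_worm, dns, service)

    # Code Red-era countermeasure: renumber the host and update DNS to match.
    service = {moved_ip, new_ip}
    dns[OLD_NAME] = moved_ip
    out["ip_worm_hits_after_renumber"] = flood_hits_service(ip_worm, dns, service)
    out["name_worm_hits_after_renumber"] = flood_hits_service(name_worm, dns, service)

    # Blaster-era countermeasure: let the old name stop resolving entirely.
    del dns[OLD_NAME]
    out["name_worm_hits_after_name_dropped"] = flood_hits_service(name_worm, dns, service)
    out["old_name_still_works_for_customers"] = OLD_NAME in dns
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Renumbering defeats the hard-coded worm but the name-following worm simply comes along to the new address; dropping the name stops it, at the cost that the old URL no longer works for anyone, which is why the homepage links mattered.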

The potential scope of the attack was huge.

Experts estimated that as many as 1.4 million systems were infected by Blaster, and it is entirely plausible that many of them were still infected as of Saturday.

One side effect of the DDoS attack will take a little longer to ascertain: the load that attacking machines put on their own local networks. The worm starts its attack when the infected system's own clock reads Aug. 16, so every machine still infected over the weekend began trying to attack, and that outbound traffic could eat up a company's bandwidth. "It would only take 30 or 40 infected machines to seriously congest a T1 line," said Ted Julian, chief strategist and co-founder of Arbor Networks Inc.
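Spotting the machines that have started attacking from inside the network, as an added example (not code from the article or from any vendor's product): it reads flow records in a hypothetical "timestamp src -> dst:port flags" format constructed for the example, counts bare SYNs per source host per second, and flags hosts whose peak rate to the target port is far beyond what a browser produces. It assumes the source addresses seen at the egress are accurate, and the threshold and the per-host packet figures fed to the bandwidth estimate are assumptions, since the article gives none of them.

```python
"""Spotting Blaster-style attack traffic at a site's egress.

Added illustration, not from the article or from any product. Log lines
are constructed in a hypothetical "timestamp src -> dst:port flags" format
(real flow exports differ); addresses are RFC 1918 / RFC 5737 examples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\w+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport, flags), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["dport"]), m["flags"])


def peak_syn_rate(lines, dport=80):
    """Per source host: the most bare SYNs (flags 'S' only) sent to dport in any
    one-second bucket. A flood is bare SYNs; real sessions show other flags."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, port, flags = rec
        if port == dport and flags == "S":
            per_src[src][ts.replace(microsecond=0)] += 1
    return {src: max(buckets.values()) for src, buckets in per_src.items()}


def flag_flooders(lines, threshold=20, dport=80):
    """Hosts whose peak SYN rate to dport meets the threshold. A browser opens a
    handful of connections per second; a worm flooding one site opens tens.
    The threshold is an assumed tuning knob, not a figure from the article."""
    return sorted(src for src, rate in peak_syn_rate(lines, dport).items()
                  if rate >= threshold)


def link_fraction(hosts, packets_per_sec, bytes_per_packet, link_bps):
    """Share of a link consumed by `hosts` flooders. All four inputs are
    assumptions supplied by the caller."""
    return hosts * packets_per_sec * bytes_per_packet * 8 / link_bps


def constructed_log():
    """Constructed sample: one infected host (10.0.0.5) sending 50 SYN/s to the
    target's port 80, one host browsing normally, one host busy on port 443."""
    t0 = datetime(2003, 8, 16, 0, 0, 0)
    lines = []
    for i in range(50):                                  # the flooder
        ts = t0 + timedelta(milliseconds=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> 192.0.2.10:80 S")
    for i in range(3):                                   # a normal web visit
        ts = t0 + timedelta(milliseconds=300 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 -> 192.0.2.10:80 S")
        ack = ts + timedelta(milliseconds=40)
        lines.append(f"{ack.isoformat()} 10.0.0.9 -> 192.0.2.10:80 A")
    for i in range(60):                                  # many SYNs, other port
        ts = t0 + timedelta(milliseconds=10 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> 192.0.2.30:443 S")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    print("flooders on port 80:", flag_flooders(constructed_log()))
    share = link_fraction(40, 50, 60, 1_544_000)   # assumed per-host figures, T1 rate
    print(f"40 such hosts would take about {share:.0%} of a T1")
```

With the assumed figures (40 hosts, 50 packets per second each, 60 bytes per frame) the estimate lands in the same region as the quoted congestion claim, but the numbers to trust are the ones measured on your own egress.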

If history is any guide, other worms will come along that exploit the same RPC vulnerability. A Code Red variant, for example, surfaced in March, almost two years after the original worm struck. The only real way to wipe Blaster out is for all users of susceptible systems to patch, which is no small task given the millions of systems affected. "I think it will take a year or more to get the word out to people," said David Perry, global director of education for antivirus software vendor Trend Micro Inc.
