Malware writers have spawned multiple variants of the Blaster worm, the most dangerous of which installs a remote-access Trojan on infected systems.
"This attack is similar in magnitude to Code Red and Nimda, but its ramifications are much greater because it targets a wide range of Microsoft OSes instead of just Web servers -- the number of systems that could potentially be infected is much greater," said Forrester analyst Michael Rasmussen. "We could have some ramifications on this extending into weeks as road warriors connect to the corporate network or come into the office with infected machines."
Antivirus experts say that script-kiddies modified W32.Blaster.A to create two new variants: .B, which installs a remote-access Trojan and is packed using FSG, and .C, which is similar to the original worm and is packed with UPX. It's difficult to identify whether the variants were created by the same worm writer.
"There is nothing in the code, such as comments, to tell us either way," said Vincent Gullotto, vice president of McAfee AVERT.
And more variants are predicted -- with potentially damaging payloads.
"We will see many more modifications; the bad guys will most likely try to drop undetected backdoors so they will have another way in even after the patches have been applied," said Bruce Hughes, director of malicious code research at TruSecure/ICSA Labs.
Some may question the logic of writing new variants while users are patching and blocking TCP port 135, the RPC port Blaster-A uses to spread, in order to contain the original worm.
"It's still not completely under control. It will be another 24 hours before we see it drop 80% or so from its peak," Gullotto said.
Almost two years after Code Red struck, variants of it were still being released despite the limited pool of systems left to infect: the vast majority of users had patched. That network worm targeted Microsoft's IIS Web servers, whose numbers are dwarfed by the desktops and servers that have the RPC flaw.
"Pretty much the entire world will have to run the update to Windows XP and 2000," said David Perry, global director of education for antivirus software vendor Trend Micro. "I think it will take a year or more to get the word out to people."
Computer Economics estimates that Blaster-A has already caused $500 million in damages and lost productivity globally and $100 million in the U.S.
The Blaster network worm, also called MSBlast and Lovsan, exploits the DCOM RPC vulnerability in Windows NT/2000/XP/Server 2003 that Microsoft patched in security bulletin MS03-026, though not all versions are susceptible to infection.
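Blocking port 135 at the perimeter does nothing for the laptops Rasmussen mentions that are carried into the office already infected, so the practical check is to watch internal traffic for the worm's propagation pattern: one host opening connections to many distinct addresses on TCP/135 in a short time. The script below is an added example, not code from the article or from any vendor quoted in it. The log line format, the host addresses, the ten-target threshold and the sixty-second window are all assumptions constructed for the example; real firewall logs will need their own regex.

```python
"""Flag hosts that behave like Blaster on the inside of the network:
many distinct destinations on TCP/135 from one source within a short window.
Added example; the log format and thresholds are assumptions, not the
article's own data."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed firewall log format (constructed for this example, not any product's):
#   "<ISO timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.1.2.7 talks RPC to one domain controller (normal),
# 10.1.2.9 touches three hosts on 135 over twenty minutes (not a worm),
# 10.1.2.50 sweeps twelve consecutive addresses on 135 in twelve seconds.
SAMPLE_LOG = """\
2003-08-12T09:10:00 ALLOW TCP 10.1.2.9:1030 -> 10.1.0.10:135
2003-08-12T09:15:01 ALLOW TCP 10.1.2.7:1044 -> 10.1.0.10:135
2003-08-12T09:15:03 ALLOW TCP 10.1.2.7:1045 -> 10.1.0.10:135
2003-08-12T09:15:04 ALLOW TCP 10.1.2.7:1046 -> 10.1.0.20:80
2003-08-12T09:16:00 DENY TCP 10.1.2.50:1100 -> 10.1.3.1:135
2003-08-12T09:16:01 DENY TCP 10.1.2.50:1101 -> 10.1.3.2:135
2003-08-12T09:16:02 DENY TCP 10.1.2.50:1102 -> 10.1.3.3:135
2003-08-12T09:16:03 DENY TCP 10.1.2.50:1103 -> 10.1.3.4:135
2003-08-12T09:16:04 DENY TCP 10.1.2.50:1104 -> 10.1.3.5:135
2003-08-12T09:16:05 DENY TCP 10.1.2.50:1105 -> 10.1.3.6:135
2003-08-12T09:16:06 DENY TCP 10.1.2.50:1106 -> 10.1.3.7:135
2003-08-12T09:16:07 DENY TCP 10.1.2.50:1107 -> 10.1.3.8:135
2003-08-12T09:16:08 DENY TCP 10.1.2.50:1108 -> 10.1.3.9:135
2003-08-12T09:16:09 DENY TCP 10.1.2.50:1109 -> 10.1.3.10:135
2003-08-12T09:16:10 DENY TCP 10.1.2.50:1110 -> 10.1.3.11:135
2003-08-12T09:16:11 DENY TCP 10.1.2.50:1111 -> 10.1.3.12:135
2003-08-12T09:20:00 ALLOW TCP 10.1.2.9:1031 -> 10.1.0.11:135
2003-08-12T09:30:00 ALLOW TCP 10.1.2.9:1032 -> 10.1.0.12:135
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_rpc_scanners(lines, port=135, min_targets=10, window_seconds=60):
    """Return {src: peak_distinct_targets} for every source that reached at
    least min_targets distinct hosts on `port` inside any window_seconds span.
    Both the ALLOW and DENY lines count: a denied attempt is still a scan."""
    events = [e for e in map(parse_line, lines) if e and e["dport"] == port]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((e["ts"], e["dst"]))

    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        best, start = 0, 0
        # Sliding window over this source's attempts, ordered by time.
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_rpc_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct hosts on TCP/135 within 60s, likely infected")
```

A host that legitimately uses RPC, such as a workstation talking to its domain controller, touches one or two addresses on 135 and stays far below the threshold; a worm sweeping an address range crosses it in seconds. Tune `min_targets` and `window_seconds` to the size of the segment being watched, and feed the function the raw lines from whatever log source covers internal traffic, since edge-only logs will never see an infected laptop scanning its own subnet.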