UPDATE: New worm poised to unleash hell on MS

A worm that takes advantage of what some security experts describe as the most widespread Windows flaw ever has started spreading, while new analysis has uncovered a time bomb in the worm's code poised to unleash a furious denial of service attack at Microsoft itself.

Dubbed "MSBlast" by its author, the worm is spreading quickly, according to an initial analysis posted to the Internet Storm Center, a digital threat-tracking site. However, the worm doesn't just target Internet users; it also takes dead aim at Microsoft's windowsupdate.com Web site, where users download the latest security patches for the company's operating systems.

The 'time bomb' in the worm's code, discovered by anti-virus and security researchers, will turn every infected system into a DoS agent on 16 August, this Saturday. The systems will begin sending random strings of data to the windowsupdate.com Web site in an attempt to knock it offline. If the DoS attack is successful, administrators will be unable to patch their systems against the vulnerability exploited by MSBlast.

The worm also contains anti-Microsoft messages in its code: "billy gates why do you make this possible?" the second part of the message says. "Stop making money and fix your software!!"

Ever since mid-July, when Microsoft announced a vulnerability in a widespread component of Windows, security experts have been waiting for some online vandal to create a worm that takes advantage of it.

"[MSBlast] is pretty widespread," said Johannes Ullrich, chief technology officer for the storm centre. "It is sort of getting to the point where it is causing some slowdown."

Some system administrators posting to a mailing list run by the North American Network Operators' Group, a popular forum for engineers who maintain large networks, believe that as much as 10 percent of the data coming into their networks has been created by the worm.

Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability.

MSBlast installs a Trivial File Transfer Protocol (tftp) server and runs the program to download its own code onto the compromised machine. It also adds a registry key to ensure that the worm is restarted when the host computer is rebooted.
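The scanning and tftp behaviour described in the two paragraphs above leaves a recognisable trace in perimeter logs. The following detector is an added example (not from the article or any vendor tool): it flags sources that probe consecutive destination addresses in order, then lists hosts that opened a tftp transfer back to such a source. The log format is constructed, and the port numbers 135 (RPC) and 69 (tftp) are assumptions, since the article names the services but not the ports.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample firewall log, one record per line: "time src dst dport action".
# Ports 135 (RPC endpoint mapper) and 69 (TFTP) are assumptions; the article
# names RPC and tftp but gives no port numbers.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 198.51.100.10 135 DROP
10:00:01 203.0.113.7 198.51.100.11 135 DROP
10:00:01 203.0.113.7 198.51.100.12 135 DROP
10:00:02 203.0.113.7 198.51.100.13 135 ALLOW
10:00:03 198.51.100.13 203.0.113.7 69 ALLOW
10:00:05 192.0.2.44 198.51.100.20 80 ALLOW
10:00:06 192.0.2.44 198.51.100.10 443 ALLOW
10:00:07 192.0.2.44 198.51.100.11 80 ALLOW
"""
RPC_PORT = 135
TFTP_PORT = 69

def parse(log):
    """Split each record into (time, src, dst, dport, action)."""
    rows = []
    for line in log.splitlines():
        t, src, dst, dport, action = line.split()
        rows.append((t, src, dst, int(dport), action))
    return rows

def sequential_scanners(rows, port=RPC_PORT, min_run=3):
    """Sources that probe `port` on at least `min_run` consecutive addresses.
    A worm walking the address space in order leaves dst, dst+1, dst+2, ...
    in the log; ordinary clients do not."""
    per_src = defaultdict(list)
    for _, src, dst, dport, _ in rows:
        if dport == port:
            per_src[src].append(int(ip_address(dst)))
    flagged = set()
    for src, dsts in per_src.items():
        run = 1
        for prev, cur in zip(dsts, dsts[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(src)
                break
    return flagged

def tftp_fetches_from_scanner(rows, scanners, port=TFTP_PORT):
    """Hosts that opened TFTP back to a flagged scanner: a freshly exploited
    machine pulling the worm body, as the article describes."""
    return {src for _, src, dst, dport, _ in rows if dport == port and dst in scanners}
```

Hosts returned by the second function are the ones to isolate and patch first; the first function's output is the list of already-infected sources to block at the border.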

The worm attacks Windows computers via a hole in the operating system that Microsoft warned of on 16 July. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted to several security lists a program designed to let an intruder break into Windows computers. The Windows flaw has been characterised by some security experts as the most widespread ever found in Microsoft's OS.

The flaw is in a component of the OS that lets other computers request that the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant the attacker full access.

The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program.

Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.

Slammer spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be cancelled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.

Patrick Gray contributed to this report.

Talkback 8 comments

    I feel sorry for those users t ...Anonymous -- 12/08/03

    I feel sorry for those users that have to run Windows OS. They seem to suffer so much at the hands of bad programming and virus/worm writers. To compound the problem more, suffering users have to patch and/or buy 3rd party virus software.

    I see, on average, two viruses pass through my mail client every day but it does not worry me. I even open them up and look at the attached virus executable.

    Why am I not worried? Because I run a Mozilla mail client on Linux (Slackware 9.0). They cannot be affected by the attached virus. If they were, they would be contained very quickly.

    So, you may have noticed, it doesn't have to be this way, there are alternatives to the Windows cycle.

    Kevin's comments are valid. Li ...Ben Aylett -- 13/08/03

    Kevin's comments are valid. Linux and variants are pretty much untouched by the latest 'popular' threat but as a Linux/Windows user myself I also know that Linux is also short on security.
    This is akin to blaming Ford (or Holden) for making one car more prone to fatal accidents than the other.
    It comes down to maintenance. The facility is there to get your system patched automatically. It comes down to the nut behind the wheel.
    This flaw has been published and we have had time to update our systems.
    I only hope we get this patched before the deadline.

    I don't understand who they th ...Anonymous -- 13/08/03

    I don't understand who they think they're hurting by spreading this worm. It's unfortunate that there is a flaw in Windows, but this virus isn't getting back at Bill Gates. It's hurting students like me who can barely afford a computer, but have to have it for school work. If my computer crashes, I won't be able to replace it. I had no idea I was vulnerable to this just by using Windows. I'm not an advocate of MS, I'm just a poor student who is trying to get through school.

    I just wonder whats the point ...Al Somaton -- 13/08/03

    I just wonder what's the point of these close-minded programmers making such a worm.

    People who try to say Linux is better in security are wrong. The fact is that maybe 60% of computers are Windows operated, while just 205 are using Linux, so it's natural that most worms and viruses and trojans are targeted toward Windows-based PCs.

    So think about it: if 60% or 50% of PCs were running Linux, then you'd find out how many security problems Linux really has.

    Besides all this, acts like making such worms are something that hurt regular people, not the MS company.

    So the whole target behind these acts is sick and stupid.

    I have the answer. MS Should s ...Anonymous -- 14/08/03

    I have the answer.
    MS should stop treating an internet connection as a network connection. Restricting an internet connection to be only that would help MS prevent many of these attacks, which are mostly network based.

    An internet connection does not need all the functionality of a network connection; only the protocols needed to send and receive data should be used. RPC should not be available to an internet connection (what would be its purpose?), and this goes for any other service that is not required by the internet.

    MS needs to go back to the early 90's. I used MS3.11 to connect to the internet, and its limitations served me well; now with XP and WIN2K3, MS has just left doors open everywhere.

    Simply fixed: just make an internet connection totally independent of a network connection. People who need to share the internet over a network will have to enable it as a service.

    These doors MS is leaving open should be closed unless a user needs them open. This will help reduce the spread of these types of worms; you can only stop them if you know where they can get in.

    Me, I turn off all non-essential services in XP. There are about 13 which the normal user does not require, and which could leave the system open for these types of attacks. If I could turn off RPC I would, but it has other services which cannot be turned off.

    MS, we don't need all these services and protocols just to browse the internet. Separate an internet connection from a network connection for the general user, and these attacks wouldn't happen.

    I never saw such things when I was using Win3.11 for my internet.

    The only really secure OS is M ...Neil -- 15/08/03

    The only really secure OS is Mac OS X. Windows is full of holes that are patched by band-aids; they should bite the bullet and design a completely new operating system like Apple did. It's only partly true that Windows is targeted because the majority of people use it; it's just too damn easy to write viruses for it. Even a 12-year-old child could write a Windows virus.

    Thanks for the info on MSBlast ...Anonymous -- 16/08/03

    Thanks for the info on MSBlast. My home computer was infected and I was able to get rid of it. One thing, though, that I haven't heard anyone talk about is that I was on-line early this week and my phone rang... which was impossible because I was on-line (I don't have a dedicated computer line). I think that's when the worm got in. Have you heard anything like this from anyone else?