SECURITY

Windows Threat Realized - Blaster Worm Spreads

Although the Blaster worm was designed to propagate without wreaking havoc on systems or data, there is a chance that a variant or copycat might deliver a more damaging payload.


A widely anticipated threat materialized this week as a worm that exploits a Microsoft (Nasdaq: MSFT) Windows flaw began infecting some of the millions of vulnerable machines around the world.

Experts said the relatively simple "Blaster" worm -- also referred to as "LoveSan" -- was spreading at a steady pace Monday but was not infecting machines at the same rate as the earlier Nimda and Slammer worms, which quickly clogged corporate networks during those outbreaks.

While it might be slowing or stifling some corporate networks, the Blaster worm is not carrying a malicious payload to damage machines or data. However, antivirus experts are on the watch for variants of the threat that might be more destructive.

In addition, the worm includes a denial-of-service (DoS) component whereby infected machines will simultaneously flood the Microsoft Windows Update Web site on August 16th, Symantec (Nasdaq: SYMC) Security Response senior director of engineering Al Huger told TechNewsWorld.

"Even with proactive patching, there will be tens of thousands of hosts taking part in that attack," Huger said. "As long as the worm is circulating the Internet, it will be trying a denial-of-service on Windows Update."

Steady Spreader

The worm was expected following last month's announcement by Microsoft of a widespread weakness in Windows' Remote Procedure Call (RPC) protocol. Shortly after the announcement, exploit code was posted online to take advantage of the vulnerability.

Experts estimated hundreds of millions of machines were at risk because the vulnerability was present in all recent versions of Windows -- Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003.

However, the Blaster worm is not having nearly the same impact as earlier worms, likely because of the way it is written. "It's written a great deal more simply than the [other worms]," Huger said. "It's not the Corvette of worms."

Persistent Problem

While Blaster might not be spreading as quickly as Code Red did, Huger predicted it might actually be worse in terms of eradication.

"It will be with us for some time to come," he said. "There are just so many computers vulnerable, and this one is on a larger number of deployed hosts than Code Red was."

He noted that the worm is indeed causing disruptions around the Net. Some enterprise IT shops have reported that internal production systems are unavailable.

Advanced Billing

McAfee vice president Vincent Gullotto, who said there have been no reports of major network outages because of the worm, told TechNewsWorld that the spread might have been tempered by attention paid to the issue before the worm was released.

"The notice has certainly helped it not go as big as it might have," he said.

Symantec's Huger agreed that several potential victims were able to patch their systems -- by blocking port 135, for which the worm scans while looking for new hosts -- prior to being infected. However, he said, there are also many cases of corporations leaving their systems unprotected and thus winding up infected by the worm.

Offensive Offspring

Gullotto said that although the worm was designed to propagate without wreaking havoc on systems or data, there is a chance that a variant or copycat might deliver a more damaging payload. He added that a variant might not be obvious because it likely would have a different name or use a different technique to scan for vulnerable systems.

Huger said there is no question that there will be variants. Whether or not those variants will be designed to damage systems is the key factor.

"I think at this point, people should be concerned with how the children of this worm are going to look," he said.

DoS Delivery

Huger noted that as the worm spreads, it is gathering hosts for the DoS attack that is set for August 16th. Computers infected with the worm will be remotely directed to flood Microsoft's Windows Update with messages, rendering the site inaccessible.

Although the worm has the potential to cause Internet slowdowns, Microsoft would be most significantly affected by the DoS attack.

Still, Huger said, Microsoft probably will be able to mitigate that attack because of the advance warning.
