As some antivirus vendors raised their alert rating on a Windows worm that has infected thousands of home and corporate computers, the spreading code continued to take over machines that might be used in an attack on Microsoft.
The worm — referred to as MS Blast, Blaster and LovSan — does not require that users inadvertently launch any executable file for their systems to become infected. By Wednesday, the worm had spread over the Internet to thousands of Windows PCs, millions of which are likely vulnerable, according to experts.
There were reports of network outages and slowdowns, according to antivirus vendor Symantec, which raised its alert level on the worm from three to four on a one-to-five scale early Wednesday.
Meanwhile, the propagating worm has been dropping its payload on vulnerable machines to corral infected computers in a denial-of-service (DoS) attack on the Microsoft Update Web site beginning August 16th.
Steady Spread Stings
Antivirus experts said the worm’s spread was rapid but not particularly fast compared with previous worm outbreaks, such as the Slammer or SoBig worms.
However, the worm managed to cripple some corporate networks and slowed Internet connections to a standstill at some points as it continued to infect machines among the huge pool of potential targets.
Dan Ingevaldson, engineering manager for security firm ISS’s X-Force, told TechNewsWorld that estimates put the number of infected machines between 50,000 and 120,000 early Wednesday.
“We expected a slow burn with this because there were so many hosts that were available,” Ingevaldson said. “We’re definitely going to be dealing with this for quite a while.”
Ingevaldson also said ISS has received information regarding variants of the worm, some of which reportedly dropped back doors — malicious code meant to take over a machine or destroy data.
He said the rumored variants are still under investigation. Variants of the worm might behave differently or carry different payloads.
“Some of the new worms might be modified, or there might be a whole new worm working off the same vulnerability,” he noted.
Symantec Security Response senior director of engineering Al Huger told TechNewsWorld that the worm, which is much simpler than previous spreading worms, such as Code Red or Slammer, mostly targeted corporate systems running Windows 2000.
The worm takes advantage of a vulnerability in all recent versions of Windows, including Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003. Huger said the worm is set to infect Windows XP systems 20 percent of the time and Windows 2000 systems 80 percent of the time.
He said the percentage of targeted machines might curb the worm’s spread among home users — who are expected to be hit hard by the outbreak because of the prevalence of unpatched systems — but it also means more enterprise infections are likely.
Patch, Block, Contain
The worm takes advantage of a vulnerability in the Windows Remote Procedure Call (RPC) interface, which enables remote control of machines. Although a patch was made available for the flaw when Microsoft announced the weakness on July 16th, the sheer number of affected machines means many have been left unprotected.
Application of the patch and use of eradication tools from antivirus vendors are among the steps users can take to defend against or deal with infection, but Gartner research vice president Richard Stiennon told TechNewsWorld that blocking the worm’s chosen path of port 135 probably will be necessary.
“The way to eradicate it is to have every router everywhere block port 135,” Stiennon said. “That’s how the outbreak will be curtailed.”
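Blocking port 135 at the perimeter stops the worm from crossing network boundaries, but hosts already infected inside a segment keep probing their neighbours on TCP/135, and that fan-out is what a defender looks for in firewall logs to find machines to isolate and patch. The following is an added example, not code from the article or from any of the vendors quoted; the log line format, the sample addresses and the fan-out threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article). The format is
# assumed: "<time> ALLOW|DENY proto=<proto> src=<ip>:<port> dst=<ip>:<port>".
# Host 10.0.5.17 probes five different machines on TCP/135 within seconds,
# which is the spreading pattern described for the worm; the other sources
# show ordinary one-to-one traffic.
SAMPLE_LOG = """\
10:01:02 ALLOW proto=TCP src=10.0.5.17:1431 dst=10.0.5.20:135
10:01:02 ALLOW proto=TCP src=10.0.5.17:1432 dst=10.0.5.21:135
10:01:02 DENY proto=TCP src=10.0.5.17:1433 dst=10.0.5.22:135
10:01:03 DENY proto=TCP src=10.0.5.17:1434 dst=10.0.5.23:135
10:01:03 DENY proto=TCP src=10.0.5.17:1435 dst=10.0.5.24:135
10:01:05 ALLOW proto=TCP src=10.0.5.40:2201 dst=10.0.5.20:135
10:01:05 ALLOW proto=TCP src=10.0.5.40:2202 dst=10.0.5.20:445
10:01:06 ALLOW proto=TCP src=10.0.5.41:3300 dst=10.0.5.9:80
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def rpc_fanout(events, port=135):
    """Map each source IP to the set of distinct destinations it contacted on TCP/<port>.

    Both ALLOW and DENY entries count: a denied probe still reveals that the
    source is trying to reach the RPC port on yet another host.
    """
    fan = defaultdict(set)
    for ev in events:
        if ev["proto"] == "TCP" and ev["dport"] == port:
            fan[ev["src"]].add(ev["dst"])
    return fan


def suspected_scanners(events, threshold=3, port=135):
    """Return sources that touched at least `threshold` distinct hosts on TCP/<port>.

    The threshold is an assumed tuning value: legitimate RPC clients talk to a
    handful of servers, while a self-propagating worm walks across many.
    """
    fan = rpc_fanout(events, port)
    return sorted(src for src, dsts in fan.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src in suspected_scanners(evs):
        print(f"isolate and patch {src}: {len(rpc_fanout(evs)[src])} distinct TCP/135 targets")
```

Run against real firewall or router logs, the same logic gives a containment list for the help desk: hosts with high TCP/135 fan-out are the ones to take off the network, patch, and run the vendors' eradication tools on, while the router-level block Stiennon describes keeps them from seeding other segments in the meantime.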
The worm, which delivers a taunting message to Microsoft founder Bill Gates, is set to use the machines it has infected to flood the Windows Update Web site in a DoS attack set to begin this Saturday.
Ingevaldson said that, if successful, the DoS attack might slow uptake of the patch from the Microsoft site. However, he pointed out that the Windows Update site is built for large bandwidth and that Microsoft is likely prepared for the onslaught because the company has had plenty of lead time.
“It’s safe to say we’re looking at every technology and architecture measure we can so customers will experience the same thing on Saturday as they experience any other day,” Microsoft spokesperson Sean Sundwall told TechNewsWorld.