MSBlast Worm Spreading Fast

MSBlast is quickly spreading across the Internet, and security experts warn that it's already infected roughly 57,000 vulnerable systems running popular Windows operating systems.

George V. Hulme, Contributor

August 11, 2003


Security vendors have raised their alerts concerning the newly discovered MSBlast worm, which started actively spreading Monday afternoon. Reports on various security mailing lists about the worm began surfacing about 3 p.m. EDT Monday.

Internet performance-monitoring company Keynote Systems Inc. issued a statement Monday evening saying its Internet Health Monitor observed "massive packet-loss problems." According to the statement, when measuring Internet traffic from services provider Level 3 Communications Inc. in San Diego to Sprint's services in Boston or New York, latency was consistently about 3 seconds and reached 9 seconds about 30% of the time. According to Keynote, normal Internet latency from these two points would be 95 milliseconds. "Under these network conditions, Web-page downloads will typically time out," Keynote said in its statement.

Keynote said it can't confirm that the Internet slowdown can be directly attributed to the MSBlast worm, but the timing of the latency closely coincides with reports of the worm's surfacing.

Security experts have been predicting that a worm would appear since July 16, the day Microsoft announced a vulnerability in its Distributed Component Object Service (DCOM) in its Remote Procedure Call (RPC) interface. The vulnerability affects Windows NT 4.0, 2000, XP, and Windows Server 2003.

"That's just too large of a target pool for them [virus writers] to ignore," said Russ Cooper, surgeon general of the security services firm TruSecure Corp. and editor of the security mailing list NTBugtraq, in an interview late last month.

The Department of Homeland Security issued an alert on July 30 warning of a potentially significant impact on Internet operations as a result of the flaw in Microsoft operating systems.

Security vendor Symantec Corp. is reporting that its DeepSight Threat Management System has spotted more than 57,000 systems that have been infected with MSBlaster and are launching probes against port 135 to infect other vulnerable systems. Symantec estimates that this worm is spreading at a rate of about 20% that of the Slammer worm, which struck in January and infected all of its targeted and vulnerable systems in less than 15 minutes.

According to Lurhq Corp., which says it has obtained a copy of the worm, MSBlast is designed to launch a denial-of-service attack, specifically a SYN flood, against Microsoft's Windowsupdate.com Web site on Aug. 16.

Joe Stewart, senior security researcher at Lurhq, says the research on MSBlast is still preliminary, but the security firm believes that the worm doesn't have any payload other than the Microsoft denial-of-service attack.

Security vendor Internet Security Systems Inc. says successful worm outbreaks have been known to significantly diminish corporate networks and cause widespread denial-of-service interruptions as the worm tries to replicate itself.

Reports from several security vendors indicate that failed attempts by MSBlaster to replicate itself are also causing systems to crash.

"Until this afternoon [Monday], most of the activity we saw was exploits being used for Internet relay chat distributed denial-of-service bots," Stewart says. "This is the first worm that attacks this RPC vulnerability."

Lurhq says it has seen scanning for vulnerable systems increase more than 300% since Sunday. "And scanning activity was already high," Stewart adds. He says the worm, MSBlast.exe, is about 6 Kbytes in size and takes about 20 seconds to infect a vulnerable system and begin scanning for new systems to infect.

Because this worm is attacking a vulnerability found in Windows NT 4.0, 2000, XP, and Windows Server 2003, security experts believe there will be no shortage of unpatched and at-risk systems. "It could easily be over a million," Stewart says.

Within the code of the worm is the following statement: "billy gates why do you make this possible? Stop making money and fix your software!!"

All users--consumers, small businesses, and large companies--are being urged to patch vulnerable systems if they haven't already done so.

Information on the Microsoft vulnerability the worm attacks is available here.

More information on the Microsoft vulnerability and how to secure systems is also available from the CERT Coordination Center.

About the Author

George V. Hulme

Contributor

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.
