Information Security News: Microsoft: 'Blaster' Virus Looks Like Dud

[InfoSec News <isn () c4i org>]

http://www.washingtonpost.com/wp-dyn/articles/A5774-2003Aug17.html

By Helen Jung
The Associated Press
Sunday, August 17, 2003

SEATTLE - The second wave of an Internet attack by the "blaster" worm 
barely caused a ripple Saturday.

Microsoft Corp. said it had no major problems from the worm's attempt 
to turn thousands of infected computers into instruments targeting the 
software company's Web site and network.

The Redmond-based company had not noticed any extraordinary network 
congestion, spokesman Sean Sundwall said. There were also no reports 
of customers having major problems accessing the targeted Web site, 
which houses a software patch that fixes the flaw exploited by the 
worm.

"So far we have seen no impact on our Web sites or any other Web sites 
due to the 'blaster' worm," Sundwall said.

Still, he urged people to take precautions to protect their computers.

The virus-like infection, also dubbed "LovSan" or "MSBlast," exploits 
a flaw in most current versions of Microsoft's Windows operating 
system for personal computers, laptops and server computers. Although 
Microsoft posted a software patch to fix the flaw July 16, many users 
failed to download it, leaving them vulnerable.

As of Saturday afternoon, the worm had infected more than 423,000 
computers around the world since Monday, according to security firm 
Symantec Corp.

Of those, about 50,000 were affected on Saturday, said Mike Bradsaw, a 
Symantec spokesman.

The infection caused computers to reboot frequently or disrupted 
users' browsing on the Internet. But it also packed a second punch.

Computer experts said starting at 12:01 a.m. local time Saturday, 
infected computers that have not cleaned up the virus would in effect 
turn into a legion of zombies instructed to repeatedly call up a 
Microsoft Web site that houses the software patch. If enough traffic 
flooded the network, the site could be rendered unreachable and 
computer users would be unable to access the patch.

But the exploiters of the Microsoft flaw made a mistake themselves. 
The worm instructed computers to call up http://windowsupdate.com - 
which is an incorrect address for reaching the actual Microsoft Web 
site that houses the software patch. Although Microsoft has long 
redirected those who visited that incorrect address to the real site - 
http://windowsupdate.microsoft.com - the company disabled the 
automatic redirection Thursday in preparation for the onslaught of 
infected computers.

That has helped Microsoft's real Web site stay accessible to users, 
Sundwall said. The company was taking other measures to keep its site 
up and running, he said. He declined to give specifics.

Vincent Weafer, senior director of security response for Symantec, 
warned that Microsoft's network and others across the country could 
see a slowdown in Internet traffic simply from the volume of activity 
the worm is expected to generate from its legion of infected 
computers.

But that slowdown didn't happen, Weafer said Saturday.

The rate of new infections has slowed in recent days, he said, though 
computer users who still have not downloaded the patch need to do so. 
He said the company expects new infections to continue for as long as 
two years.

The worm left behind a love note on vulnerable computers: "I just want 
to say LOVE YOU SAN!" It also carried a hidden message to taunt 
Microsoft's chairman: "billy gates why do you make this possible? Stop 
making money and fix your software!"

On the Net:
http://windowsupdate.microsoft.com



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.