A fast-spreading new computer worm tries to prevent vulnerable machines seeking protection by attacking a vital update server. The 鈥淏laster鈥 worm has already infected thousands of computers worldwide, security companies say.
The worm, also known as 鈥淟ovsan鈥, exploits a software bug affecting most versions of Microsoft鈥檚 Windows operating system. The bug was revealed on 16 July and Microsoft also released a software fix on the same day.
After infecting a vulnerable computer, the worm is programmed to send a volley of bogus traffic to Microsoft鈥檚 software update service, windowsupdate.com on 16 August. If enough machines are infected this will overwhelm the site, preventing system administrators from using it to download the software patches needed prevent other machines being infected.
Advertisement
鈥淚t鈥檚 an extremely devious trick by Blaster鈥檚 author,鈥 says Graham Cluley, of UK anti-virus company Sophos. 鈥淏laster attempts to knock Microsoft鈥檚 windowsupdate.com website off the internet.鈥
Switch targets
Jonathan Wignall, at the Data and Network Security Research Council, an independent think tank in the UK, says Microsoft could easily defeat the attack by making its software updates available from another of its sites or through a third party site.
Automatic software updating has been suggested as one way to patch software holes promptly, but Wignall warns that the approach used by Blaster could scupper this idea.
鈥淎utomatic updates contact one set of domain names or IP (Internet Protocol) addresses. That makes it easier to build into a worm the means to stop such systems,鈥 he told New Scientist.
Buffer overrun
To exploit the Windows flaw on a vulnerable system, Blaster sends irregular network packets of data that cause a 鈥渂uffer overrun鈥 error. This means the system鈥檚 normal security controls can be bypassed, allowing remote commands to be carried out.
Blaster scans for vulnerable machines via the standard network protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Once a susceptible machine has been located it gains control of the machine and downloads a full executable copy of itself, 鈥渕sblaster.exe鈥, which it starts running. The worm also installs a TFTP (Trivial File Transfer Protocol) server so that it can pass more copies of itself to other hosts.
Some analysts say the worm may not spread as effectively as some other specimens because it relies on TFTP messages, which are automatically blocked by some firewalls.
Traffic spike
But US network security company TruSecure has already reported a fivefold increase in network traffic directed at computer ports associated with the data sent by the worm. Other security companies have issued alerts about the worm, as has the Computer Emergency Response Team (CERT), an organisation funded by the US government.
US company Network Associates says the worm 鈥渋s spreading quickly to thousands of machines around the globe,鈥 based on reports from the company鈥檚 customers.
The SANS Institute, a network administrators training organisation in the US, recommends blocking incoming requests that could come from the worm at a network鈥檚 firewall and physically disconnecting machines thought to have been infected.
The worm鈥檚 code also includes a brief insult aimed at Bill Gates, founder and chief software architect at Microsoft. The offending message says: 鈥渂illy gates why do you make this possible? Stop making money and fix your software!!鈥