Global M$ worm again

Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Global M$ worm again

Post by Red Squirrel »

Go M$!!! :lol:



August 12, 2003
Worm Blasts Windows Users Worldwide
By Mark Berniker

A new worm is spreading rapidly across the Internet, and experts warn that it may already have latched onto hundreds of thousands of computers, with more sure to be infected.

The 'Blaster' worm, also referred to as the 'Lovesan' or 'MSBlaster' worm, takes advantage of a vulnerability in Microsoft's Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, widely publicized in July as the first 'critical' vulnerability in Microsoft's new Windows Server 2003 operating system, though it also affects Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, and Windows XP.

In addition to opening the door for remote code execution on infected systems, the worm probes for additional computers to infect and orchestrates a denial of service (DoS) attack on windowsupdate.com, the very site that hosts the patches for the vulnerability.

"An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system as an Administrator, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges," security firm Global Hauri said Tuesday.

Text found within the worm's code seems to speak directly to Microsoft Chairman and Chief Software Architect Bill Gates: "Billy Gates why do you make this possible? Stop making money and fix your software!"

Just weeks after Microsoft published its security advisory, the U.S. Department of Homeland Security (DHS) joined its voice to the chorus of security experts asking those running the vulnerable operating systems to apply patches, because the flaw represented an "enormous threat."

At the time, the DHS confirmed the worst in its own advisory, warning that "several working exploits are now in widespread distribution on the Internet."

"These exploits provide full remote system level access to vulnerable computers...DHS and Microsoft are concerned that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to Code Red or Slammer," the agency added.

David Wray, a DHS spokesman, said at the time that the agency had been monitoring the situation and were in direct contact with the security community, as well as with industry. "We're seeing an Internet-wide increase in probing that could be a search for vulnerable computers. It could be a precursor and it bears continued watching... It certainly could be serious. It could lead to the distribution of destructive, malicious code and it could cause considerable disruption," Wray added.

Blaster, first discovered in the wild by security experts on Monday, appears to be one of the first bits of malicious code to attack the vulnerability. Patches continue to be available on Microsoft's Web site, and many security tool vendors are now offering up removal tools.

While it isn't entirely clear how many computers have been infected by this worm, there is no question that it is a fast-spreading worm that is causing major headaches for Windows users worldwide, and experts are genuinely concerned.

Officials from the CERT Coordination Center, the government-sponsored group at Carnegie Mellon University that monitors the spread of viruses, worms and other insidious computer programs, says it believes the Blaster worm has already grabbed onto hundreds of thousands of computers, and it may not be done.

"Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial of service attack against windowsupdate.com," CERT said in a security advisory issued late Monday. "We are investigating the conditions under which this attack might manifest itself."

Security firm Symantec moved quickly to raise the threat rating on the worm to a Category 4 threat, citing the number of submissions it had received from customers as well as information from its Deepsight Threat Management System.

While Microsoft and security firms, as well as DHS, have been warning about the vulnerability and advising Windows users to apply patches for nearly a month, Eric Kown, CEO of Global Hauri, said it is not surprising the worm is still finding vulnerable systems.

"Although Microsoft and other security companies recently warned against the vulnerability issue, we are living in a world with ubiquitous security patch and service pack information overflow," he said. "Customers respond more slowly to security issues because of the burden IT departments bear with the maintenance of mission-critical application updates. To be prepared for the impact of security updates on their network environment in order to prevent unpredictable damage without disrupting the level of service required is very hard."

Several published reports say the Blaster worm is spreading through Windows-based computers in Europe, and it is still unclear how widespread the worm will become.

And in Asia, Reuters reported Tuesday that South Korea's Ministry of Information and Communication confirmed close to 1,700 infections had been reported since early Tuesday, a very small percentage of the more than 15 million personal computers in South Korea that use versions of the Windows operating systems.

"Early this morning we took steps to block the port 4444 and I think that helped prevent the worm from spreading massively," Kim Jeong-won, an official at the ministry's Critical Infrastructure Assurance Team, told Reuters. He was referring to one of 65,000 ports a computer can use to exchange data over the Internet. The Blaster worm can be stopped by blocking port 4444, which it uses as its mechanism for proliferation.


source

Archived topic from Iceteks, old topic ID:1216, old post ID:10747
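The article above describes two observable behaviours of the worm: fanning out to other machines on port 4444 and a TCP SYN flood against windowsupdate.com. The following detection logic, an added example that is not part of the thread, runs both checks over a constructed firewall log; the log line format, the thresholds and the sample addresses are all assumptions.

```python
"""Detection heuristics for the worm behaviour described in the article:
hosts fanning out to many peers on TCP 4444 and SYN bursts at windowsupdate.com.
Added example, not from the thread; log format, thresholds and hosts are assumed."""
from collections import defaultdict
import re

# Assumed firewall log format (constructed for this example):
# "<epoch> <src_ip> -> <dst>:<dst_port> <tcp_flags>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\S+)$")

def parse(lines):
    """Yield (ts, src, dst, dport, flags) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, flags = m.groups()
            yield int(ts), src, dst, int(dport), flags

def scanning_hosts(lines, port=4444, min_targets=5):
    """Sources that contact at least `min_targets` distinct hosts on `port` (worm sweep)."""
    targets = defaultdict(set)
    for _, src, dst, dport, _ in parse(lines):
        if dport == port:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def syn_flood_sources(lines, victim, window=10, min_syns=20):
    """Sources sending >= `min_syns` bare SYNs to `victim` inside any `window`-second span."""
    syns = defaultdict(list)
    for ts, src, dst, _, flags in parse(lines):
        if dst == victim and flags == "S":
            syns[src].append(ts)
    flagged = []
    for src, times in syns.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_syns:
                flagged.append(src)
                break
    return sorted(flagged)

# Constructed sample: 10.0.0.7 sweeps port 4444 and floods the update site; 10.0.0.9 is benign.
SAMPLE_LOG = (
    [f"{1060700000 + i} 10.0.0.7 -> 10.0.1.{i}:4444 S" for i in range(8)]
    + [f"{1060700100 + i // 4} 10.0.0.7 -> windowsupdate.com:80 S" for i in range(24)]
    + ["1060700200 10.0.0.9 -> 10.0.1.3:4444 S", "1060700201 10.0.0.9 -> windowsupdate.com:80 S"]
)
```

Both checks are volume based, so tune `min_targets` and `min_syns` to the normal traffic of the network being watched before alerting on them.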
Wren
Posts: 2881
Joined: Sat Jan 25, 2003 7:36 pm

Global M$ worm again

Post by Wren »

I was reading up on this at PC Pitstop and that worm was hitting people left and right! :o

Archived topic from Iceteks, old topic ID:1216, old post ID:10749
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Global M$ worm again

Post by Red Squirrel »

They were showing it on the news too. It showed people getting mad at their computer and hitting CTRL+ALT+DEL and picking up the phone. :lol:

I'm glad I have a secure network, I never get hit by these things. :)



Archived topic from Iceteks, old topic ID:1216, old post ID:10751
jryan
Posts: 395
Joined: Wed Dec 18, 2002 1:19 am

Global M$ worm again

Post by jryan »

I actually got a call this evening from someone who needed my help with the worm. Turns out they never visit WindowsUpdate and, as such, left their Windows XP install vulnerable to this worm. So, I sent them the removal tool from Symantec, along with the link to removal instructions and the patch from Microsoft.

The address windowsupdate.com has also been taken offline, as the virus was set to attack that URL. Luckily, the Windows Update functionality built into Windows pointed to windowsupdate.microsoft.com or a variant thereof.

Archived topic from Iceteks, old topic ID:1216, old post ID:10833
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

Global M$ worm again

Post by Red Squirrel »

Hmm well at least ms were smart enough to take it offline. It will save both bandwidth and possible non-DoS attacks. (most likely the worm would also try to get into the server + DoS it)

Archived topic from Iceteks, old topic ID:1216, old post ID:10838