Worm blasts across the web
A Windows worm dubbed MSBlast is quickly spreading across
the net and swamping net connections as it looks for more vulnerable
machines to infect.
On infected machines the malicious program also launches an attack against
the Microsoft site that holds a software patch that keeps the worm out.
Security firms say the design of the worm is hampering its spread but
warn that tens of thousands of computers could fall victim to it.
The vulnerability exploited by the worm has been known about for almost
a month and net security organisations have been warning that it would
soon be exploited.
MSBlast is known as a worm because it can spread across the net by itself.
Once installed on a machine MSBlast, also called Lovsan, starts scanning
for other vulnerable machines and this can swamp local net connections.
Network Associates said that many home broadband users were reporting
heavy traffic on their net connection as a result of being infected
by the worm.
Security firm Symantec said that it had already found MSBlast on more
than 57,000 machines.
The worm is likely to find a lot of hosts on the net as it exploits
a vulnerability found in many different versions of Microsoft Windows.
The vulnerability exists in the way that Windows shares files across
networks. The carefully crafted code of the worm swamps a memory buffer
which forces a machine to carry out instructions hidden in the tail
of the file.
As well as scanning for more machines to infect, MSBlast also launches
an attack on Microsoft's Windows Update website where many people go
to get software patches that close software vulnerabilities.
The vulnerability exploited by MSBlast was first discovered on 16 July
and since then security firms, governments and alert services have been
warning people that an attack was imminent.
Warnings grew more shrill as security firms reported that malicious
hackers were starting to seek out machines that suffered from the vulnerability
that is now being exploited.
"The time between vulnerabilities being disclosed and exploits
being created is decreasing, companies must have an efficient patch
management process if they are to protect critical networks," said
Graeme Pinkney, operations manager for Symantec. "Time is no longer
on their side."
Those most likely to be affected are home users and small firms that
tend not to be as diligent about computer security as large companies.
Security firms said that the worm is unlikely to spread as far as the recent
Slammer worm but said it could rival 2001's Code Red worm which managed
to infect 200,000 machines.
Symantec said that it was spreading at about 20% of the speed of the Slammer
worm when measured by the number of unique machines it was finding and
Hidden inside the worm are two messages. One taunts Microsoft chairman
Bill Gates and reads: "billy gates why do you make this possible?
Stop making money and fix your software!" The other is more cryptic
and says: "I just want to say LOVE YOU SAN!"