13 August 2003

Search all issues

powered by FreeFind

Send Your Feedback!

Worm blasts across the web

A Windows worm dubbed MSBlast is quickly spreading across the net and swamping net connections as it looks for more vulnerable machines to infect.
On infected machines the malicious program also launches an attack against the Microsoft site that holds a software patch that keeps the worm out.
Security firms say the design of the worm is hampering its spread but warn that tens of thousands of computers could fall victim to it.
The vulnerability exploited by the worm has been known about for almost a month and net security organisations have been warning that it would soon be exploited.
Damage control
MSBlast is known as a worm because it can spread across the net by itself.
Once installed on a machine MSBlast, also called Lovsan, starts scanning for other vulnerable machines and this can swamp local net connections.
Network Associates said that many home broadband users were reporting heavy traffic on their net connection as a result of being infected by the worm.
Security firm Symantec said that it had already found MSBlast on more than 57,000 machines.
The worm is likely to find a lot of hosts on the net as it exploits a vulnerability found in many different versions of Microsoft Windows.
The vulnerability exists in the way that Windows shares files across networks. The carefully crafted code of the worm swamps a memory buffer which forces a machine to carry out instructions hidden in the tail of the file.
As well as scanning for more machines to infect, MSBlast also launches an attack on Microsoft's Windows Update website where many people go to get software patches that close software vulnerabilities.
The vulnerability exploited by MSBlast was first discovered on 16 July and since then security firms, governments and alert services have been warning people that an attack was imminent.
Warnings grew more shrill as security firms reported that malicious hackers were starting to seek out machines that suffered the vulnerability that is now being exploited.
"The time between vulnerabilities being disclosed and exploits being created is decreasing, companies must have an efficient patch management process if they are to protect critical networks," said Graeme Pinkney, operations manager for Symantec. "Time is no longer on their side."
Those most likely to be affected are home users and small firms that tend not to be as diligent about computer security as large companies.
Security firms said that the worm is unlikely to spread as far the recent Slammer worm but said it could rival 2001's Code Red worm which managed to infect 200,000 machines.
Symantec said that it was spreading about 20% of the speed of the Slammer worm when measured by the number of unique machines it was finding and infecting.
Hidden inside the worm are two messages. One taunts Microsoft chairman Bill Gates and reads: "billy gates why do you make this possible? Stop making money and fix your software!" The other is more cryptic and says: "I just want to say LOVE YOU SAN!"

Copyright © Newsworks Ltd. Malta.
Editor: Saviour Balzan
The Malta Financial & Business Times, Newsworks Ltd, Vjal ir-Rihan, San Gwann
Tel: (356) 21382741-3, 21382745-6 | Fax: (356) 21385075 | E-mail