Security experts are questioning whether a massive denial-of-service attack from machines affected by the W32.Blaster...
internet worm, scheduled for Saturday, will succeed.
The worm, also known as the DCOM worm or Lovsan worm, first appeared on the internet late Monday and spread quickly, infecting machines running the Windows XP and Windows 2000 operating systems.
Blaster takes advantage of a known vulnerability in a Windows component called the DCOM (Distributed Component Object Model) interface, which handles messages sent using the RPC (Remote Procedure Call) protocol.
By yesterday, the Blaster worm had infected between 250,000 and one million computers, according to Vincent Gullotto, vice president of the Avert anti-virus response team at Network Associates.
But the worst may still be coming. Blaster is poised to launch a denial-of-service attack against a Microsoft website tomorrow.
Infected machines worldwide will send a constant stream of phony connection requests to the windowsupdate.com internet domain in an manoeuvre known as a TCP (Transmission Control Protocol) SYN flood attack.
Microsoft uses windowsupdate.com to distribute software patches to Windows customers.
The machines will begin their attack at 12am. local time, with each infected computer judging the time by consulting its system clock, creating a cascading attack that will cross the globe as clocks in each time zone roll over to the new day, according to Mikko Hyppönen, antivirus research director at F-Secure in Helsinki.
Once launched, the attack will continue, unabated, through to the end of December, then begin again on 16 January 2004, according to an analysis of the worm code by security company eEye Digital Security.
Experts said that If the attack proved successful, it would be difficult for Microsoft to stop.
Gullotto estimated that more than 100,000 infected machines could be involved in the attack, creating a massive flood of traffic to Microsoft's windowsupdate servers.
Attack traffic will come from computers using thousands of different IP addresses, making it impossible to deploy a blocking list. In addition, attack traffic will arrive on Port 80, a vital computer communications port used to access the World Wide Web, Hyppönen said.
But experts agree that all may not be lost.
By mistake or design, Blaster's author provided the incorrect domain address for windowsupdate. The address specified in the worm's code, windowsupdate.com, simply forwards users to the actual Windows update site, windowsupdate.microsoft.com, Hyppönen said.
Microsoft can easily change the DNS (Domain Name System) configuration for windowsupdate.com to stop it forwarding traffic to the actual site, sidestepping Saturday's Blaster DOS attack, he added.
The windowsupdate.com DNS record could be changed to point to a phony IP address such as 0.0.0.0, or to point attack traffic back to the attacking machine itself, Hyppönen said. Either of those changes would spare the internet from a flood of spurious attack traffic, he said.
Finally, the Blaster code only checks the date when the worm code begins running. Machines that are not infected and have already been running, or that do not reboot on 16 August may not check the date and would not launch an attack.
"I think nothing is going to happen," Hyppönen said.
Microsoft has said nothing about how it plans to address the DOS attack this weekend.
For now, the company is assuming that a high volume of attack traffic will be coming its way tomorrow, and is taking steps to ensure that customers will continue to receive software updates.
"We take this threat very seriously and are working diligently to prepare for what the worm might do," Stephen Toulouse, security program manager at Microsoft.
Toulouse declined to speculate on possible strategies for avoiding Blaster's wrath.
Microsoft is posting patches at multiple locations on its website to make sure that customers can access necessary software updates even if windowsupdate.com is crippled by an attack.
Customers can obtain patches from download.microsoft.com, which is not targeted by Blaster.
Information on Blaster was also posted at www.microsoft.com/security.
F-Secure has monitored windowsupdate.com for two days and says that, for now, the site shows no signs of disruption.
The only increase in traffic to the site Microsoft has noticed comes from customers rushing to get the software patch to block Blaster.
Gullotto recommended that infected systems should be cleaned and patched.
Paul Roberts writes for IDG News Service