Worse Windows worms to come, warn experts

Despite infecting tens of thousands of computers worldwide, the W32.Blaster worm is poorly written and inefficient, according to security experts. However, they warned that future versions of the worm could cause far greater harm.

Blaster, which is also known as MSBlast, the Lovsan Worm and the DCOM Worm, surfaced on Monday and quickly spread to computers worldwide by exploiting a known security vulnerability in Microsoft's Windows operating system.

By Tuesday morning, the worm had spread to more than 30,000 systems, according to Johannes Ullrich, chief technology officer of the SANS Internet Storm Center. It targets the Distributed Component Object Model (DCOM) interface, a Windows component for handling Remote Procedure Call (RPC) protocol traffic.

However, security experts familiar with Blaster said that close inspection of its code revealed shoddy workmanship.

"It's a pretty bad worm. I keep calling it the 'half a worm'," said Marc Maiffret, chief hacking officer at security company eEye Digital Security.

Rather than write new code, Blaster's author or authors copied and pasted a well-known exploit for the vulnerability which was available on the internet.

Whereas the vulnerability affects almost every computer running Microsoft Windows, the DCOM exploit used by Blaster works only on Windows XP and Windows 2000 systems, greatly reducing the number of machines affected. 

Unlike other successful worms, the Blaster code is unable to detect what kind of operating system is installed on the machine it is attacking and chooses randomly between the exploit for Windows XP systems and Windows 2000 systems, according to security company F-Secure.

Blaster frequently uses the wrong exploit for the installed operating system, which causes Windows XP machines to reboot with an error message that mentions RPC, F-Secure said.

Maiffret warned that sophisticated worm writers would create their own exploit code that works for more flavours of Windows and add features to detect the operating system and prevent telltale crashes.

Similarly, Blaster's authors created a noisy and inefficient method for spreading the worm code from an infected machine to a vulnerable but uninfected machine. The worm requires the vulnerable machine to establish a separate connection to the infected machine to copy over the worm code, making the worm easier to notice on a network and providing multiple avenues to block the worm's spread.

That was the experience of IT administrators at the University of Florida, said Jordan Wiens, a network security engineer.

While Blaster uses port 135 to spread from computer to computer, it also opens a back door to the computer on port 4444 which is used to issue commands that download the worm code.

University administrators quickly stopped the worm from spreading without affecting other applications in use on campus by blocking traffic to port 4444, Wiens said.
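As an added illustration (not from the article or any vendor), the propagation sequence described above can be matched in flow records: a connection to port 135, a follow-up connection to the back door on port 4444, then a connection initiated by the targeted machine back to the source. The record format, the 30-second window and the sample records are assumptions constructed for this example; the article does not name the port used for the connect-back transfer, so any return connection is matched.

```python
from collections import namedtuple

# Hypothetical flow-record shape: timestamp (s), source, destination, protocol, dest port.
Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed sample records (documentation address range), not real traffic.
SAMPLE_FLOWS = [
    Flow(100.0, "192.0.2.10", "192.0.2.20", "tcp", 135),   # RPC/DCOM connection
    Flow(100.4, "192.0.2.10", "192.0.2.20", "tcp", 4444),  # back-door session
    Flow(101.1, "192.0.2.20", "192.0.2.10", "udp", 69),    # target connects back (port constructed)
    Flow(200.0, "192.0.2.30", "192.0.2.40", "tcp", 135),   # port 135 alone: no finding
    Flow(300.0, "192.0.2.50", "192.0.2.60", "tcp", 4444),  # port 4444 alone: no finding
    Flow(400.0, "192.0.2.10", "192.0.2.21", "tcp", 135),
    Flow(400.3, "192.0.2.10", "192.0.2.21", "tcp", 4444),  # no connect-back seen afterwards
]


def detect_propagation(flows, window=30.0):
    """Return {(source, target): stage} for pairs matching the described sequence.

    stage is "backdoor" when TCP/135 is followed by TCP/4444 from the same
    source within `window` seconds, and "connect-back" when the target then
    opens any connection back to that source within `window` seconds.
    """
    rpc_seen = {}   # (src, dst) -> time of the TCP/135 connection
    backdoor = {}   # (src, dst) -> time of the TCP/4444 connection that followed
    findings = {}
    for f in sorted(flows, key=lambda rec: rec.ts):
        pair = (f.src, f.dst)
        if f.proto == "tcp" and f.dport == 135:
            rpc_seen[pair] = f.ts
        elif f.proto == "tcp" and f.dport == 4444:
            t = rpc_seen.get(pair)
            if t is not None and f.ts - t <= window:
                backdoor[pair] = f.ts
                findings[pair] = "backdoor"
        # A flow in the opposite direction shortly after the back-door session
        # is the separate connection the target makes to fetch the worm code.
        reverse = (f.dst, f.src)
        t = backdoor.get(reverse)
        if t is not None and 0 < f.ts - t <= window:
            findings[reverse] = "connect-back"
    return findings


if __name__ == "__main__":
    for (src, dst), stage in detect_propagation(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {stage}")
```

A pair that stops at the "backdoor" stage is what a site blocking the later steps would expect to see: the exploit attempt landed, but no copy of the worm was fetched.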

"They [the hackers] were clueless," said Maiffret. "A real worm writer with any type of skill wouldn't have needed to connect back [to an infected machine] in order to get infected."

Ullrich agreed, calling Blaster's infection method "a bit primitive" and pointing to the worm's habit of stopping after it scans only 20 or so machines to check for infections.

"Code Red scanned 100 or 200 machines at a time," he said.

Maiffret, Ullrich and others agreed that future versions of the Blaster worm are likely, as are new worms which exploit the RPC vulnerability.

Those variants might patch the holes in Blaster's code or modify it. For example, the worm's programmed denial-of-service attack against Microsoft's windowsupdate.com site could be redirected to a different internet domain or internet protocol address, Maiffret said.

Ullrich said the Internet Storm Center had not received reports of any Blaster variants on Tuesday.

Despite its many faults, Blaster did do one thing right, security experts agreed, by targeting an easily exploitable and ubiquitous security flaw that affects home users more than just closely monitored servers.

"Even as poorly written as it is, Blaster's still having an effect and we're seeing a lot of impact from the worm right now. That's really the scariest part," Maiffret said.

And the worm's programmed DoS attacks against Microsoft could still cripple the networks used to launch the attack, even if they do not bring down the company's Windows update servers.

"We're still fighting Code Red from 2001, so Blaster will keep spreading for a very long time. I expect it will still be scanning networks in 2005," said F-Secure antivirus research director Mikko Hyppönen.

In the end, however, the emergence of a serious, but not devastating, worm like Blaster might help inoculate the internet community against more virulent variants, spurring users to patch vulnerable systems and install other protective measures such as firewalls, Maiffret said.

Paul Roberts writes for IDG News Service
