Blaster worm targets key Microsoft site

The Blaster worm, which exploits a vulnerability in Microsoft's Windows operating system, is the most serious since the SQL...

The Blaster worm, which exploits a vulnerability in Microsoft's Windows operating system, is the most serious since the SQL Slammer worm in January, according to security experts.

The worm is programmed to launch a denial-of-service attack against Microsoft's automated Windows update website starting on 16 August.

Blaster, also known as the DCOM worm or Lovsan worm, first appeared on the internet late on Monday and spread quickly, infecting machines running the Windows XP and Windows 2000 operating systems.

It takes advantage of a known vulnerability in a Windows component called the DCOM (Distributed Component Object Model) interface, which handles messages sent using the RPC (Remote Procedure Call) protocol.

RPC is a common protocol that software programs use to request services from other programs running on servers in a networked environment.

Vulnerable systems can be compromised without any interaction from a user, according to Johannes Ullrich, chief technology officer at the SANS Internet Storm Centre, which monitors threats to the Internet infrastructure.

A spate of warnings from anti-virus and computer security firms around the world appears to have had some effect.

"The worm has pretty much levelled out now. ISPs (Internet service providers) blocked port 135, which the worm used for propagation and we're seeing a limited spread," said Ullrich, adding that a flaw in the worm's code that governs which type of exploit to use when compromising a vulnerable machine may also account for the slowdown.  

Even though the worm's spread has slowed, the number of infected hosts is still very large and new infections are likely as users in Europe and the US connect to the internet from unprotected home machines, according to Mikko Hyppönen, manager of anti-virus research at F-Secure.

The large base of infected machines also has experts worried about a denial-of-service attack that the worm is programmed to launch against Microsoft's automated Windows update website starting 16 August.

Traffic directed at the site,, from so many hosts could, effectively, shut down the service, which is used to distribute software updates and security patches to Microsoft Windows users.

Unlike the Code Red worm, which contained code for a similar attack against the internet protocol address of the White House's main web server, Blaster targets the domain, preventing Microsoft from changing the address of the domain to sidestep the attack,.

Microsoft is aware of the denial-of-service threat and is looking at ways to make more resilient, both to protect against the Blaster worm and future threats.

However, the windowsupdate site is "extremely resilient" and has never suffered a complete denial of service, a Microsoft spokesman said. "If there's an attack on Saturday, the worst case scenario is that the site is slower than normal but not brought to its knees."

Security experts will be holding their breath and waiting for the pre-programmed attacks to start, but those infected by Blaster must now cope with the daunting task of cleaning up affected systems.

Blaster's code is small and can be quickly removed using free tools provided by F-Secure as well as other anti-virus suppliers, Hyppönen said.

However, customers should patch their systems before removing Blaster to prevent reinfection from the worm,.

Security experts also recommended installing firewall and anti-virus software to prevent future attacks.

Paul Roberts writes for IDG News Service

Read more on IT risk management