August 11, 2003 2:55 PM PDT

Windows worm starts its spread

A worm that takes advantage of what some security experts have called the most widespread Windows flaw ever has started spreading, fulfilling the predictions of many researchers.

Dubbed "MSBlast" by its author, the worm is spreading quickly, according to an initial analysis posted to the Internet Storm Center, a digital threat-tracking site. Ever since mid-July, when Microsoft announced a vulnerability in a widespread component of Windows, security experts have been waiting for some online vandal to create a worm that takes advantage of it.

"It is pretty widespread," said Johannes Ullrich, chief technology officer for the Storm Center. "It is sort of getting to the point where it is causing some slowdown."

Microsoft is investigating the worm but couldn't immediately comment on the program.

Some system administrators posting to a mailing list run by the North American Network Operators' Group, a popular forum for engineers who maintain large networks, believe that as much as 10 percent of the data coming into their networks has been created by the worm.

The worm contains two messages in its code. The first apparently is a "greet"--a message of greeting or recognition to a friend or peer--while the second takes aim at Microsoft: "billy gates why do you make this possible?" the second part of the message says. "Stop making money and fix your software!!"

Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability.

MSBlast installs the Trivial File Transfer Protocol (TFTP) server, and runs the program to download its program code to the compromised server. It will also add a registry key to ensure that the worm is restarted when the host computer is rebooted.

The worm attacks Windows computers via a hole in the operating system, an issue Microsoft on July 16 had warned about. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted a program to several security lists designed to allow an intruder to break in to Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Microsoft's operating system.

The flaw is in a component of the OS that lets other computers request that the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.

The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program.

Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.

Slammer spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be canceled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.

Security experts and network administrators are working to identify the worm and patch their networks.

Microsoft Windows users can update their operating systems through the company's Windows Update service. More information about the flaw and workarounds are available in the advisory posted online.

2 comments

Join the conversation!
Add your comment
Gates and viruses
The vulnerability flaws in Microsoft software are NOT!! NOT!! NOT!! flaws. They are gates installed to allow Gates and company to meddle in YOUR machine.

Every time he closes one gate he opens another. It takes the hackers who write the viruses about five minutes to hack their own patched systems and rewrite a few lines of code to use the new gates.

Get smart. If you use Microsoft, don't update it or patch it with their patches. Get third party patches. These close the gates without opening new ones.
Posted by (1 comment )
Reply Link Flag
All I can say about all the problems SP3 has is this, It's all true. beware of alerts that pop up and say danger u are under attack. looks like Microsoft warning but it's the worms,hackers etc.stop and think before you react,because in that moment of oh my god the after math of it all is please god help me.
Posted by fruityrb (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.