Microsoft tries to shut out MSBlaster

Microsoft Corp. has removed the IP address for the Web site targeted by the MSBlaster worm, trying to foil a denial-of-service attack threatened for tomorrow while still leaving online a more-used site for software updates.

'Microsoft has pulled the Blaster's teeth,' said Lloyd Taylor, vice president of technology at the Internet monitoring firm Keynote Systems Inc. of San Mateo, Calif. 'We do not expect any major Internet impact today.'

The Aug. 16 trigger date for the worm arrived in Australia at 10 a.m. today, Eastern time.

But Taylor warned that Microsoft's action was a spot fix that does nothing to impede the continued spread of the worm that appeared earlier this week.

'The worm is still very active and continues to spread,' he said. 'Only by updating every machine in the world are we going to defeat this thing.'

The worm exploits a vulnerability in Windows operating systems that was revealed last month. Microsoft posted a patch for it on July 16. The MSBlaster worm appeared Monday and spread rapidly, infecting an estimated 300,000 or more unpatched machines.

The worm carries a payload that instructs infected computers to direct a denial-of-service attack on Aug. 16 against a Microsoft site, windowsupdate.com, where the patch can be downloaded.

Microsoft disassociated that uniform resource locator from its IP address, so that when infected machines seek the URL from Internet Domain Name System servers, the attack packets will not be delivered.

But the IP address is still good for windowsupdate.microsoft.com, the URL to which Windows operating systems connect for updates.

The widespread infection still could cause localized network congestion as the worm generates denial-of-service packets. Alan Paller, director of the SANS Institute of Bethesda, Md., predicted even before Microsoft took action that the attack probably would be a nonevent.

He said that not all the compromised computers would attack at once because each must be rebooted after the start date to begin generating packets. Also, Microsoft distributes traffic to its update sites through a global network of servers, which could further dilute the impact. Finally, many Internet providers have had time to identify the attacking packets and make plans to drop them from their networks, Paller said.

Taylor said the worm, which includes a text message taunting Microsoft founder Bill Gates, probably was not intended to take down Microsoft as a whole. The attack targets the lesser-used URL for updates and was timed exactly one month after Microsoft's announcement of the vulnerability.

'It's most likely the intent was to embarrass, not to damage,' Paller said.

Variants of the worm already have appeared, however. So far they differ little from the original worm and have the same target. A cleverer worm or one with a different target could still do damage to unprotected computers, Taylor said.

About the Author

William Jackson is a Maryland-based freelance writer.
