15 August 2003 Software giant Microsoft is bracing itself for a distributed denial of service (DDoS) attack this weekend on its Windows Update web site, driven by the spread of the MS-Blaster worm.
The worm takes advantage of a critical flaw revealed last month in one of the communications technologies built in to Windows NT, 2000, XP and Server 2003 — Windows 95, 98 and Millennium Edition are not affected.
Unlike most viruses and worms that target Microsoft software, MS-Blaster does not exploit the security shortcomings of Microsoft’s Outlook and Outlook Express email clients. Instead, it passes from computer to computer over ordinary Internet connections, with no user involvement, in a similar way to the SQL Slammer worm that attacked Microsoft’s SQL Server database earlier this year.
The worm works by exploiting a buffer overflow vulnerability in Windows’ remote procedure call (RPC) service. Once it has broken into a machine, the worm copies itself across from the already infected machine that attacked it; the new copy then joins the attack, sending 50 SYN packets per second to windowsupdate.com from midnight tonight.
It then seeks further computers to infect by probing randomly generated IP addresses for the same RPC flaw. Only Windows machines are at risk.
Windows XP users will also find that their PCs become unstable (the crashed RPC service forces the machine to restart) and may have to download the patch and clean-up tools on another machine and carry them across if they want to disinfect their PC. While Windows XP has a built-in firewall, it is turned off by default, so it offers no protection unless the user has enabled it.
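The two behaviours described above, a host probing random addresses for the RPC service and a host sending a steady stream of SYN packets at one web site, both leave a clear trace in firewall or flow logs. The following script is an added example, not code from the article or from any vendor's tooling. It assumes the RPC flaw is reached over TCP port 135 (a detail of the vulnerability, not stated in the article), uses constructed log records rather than real captures, and the thresholds and host addresses in it are illustrative assumptions.

```python
"""Flag Blaster-style RPC scanning and SYN flooding in firewall records.

Added example, not code from the article. The records below are constructed;
TCP port 135 for the RPC service and the 50 SYN/s flood rate are the assumed
indicators, and the thresholds are illustrative.
"""
from collections import Counter, defaultdict, namedtuple
import random

# One record per observed TCP segment: time in seconds, source, destination,
# destination port, and the TCP flags seen ("S" = SYN only, "A" = ACK).
Flow = namedtuple("Flow", "ts src dst dport flags")

RPC_PORT = 135  # assumption: the RPC endpoint the worm attacks


def build_sample():
    """Constructed sample traffic: one benign browser, one scanner, one flooder."""
    rng = random.Random(7)
    flows = []
    # Benign: 10.0.0.2 opens a web connection every 3 s.
    for i in range(20):
        flows.append(Flow(100.0 + i * 3.0, "10.0.0.2", "203.0.113.10", 80, "S"))
        flows.append(Flow(100.1 + i * 3.0, "10.0.0.2", "203.0.113.10", 80, "A"))
    # Scanner: 10.0.0.5 probes TCP/135 on 40 distinct random addresses in ~8 s.
    targets = set()
    while len(targets) < 40:
        targets.add(".".join(str(rng.randint(1, 254)) for _ in range(4)))
    for i, dst in enumerate(sorted(targets)):
        flows.append(Flow(200.0 + i * 0.2, "10.0.0.5", dst, RPC_PORT, "S"))
    # Flooder: 10.0.0.9 sends SYN-only segments to one web host at 50/s for 5 s.
    for i in range(250):
        flows.append(Flow(300.0 + i * 0.02, "10.0.0.9", "198.51.100.1", 80, "S"))
    return flows


def find_rpc_scanners(flows, window=10.0, min_targets=20):
    """Return {src: peak_distinct_targets} for hosts that touch TCP/135 on at
    least min_targets distinct addresses within any window-second span."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == RPC_PORT:
            by_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, probes in by_src.items():
        probes.sort()
        in_window = Counter()  # distinct destinations inside the sliding window
        left = peak = 0
        for ts, dst in probes:
            in_window[dst] += 1
            while probes[left][0] < ts - window:  # expire probes older than window
                old = probes[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def find_syn_flooders(flows, min_rate=30.0):
    """Return {(src, dst): syn_per_second} for hosts sending SYN-only segments
    to a single destination faster than min_rate per second."""
    syns = defaultdict(list)
    for f in flows:
        if f.flags == "S":
            syns[(f.src, f.dst)].append(f.ts)
    hits = {}
    for key, stamps in syns.items():
        if len(stamps) < 2:
            continue
        stamps.sort()
        span = max(stamps[-1] - stamps[0], 1.0)  # avoid dividing by a tiny span
        rate = len(stamps) / span
        if rate >= min_rate:
            hits[key] = round(rate, 1)
    return hits


def main():
    flows = build_sample()
    for src, peak in find_rpc_scanners(flows).items():
        print(f"RPC scanner {src}: {peak} distinct TCP/{RPC_PORT} targets in 10 s")
    for (src, dst), rate in find_syn_flooders(flows).items():
        print(f"SYN flood {src} -> {dst}: {rate} SYN/s")


if __name__ == "__main__":
    main()
```

On the constructed sample the scanner is reported with 40 distinct targets and the flooder at roughly 50 SYN/s, while the browsing host stays under both thresholds. A flooder that forges its source address would defeat the per-(source, destination) grouping; in that case key the SYN count on the destination alone and let the firewall's own interface or MAC logging identify the sending machine.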
However, experts are divided about how widely the worm has spread and how much damage it has done — and will do.
Many IT departments have belatedly started to apply the patch that Microsoft rushed out in July, as well as updating the rules on their corporate firewalls to block the RPC traffic the worm relies on.
In Finland, the Nordea financial services chain had to close 40 of its 400 branches after a number of office PCs were infected.
Nevertheless, the worm has not caused the level of corporate carnage seen with the SQL Slammer worm, although it did contribute to a slowing of network traffic across the Scandinavian region, where always-on broadband Internet is particularly popular.
Indeed, the growth of broadband has eased the worm’s passage among home users.
As a result, analysts suggest that home users have been harder hit than corporate users, either because they have been slow to update their anti-virus software or, more likely, because they have no anti-virus or firewall software running on their machines.
Overall, security software vendor Network Associates estimates that some 1.2 million computers have been infected worldwide and Microsoft says that it has taken measures to limit the impact of the DDoS attack on Windows Update.
Links:
Sophos virus analysis – W32/Blaster-A
Sophos disinfection instructions and FAQ
Security experts fear major attack on Windows systems (4 August 2003)