WebCrime

MSBLASTER

 
MSBlast echoes across the Net
 
Worm exploits a widespread Windows vulnerability

The latest worm to torment Internet users underscores the limitations of getting patches in place.

In just 24 hours, "MSBlast" exploded onto some 120,000 computers around the world, in spite of what some experts say was a less-than-spectacular programming job. A big part of the problem was that inattentive home users, and overbooked IT staffs, hadn't been able to put a patch in place, even though Microsoft had made it available in July. The Web will be watching over the weekend to see if Microsoft can dodge a denial-of-service attack expected to be launched by the worm.

Network operators: Worm still squirming
Earlier reports that network traffic caused by the MSBlast worm dropped 30 percent to 40 percent may not mean that the worm is slowing, a major provider of network services says.
August 15, 2003

Microsoft kills Net address to foil worm
The software giant eliminates the Windowsupdate.com address that the self-propagating MSBlast worm was set to attack.
August 15, 2003

Squashing the next worm
Another worm, another epidemic. Can companies find ways to halt the spread of self-propagating code?
August 15, 2003

Cleanup dampens Blaster worm
The MSBlast worm's infection rate is slowing as people and businesses disinfect compromised computers, say antivirus companies--though not everyone agrees it's all over yet.
August 14, 2003

Microsoft prepares to be Blasted
The giant hopes to be ready when hundreds of thousands of computers infected with the MSBlast worm start pelting its Windows Update service with data requests on midnight Friday.
August 13, 2003

Users race against worm, variants
As the "MSBlast" worm spreads to about 2,500 new computers per hour, antivirus firms say a new variant has been released and that patching is crucial.
August 13, 2003

Slapdash monster roams the Net
The latest threat to hit the Internet is a compilation of programs cobbled together to do a single job: spread far and wide.
August 13, 2003

Worm's spread shows holes in patch system
"MSBlast" supports the view that patches, while necessary to increase the security of specific computers, can't be relied upon to protect large networks.
August 12, 2003

IT hustle mutes impact
The "MSBlast" worm is forcing information technology staffs to work overtime, but the damage to systems and networks seems to be somewhat contained, at least in the working world.
August 12, 2003

'MSBlast' widespread but slowing
Update: The worm infects as many as 120,000 computers in 24 hours, but its pace drops off because of poor programming, security researchers say Tuesday.
August 12, 2003

Viruses, hackers hit a third of Net users
Almost one in every three surfers in the United States has been hit by either a computer virus or a hacker in the past two years, a new survey says.
August 12, 2003

Here we go again
Perspectives: CNET News.com's Charles Cooper says that after two decades' worth of Swiss cheese software security, the world's biggest supplier of operating system software has run out of excuses.
August 12, 2003

Flaw in Windows worm tips off defenders
Update: The fast-spreading "MSBlast" worm seems to be crashing as many Windows computers as it's infecting--a sign that administrators need to patch their systems.
August 11, 2003

Windows worm starts its spread
A worm that takes advantage of what some security experts have called the most widespread Windows flaw ever has started spreading, fulfilling the predictions of many researchers.
August 11, 2003

Previous coverage
Patchwork security
Special report: Software makers routinely release "fixes" designed to plug holes and reassure worried customers, but these antidotes are often ignored.
January 24, 2001

Waiting for the worm to turn up
Reporter's notebook: Security researchers gathered in Las Vegas for two hacking conferences are focusing on the Internet and whether a feared worm will appear.
August 1, 2003

Microsoft warns of critical Windows flaw
The software giant issues a patch to plug a critical security hole that could let an attacker take control of computers running almost any version of Windows.

 

Microsoft's blast from the past

By Robert Lemos, CNET News.com, August 12, 2004, 4:00 AM PT

A year ago, the author of the MSBlast computer worm taunted Microsoft with a message in the fast-spreading program: "billy gates why do you make this possible? Stop making money and fix your software!!"

Bill Gates and company apparently took up the challenge. On Friday, Microsoft released to PC manufacturers Windows XP Service Pack 2, an update aimed at locking down customers' computers. SP2 took more than nine months to complete and contains significant security changes to the flagship operating system.

Microsoft's overhaul of the software underwent a fast shift in direction--from a focus on features to an overwhelming concentration on security--after the rapid spread of MSBlast last summer threw doubt on the operating system's protections.

The worm compromised more than 9.5 million Windows PCs by exploiting a flaw in the software that not many customers had actually patched, even though Microsoft had made a fix available.

"This time last year was a really exciting time," said Amy Carroll, director of product management in Microsoft's Security Business and Technology Unit. "There wasn't a lot of sleep involved."

The MSBlast worm hit the Internet on Aug. 11, 26 days after Microsoft published a patch for the vulnerability that the worm used to spread. But many Windows users failed to vaccinate their systems, even though there was widespread expectation that a virus would emerge from the security hole. The result: The malicious program caused enough havoc to play some part in a major power failure that affected as many as 50 million homes in the United States and Canada, though it did not cause the outage.

A year later, the release of SP2 means that Carroll and her Redmond cohorts may get at least a few hours more winks. Through changes to the Windows XP code and configuration, the update adds better security to the operating system's handling of network data, program memory, browsing activity and e-mail messages.

Some security companies are tentatively hopeful that the XP software fix will bolster security in the average PC.

"It is probably too early to say whether SP2 will meet its promise," said Alfred Huger, senior director of engineering at Symantec, a security company. "That said, it's a great step in the right direction. We still have all the same fears as before, but we are in a better place to deal with them."

Those that install the update will be better protected against MSBlast-type network worms. The security revamp has multiple layers of redundancy that would have stopped MSBlast and the more recent Sasser worm from spreading, Microsoft's Carroll said.

For example, the flaw in the Remote Procedure Call (RPC) component in Windows that allowed MSBlast to spread has now been fixed, she said. Even if it hadn't, SP2 has an automatic update feature that would have installed the Microsoft patch before MSBlast propagated. Then, if a user turned off that update feature, SP2's improved firewall would have blocked the worm. And if the firewall had been turned off, Microsoft has changed the way that Windows XP interacts with such viruses, so that MSBlast's attempts to infect computers would have failed.

"There is a whole cascade of defenses that make the operating system more resilient overall," Carroll said.

Now Microsoft has to persuade consumers and corporate network administrators to apply the SP2 changes. The company has repeatedly learned that customers are less than assiduous about applying updates to their systems. The Slammer worm, which exploited a 6-month-old security hole in Microsoft SQL Server, spread widely because many companies failed to patch the flaw during that half-year.

"This is the most secure version of Windows that we have shipped yet," said Carroll, who issued a plea for customers to apply the patch. "That said, it is not a 'silver bullet,' and we are doing a lot of other things to address security."

Complicating matters, the update could cause problems with corporate homegrown applications, Microsoft has acknowledged. IBM, for one, has told employees to wait for the go-ahead from management before installing the update. To allow companies time to test how the update will affect their users, Microsoft has published a tool to enable businesses to block people from downloading and installing the update.

Giving companies a choice is one of the lessons learned by Microsoft. A handful of major worm and virus attacks in the past three years have taught the software giant that security is not simple. The result is that the company pushes for security on multiple fronts.

The Code Red and Nimda worms led the company to embark on its 10-year Trustworthy Computing initiative, designed to focus Microsoft employees on building better security into products and on improving customer response. The Slammer worm convinced the software giant to stress patching and to find ways to defend systems that are not patched. And the MSBlast worm helped lead Microsoft to create Service Pack 2 and to finance a reward program for informants who help pinpoint virus writers.

Although it is harder to create network worms that can penetrate Windows XP SP2's defenses, it can be done, Symantec's Huger warned.

"It would stop the old MSBlast. I don't know if it would stop a new one," he said. "This isn't the end of the network worm, but it makes more sense (for attackers) to focus on other methods."

Security researchers are already picking apart SP2, looking for flaws. Thor Larholm, a senior security researcher with PivX Solutions, downloaded the software last Friday and continues to analyze it. The true test for the update will likely come in the next few months, once those researchers' efforts bear fruit.

"Give it a few weeks, or a few months, and you will see the first vulnerability announcements regarding Service Pack 2," Larholm said.
