Blaster worm spreading rapidly

Exploiting Remote Procedure Call flaw

A worm that exploits a critical flaw in the Windows Remote Procedure Call (RPC) service to infect unpatched Windows machines is spreading rapidly across the Internet this morning.

Although serious, the effects of the Blaster worm are expected to be less severe than those of the infamous Nimda worm.

The Blaster worm (AKA Lovsan, MSBlast or Poza), which began spreading yesterday, is programmed to launch an attack against windowsupdate.com on 16 August.

Microsoft last month issued a patch for the flaw, but uptake has been predictably slow, leaving enough unpatched systems for malicious code writers to produce a worm that is having a severe effect on many Windows users.

Mac, Linux and Unix computers are immune to this Microsoft-specific vulnerability.

According to a preliminary analysis of the worm by F-Secure, the worm spreads as a 6176-byte executable named MSBLAST.EXE to Windows 2000 and Windows XP systems on which the recent Windows security patches have not been applied. Windows NT 4 and Windows Server 2003 might also be affected, but these systems appear to be playing a lesser role in the spread of the worm.

Blaster scans Internet addresses for vulnerable Windows machines on TCP port 135, the port used by the RPC service. On a vulnerable target the exploit launches a command shell, through which the newly hit machine is told to fetch the worm's executable over TFTP from the machine that infected it. Once the copy is in place, the worm modifies the system so that it is executed every time the machine is started, and the new host begins scanning in turn, so the worm keeps replicating from every infected machine.

Unsuccessful propagation attempts may crash vulnerable computers, or render them unstable. Successful worm outbreaks are causing localised network latency.

Blaster contains the following text strings:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

Security experts have been predicting the arrival of the worm, or something like it, for some weeks.

TruSecure, which has been prominent in these warnings, has published an informative advisory on the worm, which gives some indication of its likely spread.

The alert states: "TruSecure does not expect LANs to suffer from denial of service conditions due to this infection, even if it becomes infected. This is because internal infections will only propagate if outbound TFTP requests are allowed. If a source is found it can be blocked at either the firewall or router."

For these reasons, TruSecure "does not expect this to be as bad as Code Red, Nimda or SQL Slammer".

However, the company notes that there have been "numerous problems with Windows Update and St. Bernard's Update Expert - both of which showed that MS patch was installed when it wasn't". It is expecting more trouble ahead.

The SANS Institute has issued the following advice on guarding against the spread of the worm:

  • Close port 135/TCP (and if possible 135-139, 445 and 593)
  • Monitor TCP Port 4444 and UDP Port 69 (tftp) which are also used by the worm
  • Ensure that all available patches have been applied, especially Microsoft's July fix for the RPC flaw at the centre of the spread of Blaster (MS03-026)
  • Pull infected machines from a network pending a complete rebuild of the system
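The propagation sequence described above (a hit on TCP port 135, a shell on TCP port 4444, then a TFTP pull on UDP port 69 back to the attacking host) and the SANS monitoring advice translate directly into a detection rule. The following script is an added example, not part of the original article or of any SANS or F-Secure tooling: it parses constructed firewall log lines in an assumed one-flow-per-line format, flags hosts that scan many addresses on 135/TCP, and flags attacker/victim pairs that show all three stages in order. The log format, host addresses and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed log format (constructed for this example):
#   <timestamp> <ALLOW|DENY> <tcp|udp> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(\S+)\s+(ALLOW|DENY)\s+(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$"
)

# Constructed sample log: 10.0.0.5 sweeps 135/TCP, gets into 10.0.0.17,
# opens the 4444/TCP shell, and 10.0.0.17 pulls the payload over TFTP.
# 10.0.0.30 is ordinary SMB/RPC chatter that should not be flagged.
SAMPLE_LOG = """\
2003-08-12T09:14:01 ALLOW tcp 10.0.0.5:1031 -> 10.0.0.17:135
2003-08-12T09:14:01 ALLOW tcp 10.0.0.5:1032 -> 10.0.0.18:135
2003-08-12T09:14:01 DENY  tcp 10.0.0.5:1033 -> 10.0.0.19:135
2003-08-12T09:14:02 DENY  tcp 10.0.0.5:1034 -> 10.0.0.20:135
2003-08-12T09:14:02 DENY  tcp 10.0.0.5:1035 -> 10.0.0.21:135
2003-08-12T09:14:03 ALLOW tcp 10.0.0.5:1036 -> 10.0.0.17:4444
2003-08-12T09:14:04 ALLOW udp 10.0.0.17:1040 -> 10.0.0.5:69
2003-08-12T09:15:10 ALLOW tcp 10.0.0.30:2000 -> 10.0.0.40:135
2003-08-12T09:15:11 ALLOW tcp 10.0.0.30:2001 -> 10.0.0.40:139
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Parse one log line into a Flow, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return Flow(ts, action, proto, src, int(sport), dst, int(dport))


def parse_log(text):
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def find_scanners(flows, min_targets=5):
    """Sources that touched at least min_targets distinct hosts on 135/TCP.
    Denied attempts count too: a scan is a scan whether or not it got through."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_infections(flows):
    """(attacker, victim) pairs showing the full Blaster sequence in order:
    attacker->victim:135/tcp, attacker->victim:4444/tcp, victim->attacker:69/udp."""
    seen = defaultdict(dict)  # (attacker, victim) -> {stage: index of first sighting}
    for i, f in enumerate(flows):
        if f.action != "ALLOW":
            continue  # a blocked stage cannot have completed
        if f.proto == "tcp" and f.dport == 135:
            key, stage = (f.src, f.dst), "rpc"
        elif f.proto == "tcp" and f.dport == 4444:
            key, stage = (f.src, f.dst), "shell"
        elif f.proto == "udp" and f.dport == 69:
            key, stage = (f.dst, f.src), "tftp"  # victim pulls from attacker
        else:
            continue
        seen[key].setdefault(stage, i)
    hits = []
    for key, stages in seen.items():
        if all(s in stages for s in ("rpc", "shell", "tftp")) and \
                stages["rpc"] < stages["shell"] < stages["tftp"]:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("135/TCP scanners:", find_scanners(flows))
    print("attacker -> victim pairs:", find_infections(flows))
```

The three-stage check is what separates a Blaster infection from ordinary RPC traffic: a single 135/TCP connection (like the 10.0.0.30 host here) is normal Windows behaviour, whereas a 4444/TCP shell followed by an outbound TFTP request to the same peer is not. On a real perimeter the same logic applies to whatever the firewall or router exports, and the 69/UDP stage is exactly the outbound TFTP traffic TruSecure suggests blocking.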

Let's be careful out there. ®
