Blaster rewrites Windows worm rules
The worm that turned on home users
Analysis The Blaster worm, which continues to create chaos by crashing numerous vulnerable Windows machines across the Net, has changed the rules on malicious code attacks.
Unlike Slammer or Nimda, home users have borne the brunt of the attack - although businesses of all sizes have also suffered.
Blaster shatters the partially reassuring notion that email-borne nasties are the most significant threat for Harry Homeowner. Now updating patches and using perimeter security, always good ideas, have become prerequisites for Windows users.
With the appearance of new variants of Blaster already appearing on the Net, its worth reviewing the nature of Blaster, the damage it caused and the steps people can take to guard against infection.
As we reported on Tuesday, Blaster exploits a critical Remote Procedure Call (RPC) DCOM flaw to infect vulnerable Windows machines. Even at the time we realised this flaw was out of the ordinary and potentially devastating.
Microsoft last month issued a patch to guard against the problem but uptake has been predictably slow. This allowed a vulnerable base to flourish until unknown VXers came up with the Blaster worm (AKA Lovsan, MSBlast or Poza) which began spreading on Monday evening. Spread was particularly rapid across vulnerable Windows 2000 and Windows XP machines, though Windows 2003 and NT machines might also be infected. Windows 95 and 98 installations appear safe.
And Mac, Linux OS/2, eComStation, and Unix computers are immune to this Microsoft-specific vulnerability.
The Blaster worm will infect vulnerable Windows PCs, often causing them to repeatedly crash as soon as they are connected to a network. The worm will attempt to download malicious code and run it. The worm has no mass-mailing functionality.
Blaster is programmed to commandeer infected machines to launch a DDoS attack against windowsupdate.com on 16 August.
An analysis of Blaster by the Internet Storm Centre, which is generally credited as being the first to spot the problem, can be found here. An advisory by security clearing house CERT can be found here.
Estimates of the number of machines infected by Blaster vary but its generally reckoned hundreds of thousands of machines have caught the worm. Symantec, for example, reckons that 188,000 machines were infected by yesterday afternoon, with the US and UK leading the way in pox-ridden PCs.
How much damage is it causing?
A picture is beginning to emerge of the problems caused by Blaster, and its general behaviour.
According to a report by the Washington Post, the Maryland Motor Vehicle Administration authority shut its offices for the day because its systems were so severely affected by Blaster that it could no longer continue as normal.
Some may see this as a precautionary shutdown that does more harm than good.
However, in many instances companies are taking systems offline in order to deploy patches, which is not quite the same as systems being knocked out or abandoning the Internet "as a precaution" (ie. a self-actuated DoS attack).
Other organisations reportedly suffering network slowdowns or worse because of the worm include German car manufacturer BMW, Swedish telco TeliaSonera, the Federal Reserve Bank of Atlanta and Philadelphia's City Hall.
Russ Cooper, Chief Scientist at security company TruSecure, who has been predicting a worm like Blaster since the original Microsoft vulnerability emerged, said some companies are seeing sporadic infections while others are seeing more concerted attacks from Blaster. Cooper attributes to this variation in behaviour to the way the worm generates new IP addresses to attack.
Numerous Reg readers, many home users or workers in smaller businesses, report that their machines have crashed because of the worm.
Although some large enterprise have been affected, mitigation strategies involving blocking Blaster-associated traffic at the corporate gateway can give companies some breathing space while they update their systems to deal with the worm. Many home users and small business don't really have this option and so they have to problem of getting patches while Blaster is trying to crash their machines using mechanisms that will be a mystery to most home users. This wouldn't be such a problem if the firewall in Windows XP was enabled by default - which it isn't - further exacerbating the problem. Microsoft is reportedly planning to change this practice.
And users are being assaulted by malicious traffic coming in through their network connection - not the more familiar route email-borne nasties - further complicating matters. The system instability effects of Blaster - rather than its scheduled attempt to launch a denial of service attack on windowsupdate.com - are causing the most concern.
It could be worse
So how bad is Blaster, on the general scale of things?
Vincent Weafer, Senior Director at Symantec Security Response Centre, said that Blaster was having nowhere near as severe an effect as the infamous Slammer worm, which took out much of Korea's ADSL network and made a limited number of bank ATMs temporarily unavailable earlier this year.
Weafer said Blaster could be accurately be compared to Code Red. Both worms relied on exploiting fairly recent security flaws, Blaster (like Code Red) tries to perform a DDoS attack and both worms were followed by variants. Neither is Blaster generating the rapid rate of infections seen with Nimda.
Weafer said the rates of new infections from Blaster was slowing down as users apply patches, put up firewalls and update AV tools. Also, and we suspect this might prove to be an even more significant factor, the worm is starting to run out of steam (its finding it more difficult to find fresh, vulnerable but as-yet-uninfected hosts).
TruSecure's Cooper rated Blaster as a more serious threat than Symantec's Weafer.
"Blaster is a slow moving worm - a kind of slug," Cooper told us.
"It has to open a command shell, suck down files and wait for machine to crash to work - that's a lot of attack effort gone to waste. Slammer found infectable hosts quickly.
"But Blaster is three times more prevalent than Slammer and much more damaging to the infected machine. Slammer really only clogged bandwidth.
"With Blaster the rate of attacks has gone down from a peak late on Monday but it's still spreading," he added.
Depressingly Cooper predicted that Blaster will likely stick "around for a long time", perhaps up to two years or above. More destructive variants are likely, he added.
Windows Update likely to stay up
One of the most publicised aspects of Blaster is that it is programmed to flood windowsupdate.com with a DDoS attack from infected machines this Saturday (16 August). Neither Cooper nor Symantec's Weafer thought this attack was likely to succeed mainly because Microsoft has time to put mitigation strategies in place so that, for instance, it can change the way it redirects traffic to the servers that actually run Windows Update.
Despite this apparent confidence that all will be well at Redmond on Saturday, neither Cooper nor Weafer were prepared to offer us odds on Windows Update being live and kicking on the big day.
What's to be done
Fortunately there's plenty of advice on the Net on how to protect your machine against Blaster. There's also tips on what to do if you get infected but as usual prevention is easier than cure.
Essentially you need to follow a multi-stage process involving: a) setting up a firewall to block malicious traffic; b) updating your machine with patches from Microsoft; and c) updating AV signatures.
Full Register coverage: Internet worms
Blaster worm spreading rapidly
Panel probes the half-life of bugs
Microsoft issues doubleplus critical security fix
The Hackers Who Broke Windows
SQL worm slams the Net
ATMs, ISPs hit by Slammer worm spread
Slammer: Why security benefits from proof of concept code
Nimda worm runs riot on IT sites
Firms hit in Nimda mutant outbreak
Internet survives Code Red
Code Red busting code gets cool reception
Code Blue targets Red China
The Code Red hype Hall of Shame