- Is the Cisco MARS mission going to abort?
- First iPhone worm spreads Rick Astley wallpaper
- 10 stunning 3D buildings made with Google SketchUp
- Open source software ready for big business
- Four reasons to buy (and one reason to avoid) the Droid
As if last week's Blaster worm didn't cause enough damage, there are now reports of a worm that breaks into Windows-based computers to try to delete any trace of the Blaster worm infection, and then downloads the patch Microsoft developed to fix the vulnerability that Blaster exploits.
First spotted in Asia, the worm is being called Nachi, Welchia or MSBlast.B, according to at least three antivirus firms that have analyzed its code. Ian Hameroff, security strategist at Computer Associates, which has named the worm Nachi, said it can break into any Windows XP, 2000, NT or 2003 machine that hasn't been patched for the Remote Procedure Call (RPC) vulnerability identified last month. This is the technique exploited by the Blaster worm first seen last week, which infected hundreds of thousands, if not millions, of computers worldwide.
Blaster's main purpose was to launch a denial-of-service attack against Microsoft's Windows Update site via compromised machines. But that had very limited success since Microsoft disabled the windowsupdate.com URL that Blaster specifically targeted. This URL was a redirect link to the main Microsoft site windowsupdate.microsoft.com, which Microsoft protected.
Chris Thompson, vice president of marketing at Network Associates, noted that the Blaster worm couldn't start a DoS attack when it couldn't find the target URL, and would instead try to hit an IP address 255.255.255.255 five times afterward. But Windows machines aren't prepared to handle that request anyway, he added.
The Blaster worm failed to affect Microsoft substantially. However, many corporate networks have faced paralyzing congestion due to scanning caused by Blaster infections of unpatched machines.
Now, a new worm is on the loose to infect vulnerable machines in the same way Blaster does. But its purpose is thought to be to find Blaster code, eradicate it, and install the Microsoft patch. However, trying to install a patch without the network administrator’s oversight can "have repercussions," such as causing machines to fail, noted David Perry, Trend Micro's global director on education issues. It represents a break-in of a different sort that must be prevented through proper patching and other means, such as antivirus software.
The Nachi/Welchia/MSBlast worm does not seem to be moving fast, but security firms are keeping a close eye on evidence of its spread since it could also become a problem this week as Blaster was last week.
Rss FeedRss Feed
The Leader in Network Knowledge
Comment