Ellen Messmer
Senior Editor, Network World

Worm programmed to blast Microsoft’s patch site

News
Aug 11, 2003 (3 min read)
Tags: Hacking, Microsoft, Networking


Security experts are warning about the spread of a new worm that exploits the so-called remote procedure call (RPC) vulnerability discovered last month in Microsoft XP, 2000 and NT operating systems. The worm, dubbed MSBlast, uses scanning on port 135 to spread. It is set to launch a continuous denial-of-service attack against the Microsoft site, windowsupdate.com, starting Aug. 16.

The worm spreads by infecting unpatched Microsoft systems, scanning for them at a rate of about 20 hosts per second, according to some security professionals analyzing samples of MSBlast. The MSBlast worm was apparently written by someone whose main purpose is to infect machines and have them launch DoS attacks, using SYN flooding, against the Microsoft site.
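The two behaviours the article attributes to the worm, scanning TCP port 135 and doing so at roughly 20 hosts per second, are exactly what a network defender can look for. The following is an added example, not code from the article or from any of the researchers quoted: it reads constructed log lines in a hypothetical "timestamp src dst dport proto" format (not any real firewall's output), counts how many distinct destinations each source contacts on port 135 within a single one-second bucket, and flags sources whose fan-out reaches a threshold. The threshold of 10 is an assumption chosen below the reported 20 hosts per second so that slower scanners are still caught.

```python
"""Flag hosts fanning out to TCP/135 at scan-like rates (added example, constructed data)."""
from collections import defaultdict

# Constructed sample log lines in a hypothetical "timestamp src dst dport proto" format.
# 10.0.0.5 hits 15 distinct hosts on port 135 within one second (scan-like);
# 10.0.0.9 makes ordinary traffic plus two isolated RPC connections (benign).
SAMPLE_LOG = "\n".join(
    [f"2003-08-11T10:00:00 10.0.0.5 10.0.1.{i} 135 tcp" for i in range(1, 16)]
    + [
        "2003-08-11T10:00:00 10.0.0.9 10.0.2.1 80 tcp",
        "2003-08-11T10:00:00 10.0.0.9 10.0.2.2 135 tcp",
        "2003-08-11T10:00:01 10.0.0.9 10.0.2.3 135 tcp",
        "2003-08-11T10:00:01 10.0.0.9 10.0.2.4 443 tcp",
    ]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, proto); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        dport = int(dport)
    except ValueError:
        return None
    return ts, src, dst, dport, proto.lower()


def fanout_per_second(lines, port=135):
    """For each source, the largest number of distinct destinations it contacted
    on `port` within any single one-second bucket (timestamps are at second
    granularity, so the timestamp string itself is the bucket key)."""
    buckets = defaultdict(set)  # (src, timestamp) -> set of destinations
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst, dport, proto = rec
        if proto == "tcp" and dport == port:
            buckets[(src, ts)].add(dst)
    peak = defaultdict(int)
    for (src, _ts), dsts in buckets.items():
        peak[src] = max(peak[src], len(dsts))
    return dict(peak)


def find_scanners(lines, port=135, threshold=10):
    """Return sources whose peak one-second fan-out on `port` reaches `threshold`.
    threshold=10 is an assumed cutoff, set below the ~20 hosts/second reported."""
    peaks = fanout_per_second(lines, port)
    return sorted(src for src, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    for src in find_scanners(SAMPLE_LOG.splitlines()):
        print(f"possible RPC scanner: {src}")
```

Counting distinct destinations rather than raw connection attempts is what separates a host sweeping a subnet from a legitimate client that retries one RPC server; a real deployment would also want a sliding window instead of fixed one-second buckets so that a scan straddling a second boundary is not undercounted.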

According to Joe Stewart, senior security researcher at Myrtle Beach, S.C.-based managed security services provider LURHQ, the MSBlast code contains the message “Billy Gates, why do you make this possible? Fix your software!”

From what Stewart can tell about the code, which began spreading Monday, the worm’s author has designed the worm to attack only the site where Microsoft makes software patches available for problems such as the RPC vulnerability.

Although no major widespread disruptions or DoS attacks on the Internet are known to have taken place since the RPC vulnerability was discovered a few weeks ago, many security experts are expecting a number of isolated attacks or break-ins to occur.

Last week, Stanford University reported that 2,500 campus computers were broken into because of the RPC exploit, and the University of California at Berkeley also reported similar problems, which caused the campus to shut down some network ports and interfered with campus-wide communications. UC Berkeley systems administrators have been spending considerable time tracking down infected PCs, according to sources there.

Stewart said he believes the MSBlast worm is fairly easy to find on infected computers, but antivirus software will need to be updated to recognize the MSBlast signature.

Some antivirus security experts are objecting to the name MSBlast since that’s the author’s name for it, and tradition holds not to honor virus writers by following their given name for their viruses.

“We’re calling it ‘LoveSan’ or maybe ‘Blaster,’” commented Russ Cooper, TruSecure’s “surgeon general” for worm-related security matters.

Vincent Gullotto, vice president at Avert Labs, the antivirus research arm of Network Associates, said MSBlast (or “Blaster”) is based on exploit code seen on the Internet last week that showed how a worm could spread.

Since this proof-of-concept code is part of Blaster/MSBlast, the antivirus signature updates that McAfee made available last Wednesday to protect against the proof-of-concept code would also identify and eradicate this new worm.