Senior Editor, Network World

Update: Blaster worm infections spreading rapidly

Aug 13, 2003

The Blaster worm – also known as MSBlast or LoveSAN – has spread rapidly since it was first noticed on Monday. It has infected an estimated 188,000 systems running Microsoft operating systems, including Windows XP, Windows 2000, Windows 2003 and NT, that are unpatched for the so-called RPC vulnerability discovered last month, according to a security firm tracking the worm.

Alfred Huger, senior director of engineering in Symantec’s Security Response division, says the 188,000 number as of Wednesday afternoon is a good-faith estimate based on information Symantec is receiving worldwide from a range of sources and tracking systems. He notes that 188,000 infected hosts is a fairly substantial rate of infection, though it still falls far below the several hundred thousand infections attributed to other computer worms in the past, including Slammer, Code Red and Nimda. Like those worms, Blaster is causing disruptions because of its wild and destructive scanning to hunt for new victims. This scanning causes massive congestion inside the corporate networks it manages to infect.

“We are getting reports of network congestion caused by this,” Huger notes, pointing out that companies are having to shut down computers to clean out the Blaster worm. However, he adds: “We have more to fear from the children of this worm than the worm itself.”

There are concerns that any new variation of Blaster, whose main purpose is to infect computers in order to launch a denial-of-service attack on the Microsoft site on Aug. 16, could be much more dangerous. For example, a new variant could carry a payload that destroys files while it’s taking over computers – something that Blaster doesn’t do.

Huger predicts that Microsoft will be able to successfully defend its Web site against any ongoing DoS attack that begins on Aug. 16, given the advance notice Microsoft is getting. But other security experts are not so sure.

Dan Ingevaldson, engineering manager at the X-Force rapid-response division of Internet Security Systems, says Microsoft may find it hard to ward off an attack since the Blaster worm is not programmed to look for a specific IP address, unlike the infamous Code Red worm, which targeted the White House Web site. Blaster is programmed to search for the domain name itself. An IP address can be changed easily, but protecting a domain name is not so simple.

Although Blaster is travelling fairly quickly, Huger pointed out it could be infecting at a higher rate if the Blaster code were better designed.

“The worm is poorly written,” said Huger. It sometimes takes down computers instead of infecting them, and when it does infect them, sometimes the Blaster code simply fails to do anything else.

Microsoft has made patches available for the RPC vulnerability, which was identified last July, but the spread of Blaster’s infection shows many Microsoft-based computers remain unpatched.

The worm spreads via port 135, and some security advisories have recommended shutting off port 135 at the network perimeter. However, many say that’s not an advisable approach inside the network if an infection breaks out.

“Shutting down port 135 can cause some serious problems in terms of interruptions between Windows machines,” says Symantec’s Huger, noting that Windows-based machines probably wouldn’t be able to see other Windows machines on the network. Mark Shavlik, president and CEO of Shavlik Technologies, also says he wouldn’t recommend turning off port 135 inside the corporate network because that could greatly interfere in uncertain ways with Microsoft-based applications.
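Rather than blocking port 135 inside the network, the practical alternative is to find the hosts doing the scanning and clean them. The following is an added example, not code from the article or from any vendor quoted in it: it parses constructed firewall log lines (a made-up format, not a real product’s) and flags any source that contacts many distinct hosts on TCP/135, which is the scanning behaviour the article describes.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article). A worm-scanning
# host hits one new destination after another on TCP/135; a normal Windows host
# talks to a few hosts on several ports.
SAMPLE_LOG = """\
2003-08-13T10:00:01 ALLOW TCP 10.1.4.22 -> 10.1.4.1:135
2003-08-13T10:00:01 ALLOW TCP 10.1.4.22 -> 10.1.4.2:135
2003-08-13T10:00:01 DENY  TCP 10.1.4.22 -> 10.1.4.3:135
2003-08-13T10:00:02 ALLOW TCP 10.1.4.22 -> 10.1.4.4:135
2003-08-13T10:00:02 DENY  TCP 10.1.4.22 -> 10.1.4.5:135
2003-08-13T10:00:02 DENY  TCP 10.1.4.22 -> 10.1.4.6:135
2003-08-13T10:00:03 ALLOW TCP 10.1.7.9  -> 10.1.7.10:135
2003-08-13T10:00:03 ALLOW TCP 10.1.7.9  -> 10.1.7.10:445
2003-08-13T10:00:04 ALLOW TCP 10.1.7.9  -> 10.1.7.11:135
"""

# Hypothetical log format: timestamp action proto src -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_lines(text):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_port135_scanners(text, min_targets=5):
    """Return {source: set_of_distinct_destinations} for every source that
    touched at least min_targets distinct hosts on TCP/135. DENY lines count
    too: a blocked probe still reveals an infected scanner."""
    targets = defaultdict(set)
    for rec in parse_lines(text):
        if rec["port"] == "135":
            targets[rec["src"]].add(rec["dst"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_port135_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct hosts probed on TCP/135 -> isolate and clean")
```

Tune min_targets to the normal RPC fan-out of your own segment; the threshold that separates a domain controller from a scanner is site-specific.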

Microsoft last month released a software patch for Windows XP, 2000, NT and 2003 to fix the RPC buffer-overflow vulnerability that the Blaster worm exploits.

However, the online computer-security forum NTBugtraq this week debated whether the Microsoft software patch will work for Windows 2000 running Service Pack 2 (SP2), a version of Windows no longer officially supported by Microsoft.

Microsoft now officially supports Service Packs 3 and 4, the latest of which came out in June. The Microsoft security bulletin on the RPC vulnerability had only referred to the patch working on SP3 and SP4, although Microsoft now acknowledges it was aware the patch would also work on SP2. And Microsoft’s Web site, Windows Update, did not offer the ability to install the patch – known as MS03-026 – on Windows 2000 SP2 systems.

NTBugtraq conducted the discussion on SP2 and the software patch because many organizations are confused about whether the Microsoft patch would work on their older SP2-based Windows 2000 systems. Russ Cooper, “surgeon general” in worm matters at security firm TruSecure, pointed out on NTBugtraq that the MS03-026 software patch does protect Windows 2000 SP2 systems. The ongoing discussion on NTBugtraq this week brought attention to the issue and got Microsoft back-pedaling on it.

“To be honest, our security bulletin applied to the supported versions of SP3 and SP4,” said Stephen Toulouse, security program manager for Microsoft Security Response Center. “The patch itself wasn’t tested for Service Pack 2.”

Microsoft has a “life-cycle policy” in which it doesn’t officially support patches for outdated releases, but the fact of the Blaster worm and the pressure to take a stand compelled Microsoft to alter its official stance.

“The patch will install on SP2,” said Toulouse. He said it was unusual for Microsoft to alter its patching support relative to life-cycle management, but in this case it was making an exception.

“It’s taken them 27 days to officially say it will work on a platform they designed it for,” pointed out TruSecure’s Cooper, who noted that the lack of official support from Microsoft and some patch-management vendors for a patch for SP2 had people working on homegrown methods to apply the patch on their own.