Experts: more, better Windows worms likely

Despite infecting tens of thousands of computers worldwide, the recent W32.Blaster worm is poorly written and inefficient, blunting its impact, according to security experts.

However, future versions of the worm could correct Blaster's flaws and spread much more quickly, resulting in service outages on infected networks and causing far greater harm to businesses and individuals users on the Internet, experts warn.

Blaster, which is also known as the MSBlast, the Lovsan Worm and the DCOM Worm, surfaced on Monday and quickly spread to computers worldwide by exploiting a known security vulnerability in Microsoft Corp.'s Windows operating system.

By Tuesday morning, the worm, which targets a Windows component for handling RPC (Remote Procedure Call) protocol traffic called the Distributed Component Object Model (DCOM) interface, spread to more than 30,000 systems, according to Johannes Ullrich, chief technology officer of the SANS Internet Storm Center.

However, security experts familiar with the new worm say that close inspection of its code reveals shoddy workmanship.

"It's a pretty bad worm. I keep calling it the 'half a worm'," said Marc Maiffret, chief hacking officer at security company eEye Digital Security Inc. in Aliso Viejo, California.

Rather than write new code, Blaster's author or authors copied and pasted a well-known exploit for the vulnerability which was available on the Internet, Maiffret said.

Whereas the vulnerability affects almost every computer running Microsoft Windows, the DCOM exploit used by Blaster works only on Windows XP and Windows 2000 systems, greatly reducing the number of machines affected, according to Maiffret.

Unlike other successful worms, the Blaster code is unable to detect what kind of operating system is installed on the machine it is attacking and chooses randomly between the exploit for Windows XP systems and Windows 2000 systems, according to security company F-Secure Corp. of Helsinki.

In doing so, Blaster frequently uses the wrong exploit for the installed operating system, which causes Windows XP machines to reboot with an error message that mentions RPC, F-Secure said.

Sophisticated worm writers would create their own exploit code that works for more flavors of Windows and add features to detect the operating system and prevent telltale crashes, Maiffret said.

Similarly, Blaster's authors created a noisy and an inefficient method for spreading the worm code from an infected machine to a vulnerable, but uninfected machine. The worm requires the vulnerable machine to establish a separate connection to the infected machine to copy over the worm code, making the worm easier to notice on a network and providing multiple avenues to block the worm's spread, Maiffret said.

That was the experience of IT administrators at the University of Florida (UF), according to Jordan Wiens, a network security engineer.

While Blaster uses port 135 to spread from computer to computer, it also opens a back door to the computer on port 4444 which is used to issue commands that download the worm code.

UF administrators were quickly able to stop the worm from spreading without affecting other applications in use on campus by blocking traffic to port 4444, Wiens said.

"They were clueless," said Maiffret. "A real worm writer with any type of skill wouldn't have needed to connect back (to an infected machine) in order to get infected."

Ullrich agreed, calling Blaster's infection method "a bit primitive" and pointing to the worm's habit of stopping after it scans only 20 or so machines to check for infections.

"Code Red scanned 100 or 200 machines at a time," he said, referring to the devastating worm of 2001.

Maiffret, Ullrich and others agree that future versions of the Blaster worm are likely, as are new worms that exploit the RPC vulnerability.

Those variants might patch the holes in Blaster's code or modify it, for example: redirecting the worm's programmed DOS (denial of service) attack against Microsoft's windowsupdate.com site to a different Internet domain or IP (Internet Protocol) address, Maiffret said.

The Internet Storm Center had not received reports of any Blaster variants Tuesday, Ullrich said.

Despite its many faults, Blaster did do one thing right, according to Maiffret and others: target an easily exploitable and ubiquitous security flaw that affects home users more than just closely monitored servers.

"Even as poorly written as (Blaster) is, it's still having an effect and we're seeing a lot of impact from the worm right now. That's really the scariest part," Maiffret said.

And the worm's programmed DOS attacks against Microsoft could still cripple the networks used to launch the attack, even if they don't bring down the Redmond, Washington software company's Windows update servers, Maiffret said.

Like any worm, Blaster will also be hard to eradicate, according to Mikko Hyppnen, antivirus research director at F-Secure.

"We're still fighting Code Red from 2001, so (Blaster) will keep spreading for a very long time. I expect it will still be scanning networks in 2005," he said.

In the end, however, the emergence of a serious -- but not devastating -- worm like Blaster might help inoculate the Internet community against future variants that are more virulent, spurring users to patch vulnerable systems and install other protective measures like firewalls, Maiffret said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?