Experts ponder coming Blaster attack

While Internet users and corporations dig out from the havoc caused by the new W32.Blaster Internet worm, security experts are questioning whether a massive denial of service attack from infected machines, scheduled for Saturday, will succeed.

The worm, referred to alternately as the DCOM worm or Lovsan worm, first appeared on the Internet late Monday and spread quickly, infecting machines running the Windows XP and Windows 2000 operating systems.

Blaster takes advantage of a known vulnerability in a Windows component called the DCOM (Distributed Component Object Model) interface, which handles messages sent using the RPC (Remote Procedure Call) protocol.

As of Thursday, the Blaster worm infected between 250,000 and one million computers, according to Vincent Gullotto, vice president of the AVERT antivirus response team at Network Associates Inc.

But the worst may still be coming.

In addition to being programmed to seek out and infect vulnerable Windows computers, Blaster is set to launch a denial of service attack against a Microsoft Web site on August 16.

Infected machines worldwide will begin sending a constant stream of phony connection requests to the Internet domain in an maneuver known as a TCP (Transmission Control Protocol) SYN flood attack.

Microsoft uses to distribute software patches to Windows customers.

The machines will begin their attack at 12:00 a.m. local time, with each infected computer judging the time by consulting its system clock.

That will create a cascading attack that will cross the globe as clocks in each time zone roll over to the new day, according to Mikko Hyppnen, antivirus research director at F-Secure Corp. in Helsinki.

Once launched, the attack will continue, unabated, through the end of December, then begin again on January 16, 2004, according to an analysis of the worm code by security company eEye Digital Security Inc.

If successful, the attack would be difficult for Microsoft to stop, according to experts.

More than 100,000 infected machines could be involved in the attack, creating a massive flood of traffic to Microsoft's windowsupdate servers, according to Gullotto.

Attack traffic will come from computers using thousands of different IP (Internet Protocol) addresses, making it impossible to deploy a blocking list. In addition, attack traffic will arrive on Port 80, a vital computer communications port used to access the World Wide Web, Hyppnen said.

But experts agree that all may not be lost.

By mistake or design, Blaster's author provided the incorrect domain address for windowsupdate. The address specified in the worm's code,, simply forwards users to the actual Windows update site,, Hyppen said.

Microsoft can easily change the DNS (Domain Name System) configuration for to have it stop forwarding traffic to the actual site, sidestepping Saturday's Blaster DOS attack, he said.

The DNS record could be changed to point to a phony IP address like or to point attack traffic back to the attacking machine itself, Hyppönen said. Either of those changes would also spare the Internet from a flood of spurious attack traffic, he said.

Finally, the Blaster code only checks the date when the worm code begins running. Machines that are not newly infected and have already been running, or that do not reboot on August 16 may not check the date and, thus, would not launch an attack, Hyppnen said.

"I think nothing is going to happen," he said.

Microsoft is keeping mum about how it plans to address the DOS attack this weekend.

For now, the Redmond, Washington, software giant is assuming that a high volume of attack traffic will be coming its way on August 16, and is taking steps to ensure that customers will continue to receive software updates, according to Stephen Toulouse, security program manager at Microsoft.

"We take this threat very seriously and are working diligently to prepare for what the worm might do," he said.

Toulouse declined to speculate on possible strategies for avoiding Blaster's wrath.

The company is posting patches at multiple locations on its Web site to make sure that customers can access necessary software updates even if is crippled by an attack, he said.

In addition to, customers can obtain patches from, which is not targeted by Blaster, he said.

Information on Blaster was also posted at, Toulouse said.

F-Secure has been monitoring for two days and says that, for now, the site shows no signs of disruption, according to Hyppnen.

The only increase in traffic to the site Microsoft has noticed comes from customers rushing to get the software patch and block Blaster, Toulouse said.

While experts can debate what might happen, the world can best prevent disruptions from Blaster by cleaning and patching infected systems, Gullotto said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?