[ISN] Microsoft: 'Blaster' Virus Looks Like Dud

From: InfoSec News (isnat_private)
Date: Sun Aug 17 2003 - 22:41:05 PDT


    http://www.washingtonpost.com/wp-dyn/articles/A5774-2003Aug17.html
    
    By Helen Jung
    The Associated Press
    Sunday, August 17, 2003
    
    SEATTLE - The second wave of an Internet attack by the "blaster" worm 
    barely caused a ripple Saturday.
    
    Microsoft Corp. said it had no major problems from the worm's attempt 
    to turn thousands of infected computers into instruments targeting the 
    software company's Web site and network.
    
    The Redmond-based company had not noticed any extraordinary network 
    congestion, spokesman Sean Sundwall said. There were also no reports 
    of customers having major problems accessing the targeted Web site, 
    which houses a software patch that fixes the flaw exploited by the 
    worm.
    
    "So far we have seen no impact on our Web sites or any other Web sites 
    due to the 'blaster' worm," Sundwall said.
    
    Still, he urged people to take precautions to protect their computers.
    
    The virus-like infection, also dubbed "LovSan" or "MSBlast," exploits 
    a flaw in most current versions of Microsoft's Windows operating 
    system for personal computers, laptops and server computers. Although 
    Microsoft posted a software patch to fix the flaw July 16, many users 
    failed to download it, leaving them vulnerable.
    
    As of Saturday afternoon, the worm had infected more than 423,000 
    computers around the world since Monday, according to security firm 
    Symantec Corp.
    
    Of those, about 50,000 were affected on Saturday, said Mike Bradsaw, a 
    Symantec spokesman.
    
    The infection caused computers to reboot frequently or disrupted 
    users' browsing on the Internet. But it also packed a second punch.
    
    Computer experts said starting at 12:01 a.m. local time Saturday, 
    infected computers that have not cleaned up the virus would in effect 
    turn into a legion of zombies instructed to repeatedly call up a 
    Microsoft Web site that houses the software patch. If enough traffic 
    flooded the network, the site could be rendered unreachable and 
    computer users would be unable to access the patch.
    
    But the exploiters of the Microsoft flaw made a mistake themselves. 
    The worm instructed computers to call up http://windowsupdate.com - 
    which is an incorrect address for reaching the actual Microsoft Web 
    site that houses the software patch. Although Microsoft has long 
    redirected those who visited that incorrect address to the real site - 
    http://windowsupdate.microsoft.com - the company disabled the 
    automatic redirection Thursday in preparation for the onslaught of 
    infected computers.
    
    That has helped Microsoft's real Web site stay accessible to users, 
    Sundwall said. The company was taking other measures to keep its site 
    up and running, he said. He declined to give specifics.
    
    Vincent Weafer, senior director of security response for Symantec, 
    warned that Microsoft's network and others across the country could 
    see a slowdown in Internet traffic simply from the volume of activity 
    the worm is expected to generate from its legion of infected 
    computers.
    
    But that slowdown didn't happen, Weafer said Saturday.
    
    The rate of new infections has slowed in recent days, he said, though 
    computer users who still have not downloaded the patch need to do so. 
    He said the company expects new infections to continue for as long as 
    two years.
    
    The worm left behind a love note on vulnerable computers: "I just want 
    to say LOVE YOU SAN!" It also carried a hidden message to taunt 
    Microsoft's chairman: "billy gates why do you make this possible? Stop 
    making money and fix your software!"
    
    On the Net:
    http://windowsupdate.microsoft.com
    
    
    