[ISN] Worm aims to eradicate Blaster

From: InfoSec News (isnat_private)
Date: Tue Aug 19 2003 - 05:09:27 PDT

    By Ellen Messmer
    Network World Fusion
    As if last week's Blaster worm didn't cause enough damage, there are
    now reports of a worm that breaks into Windows-based computers to try
    to delete any trace of the Blaster worm infection, and then downloads
    the patch Microsoft developed to fix the vulnerability that Blaster
    First spotted in Asia, the worm is being called Nachi, Welchia or
    MSBlast.B, according to at least three antivirus firms that have
    analyzed its code. Ian Hameroff, security strategist at Computer
    Associates, which has named the worm Nachi, said it can break into any
    Windows XP, 2000, NT or 2003 machine that hasn't been patched for the
    Remote Procedure Call (RPC) vulnerability identified last month. This
    is the technique exploited by the Blaster worm first seen last week,
    which infected hundreds of thousands, if not millions, of computers
    Blaster's main purpose was to launch a denial-of-service attack
    against Microsoft's Windows Update site via compromised machines. But
    that had very limited success since Microsoft disabled the
    windowsupdate.com URL that Blaster specifically targeted. This URL was
    a redirect link to the main Microsoft site
    windowsupdate.microsoft.com, which Microsoft protected.
    Chris Thompson, vice president of marketing at Network Associates,
    noted that the Blaster worm couldn't start a DoS attack when it
    couldn't find the target URL, and would instead try to hit an IP
    address five times afterward. But Windows machines
    aren't prepared to handle that request anyway, he added.
    The Blaster worm failed to affect Microsoft substantially. However,
    many corporate networks have faced paralyzing congestion due to
    scanning caused by Blaster infections of unpatched machines.
    Now, a new worm is on the loose to infect vulnerable machines in the
    same way Blaster does. But its purpose is thought to be to find
    Blaster code, eradicate it, and install the Microsoft patch. However,
    trying to install a patch without the network administrator's
    oversight can "have repercussions," such as causing machines to fail,
    noted David Perry, Trend Micro's global director on education issues.  
    It represents a break-in of a different sort that must be prevented
    through proper patching and other means, such as antivirus software.
    The Nachi/Welchia/MSBlast worm does not seem to be moving fast, but
    security firms are keeping a close eye on evidence of its spread since
    it could also become a problem this week as Blaster was last week.