Microsoft gears up for worm's blast

Published: 14 Aug 2003 08:40 BST


Microsoft hopes to be ready when hundreds of thousands of computers infected with the MSBlast worm start pelting its Windows Update service with data requests at midnight on Friday.


The company has taken steps to try to dodge the denial-of-service attack, but it's also begun educating Windows users about other ways to get updates and patches in the event that the update service is made unavailable.

"We are preparing," said Stephen Toulouse, security program manager for Microsoft's security research centre. "We are working diligently to make sure that our customers can get the patch."

The primary payload of the MSBlast worm, which began infecting systems on Monday, is a denial of service attack against the service from which most Windows users get their updates. If successful, the manoeuvre would frustrate efforts to patch the Windows vulnerability the worm exploits. The strategy is also a way of simply harassing the software giant; the worm's code contains a message for the company's founder: "billy gates why do you make this possible? Stop making money and fix your software!!"

Named after the msblast.exe file that contains the program, MSBlast continued to spread across the Net on Wednesday, infecting nearly 228,000 computers by midmorning, according to data gathered by security company Symantec.

Computers infected with the worm will start sending connection requests to the Windows Update service at midnight on Friday, according to the clock on a given user's computer.

Although Toulouse was mum on the specific steps the software giant is taking to prepare for the attack, Microsoft is advertising alternative ways to get downloads and information from its site. The company has put more than 10 links on its main Web site to send people to more information and alternative channels for downloading updates.

Toulouse also stressed that consumers can and should get the latest patches from the company's Download Centre.

Lloyd Taylor, the vice president of technology and operations at Keynote Systems, which evaluates network performance, said that Microsoft's service will likely fall victim to the attack.

"I don't think any network in the world would be accessible with the amount of traffic that is going to be thrown at it," Taylor said.

Taylor also said that the amount of traffic directed at the Microsoft site could take down small local networks. But a similar prediction a few years ago fell flat.

In 2001, after Code Red infected some 350,000 computers, it aimed a similar DoS attack at whitehouse.gov. The network administrators were able to move the site from the targeted Internet address and sidestep the attack. Moreover, despite hundreds of thousands of PCs flooding the Internet with data, local network outages didn't happen.

Marc Maiffret, chief hacking officer for security software maker eEye Digital Security, said the amount of data sent from each infected computer would be small and that it would be unlikely to overwhelm any networks. Each compromised computer should send 50 packets of data every second -- about 16kbps. That's quite low for such attacks.

"I doubt Windows Update will go down," Maiffret said. "They have a big network, and it's very distributed."
