Security threats Toolkit

MSBlast spawns variants as users race to patch

Tags:
W32.blast,
Blast.exe,
Lovesan,
Microsoft Windows Flaw

Published: 14 Aug 2003 08:45 BST

As the MSBlast worm continues its spread -- to approximately 2,500 new computers each hour -- antivirus firms said that a new variant had been released.

Click here for information on protecting your PC.

Security company Symantec, which directly measures the spread of the worm via sensors distributed throughout the Internet, said the number of computers compromised by MSBlast -- aka W32/Lovsan and W32.Blaster -- had reached 228,000 by midmorning on Wednesday.

Alfred Huger, senior director of engineering for the company's security response team, estimated that millions of computers may still be vulnerable to the flaw, leaving administrators scrambling to patch systems before they fall victim to the worm's relentless spread.

"If people don't patch, there could be millions of infections," Huger said.

Symantec and rival antivirus companies Network Associates, Kaspersky Labs and Central Command all warned users of a modified version of the worm that apparently differs by only a few file names but otherwise is identical to the original. Network Associates also discovered a third version of the worm that apparently changes a file name and a registry key.

Because the variants don't repair the worm's flawed method of selecting new targets, they won't change the overall properties of the current epidemic, Huger said. "The variant spreads roughly at the same speed" as the original worm, he said.

The introduction of the MSBlast worm ended nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm that takes advantage of a vulnerability in a widely used feature of Microsoft Windows. The worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools such as the Tiny, or Trivial, File Transfer Protocol (TFTP) server.

Estimates of the size of the MSBlast epidemic vary widely.

The Computer Emergency Response Team (CERT) Coordination Centre, a clearinghouse for information on Internet threats, said as many as 1.4 million Internet addresses seemed to be the home of computers the worm -- or an earlier attack program on which the worm was based -- had compromised.

But Art Manion, an Internet security analyst with the CERT Coordination Centre, said the media widely equated the data with the total number of computers infected. In reality, the number could be less, because the dynamic address assignment broadband providers use for home users could significantly inflate the apparent number of infections.

"One million (infections) is probably an order of magnitude too high," Manion said. Instead, "hundreds of thousands" of compromised computers is far more realistic."

Symantec and threat-tracker Internet Storm Centre -- two organisations that based their data on direct Internet measurements -- each recorded less than 250,000 infected computers by midmorning Wednesday.

"The spread is stabilising," said Johannes Ullrich, chief technology officer for Internet Storm Centre.

During the past 12 hours, Symantec has detected from 420 to nearly 4,000 infections per hour, with an average of about 2,500 new computer compromised hourly. The worm, which security experts believe started spreading early on Monday, scans for vulnerable computers so widely that an unpatched Windows XP computer on the Internet could be infected in just 25 minutes, according to Symantec studies.

Still, the infection rate is much slower than that of the Code Red v.2 worm, which -- at its fastest -- compromised 100,000 computers in about five hours and about 350,000 computers in a day.

If the rate holds, the MSBlast worm could infect a million computers in less than two weeks.