Advertisement
Promo

Security management Toolkit in association with http://ad.doubleclick.net/clk;214682528;14505427;f?http://uk.blackberry.com/ataglance/security/

Why did MSBlast fail to take down Microsoft?

Jonathan Yarden

Published: 28 Aug 2003 13:30 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

I'd like to say that most identified worms will eventually go away. But from what I've seen, once released onto the Internet, worms continue to infect new hosts. I still see a great deal of older worm signatures hanging out on the Internet, including SQL Slapper and Nimda. I'm sure that MSBlast and its variations will be eating away at Internet traffic for a long time.

Like clockwork, most worms are released after a known vulnerability is announced. MSBlast, like most other worms, came shortly after the announcement of a DCOM Remote Procedure Call (RPC) vulnerability in Windows NT, 2000, and XP systems. MSBlast does the typical things worms today do: it scans for IP addresses and then infects the vulnerable machines that it finds.

On 16 August, MSBlast began flooding Windowsupdate.com with a denial of service attack. One important difference between MSBlast and previous worms is that MSBlast uses DNS. This minor enhancement means that simply changing the IP address for Windowsupdate.com wasn't sufficient to keep it from being targeted.

The good news was that MSBlast didn't hurt Microsoft because it didn't have the correct hostname for the Windows Update Web site. In fact, MSBlast was programmed to attack the wrong Web site.

The Windows Update Web site is Windowsupdate.microsoft.com, not Windowsupdate.com. Microsoft had been redirecting HTTP requests from Windowsupdate.com to the correct location but wisely stopped this. As an added bonus, it removed DNS for this entirely so the MSBlast worm wouldn't issue requests and clog up Internet traffic. The result was that MSBlast basically did nothing to affect Microsoft, except perhaps infect new machines and generally cause headaches for network and system administrators worldwide.

We'll probably never know whether the authors of MSBlast intended to have their worm thwarted like this, but I find it difficult to believe this was a mistake. Anyone who's clever enough to release a worm onto the Internet isn't likely to make such a ridiculous error. And you can be sure the next worm from whoever wrote this one isn't going to be easily sidestepped.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
112 out of 191 people found this useful


Company/Topic Alerts

Create a new alert from the list below:



Video icon

Video

Sentry Posts Blog

DNA details of innocent will be kept f...

The government has announced that it plans to keep innocent people's DNA details for up to six years. In response to a consultation it launched last December, the government said... More

5 comments

Motorola Droid Drops Today: Happy Droi...

Motorola Droid Drops Today: Happy Droid Day America! Author: Eric Everson, Mobile Security Expert If you’re wondering what all of the buzz is about with words like Droid and Android... More

Post a comment

Mobile Security Profile: BlackBerry St...

Mobile Security Profile: BlackBerry Storm2 Author: Eric Everson BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data,... More

Post a comment

Featured Talkback

In association with Network Liberation Movement
It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.

By: RonaldWilkins

Read full story:
Deloitte: People are still weakest security link


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters