BNET UK
silicon.com
ZDNet UK

Home
News
Blogs
Reviews
Videos
Jobs
Resources
Community

Leader
Comment
White Papers
Downloads
Special Reports

Hardware
Software
Communications
Internet
Security
IT Management
Emerging Tech
Leader

Group Blogs
News Blog
Post Room
Rupert's Diary

Hardware Reviews
Software Reviews
Editors' Choice
Buyer's Guides
Tech Guides
Competitions

Dialogue Box
Security threats
Server platforms
Mobile devices
Application development
Full video index

Articles
White Papers
Downloads
Companies
Broadband Speed Test

People
Competitions
Post Room
FAQ

You are here: ZDNet UK > News > Security

Security management Toolkit

Why did MSBlast fail to take down Microsoft?

Tags:
Windowsupdate,
Fail,
,
Virus

Jonathan Yarden Tech Republic

Published: 28 Aug 2003 13:30 BST

I'd like to say that most identified worms will eventually go away. But from what I've seen, once released onto the Internet, worms continue to infect new hosts. I still see a great deal of older worm signatures hanging out on the Internet, including SQL Slapper and Nimda. I'm sure that MSBlast and its variations will be eating away at Internet traffic for a long time.

Like clockwork, most worms are released after a known vulnerability is announced. MSBlast, like most other worms, came shortly after the announcement of a DCOM Remote Procedure Call (RPC) vulnerability in Windows NT, 2000, and XP systems. MSBlast does the typical things worms today do: it scans for IP addresses and then infects the vulnerable machines that it finds.

On 16 August, MSBlast began flooding Windowsupdate.com with a denial of service attack. One important difference between MSBlast and previous worms is that MSBlast uses DNS. This minor enhancement means that simply changing the IP address for Windowsupdate.com wasn't sufficient to keep it from being targeted.

The good news was that MSBlast didn't hurt Microsoft because it didn't have the correct hostname for the Windows Update Web site. In fact, MSBlast was programmed to attack the wrong Web site.

The Windows Update Web site is Windowsupdate.microsoft.com, not Windowsupdate.com. Microsoft had been redirecting HTTP requests from Windowsupdate.com to the correct location but wisely stopped this. As an added bonus, it removed DNS for this entirely so the MSBlast worm wouldn't issue requests and clog up Internet traffic. The result was that MSBlast basically did nothing to affect Microsoft, except perhaps infect new machines and generally cause headaches for network and system administrators worldwide.

We'll probably never know whether the authors of MSBlast intended to have their worm thwarted like this, but I find it difficult to believe this was a mistake. Anyone who's clever enough to release a worm onto the Internet isn't likely to make such a ridiculous error. And you can be sure the next worm from whoever wrote this one isn't going to be easily sidestepped.

1 2

Did you find this article useful?
112 out of 191 people found this useful

Share this article:
Digg
Slashdot
Del.ici.ous
Stumble
Reddit

In association with Network Liberation Movement

Company/Topic Alerts

Create a new alert from the list below:

microsoft,msblast,blaster,worm,virus,windowsupdate,fail,

Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video

Install Flash Player plugin

Find out more: Microsoft exec outlines...

All videos
Most popular videos
Latest videos

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.