ZDNet UK



Why did MSBlast fail to take down Microsoft?

Jonathan Yarden

Published: 28 Aug 2003 13:30 BST


I'd like to say that most identified worms will eventually go away. But from what I've seen, once released onto the Internet, worms continue to infect new hosts. I still see a great deal of older worm signatures hanging out on the Internet, including SQL Slapper and Nimda. I'm sure that MSBlast and its variations will be eating away at Internet traffic for a long time.

Like clockwork, most worms are released after a known vulnerability is announced. MSBlast, like most other worms, came shortly after the announcement of a DCOM Remote Procedure Call (RPC) vulnerability in Windows NT, 2000, and XP systems. MSBlast does the typical things worms today do: it scans for IP addresses and then infects the vulnerable machines that it finds.

On 16 August, MSBlast began flooding Windowsupdate.com with a denial of service attack. One important difference between MSBlast and previous worms is that MSBlast uses DNS. This minor enhancement means that simply changing the IP address for Windowsupdate.com wasn't sufficient to keep it from being targeted.

The good news was that MSBlast didn't hurt Microsoft because it didn't have the correct hostname for the Windows Update Web site. In fact, MSBlast was programmed to attack the wrong Web site.

The Windows Update Web site is Windowsupdate.microsoft.com, not Windowsupdate.com. Microsoft had been redirecting HTTP requests from Windowsupdate.com to the correct location but wisely stopped this. As an added bonus, it removed the DNS entry for Windowsupdate.com entirely, so the MSBlast worm wouldn't issue requests and clog up Internet traffic. The result was that MSBlast basically did nothing to affect Microsoft, except perhaps infect new machines and generally cause headaches for network and system administrators worldwide.
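Because the worm locates its target by hostname, lookups for Windowsupdate.com in a resolver's query log point back at the machines making them. The sketch below is an added example, not part of the original article: it flags clients that repeatedly query that exact name while ignoring the real Windowsupdate.microsoft.com site. The log layout, the addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Hostname the article says MSBlast was programmed to attack.
TARGET = "windowsupdate.com"

# Constructed sample data. The layout (timestamp, client IP, query name,
# query type) is an assumed simplified format, not a real resolver's log.
SAMPLE_LOG = """\
2003-08-16T00:00:03 10.1.4.17 windowsupdate.com A
2003-08-16T00:00:04 10.1.4.22 windowsupdate.microsoft.com A
2003-08-16T00:00:23 10.1.4.17 WindowsUpdate.com. A
2003-08-16T00:00:31 10.1.4.30 windowsupdate.com A
2003-08-16T00:00:43 10.1.4.17 windowsupdate.com A
2003-08-16T00:00:44 10.1.4.22 windowsupdate.microsoft.com A
2003-08-16T00:00:50 10.1.4.22 windowsupdate.microsoft.com A
this line is truncated garbage
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")


def parse(log_text):
    """Yield (client, normalised query name, query type); skip bad lines."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            _ts, client, qname, qtype = m.groups()
            yield client, qname.rstrip(".").lower(), qtype


def suspected_hosts(log_text, min_queries=3):
    """Return clients that looked up TARGET at least min_queries times.

    The threshold is an assumption to separate repeated automated lookups
    from a person typing the name once; tune it to the log window.
    """
    hits = Counter()
    for client, qname, qtype in parse(log_text):
        # Exact match only: windowsupdate.microsoft.com is the real update
        # site and must not be flagged.
        if qname == TARGET and qtype == "A":
            hits[client] += 1
    return sorted(c for c, n in hits.items() if n >= min_queries)


if __name__ == "__main__":
    print(suspected_hosts(SAMPLE_LOG))
```
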

We'll probably never know whether the authors of MSBlast intended to have their worm thwarted like this, but I find it difficult to believe this was a mistake. Anyone who's clever enough to release a worm onto the Internet isn't likely to make such a ridiculous error. And you can be sure the next worm from whoever wrote this one isn't going to be easily sidestepped.
