Blaster worm set to attack Microsoft's update service

By Alun Williams

Posted on 15 Aug 2003 at 16:49

The world is watching this weekend to gauge the full effect of the Blaster worm. Already widespread, the worm is timed to attack Microsoft's Windows update service after midnight tonight.

The Blaster worm first appeared Tuesday 12 August 2003 - New worm infects with an eye on Windows Update site. Also known as Lovsan, MSBlaster or Poza, it exploits Microsoft's well-known DCOM RPC vulnerability. This is a flaw in Windows (from NT to XP) that occurs through an error in the way malformed messages received over the Remote Procedure Call (RPC) protocol.

As part of its malicious behaviour, the worm is setting up a distributed denial-of-service attack on Windows Update, which will take place after 15 August. Note however that the worm targets the URL www.windowsupdate.com, which seems to have already been taken down by Microsoft. The alternative URL of windowsupdate.microsoft.com is healthy and up and running.

Graham Cluley, senior technology consultant for Sophos Anti-Virus, said on the arrival of Blaster: 'By attempting a denial of service attack on the windowsupdate.com website, the virus author is deliberately trying to make it difficult for computer users to download the patch they need to secure their copies of Windows against the worm. It's an extremely devious trick by Blaster's author.'

He added: 'System administrators should note that Blaster doesn't spread by email - so Internet email scanning services will not be able to detect this worm, and an absence of reports at your email gateway does not mean you can rest on your laurels.'

The Microsoft homepage - itself temporarily off-line this morning - highlights the security issues, and repeats the advice to enable firewall protection and ensure that software is kept up to date with patches. You can find the detailed steps for securing your computer at www.microsoft.com.

See also

Critical hole in Microsoft's Windows