
Microsoft Prepares To Be 'blasted'



Hi all ;),

Well, this new worm is really playing havoc on the web. As well as the Blaster version there is reportedly a new version.

KASPERSKY LABS claimed this afternoon that there's already a new version of the Blaster/Lovesan worm on the loose. And it says that's likely to mean a repeat of the outbreak we've seen during this week. The new variety of Lovesan/Blaster exploits the same vulnerability. Kaspersky says that the number of infected systems is around the 300,000 mark, and the new variety may double this number.

The worm, which has not yet been named, is a near doppelganger of MSBlast, with only slight changes. The name of the primary worm-carrier file MSBLAST.EXE in the original is now TEEKIDS.EXE. The variation's code has also been compressed with FSG rather than UPX, and a new string of text buried within the code takes different potshots at both Microsoft and anti-virus developers.

The danger is that, while the two worms are very similar and exploit the same RPC vulnerability in Windows, it's possible for both to co-exist on the same computer.

"In other words, all computers infected by the original will soon be attacked by its revamped version," said Eugene Kaspersky, the head of anti-virus research at the Russian company.

Microsoft is preparing for this onslaught...

Microsoft hopes to be ready when hundreds of thousands of computers infected with the MSBlast worm start pelting its Windows Update service with data requests on midnight Friday.

The company has taken steps to try to dodge the denial-of-service attack, but it's also begun educating Windows users about other ways to get updates and patches in the event that the update service is made unavailable.

"We are preparing," said Stephen Toulouse, security program manager for Microsoft's security research center. "We are working diligently to make sure that our customers can get the patch."

The primary payload of the MSBlast worm, which began infecting systems Monday, is a DoS attack against the service from which most Windows users get their updates. If successful, the maneuver would frustrate efforts to patch the Windows vulnerability the worm exploits. The strategy is also a way of simply harassing the Redmond, Wash.-based software giant; the worm's code contains a message for the company's founder: "billy gates why do you make this possible? Stop making money and fix your software!!"

View - Full Story

It's urgent that you patch your Windows NT/2000/XP/2003 systems now, as the number of users suffering from this exploit has risen dramatically today. It's also a good idea to implement a firewall system (hardware/software) and to keep your virus definitions up-to-date to prevent malicious attacks in future.

;)


Blaster worm set for massive attack Saturday.

With the internet populace reeling after a malicious worm continues to infect thousands of PCs worldwide, the situation is set to worsen as we can expect a massive denial of service attack sometime tomorrow. The virus commonly referred to as W32.Blaster first appeared on the Internet late Monday and has spread quickly, infecting machines running both Microsoft Windows XP and Windows 2003 Server operating systems. With the worm showing little sign of slowing, it makes this outbreak perhaps the most serious since the appearance of the SQL Slammer worm back in January.

Recent statistics released by anti-virus firm Network Associates have estimated the number of infected machines worldwide to be somewhere between 250,000 and 1,000,000 as of Thursday, with thousands of new cases reported daily.

The real fear was that these infected machines would launch a massive denial of service attack against its Windows update site, which is reportedly already feeling the sting as millions of internet users scramble to download the patch that protects them against the MSBlast worm before attacks begin Saturday.

In response to this threat, Microsoft has since “killed off” the Windowsupdate.com address with the changes having been made this Thursday. Because the worm is programmed to attack only that address and not the site that it redirects to, the software giant has decided to eliminate the Windowsupdate.com address. The move is one of a series of efforts that Microsoft has undertaken to try to thwart an attack on its servers that was expected to be launched by msblast infected computers.

The worm is programmed to start attacking Windowsupdate.com at 12 a.m. PST Saturday.

The effects of the worm are being felt worldwide. In Holland, a Dutch ISP, “UPC”, has threatened to block any connection affected by the worm, which could mean whole segments of Holland’s internet subscribers could be without access within 24 hours if they do not get their systems patched up. With Holland taking the threat so seriously it will be only a matter of time before other regions will be forced to follow suit.

So exactly how much of a threat is W32.Blaster? Perhaps the most troubling aspect of this worm is that, as well as being self-propagating, the worm installs a "back door" program on infected systems and reports back to an Internet relay chat server that the system has been compromised. A malicious hacker could use that information to identify a compromised system and then attempt to delete or access data stored on it.

Microsoft has advised its users to update their computers with the latest patches and turn on Auto update to simplify the process for installing future updates. Users are instructed to install and use antivirus software and to use a firewall.

Who Is Vulnerable?

W32.Blaster takes advantage of a known vulnerability in a Windows component called the DCOM (Distributed Component Object Model) interface, which handles messages sent using the RPC (Remote Procedure Call) protocol. RPC is a common protocol that software programs use to request services from other programs running on servers in a networked environment.

This exploit is specific to users of the following operating systems:

• Microsoft® Windows NT® 4.0
• Microsoft Windows® 2000
• Microsoft Windows XP
• Microsoft Windows Server™ 2003

News Source

;)


Update...

Microsoft Outwits Blaster Worm

The second wave of an Internet attack by the "blaster" worm barely caused a ripple Saturday. Microsoft Corp. said it had no major problems from the worm's attempt to turn thousands of infected computers into instruments targeting the software company's Web site and network. The Redmond-based company had not noticed any extraordinary network congestion, spokesman Sean Sundwall said. There were also no reports of customers having major problems accessing the targeted Web site, which houses a software patch that fixes the flaw exploited by the worm. "So far we have seen no impact on our Web sites or any other Web sites due to the 'blaster' worm," Sundwall said.

Still, he urged people to take precautions to protect their computers. The virus-like infection, also dubbed "LovSan" or "MSBlast," exploits a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw July 16, many users failed to download it, leaving them vulnerable. As of Saturday afternoon, the worm had infected more than 423,000 computers around the world since Monday, according to security firm Symantec Corp. Of those, about 50,000 were affected on Saturday, said Mike Bradsaw, a Symantec spokesman. The infection caused computers to reboot frequently or disrupted users' browsing on the Internet. But it also packed a second punch.

Taken from HERE.

News Source.

;)
