Blane
1
A new computer worm spread rapidly through the Internet on Tuesday, exploiting a Microsoft vulnerability that security experts have warned about for several weeks.
Damage to corporate networks and home computers has been limited at this point, observers say, mainly because security experts have been bracing for this type of attack.
Working with Microsoft, the Department of Homeland Security since mid-July has twice issued warnings to Internet users about the flaw. Security software firms have also been sending out alerts.
Dubbed "LoveSAN" or "MSBlaster," the worm does not use e-mail to send itself. Rather it is considered self-propagating, meaning that it independently searches for unprotected computers to infect.
Because of its invisible nature, users may not be aware of its existence.
If a machine is sluggish or crashing, it might be infected. In some cases, computers are forced to reboot. Otherwise, people will need to search for specific files and clean their system; details are available on most security firm Web sites.
Microsoft operating systems that are affected include newer versions such as Windows 2000, NT 4.0 and XP. Users must download a Microsoft patch in order to be protected.
The worm does not allow remote access by a hacker, though security experts say that a variation on it may make that possible in the future.
Network Associates (McAfee) and TrendMicro list the worm as "medium" risk, while Symantec gives it a 4 out of a possible 5 in terms of its threat potential.
Time bomb
"MSBlaster" is considered a time bomb.
Its code directs infected computers to assault Microsoft's support Web page with a barrage of requests beginning this Saturday. This type of attack is referred to as "denial of service." The attacks are also programmed to occur any day from September to December, then the 16th to the 31st of each month starting next year.
Because this hole in Microsoft's software was first reported nearly a month ago, experts believe that most large corporations have managed to defend themselves by installing the necessary patch. Internet service providers are also now working to slow its movement.
However, some tech analysts worry that if "MSBlaster" is able to find enough vulnerable computers, its spread could slow the performance of the Internet by bogging it down.
While a few users might notice poor Web access, CERT's team leader for incident handling says the Internet overall is holding up well -- so far. CERT is a center of Internet security expertise based at Carnegie-Mellon University in Pittsburgh.
"This is very serious," CERT's Marty Lindner said. "People need to patch. That's without a doubt. But in terms of the overall pain the Internet backbone is seeing, I don't think it's very much."
The exact origin of the worm is unknown, though its creators seem to have a sense of humor.
According to security firm TrendMicro, the following message aimed at Microsoft's chairman Bill Gates is embedded in the text:
"I just want to say LOVE YOU SAN!! Billy Gates why do you make this possible? Stop making money and fix your software!!"
Lindner adds that while the new worm needs to be taken seriously, he doesn't believe it's cause for massive alarm. "I don't think the world's coming to an end."
He says security experts will continue to monitor its progress for significant changes.
The worm exploits something called a buffer run overflow, allowing hackers to overwhelm a program.
To download the patch, people are asked to visit windowsupdate.microsoft.com -- the same site the worm's denial-of-service attack will attempt to shut down on Saturday.
Due to the number of people now attempting to get the patch, Microsoft's site was slow to load Tuesday.
Damage to corporate networks and home computers has been limited at this point, observers say, mainly because security experts have been bracing for this type of attack.
Working with Microsoft, the Department of Homeland Security since mid-July has twice issued warnings to Internet users about the flaw. Security software firms have also been sending out alerts.
Dubbed "LoveSAN" or "MSBlaster," the worm does not use e-mail to send itself. Rather it is considered self-propagating, meaning that it independently searches for unprotected computers to infect.
Because of its invisible nature, users may not be aware of its existence.
If a machine is sluggish or crashing, it might be infected. In some cases, computers are forced to reboot. Otherwise, people will need to search for specific files and clean their system; details are available on most security firm Web sites.
Microsoft operating systems that are affected include newer versions such as Windows 2000, NT 4.0 and XP. Users must download a Microsoft patch in order to be protected.
The worm does not allow remote access by a hacker, though security experts say that a variation on it may make that possible in the future.
Network Associates (McAfee) and TrendMicro list the worm as "medium" risk, while Symantec gives it a 4 out of a possible 5 in terms of its threat potential.
Time bomb
"MSBlaster" is considered a time bomb.
Its code directs infected computers to assault Microsoft's support Web page with a barrage of requests beginning this Saturday. This type of attack is referred to as "denial of service." The attacks are also programmed to occur any day from September to December, then the 16th to the 31st of each month starting next year.
Because this hole in Microsoft's software was first reported nearly a month ago, experts believe that most large corporations have managed to defend themselves by installing the necessary patch. Internet service providers are also now working to slow its movement.
However, some tech analysts worry that if "MSBlaster" is able to find enough vulnerable computers, its spread could slow the performance of the Internet by bogging it down.
While a few users might notice poor Web access, CERT's team leader for incident handling says the Internet overall is holding up well -- so far. CERT is a center of Internet security expertise based at Carnegie-Mellon University in Pittsburgh.
"This is very serious," CERT's Marty Lindner said. "People need to patch. That's without a doubt. But in terms of the overall pain the Internet backbone is seeing, I don't think it's very much."
The exact origin of the worm is unknown, though its creators seem to have a sense of humor.
According to security firm TrendMicro, the following message aimed at Microsoft's chairman Bill Gates is embedded in the text:
"I just want to say LOVE YOU SAN!! Billy Gates why do you make this possible? Stop making money and fix your software!!"
Lindner adds that while the new worm needs to be taken seriously, he doesn't believe it's cause for massive alarm. "I don't think the world's coming to an end."
He says security experts will continue to monitor its progress for significant changes.
The worm exploits something called a buffer run overflow, allowing hackers to overwhelm a program.
To download the patch, people are asked to visit windowsupdate.microsoft.com -- the same site the worm's denial-of-service attack will attempt to shut down on Saturday.
Due to the number of people now attempting to get the patch, Microsoft's site was slow to load Tuesday.
