Wednesday, August 13, 2003

Blaster Worm on the Move
The Blaster worm continued to tear through the Internet Tuesday morning as security experts struggled to find and fix infected systems. The worm is presenting a unique problem for security specialists because it is infecting a large number of PCs owned by home users, many of whom may be unaware that their machines are compromised.

And because Blaster's scanning algorithm tends to start by looking for IP addresses that are close to the infected machine's, the worm can rattle around inside a local network for quite a while, consuming bandwidth.

Officials at the CERT Coordination Center estimated that the number of infected machines is in the hundreds of thousands and will continue to grow. "A large number of the compromised machines are those of home users. In this case it isn't as easy as downloading a patch because they can't get enough bandwidth to get online and get the patch," said Marty Lindner, team leader for incident handling at CERT, based at Carnegie Mellon University in Pittsburgh.


"The compromise has a harder time getting out of the local network, so it's harder to measure how many machines are infected."

Blaster began spreading early Monday afternoon Eastern time and quickly gained momentum. The worm exploits the RPC DCOM (Distributed Component Object Model) vulnerability in all of the current versions of Windows, except ME. The worm scans the Internet and attempts to connect to TCP port 135. After establishing a connection, Blaster spawns a remote shell on port 4444 and then uses TFTP (Trivial File Transfer Protocol) to download the actual binary containing the worm. The worm is self-extracting and immediately begins scanning for other machines to infect.

For users who cannot free up enough bandwidth to download the patch from Microsoft Corp., CERT recommends an alternative remedy. Users should physically disconnect the infected machine from the Internet or network. Then, kill the running copy of "msblast.exe" in the Task Manager utility. Users should then disable DCOM and reconnect to the Internet and download the patch.

Instructions for disabling DCOM are available at Microsoft's Knowledge Base Web site.
http://support.microsoft.com/default.aspx?scid=kb;[LN];825750

http://www.eweek.com/article2/0,3959,1217020,00.asp
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)