MSBlast's Toll Mounts

The latest attack on the Internet continues to infect systems worldwide, though a patch has been available for nearly a month.

George V. Hulme, Contributor

August 12, 2003


Some call it MSBlast; others know it as LovSan. Regardless of the name, the latest infection to attack Microsoft's Windows operating systems has disabled tens of thousands of computers worldwide, though there's been a fix available for nearly a month.

The worm snarled business networks Tuesday, inundating them with data packets and frustrating home computer users. It forced Maryland's motor vehicle agency to close for the day and kicked Swedish Internet users offline as it spread.

Security experts say the world was lucky this time around because LovSan is comparatively mild and doesn't destroy files, but they fear a subsequent attack exploiting the same flaw could be much more damaging.

Internet performance-monitoring company Keynote Systems Inc. says its Internet Health Monitor observed "massive packet-loss problems" Monday after the worm struck. According to Keynote, when measuring Internet traffic from services provider Level 3 Communications Inc. in San Diego to Sprint Corp.'s services in Boston or New York, latency was consistently about 3 seconds and reached 9 seconds about 30% of the time. According to Keynote, normal Internet latency from these two points would be 95 milliseconds. "Under these network conditions, Web-page downloads will typically time out," Keynote said in its statement.

Keynote said it couldn't confirm that the Internet slowdown can be directly attributed to the MSBlast worm, but the timing of the latency closely coincides with reports of the worm's surfacing.

Security experts have been predicting that a worm would appear since July 16, the day Microsoft revealed a vulnerability in its Distributed Component Object Service in its Remote Procedure Call interface. The vulnerability affects Windows NT 4.0, 2000, XP, and Windows Server 2003.

"That's just too large of a target pool for them [virus writers] to ignore," said Russ Cooper, surgeon general of the security services firm TruSecure Corp. and editor of the security mailing list NTBugtraq, in an interview late last month.

The Department of Homeland Security issued an alert July 30 warning of a potentially significant impact on Internet operations as a result of the flaw in Microsoft operating systems. Two weeks earlier, on July 16, Microsoft posted on its Web site a free patch that prevents MSBlast and similar infections. The underlying flaw affects nearly all versions of the vendor's flagship Windows operating system.

However, many businesses did not install the patches and scrambled Tuesday to shore up their computers. Security experts say patches often stay on to-do lists until outbreaks occur.

Security vendor Symantec Corp. reported that its DeepSight Threat Management System has spotted more than 57,000 systems that have been infected with the worm and are launching probes to infect other vulnerable systems against port 135. Symantec estimates that this worm is spreading at a rate of about 20% that of the Slammer worm, which struck in January and infected all of its targeted and vulnerable systems in less than 15 minutes.

According to Lurhq Corp., which says it has obtained a copy of the worm, MSBlast is designed to launch a denial-of-service attack, specifically a SYN flood, against Microsoft's Windowsupdate.com Web site on Aug. 16.

Joe Stewart, senior security researcher at Lurhq, says the research on MSBlast is still preliminary, but the security firm believes the worm doesn't have any payload other than the Microsoft denial-of-service attack.

Security vendor Internet Security Systems Inc. says successful worm outbreaks have been known to significantly degrade corporate networks and cause widespread denial-of-service interruptions as the worm tries to replicate itself.

Reports from several security vendors indicate failed attempts of MSBlast to replicate itself also are causing systems to crash.

"Until [Monday] afternoon, most of the activity we saw was exploits being used for Internet relay chat distributed denial-of-service bots," Stewart says. "This is the first worm that attacks this RPC vulnerability."

Lurhq says it has seen scanning for vulnerable systems increase more than 300% since Sunday. "And scanning activity was already high," Stewart adds. He says the worm, MSBlast.exe, is about 6 Kbytes in size and takes about 20 seconds to infect a vulnerable system and begin scanning for new systems to infect.

Because this worm is attacking a vulnerability found in Windows NT 4.0, 2000, XP, and Windows Server 2003, security experts believe there will be no shortage of unpatched and at-risk systems. "It could easily be over a million," Stewart says.

Within the code of the worm is the following statement: "billy gates why do you make this possible? Stop making money and fix your software!!"

All users--consumers, small businesses, and large companies--are being urged to patch vulnerable systems if they haven't already done so.

Information on the Microsoft vulnerability the worm attacks is available here.

More information on the Microsoft vulnerability and how to secure systems is also available from the CERT Coordination Center.


About the Author

George V. Hulme

Contributor

An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at information.com.
