Microsoft Stymies Blaster Attack
It took the novel step of eliminating the windowsupdate.com address and unlinking it from its WindowsUpdate service.
Microsoft has stymied the expected attack of the Blaster worm by taking the novel step of eliminating the windowsupdate.com address and unlinking it from its WindowsUpdate service, said an Internet performance-monitoring firm Friday. The result: there should be no major Internet overloads caused by Blaster during the day.
Lloyd Taylor, VP of KeyNote, an Internet monitoring company, said Microsoft's approach, while unusual, was fairly straightforward.
"Microsoft's pulled the teeth from Blaster," he said, by altering the domain name service servers that are the Internet's address book. Normally, windowsupdate.com, the target address embedded in the Blaster worm, links to Microsoft's WindowsUpdate service, which provides patches for the company's products, including those necessary to fix the flaw in Windows NT 4.0, 2000, XP, and Server 2003, which Blaster exploits.
With the windowsupdate.com address eliminated, that link has been removed and the worm has no target. "When the worm tries to attack, it gets the address as nothing. And when it gets the address as nothing, it doesn't know what to attack," Taylor said.
Confirming the elimination of the address and the unlinking is easy. Entering www.windowsupdate.com in a Web browser results in a "The page cannot be found" error message within Internet Explorer, for instance. Earlier, typing in that address would have brought users to the WindowsUpdate site.
The WindowsUpdate service, which is actually at the address windowsupdate.microsoft.com, is still functioning. It is this URL that Windows refers to when the Update Windows icon is selected from the operating system's Start menu. Users can thus reach WindowsUpdate either by typing in the windowsupdate.microsoft.com address manually or, as Microsoft recommends, by selecting the icon from within Windows.
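The mechanism Taylor describes, modelled as an added example (this is not code from the article or from Microsoft): a payload that carries only a hard-coded DNS name has no target once that name is removed from DNS, while a separate name for the same service keeps resolving. The article says only that windowsupdate.com "links to" the service, so treating that link as an alias (CNAME) chain is an assumption, and all zone data and addresses below are constructed.

```python
"""Model of how removing a DNS name neutralises a hard-coded target.

Added example; not code from the article or from Microsoft. It assumes
the link from windowsupdate.com to the WindowsUpdate service behaved like
a DNS alias (CNAME) chain, which the article describes only as "links to".
All zone data below is constructed for illustration.
"""
import socket
from typing import Dict, Optional, Tuple

# A record is ("A", ip_address) or ("CNAME", canonical_name).
Zone = Dict[str, Tuple[str, str]]

# Constructed zone data before the address was removed.
ZONE_BEFORE: Zone = {
    "windowsupdate.com": ("CNAME", "windowsupdate.microsoft.com"),
    "www.windowsupdate.com": ("CNAME", "windowsupdate.microsoft.com"),
    "windowsupdate.microsoft.com": ("A", "192.0.2.10"),  # TEST-NET-1 address
}

# Constructed zone data afterwards: the hard-coded name is gone, the
# service's own name still resolves.
ZONE_AFTER: Zone = {
    "windowsupdate.microsoft.com": ("A", "192.0.2.10"),
}


def resolve(name: str, zone: Zone, max_hops: int = 8) -> Optional[str]:
    """Follow CNAME aliases until an address record is found.

    Returns the IP address string, or None when the name does not exist
    (an NXDOMAIN-style answer), the alias chain is broken, or it loops.
    """
    current = name.lower().rstrip(".")
    for _ in range(max_hops):
        record = zone.get(current)
        if record is None:
            return None            # name does not exist: nothing to target
        rtype, value = record
        if rtype == "A":
            return value
        if rtype == "CNAME":
            current = value.lower().rstrip(".")
            continue
        return None                # unsupported record type
    return None                    # alias loop or chain too long


def hardcoded_target_status(target: str, zone: Zone) -> str:
    """Describe what code holding only a hard-coded DNS name would see."""
    address = resolve(target, zone)
    if address is None:
        return "no target (name does not resolve)"
    return f"resolves to {address}"


def live_resolves(name: str) -> bool:
    """Live check (needs network): does the name still resolve at all?

    Mirrors the browser check in the article: a name removed from DNS
    fails to resolve rather than returning a different address.
    """
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for name in ("windowsupdate.com", "windowsupdate.microsoft.com"):
            print(f"{label}: {name} -> {hardcoded_target_status(name, zone)}")
```

The point of the two zones is the asymmetry Taylor relies on: the removal only works because the worm embedded one name and the service was reachable under another, so the alias could be dropped without taking the service down. `live_resolves` is the network-backed equivalent of typing the address into a browser; the rest runs offline.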
Taylor noted that it was only the relatively crude construction of the worm which allowed Microsoft to use this tactic to prevent a denial-of-service attack on windowsupdate.com, while still keeping the WindowsUpdate service up and running.
"The worm's maker could have made it harder to do this," he said.
That led him to speculate that the real goal of the worm's writer was not to do damage, but only to embarrass Microsoft. Other evidence, he said, includes the fact that the attack was scheduled to begin exactly one month after the vulnerability was first disclosed.
The bottom line, said Taylor, is that "we don't expect any major Internet overloads or outages today."
Microsoft has taken other unusual steps against Blaster, including a flurry of warnings on its Web sites of the worm's possible impact, the steps that users can take to ward off the worm, and if they're infected, how to clean their systems.
Notices about Blaster have been spread across the massive Microsoft Web site, including several on its home page, as well as additional alerts on sub-sections, including those dedicated to Microsoft Office, Windows, and Windows Server.
Microsoft also encouraged users to go directly to the Security section of its Web site, where it's posted guidelines for preventing infection by the worm and what steps to take if their systems become infected.
"Many resources have been deployed to help ensure that customers have the guidance and tools they need," said Jeff Jones, senior director of Microsoft's Trustworthy Computing. "Our goal is to offer customers a comprehensive set of resources to both combat the Blaster worm and to arm them with the security best practices needed to keep their PCs more secure in the future."
Microsoft's guide outlined four steps that users could take, including:
• Enable a firewall, either the Internet Connection Firewall built into Windows XP and Server 2003, or a third-party firewall for Windows NT 4.0 and 2000
• Update Windows by applying the patch for the RPC vulnerability that Blaster exploits
• Use antivirus software religiously, and keep it updated
• Remove the worm using one of several free-for-the-downloading tools available from major security vendors such as Symantec and Trend Micro.