HelpWithWindows | Windows Forum | RoseCitySoftware





• August 21, 2003 •

MSBlaster Worm Fails To Bring Down Microsoft Windows Update Site

You have (or should have) heard about the MSBlaster worm by now. This worm took advantage of a buffer overrun in the RPC interface, which was fixed by Microsoft on July 16th, nearly a month before the worm first struck on August 11th.

I hope that this worm did not infect most Windows-Help.NET visitors. I have been trying to get people to realize that it takes more than just keeping your anti-virus tools up-to-date to stay safe on the Internet. Your first line of defense is to stay current on all Microsoft updates for your operating system!

It amazes me every time that worms taking advantage of Microsoft vulnerabilities can spread so quickly. According to Symantec, well over 350,000 computers were infected within a few days. This means that the people who got infected are the people who are online (nearly) every day, and I would have expected these people to be more savvy and aware of the dangers of the Internet by now. Let's face it, it's not really the first time something like this has happened now, is it?

I would expect some less experienced users to get infected on an ongoing basis, but I would have thought that regular Internet users were more educated by now... guess I was proven wrong again.

Despite the fact that Microsoft makes it easier than ever to get Windows updates onto your system using AutoUpdate and Windows Update, and offers an email service that alerts you to vulnerabilities and their respective fixes, many users are still not paying attention, it seems.

Many of these users are religious about getting their new anti-virus software definitions on a daily basis. But they are unfortunately forgetting that a virus first has to be discovered & analyzed before your AV software can implement detection for it.

If you check out the more "nasty" viruses listed on Symantec's Security Response Web site, you will see that of the 6 viruses listed under "top virus threats", 5 use a vulnerability patched by Microsoft in the past.

The main function of MSBlaster was a denial of service (DoS) attack on Microsoft's Windows Update Web site. But the worm was hard-wired to look for the address windowsupdate.com, which is an obsolete address Microsoft hasn't used in a long time. All current Microsoft operating systems are wired to use windowsupdate.microsoft.com as their Windows Update address. So Microsoft just removed windowsupdate.com from its DNS systems. Now when the worm asks for that address, it will just receive a "domain not found" message, and will not generate any further network traffic.
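Because current systems ask for windowsupdate.microsoft.com, a lookup for the bare, retired name is a useful lead for finding infected machines on your own network. The sketch below is an added example, not code from Microsoft or Symantec: it tallies clients that asked a DNS server for exactly that name. The key=value log format and the sample lines are constructed for illustration, and a person typing the old address produces the same query, so treat hits as leads to check.

```python
import re
from collections import Counter

# Retired name the article says the worm was hard-wired to look up.
RETIRED_NAME = "windowsupdate.com"

# Constructed sample lines in an assumed "key=value" DNS query log format.
SAMPLE_LOG = """\
2003-08-16T00:00:01 client=10.0.0.5 query=windowsupdate.com. type=A rcode=NXDOMAIN
2003-08-16T00:00:02 client=10.0.0.7 query=windowsupdate.microsoft.com type=A rcode=NOERROR
2003-08-16T00:00:03 client=10.0.0.5 query=WindowsUpdate.COM type=A rcode=NXDOMAIN
2003-08-16T00:00:04 client=10.0.0.9 query=www.windowsupdate.com.example.net type=A rcode=NXDOMAIN
2003-08-16T00:00:05 client=10.0.0.8 query=windowsupdate.com type=A rcode=NXDOMAIN
malformed line without fields
2003-08-16T00:00:06 client=10.0.0.5 query=windowsupdate.com type=A rcode=NXDOMAIN
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.lower().rstrip(".")

def clients_querying_retired_name(log_text, min_queries=1):
    """Return {client: count} for clients that asked for exactly RETIRED_NAME."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "client" not in fields or "query" not in fields:
            continue  # skip lines that do not parse
        # Exact match only: windowsupdate.microsoft.com and look-alike
        # names that merely contain the string must not be flagged.
        if normalize(fields["query"]) == RETIRED_NAME:
            hits[fields["client"]] += 1
    return {c: n for c, n in hits.items() if n >= min_queries}

if __name__ == "__main__":
    for client, count in sorted(clients_querying_retired_name(SAMPLE_LOG).items()):
        print(f"{client} queried {RETIRED_NAME} {count} time(s)")
```

Raising `min_queries` filters out one-off lookups and keeps only clients that ask for the retired name repeatedly.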

If you did get infected, I suggest you get your system cleaned out using Symantec's instructions, and let this be an eye-opener! The function of this worm was quite benign; it could have had much more serious repercussions. So get educated, and stay updated! Hackers and virus writers are writing new variations of the MSBlaster worm that will likely do more damage than the original version. You've been warned (again).




