Information Security News mailing list archives

Worm aims to eradicate Blaster


From: InfoSec News <isn () c4i org>
Date: Tue, 19 Aug 2003 07:09:27 -0500 (CDT)

http://www.nwfusion.com/news/2003/0818unblast.html

By Ellen Messmer
Network World Fusion
08/18/03

As if last week's Blaster worm didn't cause enough damage, there are
now reports of a worm that breaks into Windows-based computers to try
to delete any trace of the Blaster worm infection, and then downloads
the patch Microsoft developed to fix the vulnerability that Blaster
exploits.

First spotted in Asia, the worm is being called Nachi, Welchia or
MSBlast.B, according to at least three antivirus firms that have
analyzed its code. Ian Hameroff, security strategist at Computer
Associates, which has named the worm Nachi, said it can break into any
Windows XP, 2000, NT or 2003 machine that hasn't been patched for the
Remote Procedure Call (RPC) vulnerability identified last month. This
is the technique exploited by the Blaster worm first seen last week,
which infected hundreds of thousands, if not millions, of computers
worldwide.

Blaster's main purpose was to launch a denial-of-service attack
against Microsoft's Windows Update site via compromised machines. But
that had very limited success since Microsoft disabled the
windowsupdate.com URL that Blaster specifically targeted. This URL was
a redirect link to the main Microsoft site
windowsupdate.microsoft.com, which Microsoft protected.

Chris Thompson, vice president of marketing at Network Associates,
noted that the Blaster worm couldn't start a DoS attack when it
couldn't find the target URL, and would instead try to hit an IP
address 255.255.255.255 five times afterward. But Windows machines
aren't prepared to handle that request anyway, he added.

The Blaster worm failed to affect Microsoft substantially. However,
many corporate networks have faced paralyzing congestion due to
scanning caused by Blaster infections of unpatched machines.

Now, a new worm is on the loose to infect vulnerable machines in the
same way Blaster does. But its purpose is thought to be to find
Blaster code, eradicate it, and install the Microsoft patch. However,
trying to install a patch without the network administrator’s
oversight can "have repercussions," such as causing machines to fail,
noted David Perry, Trend Micro's global director on education issues.  
It represents a break-in of a different sort that must be prevented
through proper patching and other means, such as antivirus software.

The Nachi/Welchia/MSBlast worm does not seem to be moving fast, but
security firms are keeping a close eye on evidence of its spread, since
it could become a problem this week just as Blaster was last week.



-
ISN is currently hosted by Attrition.org
