Blaster worm exploits Windows hole

12 Aug 2003

A new internet worm that takes advantage of a recently discovered hole in most of Microsoft’s Windows software is spreading itself across the world, crashing computers and congesting networks in its wake.

Dubbed LoveSan, Blaster or MSBlaster, the worm exploits a vulnerability in the Distributed Component Object service that is hosted by a Remote Procedure Call feature in Windows NT, 2000, XP and Server 2003.

Once it gets onto a vulnerable computer, the program downloads code from a previously infected machine that enables it to propagate itself and scans the internet for other vulnerable machines and attacks them.

According to Dermot Williams, managing director of Dublin-based security and communications specialist Systemhouse Technology, the worm spreads by directly communicating with target systems on TCP Port 135 on most computers, in an attempt to exploit the “DCOM RPC buffer overflow” security vulnerability which affects multiple versions of Windows.

This security hole enables an attacker to upload and execute code of their choice on vulnerable systems. Microsoft disclosed details of this vulnerability in a security bulletin on 16 July and issued hotfix security patches for each affected operating system.

According to Williams, companies that have failed to download the fix or patch and that allow individuals to contact or communicate with the company network without a virtual private network or firewall in place are wide open to danger.

The worm also appears to instruct computers to launch a distributed denial of service (DDOS) attack on 16 August against a Microsoft website. The worm contains code that includes a phrase: “Billy Gates why do you want to make this possible? Stop making money and fix your software!”

“This is very much a wake-up call for companies to download and install the patch on their computers,” said Williams. “It is the first widespread threat to make use of this particular security hole in Windows. As a result networks are becoming overloaded and computers are crashing. There is no reason why this attack couldn’t have been designed to do something far more vicious,” he cautioned.

By John Kennedy.