Blaster Worm and Sobig Virus

When the recent discovery of a new vulnerability in Windows forced Microsoft to issue yet another patch on July 16th for its beleaguered operating system, millions of Windows users simply ignored the warning.

Then, only weeks later on August 11th, the Blaster (or Lovsan) worm exploited that vulnerability in the Windows Remote Procedure Call interface to start remote shell accounts on unprotected machines. As a result of a buffer overflow condition caused by incorrect handling of malformed messages, an attacker who successfully exploited this vulnerability could potentially run code with administrative privileges on an affected system.
The worm had no mass-mailing functionality, but instead was programmed to commandeer infected machines to launch a DDoS (Distributed Denial of Service) attack against Microsoft's windowsupdate.com site.

Computers throughout the Internet quickly became infected because the worm takes advantage of a flaw in Windows NT, 2000 and XP operating systems to drop a malicious program on your computer. This time Windows 95/98/Me were unaffected. Unlike viruses that usually arrive as email attachments, Internet worms attack open communication ports on vulnerable systems, often without the operator's knowledge. By taking advantage of a Windows vulnerability, the worm was able to spread without requiring any action on the part of the user.

Home Users Hit Hardest

The Blaster worm created chaos by crashing hundreds of thousands of vulnerable Windows machines worldwide, and this time home users bore the brunt of the attack. Forty-five percent of the infected computers were in North America. Business networks with firewall protection and support staff were quickly able to take infected machines off-line to clean, update, and patch them. Even so, major organizations reportedly suffering network slowdowns or worse because of the worm included companies as diverse as German car manufacturer BMW, Swedish telco TeliaSonera, the Federal Reserve Bank of Atlanta, Maryland Motor Vehicle Administration, Air Canada's reservation center, Lockheed Martin, and Philadelphia's City Hall. The entire CSX freight train signaling system was affected, covering 23 states east of the Mississippi River.

But many home users and small businesses struggled to get patches applied while Blaster tried to crash their machines using mechanisms that were a mystery to most of them. The fact that the weak firewall built into Windows XP is not enabled by default further exacerbated the problem. Matters were also complicated by the fact that users were assaulted by malicious traffic coming in through their network or Internet connections, and not the more familiar email-borne route. The widespread system instability effects of Blaster caused more concern than the scheduled denial of service attack and prevented an easy remedy.

Symantec Removal Tool: securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Trend Micro Removal Tool: www.trendmicro.com/download/tsc.asp

F-Secure Removal Tool: www.f-secure.com/v-descs/msblast.shtml

Computer Associates Removal Tool: www3.ca.com/virusinfo/virus.aspx?ID=36265

McAfee/NAI Removal Tool: vil.nai.com/vil/stinger/

The behavior of the worm was hard to predict as it attempted to infect both Windows 2000 and Windows XP systems. One of the offsets the worm used was OS-specific and had to match the target for the exploit to succeed. Since the worm didn't know which operating system the target machine was running, it guessed, with an 80% chance it would be Windows XP, and a 20% chance it would be Windows 2000. If the worm guessed incorrectly and the remote machine was vulnerable, the process svchost.exe on the target machine crashed. The system became unstable, but the infection failed. When svchost.exe crashed, an error message appeared, and some Windows XP systems automatically rebooted. In antivirus laboratory testing, when the worm disconnected from the remote Windows 2000 machines, there was no obvious effect on them except that they no longer listened on port 135. This provided a small window of opportunity to patch these uninfected machines in a single step, preventing infection or any further problems as a result of the DCOM-RPC flaw.

Subsequent variants B and C of the Blaster RPC-worm took advantage of the same vulnerability as their predecessor, so users who had already updated their Windows operating system with the correct Microsoft patch were not vulnerable to the new threats. The new variants again scanned for an open port 135 like the original variant A and were able to use exactly the same exploit to obtain access to any vulnerable machine if the port was found open. The MSBLAST.D worm infected Windows XP and 2000 systems, attempting to disinfect the original worm from those machines and apply the Microsoft patch to close the RPC hole. Its attempt to download the patch from eight different URLs in 4 language versions did not always install the patch successfully. These variants mirrored the behavior of the first worm, using different file names and denial-of-service attack targets. According to news reports, several authors of the variant worms were arrested, including one in the US and another in Romania.

Security experts agree that even a "good" Internet worm like MSBlast.D still creates an enormous amount of traffic that slows systems when coupled with a malicious mass-mailing computer virus. Early versions of MSBlast tried to spread to 20 different network addresses at a time but had to wait for each attempt to fail, if no computer was at that address. The MSBlast.D variant (also called Welchia or Nachi worm) tried to spread to 300 different addresses at a time and didn't wait, allowing it to spread much faster.
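The scanning behavior described above (a single host reaching many distinct addresses on port 135 in a short time) is something a firewall or IDS log can reveal. The following detector is an added example, not code from the article or any vendor; the log line format, the 5-second window and the threshold of 20 distinct targets are assumptions, and the traffic is constructed.

```python
# Added example (not from the original article): flag hosts whose outbound
# connection attempts to TCP/135 fan out to many distinct addresses within a
# short window, as the article says Blaster (~20 at a time) and Welchia (~300) did.
import re
from collections import Counter, defaultdict

# Assumed firewall log format: "<epoch> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+)$")


def parse(lines):
    """Yield (timestamp, src, dst, port) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)


def find_scanners(lines, port=135, window_s=5, threshold=20):
    """Return {src: peak_distinct_targets} for every source that reached
    `threshold` distinct destinations on `port` inside some `window_s` window."""
    by_src = defaultdict(list)
    for ts, src, dst, p in parse(lines):
        if p == port:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        seen, left, peak = Counter(), 0, 0
        for ts, dst in events:                       # sliding window over time
            seen[dst] += 1
            while events[left][0] < ts - window_s:   # evict events older than the window
                seen[events[left][1]] -= 1
                left += 1
            peak = max(peak, len(+seen))             # +Counter drops zero counts
        if peak >= threshold:
            hits[src] = peak
    return hits


def constructed_log():
    """Constructed sample traffic (not real data): a Blaster-like host (25 targets
    in one second), a Welchia-like host (300), a benign host, and a slow host."""
    t0 = 1060646400
    lines = [f"{t0} 192.0.2.10 -> 198.51.100.{i + 1}:135" for i in range(25)]
    lines += [f"{t0 + 1} 192.0.2.20 -> 10.0.{i // 256}.{i % 256}:135" for i in range(300)]
    lines += [f"{t0 + 2} 192.0.2.30 -> 198.51.100.{i}:{p}" for i, p in ((1, 135), (2, 135), (3, 445))]
    lines += [f"{t0 + 10 * i} 192.0.2.40 -> 203.0.113.{i + 1}:135" for i in range(30)]
    return lines
```

The slow host touches 30 addresses but only one per 10 seconds, so it stays below the rate threshold; the distinction matters because ordinary RPC clients also talk to port 135, just not to hundreds of hosts at once.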

Double Whammy

Soon after the worm compromised computers and disrupted corporate networks with its aggressive scans for vulnerable hosts, a new variant of the mass-mailing Sobig virus (W32/SoBig.F) took off, swamping many companies' mail servers, overwhelming email systems at the Massachusetts Institute of Technology and many others. Sobig.F quickly became the fastest-spreading virus ever, surpassing the infamous LoveBug and Klez viruses. Email service provider MessageLabs stopped more than 100,000 messages carrying the latest Sobig virus in the first few hours of the attack, and more than a million in the first 24 hours. The Postini email-management and screening company intercepted 1.9 million Sobig-generated emails intended for its customers on Aug. 19 and 3.5 million the next day.

The SoBig.F virus was able to spread by harvesting email addresses from document files, cached Web pages and Outlook address databases of infected Windows computers. It sent a copy of itself to those addresses in an email message with subject lines such as "Your Details," "Re: Approved," and "Thank you!" The virus also spread by copying itself to shared network hard drives that were accessible to the infected computer. Despite warnings and publicity about previous similar problems, people still opened the attachment and infected their computers.

Security researchers warn that this Windows mass mailer virus could be used by spammers to launch bulk mail blizzards from computers they don't own. The first Sobig-A was implicated in assisting spammers by installing proxy servers on machines it infected. Sobig-B posed as a message from support@microsoft.com.

It's Not Over

Security analysts warn that the Blaster worm may "stick around for a long time," and more destructive variants are likely. This is certainly true as long as there are unpatched and vulnerable Windows machines on the Internet. The analysts also believe that the current crop of viruses and worms may be a sort of proof of concept that will eventually be leveraged by more damaging or stealthy attacks directed at specific companies, industries or geographic locations. You can contribute information or track their progress at www.hackerwatch.org.

Prevention is far easier than the cure, and you can never let your guard down, because more malicious and covert payloads could be delivered with the next attack. We've already seen how worms can spread faster through the Internet than anti-virus signature updates can be distributed. You'll need to follow a multi-stage process to be protected, including the following:

  1. Block malicious traffic and worms by setting up a firewall like ZoneAlarm Pro or the free version, ZoneAlarm. Hardware firewalls are even better.
  2. Continually update your Windows operating system with patches from Microsoft. Allow critical system updates, which can be done with Windows XP's Automatic Update Wizard. Microsoft is forced to release frequent updates to patch system bugs as they are reported. The company is making a long-overdue change to update more products in a single vehicle, and last month initiated a beta test of the latest Windows update system. "The vision for Windows Update V5 is to provide an efficient and effective means to keep all Microsoft products secure and up to date with the latest patches, starting with Windows, Office, SQL, and Exchange," Microsoft wrote in an email to beta nominees.
  3. Update your antivirus signature files regularly. Most major antivirus manufacturers post alerts and updates to capture and clean the most recent worms and viruses. If you are a Windows user and you don't have any antivirus software, get it now; you're on borrowed time.
  4. Filter all incoming email and attachments. HALNet's Postini filtering service successfully prevented delivery of nearly 17,000 infected messages to HALNet users during the first 3 days of the Sobig virus distribution. Postini processes 100 million email messages a day for 4 million email users worldwide, screening each message in milliseconds using heuristic rules-based technology to filter spam and other email-borne attacks in real time. If you don't have this kind of protection, you must judge the attachments for yourself - and you should never open email from unknown senders, even if the subject lines look enticing. Turn off your Preview Pane in Outlook to prevent trojans from launching. (From the Outlook menu bar, select View and then Preview Pane.) When you sign up for HALNet's Postini filter service, you can create a list of acceptable email senders and use filters to move spam and potential virus-laden email to the trash folder. An average of 55 infected messages a day were trapped before reaching my mailbox, and other users reported as high as 200 an hour.
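A small rules-based filter of the kind item 4 describes, written as an added example (not Postini's or HALNet's code and not from the article). The Sobig subject lines and the spoofed support@microsoft.com sender are taken from the text above; treating executable attachment extensions as suspect is an assumed heuristic, and the messages are constructed.

```python
# Added example (not from the original article): heuristic mail filter using the
# Sobig subject lines and spoofed sender the article mentions. Flagging executable
# attachment extensions is an assumed general-purpose rule, not from the article.
from email import message_from_string
from email.utils import parseaddr

SOBIG_SUBJECTS = {"your details", "re: approved", "thank you!"}
SPOOFED_SENDERS = {"support@microsoft.com"}
EXECUTABLE_EXT = (".pif", ".scr", ".exe", ".bat", ".com")   # assumption


def classify(raw):
    """Return (verdict, reasons); verdict is 'quarantine' or 'deliver'."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SOBIG_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in SPOOFED_SENDERS:
        reasons.append(f"sender commonly spoofed by Sobig: {sender}")
    for part in msg.walk():                       # every MIME part, or the message itself
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            reasons.append(f"executable attachment: {name}")
    # A worm subject alone ("Thank you!") is often legitimate mail: quarantine only
    # when it coincides with another signal, or whenever an executable is attached.
    dangerous = any(r.startswith("executable") for r in reasons) or len(reasons) >= 2
    return ("quarantine" if dangerous else "deliver"), reasons


# Constructed sample messages (not captured traffic); the attachment body is a placeholder.
WORM_MAIL = """\
From: support@microsoft.com
Subject: Your Details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"

placeholder-bytes-not-a-real-attachment
--b1--
"""

LEGIT_MAIL = """\
From: colleague@example.org
Subject: Thank you!

Thanks for the help yesterday.
"""
```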

The overwhelming volume of mail doesn't only affect Windows users, as it turns out. While Mac, Linux, OS/2, and Unix computers are technically immune to this kind of Microsoft-specific vulnerability, those users still have email accounts that are bombarded with the "infected" messages anyway, along with others bearing spoofed return addresses, and rejections for messages they never even sent. This happens to them because an infected Windows user has their name and address in local address books, documents or cached web pages where their address appears. The lost time and productivity affects everyone because email inboxes are OS neutral. If a substantial minority of systems get infected, the Internet still gets swamped with useless traffic or flooded with virus-laden email - a nuisance even for people using systems immune to the original infection.