Happy Anniversary MSBlast

MSBlast hit the Net August 11, 2003, just 26 days after Microsoft released a fix for the vulnerability the worm exploited. Even though users had nearly a month to get ready -- and were warned ahead of time by security experts to expect a major attack -- MSBlast found plenty of victims. By Microsoft's count, nearly 10 million of them.

During MSBlast's rampage, it was difficult to get perspective. A year later, said security analysts Friday, it's easier to see the full impact of the worm.

"MSBlast was definitely a wake-up call," said Michael Cherry, an analyst with Directions On Microsoft, a research firm that specializes in topics concerning the Redmond, Wash.-based developer. "I think it was a very important event in that it made everyone aware as to how widespread and fast these things could move."

Oliver Friedrichs, the senior manager of Symantec's security response teams, agreed with Cherry that MSBlast was a Big Deal, but for a different reason.

"MSBlast was unique in that it targeted both consumer and enterprise computers connected to the Internet, and didn't need human interaction to infect machines," said Friedrichs. Previously, major worms that spread on their own targeted enterprise; Nimda and Code Red attacked Microsoft Web server software, for instance, while Slammer took aim at SQL Server.

Some analysts, however, now look back at MSBlast and see it less than a watershed event and more of a just another blip -- a big blip, to be sure -- on the security screen.

"The seminal events were really Code Red and Nimda in 2001," said John Pescatore, a vice president at Gartner. "MSBlast continued this real sea change where worms search out vulnerabilities, find one to use to attack, and spread. What was different about MSBlast was that it attacked significant basic functions in Windows, not just one specific Microsoft product."

The wake-up call that MSBlast gave everyone is behind a whole host of changes in how enterprises approach security, and what Microsoft itself has put on the front burner.

While some analysts denied that there was a direct correlation between MSBlast and the appearance last week of Windows XP Service Pack 2, a long-touted security upgrade to Microsoft's flagship OS, Pescatore had no such hesitation.

"A lot of that [work in SP2] you can trace right to MSBlast, and since then to other worms like Sasser," he said. "MSBlast is what started Microsoft on the path to making major major changes in Windows XP."

Others pointed out different changes that MSBlast wrought.

"It really forced enterprises to either install patches faster or find some other method of protecting their systems," said Friedrichs. The former, however, is becoming more and more difficult as post-MSBlast worms squeeze the patch window even further. "I think the security industry as a whole is realizing we have to be more proactive. We have to solve these vulnerabilities before they're manifested in the form of worms."

One technique, he said, is in the developing area of intrusion prevention technologies, which look for core vulnerabilities rather than sniff out specific malicious code variants by matching code with signatures.

Another result, said Gartner's Pescatore, is what his firm dubs "scan and block."

"When the vulnerability [exploited by MSBlast] came out, everyone who could spell 'security' said it was going to be bad," Pescatore said. "Enterprises patched early, and a lot of them felt pretty good when the worm hit. But then someone with a laptop, an infected laptop, connected via VPN or brought it back into the office and plugged it into the docking station, and the enterprise network was infected from within."

To stymie this kind of infection vector, enterprises have demanded, and vendors have crafted, technologies that check systems before they're allowed to access the network. If they're infected, or not protected by defenses that would have deflected the worm, they're blocked out.

"Administrators realized that they could save the network by denying access to a few systems," Pescatore said.

But as bad as MSBlast was, it wasn't bad enough to convince enterprises to do everything possible to protect their networks. Every expert, it seems, has a burr under his or her saddle.

"All of us are ignoring the danger of spyware," said Cherry. "We treat it as a minor inconvenience when it really can be severely malicious." He was especially critical of the lack of attention spyware's gotten from Microsoft's Protect Your PC program, which launched after MSBlast hit. "Spyware's missing from Microsoft's three steps," he noted. "They should be recommending that people need to prevent [spyware] from getting onto machines, just as they do with virus by using anti-virus software."

Pescatore had another recommendation with roots in MSBlast. "Enterprises have to put intrusion prevention software on every single Windows machine," he said, in order to protect against the walk-in-the-door vector that the worm used to infect corporate networks via compromised laptops. "But so far, only the earliest adopters have done that."

A year later, MSBlast still makes waves (and still, believe it or not, infects machines). But like every story, there is a silver lining.

"One of the remarkable things about MSBlast that a lot of people overlook," said Laura Koetzle, a senior analyst with Forrester Research, "is that its payload was relatively harmless.

"If it had been a worm that infected everything like MSBlast did, but carried a destructive payload, think about how much much worse things would have been."

For more on security, see CRN's Security News Center.