Blaster Winding Down But More Trouble Ahead

The Blaster worm, which exploits a flaw in the Remote Procedure Call (RPC) interface used by Microsoft Windows, took off Monday. By Tuesday, it had forced Maryland's motor vehicle agency to close for the day and kicked Swedish Internet users offline.

Although the worm continued to scan the Internet for vulnerable systems Tuesday, it hasn't been replicating as fast as the prior day, said Charles Kaplan, senior director of research at Guardent, a managed security-services provider. ISPs had by Tuesday installed filters that thwarted the worm's replication process, he said.

Still, Kaplan and other security experts have seen signals that another worm attack is probably on the horizon.

"The good news is it looks like at the moment, it's really calmed down. ... The flip side is that it's only Tuesday midday and there's a really good chance that something else could creep up by the end of the week," he said.


Discussions among hacker groups on the Internet indicate that another piece of code that exploits the same RPC vulnerability could be in the works, he said.

Blaster scans random ranges of IP addresses on port 135 for vulnerable systems and instructs those systems to download and execute the file MSBlast.exe via TFTP.
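The two network behaviors just described, a single host touching many addresses on TCP/135 and a freshly contacted host pulling the payload back over TFTP (UDP/69), are what a defender can look for in firewall logs. The script below is an added illustration, not code from the article or from Guardent; its log format, IP addresses and thresholds are all constructed for the example, and a real deployment would read the relevant product's own log format instead.

```python
from collections import defaultdict, deque

# Constructed sample log (not from any real firewall product): one line per
# connection attempt, "<epoch> <proto> <src_ip> <dst_ip> <dst_port>".
SAMPLE_LOG = "\n".join(
    # 10.0.0.5 sweeps a /24 on TCP/135 within seconds: the scanning signal.
    [f"{1060617600 + i} TCP 10.0.0.5 192.168.3.{i} 135" for i in range(1, 26)]
    # 192.168.3.7 reaches TCP/135 on 10.0.0.9, which then opens UDP/69 back
    # to it: the payload-pull signal.
    + ["1060617700 TCP 192.168.3.7 10.0.0.9 135",
       "1060617702 UDP 10.0.0.9 192.168.3.7 69"]
    # 10.0.0.42 talks to a few domain controllers on 135: benign RPC traffic.
    + [f"1060617800 TCP 10.0.0.42 10.0.1.{i} 135" for i in range(1, 4)]
)


def parse(text):
    """Return (ts, proto, src, dst, port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            records.append((int(parts[0]), parts[1].upper(),
                            parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return records


def find_scanners(records, threshold=20, window=60):
    """Sources that reach >= threshold distinct hosts on TCP/135 within
    `window` seconds. Returns {src: peak distinct-destination count}."""
    per_src = defaultdict(list)
    for ts, proto, src, dst, port in sorted(records):
        if proto == "TCP" and port == 135:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, hits in per_src.items():
        recent = deque()  # (ts, dst) pairs inside the sliding window
        for ts, dst in hits:
            recent.append((ts, dst))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = {d for _, d in recent}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def find_payload_pulls(records, max_gap=300):
    """Hosts that were contacted on TCP/135 and then, within `max_gap`
    seconds, opened UDP/69 back to the same peer. Returns a list of
    (victim, peer, ts) tuples in time order."""
    contacted = defaultdict(list)  # (victim, peer) -> timestamps of 135 hits
    pulls = []
    for ts, proto, src, dst, port in sorted(records):
        if proto == "TCP" and port == 135:
            contacted[(dst, src)].append(ts)
        elif proto == "UDP" and port == 69:
            earlier = contacted.get((src, dst), [])
            if any(0 <= ts - t <= max_gap for t in earlier):
                pulls.append((src, dst, ts))
    return pulls


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for src, n in find_scanners(recs).items():
        print(f"scanner: {src} reached {n} hosts on TCP/135 within one window")
    for victim, peer, ts in find_payload_pulls(recs):
        print(f"payload pull: {victim} opened TFTP to {peer} at {ts}")
```

The scanning check alone produces false positives on hosts that legitimately use RPC against many servers, which is why the benign host in the sample stays under the threshold; the TFTP check is the more specific signal, since an inbound RPC contact followed by an outbound TFTP session to the same peer is the exact order of operations the article describes.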

The flaw--a buffer overflow that affects Windows NT 4.0, 2000, XP, and Server 2003--made big news when it was revealed last month. Even the U.S. Department of Homeland Security issued an alert.

Kaplan said many of Guardent's customers had firewalls that blocked Blaster and the firm had been advising clients to patch their systems for the flaw since Microsoft issued an alert about it July 16. But some corporations still had not implemented the patch, despite warnings.

According to a release issued by Symantec Tuesday afternoon, the number of systems infected by Blaster--also known as Blast and Lovsan--more than doubled in the last 12 hours. Symantec said more than 127,000 systems were infected.

The worm is programmed to launch a distributed denial-of-service attack against Microsoft's windowsupdate.com on Aug. 16.

Many corporate networks were infected when employees who worked remotely via VPN or dial-up connections returned to the office, said Joe Stewart, senior security researcher at Lurhq, a managed security-services provider. Although most corporations have firewalls that block the worm, users can become infected when they take their laptops home, then infect the corporate network when they come back to the office, he said.

Blaster is dangerous because it spreads automatically, said Gary Morse, president of Razorpoint Security Technology, a New York-based security-services firm.

"It's a very efficient exploitation device," he said. "It's a successful worm."

Moreover, a relatively inexperienced hacker could easily add functionality to the worm that makes its payload more dangerous, he added.

Razorpoint advises clients to be proactive instead of reactive and waiting for the next patch, Morse said. Proactive steps include hardening operating systems, segmenting the network, and installing firewalls that are more intelligent about applications, he said.

The Associated Press contributed to this report.