Blaster worm spreading rapidly

Exploiting Remote Procedure Call flaw


A worm that exploits a critical Remote Procedure Call (RPC) flaw to infect vulnerable Windows machines is spreading rapidly across the Internet this morning.

Although serious, the effects of the Blaster worm are expected to be less severe than those caused by the infamous Nimda worm.

The Blaster worm (AKA Lovsan, MSBlast or Poza), which began spreading yesterday, is programmed to launch an attack against windowsupdate.com on 16 August.

Microsoft last month issued a patch to guard against the problem but uptake has been predictably slow, allowing malicious code writers to come up with software that is having a severe effect on many Windows users.

Mac, Linux and Unix computers are immune to this Microsoft-specific vulnerability.

According to a preliminary analysis of the worm by F-Secure, the worm spreads in a 6176 byte executable named MSBLAST.EXE to Windows 2000 and Windows XP systems unless recent Windows security patches have been applied. Windows NT 4 and Windows 2003 might also be affected but these systems appear to be playing a lesser role in the spread of the worm.

The worm launches a command shell and uses TFTP to connect to other infected systems to download the worm's executable. Blaster will scan addresses on the Internet to locate vulnerable Windows machines using TCP/UDP port 135. Once found, it will copy itself over and modify the system so the worm will be executed every time the machine is started. The worm will keep on replicating from every infected machine.

Unsuccessful propagation attempts may crash vulnerable computers, or render them unstable. Successful worm outbreaks are causing localised network latency.

Blaster contains the following text strings:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

Security experts have been predicting the arrival of the worm, or something like it, for some weeks.

TruSecure, which has been prominent in these warnings, has published an informative advisory on the worm, which gives some indication of its likely spread.

The alert states: "TruSecure does not expect LANs to suffer from denial of service conditions due to this infection, even if it becomes infected. This is because internal infections will only propagate if outbound TFTP requests are allowed. If a source is found it can be blocked at either the firewall or router."

For these reasons, TruSecure "does not expect this to be as bad as Code Red, Nimda or SQL Slammer".

However, the company notes that there have been "numerous problems with Windows Update and St. Bernard's Update Expert - both of which showed that MS patch was installed when it wasn't". It is expecting more trouble ahead.

The SANS Institute has issued the following advice on guarding against the spread of the worm:

  • Close port 135/TCP (and if possible 135-139, 445 and 593)
  • Monitor TCP Port 4444 and UDP Port 69 (tftp), which are also used by the worm
  • Ensure that all available patches have been applied, especially a fix for the flaw at the centre of the spread of Blaster
  • Pull infected machines from a network pending a complete rebuild of the system
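As an added illustration of the monitoring advice above (example code written for this page, not from SANS, F-Secure or The Register), the following Python sketch reads constructed firewall log lines in an assumed format and flags the traffic pattern the article describes: one host probing many others on TCP/135, a follow-up connection to TCP/4444, and the probed host fetching the worm body back over UDP/69. The log format, the field names and the scan threshold are assumptions.

```python
"""Detection sketch for the propagation pattern attributed to Blaster:
TCP/135 scanning, a shell connection on TCP/4444, then a TFTP (UDP/69)
fetch of the worm executable by the newly infected host.
Constructed example; log format and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample in an assumed, simplified firewall log format:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
10:00:01 tcp 10.0.0.5:1034 -> 10.0.0.20:135 allow
10:00:01 tcp 10.0.0.5:1035 -> 10.0.0.21:135 allow
10:00:01 tcp 10.0.0.5:1036 -> 10.0.0.22:135 allow
10:00:02 tcp 10.0.0.5:1037 -> 10.0.0.23:135 allow
10:00:02 tcp 10.0.0.5:1038 -> 10.0.0.24:135 allow
10:00:02 tcp 10.0.0.5:1039 -> 10.0.0.25:135 allow
10:00:03 tcp 10.0.0.5:1040 -> 10.0.0.22:4444 allow
10:00:04 udp 10.0.0.22:1041 -> 10.0.0.5:69 allow
10:00:09 tcp 10.0.0.8:2201 -> 10.0.0.9:135 allow
10:00:10 udp 10.0.0.30:3001 -> 10.0.0.5:69 deny
10:00:11 tcp 10.0.0.8:2202 -> 10.0.0.9:80 allow
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(tcp|udp)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)$"
)

# Assumed threshold: distinct TCP/135 targets per source before we call it a scan.
SCAN_THRESHOLD = 5


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        time, proto, src, sport, dst, dport, action = m.groups()
        events.append({
            "time": time, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "action": action,
        })
    return events


def analyse(events, scan_threshold=SCAN_THRESHOLD):
    """Correlate 135/tcp probing, 4444/tcp shells and 69/udp fetches.

    A host is reported as likely infected when it received a 4444/tcp
    connection from some source and then itself sent TFTP traffic back
    to that same source (the download of the worm body)."""
    targets_135 = defaultdict(set)   # scanning source -> set of probed hosts
    shell_4444 = set()               # (source, target) pairs on 4444/tcp
    tftp_69 = set()                  # (source, target) pairs on 69/udp
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 135:
            targets_135[e["src"]].add(e["dst"])
        elif e["proto"] == "tcp" and e["dport"] == 4444:
            shell_4444.add((e["src"], e["dst"]))
        elif e["proto"] == "udp" and e["dport"] == 69:
            # Denied attempts are kept too: a blocked TFTP fetch still
            # points at a host that was reached on 135/4444.
            tftp_69.add((e["src"], e["dst"]))

    likely_infected = sorted(
        victim for (attacker, victim) in shell_4444 if (victim, attacker) in tftp_69
    )
    return {
        "scanners": sorted(s for s, t in targets_135.items() if len(t) >= scan_threshold),
        "shell_connections": sorted(shell_4444),
        "tftp_fetches": sorted(tftp_69),
        "likely_infected": likely_infected,
    }


def report(findings):
    """Render findings as one line per category, for a quick console summary."""
    lines = []
    for key, value in findings.items():
        lines.append(f"{key}: {value if value else 'none'}")
    return lines


if __name__ == "__main__":
    for line in report(analyse(parse(SAMPLE_LOG))):
        print(line)
```

The correlation deliberately requires the TFTP traffic to flow from the probed host back to the host that opened the 4444/tcp shell; a lone TFTP request to port 69 (the denied line from 10.0.0.30 in the sample) is listed but not treated as a confirmed infection on its own.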

Let's be careful out there. ®
