Companies and home users should use Microsoft's Windows Update service immediately, before it comes under attack from systems infected with the MSBlast worm this Saturday say security experts.
The MSBlast worm (also knows as Blaster or Lovsan) has been spreading quickly around the globe since Monday by infecting systems that do not have adequate firewall protection. The worm exploits a vulnerability in certain versions of Microsoft's Windows operating systems and has been designed to launch a simultaneous attack on the Windows Update Web site from Saturday 16 August.
Click here for help on dealing with the worm.The attack is unlike any seen before and Microsoft could find it difficult to keep its Windows Update service running.
Jason Holloway, UK general manager at mobile security company F-Secure, believes that although a patch that fixes the exploit has been available for around a month, only half of all computers running a vulnerable version of Windows will have applied it.
The worm is only a problem for users of Windows 2000, Windows XP and possibly NT4. Windows 98, Windows 95 and Windows 3.11 are not at risk.
Holloway said that when a similar attack took place on the White House Web site last year, "it wasn't very hard to knock it offline." If enough machines are infected, the Windows Update Web server's performance will significantly degrade and it could fall over completely: "We can't guarantee that the site will be around afterwards," said Holloway.
Paul Wood, chief information security analyst at Messagelabs, believes that Microsoft has had enough time to prepare: "Plenty of bandwidth and prior notification should enable Microsoft to defend itself," said Wood. However, he said it does depend on how prevalent the worm is.
But Holloway insists that MSBlast is far more sophisticated than previous worms, and will be more difficult to defend against. "Last time, they were attacking the site through its IP address. Administrators fixed the problem by setting up a different Web server, using a different IP address and then reconfiguring the DNS."
Holloway explained that this time, the worm uses the Web site's full name and looks up its DNS on the fly. "So Microsoft can't just change the IP address or load balance against this attack."
Another potential problem is that the worm has an activation date of 16 August, but not all computers are set with the correct time and date, so the attack has already started. "Some PCs will already be mounting an attack on Windows Update and I would expect that to escalate. By Friday it could become quite difficult to connect to that site."
Additionally, MSBlast is not spread by email. Instead it scans random IP addresses, looking for machines that are not protected with a firewall. "It has port scanning abilities. If it finds a specific port open, it launches a buffer overflow attack. After this, it can take control of the machine and do pretty much what it wants -- such as download a piece of code or take over the machine," said Wood.
Both Wood and Holloway agreed that a well-configured firewall and up to date antivirus software will protect most users.
Talkback
Is it definite that Windows 95 & 98 is not affected - or is it that Microsoft is no longer supporting 95 and 98 and therefore not developing patches, leaving users out on their own???
60secs and my PC is shut down!!!
Does anyone else get this as a result of MSBlast? I have applied Symantec's fix but still my PC shuts down after a 60secs worning!
Please email me!
i need to know are windows 98 going to get infected by this worm because if so how would i get a patch to protect my computer. i have to also let others know about this because of the franklin county careerlink has too many computers that are the newer version and where would i tell them to go to get help for their computers. i hope you write back real soon. concerned computer user
If windows 98 and 95 were going to get infected it would SAY windows 98 and 95 are going to be infected...and in fact - it says the opposite!!! I'm on windows xp, I was infected, so I put up my firewall which enabled me to connect to the net for long enough to download the patch. I then followed the instructions - as detailed on this site - and voila - problem solved. It was scary when I got it on Monday night, but really, it's no big deal.
I don,t see any mention of windows ME , is it safe or not.
is there also a patch for windows m98 se (msblast) worm, please please help me
I HAVE A XP PRO PC. I TRIED TO FOOL THE VIRUS BY DELETING OFF AND CREATING A msblast.exe FILE AND SETTING TO READ ONLY AND HIDDEN.
THIS WORK IN THE SENCE IT STOPPED THE MSBLAST.EXE BEING COPIED TO MY PC AGAIN BUT THE VIRUS IS VERY CLEVER.
IT COPIED ITS SELF BACK AS MSBLAST.PIF.
My windows update page wont download. It freezes and tells me it's not responding. Please someone help!!
We have just purchased 6 new Dell Optiplex GX280 machines running Win XP PRo and are having exactly the same difficulty.
We never had a problem when we updated our Dell Optiplex GX240 machines on the same network connected in the same way and also running Win XP Pro