The use of DNS in worms makes them considerably more difficult to deal with. That's why it's tough to stop the spread of MSBlast -- you can't simply block a TCP or UDP port without considering how it affects legitimate services. For example, blocking TCP port 135 on routers will stop MSBlast, but it will also stop other software that makes use of the DCOM service, such as Microsoft Exchange. If you're going to successfully block MSBlast, you'll need to do it on border Internet routers and accept that some of your Microsoft products are not going to work across the Internet.
So this time, a worm failed to live up to its hype. However, don't be too sure it won't be worse the next time. Remember that thousands of hosts are still infected with MSBlast, scanning like mad to infect other machines.
But it was an interesting week. Who could have expected that a worm (Nachi) would be released that disables MSBlast and tries to fix vulnerable machines? For now, MSBlast has not made much of a dent at Microsoft or caused too many problems for the Internet. And although the Nachi worm isn't exactly what I would call a "success," it's an intriguing solution for stopping MSBlast. Sometimes, there really are simple solutions to complex problems.
This article was originally published in the Internet Security Focus e-newsletter.





Talkback
Also notable is that Microsoft ducked behind Akamai's Linux-based caching service.
I certainly hope you're joking when you're stating this:
"We'll probably never know whether the authors of MSBlast intended to have their worm thwarted like this, but I find it difficult to believe this was a mistake. Anyone who's clever enough to release a worm onto the Internet isn't likely to make such a ridiculous error."
Sentences like "difficult to believe this was a mistake" and "clever enough to release..."? I'm sorry, but, please! Everybody who knows how to access the Internet knows there's a bunch of toolkits out there where you're able to create viruses for known security flaws using drag & drop. You only need to change a couple of parameters and you're on your road down the criminal path.
*Of course* they did intend to take down Windows Update ... and they failed big time because they were too stupid like the rest of the virus-"authors" out there.