, SecurityFocus 2003-08-14
The Blaster worm has infected hundreds of thousands of Windows machines, shut down the Maryland state DMV, put network administrators on overtime, crashed countless consumer's home computers, and on Saturday it will attempt a denial-of-service attack on Microsoft's Windows Update site. But that doesn't make it all bad.Blaster, also known as MSBlast and LovSan, hit the Internet on Monday, spreading through the RPC DCOM vulnerability discovered by the Polish security research group Last Stage of Delirium earlier this year. The worm is built on dcom.c, one of the public exploit programs that emerged to demonstrate and exercise the flaw in the days and weeks following Microsoft's July 16th advisory. According to data gathered by (SecurityFocus publisher) Symantec's DeepSight network of intrusion detection systems, by Thursday afternoon the worm
As nasty as that is, security experts say it could have been much worse: the worm is hampered by clumsy construction, and it does not contain a malicious payload to damage victim's files. Moreover, in its reckless tear through cyberspace Blaster is accomplishing what a month of warnings from the security community, an unprecedented mass-e-mail campaign by Microsoft, and two advisories from the Department of Homeland Security all failed to do: it's forcing companies and consumers to install the patch for the serious RPC DCOM vulnerability, shutting down computer intruders who've had their pick of these systems for weeks.
"All the crackers that are out there basically breaking into systems, all those systems are going to be disappearing for them," says Marc Maiffret, a founder of security software company eEye. "It's like a human getting sick, and getting over it, and building antibodies."
Beginning in late July, intruders have had their choice of a growing number of easy-to-use RPC DCOM exploit programs and variants, some of them packaged with friendly GUIs or backdoor programs to install on attacked machines. Before the worm struck, universities like U.C. Berkeley and Stanford were already in pitched battles with intruders wielding mass infectors that were worm-like in their attack. According to the Department of Homeland security, on some campuses intruders were cracking systems and installing the RPC DCOM patch themselves, presumably to keep other hackers from taking the machines away from them. "When the exploits first came out, within a day or so there was a lot of chatter," says Chris Wysopal, research director for @stake. "People were amazed how easy it was to find vulnerable machines."
That's probably all over now.
"It is the silver lining of too much publicly," says Bruce Schneier, CTO of Counterpane Internet Security. "Once a vulnerability gets so huge that CNN reports on it, the real attackers that are trying to get into specific sites, and not just cause general mayhem, have to move to different vulnerabilities."
From that perspective, worms like Blaster are the forest fires of the Internet's ecosystem, a feared destructive force that burns away the dead, rotting wood. Home users might end up better off than before the worm struck, says Maiffret, as their battle with Blaster sends then to Windows Update, perhaps for the first time ever. "They're not just getting this patch, they're getting all these patches that have been sitting there," Maiffret says. Years of Internet Explorer bugs alone leave unpatched computers vulnerable to hijacking through malicious e-mail or specially-crafted websites. "All this stuff is going to be fixed when these people run Windows Update. And the only reason people are going to run it is because of this worm."
"It's totally messed up to say, but there's definitely a good side to worms," says Maiffret. "I'm not saying it's right to write a worm and release a worm, it obviously is not and its criminal, but at the same time there are definitely some positives that come from it."
Maiffret says the beneficial side effect of worms became apparent when the first self-propelled Windows virus, Code Red, struck the net in July, 2001, exploiting a vulnerability eEye found in Microsoft's IIS Web server software, and infecting 350,000 unpatched machines.
"Up until Code Red, it was a heyday for crackers -- you could break into any system you wanted that was running Windows," says Maiffret. "When something like Code Red came, that was one of the best things to happen to security -- Windows security -- in a long time."
Wysopal agrees that Blaster has a good side, but he says the benefits are heavily outweighed by the damage it's causing just by spreading. "If I took a day off to go to the Maryland DMV, and I can't renew my license because it's shut down, that's a lot of pain to go through because of the worm," he says. Moreover, serious intruders aren't bothered by losing the RPC DCOM hole. "The bad ass folks already got in long before the worm. They got what they wanted."