YOU ARE HERE: LAT HomeCollections

Virus Fails to Hit Microsoft, but Users Are Not So Lucky

August 16, 2003|Joseph Menn | Times Staff Writer

A poorly chosen target for the widespread Internet worm known as Blaster allowed Microsoft Corp. to sidestep a coordinated attack on one of its Web sites Friday, but the worm and its variants made life unpleasant for tens of thousands of computer users and could clog business networks over the next few days.

Blaster has infected 300,000 to 1.2 million machines, according to various estimates. Two of the major strains instructed their host computers to contact Microsoft's Web site the first time they were turned on after their internal clocks passed the stroke of midnight this morning. Such a flood of Internet traffic would have caused a so-called denial-of-service attack, in which a site is overwhelmed with requests for information.

Fortunately for Microsoft, that Web page directs traffic to Windowsupdate.Micro, where the software giant stores its upgrades and fixes -- including a patch to protect PCs from the vulnerability capitalized on by Blaster. So Microsoft just deactivated the referring site, leaving the infected machines with nothing to attack.

The main site was shut down for about four hours by a denial-of-service attack late Thursday and early Friday, but company spokesman Sean Sundwall said that attack wasn't aided by the Blaster worms.

The performance of the Internet backbone wasn't seriously affected as of this morning in Asia and Europe, and no outages were expected as morning dawned in North America, according to Keynote Systems Inc., a San Mateo firm that monitors Web site response times and the overall health of the Internet.

Still, some corporate networks could slow Monday morning as workers boot up infected computers, prompting their PCs to seek the neutered Microsoft site, said Vice President Chris Thompson of Santa Clara, Calif.-based Network Associates Inc., which distributes a popular anti-virus program.

"It will create network traffic, and it might create a congestion issue," said Thompson, who estimated that as many as 200,000 computers would try to contact the defunct Web page.

At least three major versions of Blaster were on the loose Friday, including one worm that installs a "back door" that gives the hacker who created the worm future access to infected PCs. Instructions for removing the worms and protecting computers from more attacks were posted on Microsoft's site.

The worms, which are designed to spread automatically without help from computer users, cause no permanent damage. But they can trigger constant rebooting, giving users little time to fix infected machines.

Security experts said they expected new and possibly more malicious worms to emerge and take advantage of the same hole in affected Windows operating systems that Blaster uses. The hole and a program to patch it were announced a month ago by Microsoft and computer security group Polish, which discovered the problem. Within hours of the announcement, hackers had developed examples of software code to exploit the hole and take control of computers running the Windows NT, Windows 2000, Windows XP and Windows Server 2003 operating systems.

Redmond, Wash.-based Microsoft went to unusual lengths to warn consumers, enlisting a direct marketer to send unsolicited e-mails that linked directly to the patch. After a hacker sent out a fake warning e-mail this week with a malicious program attached, Microsoft said it would never ask users to open an attachment, only to follow a Web link.

Microsoft also took the rare step of publicizing the patch on its home page and its portal. The patch was downloaded a record 80 million times.

The potentially grave consequences of the initial programming hole renewed calls for the world's biggest software company to be more vigilant. It didn't help that Microsoft had touted the victimized Windows Server 2003 -- the first server system released under its "trustworthy computing" initiative -- as its safest software to date for managing networks.

Spokesman Sundwall said Microsoft was considering additional actions to take in the future.

Thompson of Network Associates said consumers would be forced to take "more of an active role" in their own security. "It's really the only way," he said.

Microsoft shares slipped 9 cents to $25.54 on Nasdaq.

Los Angeles Times Articles