Blaster and SoBig to Return?


By Kevin Murphy

Clogged networks, crashing computers, emergency patching, airline delays, cancelled trains... the second half of September could start to resemble August, with experts predicting new strains of the Blaster and SoBig Windows viruses.

Microsoft Corp warned yesterday that there are three more remotely exploitable vulnerabilities in recent versions of Windows, two of them very similar to and as dangerous as that which permitted Blaster to spread.

According to one security group, an exploit for the third hole, which permits a denial-of-service attack against vulnerable machines, has been available since code was posted to the web by Chinese hackers on July 25.

Microsoft sent out a series of alerts to users of Windows NT 4.0, 2000, XP and Server 2003, warning there are two buffer overrun vulnerabilities in the OS that could allow hackers to run arbitrary code on their machines.

Bad luck to users of older Windows versions - Microsoft no longer supports those operating systems and has no idea if the vulnerabilities affect you (this time, the company issued a patch for unsupported NT 4.0 as an "exception").

The two vulnerabilities are in the components of Windows that deal with remote procedure calls (RPC) to distributed component object model (DCOM) services. A worm could be designed to exploit these holes automatically.
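To make the class of bug the article is describing concrete, here is an added illustration that is not from the article, from Microsoft, or from eEye, and does not reproduce the actual RPC/DCOM flaw: a message handler that copies a length-prefixed field from a network packet into a fixed-size buffer. The wire format, the handler names and the sample packets are all constructed for this example. The unchecked version trusts the peer-supplied length, which is exactly the kind of buffer overrun that lets a remote caller run arbitrary code; the checked version validates the length against both the bytes actually received and the destination buffer before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this illustration (not the real MS-RPC/DCOM
 * encoding): a 2-byte big-endian length, then that many bytes of name. */
#define NAME_BUF 32

/* Vulnerable handler: the peer's length field drives memcpy into a fixed
 * stack buffer with no bounds check, so a length above NAME_BUF-1 writes
 * past the end of `name`. It is only ever called with well-formed input here. */
static int handle_name_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    char name[NAME_BUF];
    if (pkt_len < 2)
        return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(name, pkt + 2, n);   /* n is never compared to NAME_BUF or pkt_len */
    name[n] = '\0';
    return (int)strlen(name);
}

/* Hardened handler: validates the claimed length against both the bytes
 * actually received and the destination buffer before copying. */
static int handle_name_checked(const uint8_t *pkt, size_t pkt_len,
                               char *out, size_t out_len)
{
    if (pkt_len < 2 || out_len == 0)
        return -1;                       /* truncated header / no buffer */
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    if (n > pkt_len - 2)
        return -2;                       /* claims more bytes than were received */
    if (n >= out_len)
        return -3;                       /* would not fit with the terminator */
    memcpy(out, pkt + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample packets. */
static const uint8_t PKT_OK[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* Header claims 512 bytes but only 5 follow. */
static const uint8_t PKT_LIES[] = {0x02, 0x00, 'h', 'e', 'l', 'l', 'o'};

/* Returns the parsed length for the valid sample, or -100 if the
 * extracted name does not match what was sent. */
int demo_valid(void)
{
    char out[NAME_BUF];
    int n = handle_name_checked(PKT_OK, sizeof PKT_OK, out, sizeof out);
    return (n == 5 && strcmp(out, "hello") == 0) ? n : -100;
}

/* The hardened parser rejects a length field larger than the payload. */
int demo_length_lies(void)
{
    char out[NAME_BUF];
    return handle_name_checked(PKT_LIES, sizeof PKT_LIES, out, sizeof out);
}

/* A well-formed 40-byte name: honestly encoded, but too big for NAME_BUF.
 * The unchecked handler would write 40 bytes plus a terminator into a
 * 32-byte stack buffer on this input; the checked one refuses it. */
int demo_too_long_for_buffer(void)
{
    uint8_t pkt[2 + 40];
    pkt[0] = 0x00;
    pkt[1] = 40;
    memset(pkt + 2, 'A', 40);
    char out[NAME_BUF];
    return handle_name_checked(pkt, sizeof pkt, out, sizeof out);
}

/* The unchecked handler agrees with the checked one on benign input. */
int demo_unchecked_benign(void)
{
    return handle_name_unchecked(PKT_OK, sizeof PKT_OK);
}

int main(void)
{
    printf("valid: %d  length lies: %d  too long: %d  unchecked benign: %d\n",
           demo_valid(), demo_length_lies(), demo_too_long_for_buffer(),
           demo_unchecked_benign());
    return 0;
}
```

The two checks in `handle_name_checked` are independent: the first catches a header that lies about how much data follows (an over-read of the packet buffer), the second catches an honestly encoded field that simply does not fit (the overrun of the destination). A handler that performs only one of them is still exploitable, which is why both tests are kept even though the second sample packet would trip either one.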

"This is RPC and Blaster all over again with new patches required and a strong potential of new variants of the original Blaster worm emerging," said Marc Maiffret, co-founder of eEye Digital Security Inc, which is credited with discovering the problems.

Exploit code for these critical holes has yet to be found online, but it's only a matter of time before it is. It took less than a month for Blaster (aka MSBlast, LovSan) to emerge after the first RPC hole was discovered in July.

Internet Security Systems Inc said in its alert that an exploit for the third bug disclosed yesterday - a less-serious RPC vulnerability that allows denial of service attacks - has been available for download since July 25.

The new critical security holes, coming so close to the last batch, will not do Microsoft's tarnished image any favors, particularly given the level of attention the constant security problems with Windows have been receiving in the mainstream media and government (see separate story).

In addition to the lurking threat of Blaster's son, there's also a possibility that the internet could soon be hit by a seventh version of SoBig, an email worm that travels as an executable attachment and infects Windows users.

The sixth version, SoBig.F, stopped trying to infect new machines yesterday, bringing temporary relief to network administrators who have had to deal with SoBig.F in addition to the usual volume of spam email.

In a post to a public mailing list yesterday, a Cambridge University mail administrator said that in the last three weeks SoBig.F was sent to the university 3.5 million times, accounting for 56% of messages (a third of a terabyte of mail in total) and consuming on average 2Mbps of bandwidth.

And virus experts warn that the next version could be released soon. In late August, Central Command Inc, an anti-virus software firm, said that precedent suggests SoBig.G could emerge "shortly after September 10th".

VP of products and services Steven Sundermeier said: "The virus author(s) of Sobig have developed a predictable pattern of releasing new variants soon after the current version de-activates itself." The first version was released in January.

Despite the arrests of a Minnesota teenager and a Romanian graduate student in connection with two Blaster variants, law enforcement in the US and elsewhere has yet to release any information about its progress tracing the original authors of Blaster.

Likewise, a suspect in the SoBig case has yet to be arrested, although the FBI is known to have obtained IP addresses from a small Usenet service provider that is believed to have been used by the SoBig.F author to infect the first victims.
COPYRIGHT 2003 Datamonitor
Copyright 2003 Gale, Cengage Learning. All rights reserved.
Article Details
Title Annotation:computer viruses
Author:Murphy, Kevin
Publication:Computergram International
Geographic Code:1USA
Date:Sep 11, 2003
Words:662