Blaster worm impact may snowball as number of reports increases, warns Sophos

August 13, 2003 Sophos Press Release


Sophos's technical support department is seeing an hour-on-hour increase in the number of calls from users concerned about the prolific Blaster worm, first seen late in the day (UK time) on 11 August. Unlike the more common email-aware worms, which often burst on the scene and rapidly die away, Blaster, which creeps round the internet looking for critical holes in Microsoft Windows, appears to be gaining momentum.

Sophos technicians have also warned users that it is possible to become infected by the Blaster worm without there being any obvious symptoms. Infected PCs are experiencing slower performance and those running Microsoft Windows XP are prone to re-booting over and over again. Sophos is concerned that many users - particularly home users - may just consider this an everyday glitch, not realise they are infected and take no action.

"Blaster has claimed its place as the most widespread virus in the world right now," said Graham Cluley, senior technology consultant at Sophos. "Despite well-publicised advice regarding this Windows vulnerability from both Microsoft and the US Department of Homeland Security, it seems that not everyone applied the patch in time."

"Blaster is as stealthy and silent as a shadow - it doesn't rely on emails to spread, so it's less likely to evoke user suspicion. It also knows no language barriers so it is truly a global worm," continued Cluley. "The danger is that there are numerous PCs out there which are infected without people realising. Sophos has received stacks of reports of this worm, but these could be just the tip of the iceberg."

The Blaster worm will automatically instruct infected PCs to launch a distributed denial-of-service attack on Microsoft's Windows Update website (www.windowsupdate.com) at 12 midnight local time on Friday 15/Saturday 16 August. Microsoft uses the website to deliver important security patches, such as the one that fixes the hole exploited by the worm, to home users. If the attack is successful, Windows home users may be unable to access the website for critical security protection.

"It's only when Microsoft's update website comes under attack that we'll have any idea of just how widespread Blaster really is. It's likely that the first wave of attacks will take place as the clocks turn midnight in AsiaPac, that's early afternoon on Friday in the UK. These attacks could potentially snowball during the day as the rest of the world wakes up," said Cluley.

Further reading: Instructions on how to protect against and remove infections of the Blaster worm.