bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

helpersCheckIsPostiesArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

hooksAmpRedirectArticle

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

moreOnThisArticles

urlAlias

commentCount

authorLocations

authors

corrections

sponsorType

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

socialHeadline

headline

flag

firstTopic

glossary

flattenTypeIds

publishedDate

additionalInfoBoxes

quizIds

images

image

relatedLinks

relatedNewsletters

__typename

createdDate

sponsor

paywallTypes

pdfFiles

seriesReverseOrder

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

readingTime

customTimezone

liveContents

Carolyn Ong

Newspapers love stories about computer viruses. They are sensational, and they spread panic. But almost all the reports that I have read on the W32.Blaster worm seemed to have missed the point.

As with most episodes of worm attacks (these  are not going to die down but will increase in frequency, and the code will get better), cyber attacks are triggered by user complacency.

A May 2002 report from the Gartner Group revealed that most successful attacks on computer systems exploit security weaknesses that are well known and for which patches exist.

And this is certainly the case with  W32.Blaster and its offspring. People do not learn, and will continue to draw attacks.

The long-predicted worm that uses a flaw present in all Microsoft's XP and 2000 operating systems spread from the United States to Europe to Asia in three days.

The W32.Blaster worm attacks via a flaw for which a patch from Microsoft has been available for exactly one month.

It was called Lovsan because it contained a hilarious message for Microsoft chairman Bill Gates, hidden in the code: 'I just want to say LOVE YOU SAN!! Billy Gates, why do you make this possible? Stop making money and fix your software!!'

After August 15, infected computers were used to launch a denial of service attack against windowsupdate.com, where the patch for the vulnerability can be found.

It affects only computers running Windows XP and Windows 2000, causing the PCs to shut down and reboot repeatedly.

As far as we are concerned, W32.Blaster is a stroll in the park. It can be resolved in  less than 10 minutes, simply by downloading the patch.

It is a nuisance, not a malicious bug like SQL Slammer or Nimda, which not only destroyed data and brought down web businesses Amazon, Yahoo and Ebay, but also caused three-quarters of worldwide internet traffic to screech to a halt.

Anti-virus vendors are usually the first to go on about how nasty the latest worm is, because it gives them a chance to hawk their wares. Yet, while newspapers around the world were making the bug sound like the Sars of computer viruses, anti-virus experts we spoke to were playing it down.

As reported in Kelvin Sit's story in this section, David Sykes of Symantec told us this bug has all the hallmarks of an amateur but did warn that future strains might be more virulent. Allan Dyer, president of the Association of Anti-virus Asia Researchers,  said  W32.Blaster  should not have happened in the first place because a patch has been available since July 16.

The worm spreads automatically by sending itself via TCP port 135 to random IP addresses, generating large amounts of network traffic. Once it finds and infects a system, it copies itself on to the registry and sets up a shell, using TCP port 4444, which downloads a program, msblast.exe, before sending itself out again.

Experts do have one concern: the worm can be used against both servers and client PCs running Microsoft Windows, which makes up about 80 per cent of all computers. The sons of W32.Blaster are expected to be a lot more nasty.

The critical flaw is in Microsoft's Distributed Component Object Model Remote Procedure Call (RPC) interface. The vulnerability involves the RPC protocol, which deals with computer-to-computer communications. Microsoft warned that, under certain circumstances, the RPC might not properly check messages sent to the PC.

If any lesson can  be drawn from last week's attack, it is that more must be done to protect PCs connected to the internet. While it is no Code Red, administrators and PC users often underestimate the worm. They must still patch their systems as a matter of urgency or  risk a second attack.

Gartner said many recent cyber attacks could have been avoided if enterprises were more focused on their security efforts, but users seem not to learn from their mistakes. Take the Code Red virus;  patches were available to protect systems against Code Red, but people did not download them.

Two months later, the Nimda virus came along and exploited exactly the same weakness and caused even more havoc around the world. The combined devastation from Code Red and Nimda  is estimated at  billions of dollars, largely because of user indifference, according to Richard Mogull from Gartner.

However, I thought it was especially ironic that Gartner Group's Asia Pacific office was crippled for a day last week by W32.Blaster.



That 'lov' bug was just a nibble - wait for the big bite