‘Blaster’ master sought by FBI

The FBI has begun an investigation into the origins of the “Blaster” worm, which already has a new variant and continued to wreak havoc on computer systems worldwide yesterday.

The worm has caused hundreds of thousands of machines to mysteriously crash and restart, costing businesses more than $500 million.

Also known as MSBlaster and LoveSan, it appeared Monday but spread quickly Tuesday, causing computers to crash at many businesses and government offices, including the Maryland Motor Vehicle Administration and Federal Reserve Bank in Atlanta.

Many Long & Foster real estate offices in Maryland and Virginia also were shut down both days. MVA reopened yesterday, but drivers trying to renew their licenses or car registration endured two-hour waits at offices.

Blaster exploits vulnerabilities in Windows XP, Windows 2000 and Windows NT software. The worm is programmed to cause Microsoft’s Windows Update Web site to crash Saturday.

Microsoft alerted customers to the vulnerability in its software July 16, and offered a free software patch to download. While millions of computer users downloaded the patches, many others ignored the warnings and their machines became infected.

FBI spokesman Bill Murray declined to comment on the status of the investigation, except to say that it was reviewing a copy of the worm’s code for clues.

“Taking the code and analyzing it will help us to determine whether it’s someone who is savvy at writing these types of things or whether this came from someone who is inexperienced,” Mr. Murray said.

Some Internet security analysts who have viewed the worm said the code was badly written and includes portions that were simply copied and pasted from coding that had been published on the Internet.

“[Blaster] has peaked, but not due to the fact that it ran out of targets,” said Alfred Huger, a senior director of engineering with Cupertino, Calif., Internet security company Symantec Corp. “It’s so poorly written that it’s sort of run out of steam on its own.”

A more savvy programmer would have written the worm’s code more efficiently, allowing it to infect more computers more quickly, analysts said. There is some concern that sleeker “copycat” versions of Blaster could emerge. Already yesterday, Internet security companies were watching a worm called teekids.exe, which had similar characteristics. It was not clear late yesterday how many computers were infected by the variant, but it appears to be spreading as quickly as the original.

The Blaster worm is expected to wreak noticeable havoc for at least several weeks. Administrators at many universities said they probably would see small outbreaks of the worm on campuses over the next month because students returning from summer break could hook infected computers into the campus network.

Mr. Murray said the FBI is constantly watching for worms and viruses designed to copy previous attacks.

Story Continues →