- The Washington Times - Wednesday, August 13, 2003

The FBI has begun an investigation into the origins of the “Blaster” worm, which already has a new variant and continued to wreak havoc on computer systems worldwide yesterday.

The worm has caused hundreds of thousands of machines to mysteriously crash and restart, costing businesses more than $500 million.

Also known as MSBlaster and LoveSan, it appeared Monday but spread quickly Tuesday, causing computers to crash at many businesses and government offices, including the Maryland Motor Vehicle Administration and Federal Reserve Bank in Atlanta.

Many Long & Foster real estate offices in Maryland and Virginia also were shut down both days. MVA reopened yesterday, but drivers trying to renew their licenses or car registration endured two-hour waits at offices.

Blaster exploits vulnerabilities in Windows XP, Windows 2000 and Windows NT software. The worm is programmed to cause Microsoft’s Windows Update Web site to crash Saturday.

Microsoft alerted customers to the vulnerability in its software July 16, and offered a free software patch to download. While millions of computer users downloaded the patches, many others ignored the warnings and their machines became infected.

FBI spokesman Bill Murray declined to comment on the status of the investigation, except to say that it was reviewing a copy of the worm’s code for clues.

“Taking the code and analyzing it will help us to determine whether it’s someone who is savvy at writing these types of things or whether this came from someone who is inexperienced,” Mr. Murray said.

Some Internet security analysts who have viewed the worm said the code was badly written and includes portions that were simply copied and pasted from coding that had been published on the Internet.

“[Blaster] has peaked, but not due to the fact that it ran out of targets,” said Alfred Huger, a senior director of engineering with Cupertino, Calif., Internet security company Symantec Corp. “It’s so poorly written that it’s sort of run out of steam on its own.”

A more savvy programmer would have written the worm’s code more efficiently, allowing it to infect more computers more quickly, analysts said. There is some concern that sleeker “copycat” versions of Blaster could emerge. Already yesterday, Internet security companies were watching a worm called teekids.exe, which had similar characteristics. It was not clear late yesterday how many computers were infected by the variant, but it appears to be spreading as quickly as the original.

The Blaster worm is expected to wreak noticeable havoc for at least several weeks. Administrators at many universities said they probably would see small outbreaks of the worm on campuses over the next month because students returning from summer break could hook infected computers into the campus network.

Mr. Murray said the FBI is constantly watching for worms and viruses designed to copy previous attacks.

“We’re always worried about things like that,” he said. “Malicious codes always incite copycat coders to do the same thing.”

The Code Red and Nimda worms, which each infected thousands of computers’ servers in 2001, spawned more than a half-dozen copycats, though none created as much damage as the originals.

A worm is different from a virus because it can spread without any action by the computer user.

Computer security companies said Blaster has not caused quite as much trouble as the “Slammer” worm that hit Microsoft server software in January. Computer Economics, a Carlsbad, Calif., research firm, said Slammer caused about $1 billion in damage worldwide. The company’s vice president, Mark McManus, said Blaster would cost about half as much to businesses, but the cost could rise depending on the success of the teekids.exe variant.

Placing a dollar value on the damage created by cyber attacks isn’t easy, security analysts said. The Computer Security Institute in San Francisco said that of 530 companies surveyed last year, 75 percent said they lost money as a result of a cyber attack, but only 47 percent of those said they could quantify the loss. Nevertheless, the institute reported that the companies lost about $202 million last year, down from $456 million in losses for the 503 companies responding in 2001.

Computer systems were particularly hard hit in 2001, when the Code Red and Nimda worms spread to more than a half-million servers worldwide. While Blaster is not expected to hit as many machines as Code Red or Nimda, it has created more of a nuisance because it targets many personal computers as well as servers, analysts said.

Mr. McManus said computer attacks in 2002 cost businesses $11.1 billion worldwide, compared to $13.1 billion in 2001. He said the cost to businesses in 2003 probably will reach 2001’s level.

Many computer security analysts yesterday blamed Microsoft for failing to distribute the protective patch to its customers. But others defended the software company, arguing that it did everything it could to warn customers, but that too many simply didn’t listen.

“I think this highlights the problem the big vendors have in getting customers to use update patches,” said Mr. Huger, of Symantec. “There is a degree of vigilance that has to be accepted by the user.”

Users of Windows XP are automatically alerted when a software update becomes available. Users simply need to click a button to begin download of the update, but many ignore the alerts, prompting some security analysts to suggest that Microsoft download updates automatically onto customers’ computers.

Copyright © 2019 The Washington Times, LLC.