VeriSign: DNS Flood Shows Microsoft Blaster Worm Bigger Than Thought

ComputerWire ^ | August 15, 2003

[HAL9000]

The internet's domain name system root servers have been pounded with up to 50% more domain lookups than usual this week, and VeriSign Inc, the company that manages some of the servers, thinks the Blaster worm is to blame.

VeriSign said late yesterday that daily DNS queries on its infrastructure increased by 3.7 billion this week, roughly 33% more than usual. At 9am US Pacific time yesterday, the traffic was up 50% about normal levels, the company said.

"A five percent deviation would be significant. It's usually very predictable," VeriSign's senior VP of security services Ben Golub said. "This appears to be a global event."

According to Golub, the spike in traffic started at the same time Blaster (aka MSBlast and Lovsan) began infecting Windows 2000 and Windows XP machines on the August 11.

The logic goes that many vulnerable servers became infected, and therefore unreachable due to crashes or excessive amounts of outgoing traffic.

Remote applications, such as browsers, that try to access these servers find the first IP address they try doesn't work, so they do a DNS lookup that ultimately reaches VeriSign's name servers.

The company believes that even if this does not indicate there are more total infected hosts that previously thought, it indicates that those infected machines are not being cleaned up as fast as other worm watchers thought.

Which could be bad news for Microsoft Corp, which is due to have one of its web sites come under attack by Blaster-infected computers at midnight Saturday (which starts at 7am US Pacific time Friday).

© ComputerWireTM 2003

[Hanging Chad]

...midnight Saturday (which starts at 7am US Pacific time Friday)...
- - -
Huh?

[El Laton Caliente]

Think world wide time zones...

[B Knotts]

I think they mean that computers across the dateline (Christmas Island) will start hitting Microsoft at that time, as it will be Saturday there.

[AngryAmerican]

Yes...it is already 5:30 AM Saturday in FIJI, just over the international dateline, so if a computer in FIJI has this worm, it should now be pounding away at windowsupdate.com.

[GSWarrior]

My home PC is infected, but I am going to wait until after the weekend before I begin to address the problem. Too much confusion right now.

[lelio]

The internet's domain name system root servers have been pounded with up to 50% more domain lookups

Why do the root servers get this many requests? Shouldn't ISPs cache most of this information?

[kylaka]

Its not hard to fix, provided you have the latest MS service pack installed. If not, it is a bit more of a challenge. If you're running XP you can enable the firewall, which will hold it at bay, but that isn't a permanent fix.

[GSWarrior]

Right now this worm is residing in my PC. Is it doing any damage beyond just logging me off? Or should I immediately remove it to prevent further unseen damage?

[Ernest_at_the_Beach]

Thanks for the info Hal!

OFFICIAL BUMP(TOPIC)LIST

[dyed_in_the_wool]

1. Kill the msblaster.exe task from your current processes.
2. Search and delete anything named msblaster.exe.
3. Click on 'network connections'. Right click on your active connection, click on the third-most tab to the right and then click the 'firewall' checkbox.
4. If you're really feally frisky, you can seach online for the registry setting that it creates and delete that as well, but I don't recommend that for the faint of heart.
After the storm, try hitting the windowsupdate.com site for the patch.
But you don't need to go there to do this.

[Hanging Chad]

O-h-h-h-h-h-h-h-h,
NOW, I get it ....

[GSWarrior]

Thanks. Really appreciate your help.

[kylaka]

No, right now it is not doing any damage. Removing it does no real good. When you log back on the Web it will re-infect your computer in anywhere from 60 seconds to around 40 minutes. I asked about your service pack status because it will be nearly impossible to download from Microsoft, before the worm shuts you down, and it takes a few weeks to get it on disc from MS. The actual fix is about 1MB and takes less than 60 seconds to do. If I can help, or answer any more questions, just ask.

[GSWarrior]

My plan is to download the service pack on my neighbor's computer and install it onto mine. I am guessing that this will work. And do I need a firewall since I am not on a network?

Thanks.

[UseYourHead]

If you would like the repair tool and the patch, I can send them to you or make them available from my website. Just private reply me and let me know if you want the repair tool and which patch (NT, 2000, and or XP) you need.

[kylaka]

Can't do that. It won't allow you to save it... only download and install. I guess that approach is meant to thwart illegal installs of Windows, as it verifies your product key before starting.

You could enable your firewall as mentioned in comments above (dyed in the wool) described the process well, but I haven't verified that that works. That would (hopefully) allow you to download SP1a. You can also remove the worm and then load and watch Task Manager as SP1a is downloading. If any task launches, it is msblast.exe regardless of the name (it cloaks itself). You then have 4-5 seconds to kill the task before it installs and begins shutdown. Good Luck.

[kylaka]

My machines are done, but thanks for the offer.

[UseYourHead]

I have posted links to the repair tool and patches on my profile page. Be sure to rename the files when you download them from .e to .exe and let me know if you have any problems or questions.

[webheart]

My home PC is infected, but I am going to wait until after the weekend before I begin to address the problem. Too much confusion right now.

I don't mean to be rude, but that is the most ridiculous thing I've read for quite awhile. If your PC is infected, and still connected to the internet, then it is actively trying to propagate the virus to the internet. Symentec has a free removal tool that you can download from www.symantec.com, and it will do the job as quickly as anything you can try yourself. It then directs you to the page where the patch is available. Both downloads are compact enough to download in minutes even on a dialup.

If you don't want to deal with it until later, please turn off your computer or disconnect from the internet NOW.