Worm Attack Succeeds and Fails at the Same Time

Windows 2000 and XP machines that get infected after this moment will try to launch a distributed denial-of-service attack against Microsoft’s windowsupdate.com. Similarly, machines that were infected before midnight on the 15th of August (local time) will start the attack the next time they are rebooted. This will continue until the end of the year 2003.

Microsoft made drastic changes to their Internet setup on Friday, changing the operations of their main servers. As for windowsupdate.com, they just surrendered.

“They figured out – quite correctly – that no web server could survive under the attack load generated by tens of thousands of infected computers. So Microsoft simply disconnected this server from the web and removed its name from domain name systems,” explains Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. “Windowsupdate.com will probably never return. So in this sense, the worm accomplished what it wanted: windowsupdate.com is no more.”

As a result, the worm can’t find a target address for the attack – and won’t attack. The change was made so late that some affected machines probably still had a cached IP address for windowsupdate.com, and a limited number of attack packets are going around the net – but not enough to cause disruption for the internet itself.

So, Microsoft sacrificed their server to save the rest of the net. Now there will be no floods of packets to overflow routers and switches at ISPs around the world. This probably was an easy decision for Microsoft, as windowsupdate.com was not used much.

The official address for Microsoft’s Windows Update Service is windowsupdate.microsoft.com. This is also the address built into Windows 98, ME, 2000, XP and 2003. Most likely this was the address the virus writer tried to attack, but she made a slight mistake in the address (which used to be redirected to the same update service).

F-Secure estimates that the Lovsan worm will continue to spread around the world in measurable amounts at least until 2005.

