Attack hits PCs around world

NEW YORK (AP) – The latest Internet attack on Microsoft operating systems by rogue software disabled tens of thousands of computers worldwide Tuesday, though a fix had been available for nearly a month.

The virus-like worm, dubbed “LovSan” or “Blaster,” snarled corporate networks with an inundation of data packets and frustrated home computer users unversed in techie triage.

As it spread, the worm triggered Windows computers to shut down and restart. It forced Maryland’s motor vehicle agency to close for the day and kicked Swedish Internet users offline.

Security experts said the world was lucky this time because LovSan is comparatively mild and doesn’t destroy files. They worry that a subsequent attack exploiting the same flaw – one of the most severe to afflict Windows – could be much more damaging.

“We think we’re going to be dealing with it for quite some time,” said Dan Ingevaldson, engineering manager at Internet Security Systems in Atlanta.

Although LovSan did not appear to do any permanent damage, Ingevaldson said instructions to do just that could easily be written into a worm that propagates in the same way.

On July 16, Microsoft posted on its Web site a free patch that prevents LovSan and similar infections. The underlying flaw affects nearly all versions of the software giant’s flagship Windows operating system.

Notwithstanding high-profile alerts issued by Microsoft and the Department of Homeland Security, many businesses did not install the patches and scrambled Tuesday to shore up their computers.

Security experts say patches often stay on “to do” lists until outbreaks occur.

“You’re looking at 70 new vulnerabilities every week,” said Sharon Ruckman, senior director at the research lab for anti-virus vendor Symantec. “It’s more than a full-time job trying to make sure you are up to date.”

Microsoft spokesman Sean Sundwall acknowledged that the blame does not really lie with customers.

“Ultimately, it’s a flaw in our software,” he said.

The latest infection was dubbed “LovSan” because of a love note left on vulnerable computers: “I just want to say LOVE YOU SAN!”

Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft’s chairman: “billy gates why do you make this possible? Stop making money and fix your software!”

Tracing its origins will be difficult because the worm left few clues, said Marc Maiffret, co-founder of eEye Digital Security. The worm appeared to be based on code released earlier by a Chinese research group that goes by Xfocus, Maiffret said.

Non-Microsoft systems were not vulnerable, though some may have had trouble connecting with Web sites, e-mail and other servers that run on Windows.

Symantec’s probes detected more than 125,000 infected computers worldwide.

The worm exploits a flaw in a Windows feature used to share data files across computer networks. It was first reported in the United States on Monday and spread across the globe as businesses opened Tuesday and workers logged on.

Additional U.S. computers were hit Tuesday, and Maryland’s Motor Vehicle Administration shut all its offices at noon.

“There’s no telephone service right now. There’s no online service right now. There’s no kiosk or express office service,” spokeswoman Cheron Wicker said. “We are currently working on a fix and expect to be operational again in the morning.”

In Sweden, Internet provider TeliaSonera said about 20,000 of its customers were affected after the infection clogged 40 servers handling Internet traffic.

Among companies affected in Germany was automaker BMW, said spokesman Eckhard Vannieck. He said the problems did not affect production.

Symantec, F-Secure and other anti-virus companies have free tools for removing the worm.

All Windows users, whether their computers were infected or not, were encouraged to obtain a fix from Microsoft’s Web site. Anti-virus and firewall products should also be updated, security experts say.

Larger companies typically have firewalls that can stem attacks, but once a worm gets inside a firewall, unprotected computers are vulnerable.

Employees connecting from home or taking infected laptops to the office can allow the worm to easily penetrate a company’s defenses, said Russ Cooper, a senior researcher at TruSecure.

But to expect home users to keep their systems current is unreasonable, said Bruce Schneier, chief technology officer with Counterpane Internet Security. He blames software developers for writing bad software that constantly needs “critical” patches.

“My mother will never install the patch until I come visit,” he said. “I couldn’t even call her and walk her through it. The industry is wrong to expect her to do it. The fact that she sends me e-mail is incredible enough.”



On the Net:

Microsoft warning:

http://www.microsoft.com/security/security-bulletins/ms03-026.asp

Advisory and links to removal instructions:

http://www.cert.org/advisories/CA-2003-20.html

AP-ES-08-12-03 1837EDT


