Using a technical sleight of hand, Microsoft was able to stave off a planned Internet attack on its Windows Update Web site over the weekend, keeping the site open for legitimate users. WinInfo Daily UPDATE readers are likely familiar by now with the fact that the infamous MSBlaster worm, which exploits a remote procedure call (RPC) vulnerability in all Windows NT-based OSs, was set to launch a Distributed Denial of Service (DDoS) attack on Windows Update on August 16. Microsoft says it was able to turn back that attack by changing the way the company routes computers to the Web site, and Saturday came and went without any Windows Update performance problems or downtime.
"One strategy for cushioning the blow was to extinguish the WindowsUpdate.com site," a Microsoft spokesperson said. "We have no plans to ever restore that to be an active site." The company deregistered WindowsUpdate.com's IP address with Internet-based DNS servers. By Friday morning, WindowsUpdate.com was effectively offline, and the site sent legitimate users to http://windowsupdate.microsoft.com, which the company says was always the real destination; WindowsUpdate.com just redirected users to the longer URL. Because the worm knows only about WindowsUpdate.com, not the new URL, Microsoft was able to effectively stop the worm.
According to antivirus vendor Symantec, the MSBlaster worm has affected more than 385,000 computers, despite constant warnings during the past month from Microsoft, the US Department of Homeland Security (DHS), the technical press, and various security experts that users and administrators should install Microsoft's patch, which the company released in mid-July. Since that time, the intruders responsible for the MSBlaster worm were able to fashion a virulent software attack that took advantage of a vulnerability with Microsoft's RPC technology, knowing that many systems would remain unpatched and unprotected.
Sadly, many users could have averted the attack fairly easily; for example, Windows Server 2003 and Windows XP users had only to select one check box to enable the free Internet Connection Firewall (ICF) that comes with those products and prevent the worm from doing any damage. Let's hope that MSBlaster will be a turning point for Windows users and administrators; a little proactive security work can go a long way. Meanwhile, intruders are busy writing new variations of MSBlaster that will likely do more damage than the original version. You've been warned.