MS Blaster Worm Slams Into Cable

The MS Blaster worm proved a vexing pest to cable data providers last week, generating a flood of calls to customer-service centers even as technicians scrambled to block the computer virus's spread throughout their networks.

The worm — targeting a critical flaw in the Microsoft Corp.'s Windows 2000, Windows XP, Windows NT and Windows Server 2003 operating systems — began hitting the Internet grid Aug. 11.

High-speed problem

While not having the damaging impact of previous works such as Slammer on the Internet infrastructure, Blaster is bedeviling home computer users who didn't download a Microsoft software patch issued earlier this summer.

Computers with always-on broadband connections are particularly vulnerable, given the virus is spreading via the Internet connection itself, rather than e-mail.

Reports late last week put the total number of computers infected at 1 million or more.

While it initially has prompted infected computers to spontaneously reboot every 45 seconds, the worm's ultimate goal is a denial of service attack against Microsoft. The worm's coding instructs infected computers to fire off a slew of data requests beginning at midnight on Aug. 16 to Microsoft's Windows Update service, in an attempt to overwhelm and shut down the site's servers.

To ward off that attack, Microsoft late last week shut down its Windows Update portal. Users who try to tap into the site to obtain the critical software patch are instead directed to an alternate site. Apparently, any messages generated by the worm will not follow that redirect.

Cable operators worry that the resulting flood of upstream traffic from infected computers could spell trouble for their networks.

Comcast Corp., Charter Communications Inc., Time Warner Cable and Cox Communications all reported spikes in call volume to their customer service technical support centers, as frustrated cable modem users sought relief from MS Blaster.

"We know that people are infected," said Comcast spokeswoman Sarah Eder. "The thing is it is hard to educate people because the way that the worm works. It comes into your Microsoft operating system and then starts rebooting your computer every 45 seconds. So that means you cannot maintain connectivity to go get the patch."

Comcast portal aid

Comcast has created a special link on its portal guiding customers to a page with instructions on how to rid their computers of the virus. Comcast has been advising customers to start their computers in safe mode, clean the worm's infecting execution file from their hard drives and then download the patch.

Comcast technicians also took steps to block Port 135, the network router inlet the worm is using to enter computers, in an effort to slow its spread.

Similarly, Time Warner Cable and Cox Communications Inc. technicians also moved to shut off Port 135. By Thursday of last week Cox reported it had blocked 98% of the vulnerable server ports in its network, and as a result call volume steadily dropped, according to spokeswoman Laura Oberhelman. Customer care representatives also have been doling out information to customers who can't bring up their infected computers, she added.

Charter e-mail

The worm prompted Charter to send an e-mail warning to its customers, instructing them where to go to download the patch and what to do if their computers become infected, according to spokesman Dave Anderson.

The MS Blaster may prove a persistent pest. The worm is configured to trigger denial of service attacks against the Microsoft Update site daily from September through December, with subsequent attacks on the 16th
and 31st
days of each month in 2004.