Free Republic
Browse · Search
News/Activism
Topics · Post Article


VeriSign: DNS Flood Shows Microsoft Blaster Worm Bigger Than Thought
ComputerWire ^ | August 15, 2003

Posted on 08/15/2003 10:22:17 AM PDT by HAL9000

The internet's domain name system root servers have been pounded with up to 50% more domain lookups than usual this week, and VeriSign Inc, the company that manages some of the servers, thinks the Blaster worm is to blame.

VeriSign said late yesterday that daily DNS queries on its infrastructure increased by 3.7 billion this week, roughly 33% more than usual. At 9am US Pacific time yesterday, the traffic was up 50% above normal levels, the company said.

"A five percent deviation would be significant. It's usually very predictable," VeriSign's senior VP of security services Ben Golub said. "This appears to be a global event."

According to Golub, the spike in traffic started at the same time Blaster (aka MSBlast and Lovsan) began infecting Windows 2000 and Windows XP machines on August 11.

The logic goes that many vulnerable servers became infected, and therefore unreachable due to crashes or excessive amounts of outgoing traffic.

Remote applications, such as browsers, that try to access these servers find the first IP address they try doesn't work, so they do a DNS lookup that ultimately reaches VeriSign's name servers.

The company believes that even if this does not indicate there are more total infected hosts than previously thought, it indicates that those infected machines are not being cleaned up as fast as other worm watchers thought.

Which could be bad news for Microsoft Corp, which is due to have one of its web sites come under attack by Blaster-infected computers at midnight Saturday (which starts at 7am US Pacific time Friday).

© ComputerWire™ 2003



TOPICS: News/Current Events; Technical
KEYWORDS: blaster; lowqualitycrap; microsoft; techindex; turass; virus; worm

1 posted on 08/15/2003 10:22:18 AM PDT by HAL9000

To: HAL9000
...midnight Saturday (which starts at 7am US Pacific time Friday)...
- - -
Huh?
2 posted on 08/15/2003 10:27:25 AM PDT by Hanging Chad

To: Hanging Chad
Think world wide time zones...
3 posted on 08/15/2003 10:30:06 AM PDT by El Laton Caliente

To: Hanging Chad
I think they mean that computers across the dateline (Christmas Island) will start hitting Microsoft at that time, as it will be Saturday there.
4 posted on 08/15/2003 10:30:26 AM PDT by B Knotts

To: Hanging Chad
Yes...it is already 5:30 AM Saturday in FIJI, just over the international dateline, so if a computer in FIJI has this worm, it should now be pounding away at windowsupdate.com.
5 posted on 08/15/2003 10:33:09 AM PDT by AngryAmerican

To: HAL9000
My home PC is infected, but I am going to wait until after the weekend before I begin to address the problem. Too much confusion right now.
6 posted on 08/15/2003 10:36:22 AM PDT by GSWarrior

To: HAL9000
The internet's domain name system root servers have been pounded with up to 50% more domain lookups

Why do the root servers get this many requests? Shouldn't ISPs cache most of this information?
7 posted on 08/15/2003 10:48:55 AM PDT by lelio

To: GSWarrior
It's not hard to fix, provided you have the latest MS service pack installed. If not, it is a bit more of a challenge. If you're running XP you can enable the firewall, which will hold it at bay, but that isn't a permanent fix.
8 posted on 08/15/2003 11:18:48 AM PDT by kylaka

To: kylaka
Right now this worm is residing in my PC. Is it doing any damage beyond just logging me off? Or should I immediately remove it to prevent further unseen damage?
9 posted on 08/15/2003 11:34:10 AM PDT by GSWarrior

To: HAL9000; *tech_index; Salo; MizSterious; shadowman99; Sparta; freedom9; martin_fierro; ...
Thanks for the info Hal!

OFFICIAL BUMP(TOPIC)LIST

10 posted on 08/15/2003 11:36:39 AM PDT by Ernest_at_the_Beach (All we need from a Governor is a VETO PEN!!!)

To: GSWarrior
1. Kill the msblaster.exe task from your current processes.
2. Search and delete anything named msblaster.exe.
3. Click on 'network connections'. Right click on your active connection, click on the third-most tab to the right and then click the 'firewall' checkbox.
4. If you're really feally frisky, you can search online for the registry setting that it creates and delete that as well, but I don't recommend that for the faint of heart.
After the storm, try hitting the windowsupdate.com site for the patch.
But you don't need to go there to do this.

11 posted on 08/15/2003 11:43:17 AM PDT by dyed_in_the_wool (Leave Sid alone. -- John Lydon)

To: B Knotts; AngryAmerican; El Laton Caliente
O-h-h-h-h-h-h-h-h,
NOW, I get it ....
12 posted on 08/15/2003 11:43:46 AM PDT by Hanging Chad

To: dyed_in_the_wool
Thanks. Really appreciate your help.
13 posted on 08/15/2003 11:50:53 AM PDT by GSWarrior

To: GSWarrior
No, right now it is not doing any damage. Removing it does no real good. When you log back on the Web it will re-infect your computer in anywhere from 60 seconds to around 40 minutes. I asked about your service pack status because it will be nearly impossible to download from Microsoft, before the worm shuts you down, and it takes a few weeks to get it on disc from MS. The actual fix is about 1MB and takes less than 60 seconds to do. If I can help, or answer any more questions, just ask.
14 posted on 08/15/2003 12:15:43 PM PDT by kylaka

To: kylaka
My plan is to download the service pack on my neighbor's computer and install it onto mine. I am guessing that this will work. And do I need a firewall since I am not on a network?

Thanks.

15 posted on 08/15/2003 1:10:17 PM PDT by GSWarrior

To: kylaka
If you would like the repair tool and the patch, I can send them to you or make them available from my website. Just private reply me and let me know if you want the repair tool and which patch (NT, 2000, and/or XP) you need.
16 posted on 08/15/2003 1:32:19 PM PDT by UseYourHead

To: GSWarrior
Can't do that. It won't allow you to save it... only download and install. I guess that approach is meant to thwart illegal installs of Windows, as it verifies your product key before starting.

You could enable your firewall as mentioned in the comments above (dyed_in_the_wool described the process well), but I haven't verified that that works. That would (hopefully) allow you to download SP1a. You can also remove the worm and then load and watch Task Manager as SP1a is downloading. If any task launches, it is msblast.exe regardless of the name (it cloaks itself). You then have 4-5 seconds to kill the task before it installs and begins shutdown. Good luck.

17 posted on 08/15/2003 1:35:00 PM PDT by kylaka

To: UseYourHead
My machines are done, but thanks for the offer.
18 posted on 08/15/2003 1:35:52 PM PDT by kylaka

To: UseYourHead
I have posted links to the repair tool and patches on my profile page. Be sure to rename the files when you download them from .e to .exe and let me know if you have any problems or questions.

19 posted on 08/15/2003 1:42:36 PM PDT by UseYourHead

To: GSWarrior; dyed_in_the_wool
My home PC is infected, but I am going to wait until after the weekend before I begin to address the problem. Too much confusion right now.

I don't mean to be rude, but that is the most ridiculous thing I've read for quite a while. If your PC is infected, and still connected to the internet, then it is actively trying to propagate the virus to the internet. Symantec has a free removal tool that you can download from www.symantec.com, and it will do the job as quickly as anything you can try yourself. It then directs you to the page where the patch is available. Both downloads are compact enough to download in minutes even on a dialup.

If you don't want to deal with it until later, please turn off your computer or disconnect from the internet NOW.

20 posted on 08/15/2003 1:45:57 PM PDT by webheart (Citizen's Grammar Patrol)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
