Friday June 08, 2001
DoS worm invades Microsoft servers
By Robert Lemos, ZDNet News

The self-spreading program--dubbed DoS.Storm--uses infected computers to inundate Microsoft's servers with data and e-mail. It's a crossover between hacking and virus writing--a new trend?

A program created to automatically flood Microsoft's Web and e-mail servers has been discovered on several corporate networks and may have spread further on the Internet, antivirus researchers said Friday.

Discovered this week, the worm--dubbed DoS.Storm--infects Microsoft Web servers and then scans for new machines to infect, floods Microsoft's main Web site with data, and sends a deluge of obscene e-mail to an apparently invalid address for Microsoft Chairman Bill Gates (news - web sites).

"This is one of the trends that we are going to see more and more of: the crossover between the hacking and virus writing, and moving away from e-mail-borne worms," said Vincent Weafer, director of software maker Symantec's antivirus research center.

The worm spreads by exploiting a known flaw in Microsoft's flagship Web server software, called the Internet Information Service (IIS). The vulnerability, dubbed the "Web server folder traversal" flaw, affects Microsoft IIS 4.0 and 5.0.

Although Symantec researchers found the flaw last October, the security hole had been fixed by a previous patch released in August 2000.

Once it infects a server, the worm starts scanning 10 million Internet addresses, looking for more vulnerable servers to infect.

The worm also initiates an attack on Microsoft, sending a flood of data to overwhelm its Web servers. Known as a denial-of-service (DoS) attack, almost 4,000 such attacks take place every week, according to a recent study.

Microsoft Web sites were crippled by a series of DoS attacks in January.

In addition, the worm will send a constant stream of e-mail to "gates@microsoft.com" with the message "F**k you!" The address is believed to be invalid, causing the e-mails to bounce back to the sender.

Microsoft representatives were not immediately available for comment.

Only a handful of Symantec customers have reported finding DoS.Storm, said Weafer, who does not expect it to spread far.

"If people update their security patches, it should not be a problem," he said. "The crunch question is, of course, how many people have patched."

Moreover, the worm's activities make it fairly easy to detect, he added.

The program's search for other vulnerable servers combined with the deluge of data and mail tends to redline the capacity of most corporate network connection, tipping off even the most inexperienced system administrators.

"Anyone with a good firewall and intrusion-detect system can see this thing easily," Weafer said.

Rival antivirus company Trend Micro had no indications of the worm from its customers.

Back To The Study

Home | Contact The Help Desk | Internet & Marketing Services