Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

MSBlast Is Here To Stay and It's Bigger Than Slammer

  • 15 August, 2003 11:26

<p>TruSecure® is currently advising a host of companies affected by the MSBlast computer worm and deems it to be a serious threat to global business if not dealt with correctly. MSBlast is not mere scaremonger hype, it is very real and it is here to stay.</p>
<p>Stuart Johnstone, Senior Security Analyst, TruSecure Australia / New Zealand reviews the situation to date and predicts: "The level of attacks has stabilised but not diminished. We will see a steady level of attacks for the foreseeable future based on the fact that Slammer is a similar worm and is still attacking systems even to this day.</p>
<p>"MSBlast is 3 times more prevalent than Slammer and much more damaging to the infected machine. Slammer really only clogged bandwidth."</p>
<p>Here are TruSecure’s latest findings and insights into the infamous worm's track.</p>
<p>* Through yesterday the total number of unique hosts that have attacked rose from 471 to 697, an increase of 67%.</p>
<p>* Total number of attacks from inception to 14 August 9:00am (US EDT) is now at 9,692. Only 2% of attackers have only attacked once (this remains constant from the day before)</p>
<p>* 15% have now attacked for more than 1 hour (up from 12%)</p>
<p>* The average number of attacks per host is now 12.4 (down from 13)</p>
<p>* The most number of attacks TruSecure has seen by one IP address is now 115 (was 73)</p>
<p>* The most number of hours that a single host has attacked is now 9 (was 5)</p>
<p>* The most number of hosts that attacked in a single hour is still 27.</p>
<p>Stuart Johnstone adds: "TruSecure has started doing some average comparisons, comparing the average since inception of the attack to averages over the past 24 hours and its interesting to see very little difference between the two.</p>
<p>"There continue to be sporadic surges and drops. We associate this with the way the worm randomly generates IP addresses.</p>
<p>"Using a moving 12-hour average, the graphs are starting to flatten out at a level reached at 2:00am on 12 August (US EDT). There is still movement (due to the small number of samples), but its trending towards staying at that level."</p>
<p>Moreover Johnstone explains why many patches have come unstuck . . .</p>
<p>"Several patch management and update programs have a serious shortcoming that has contributed to the problem. Saint Bernard Software and Windows Update only check registry keys to ensure that a patch has been properly installed. Unfortunately, in the case of the Msft patch for this vulnerability, you need to check the files themselves. Therefore, many companies thought they had successfully patched but have not."</p>
Chris Bowes
Bowes Communications
+61 (0)2 9387 2332</p>

Most Popular