washingtonpost.com
FBI Looks For Source Of Internet Infection
'Blaster' Worm's Spread Slowed on Second Day

By Brian Krebs
washingtonpost.com
Thursday, August 14, 2003; Page E01
WashingtonPost Tech


The FBI yesterday joined the hunt for the source of an Internet worm that was estimated to have infected more than 250,000 computers this week.

As users patched the holes that made their computers vulnerable, it became clear that electronic attacks target both the humble to the mighty. Home users were believed to be most affected, but on Tuesday the Blaster worm reached into a dozen computers in the U.S. Senate and caused the Federal Reserve Bank of Atlanta to shut down most of its computer system. The worm interrupted work for two days at CBS in New York.

Nearly half the 250,000 infected computers are in the United States, said Alfred Huger, senior director of engineering at Symantec Corp., a security software company.

Huger said the number of new infections has dropped nearly 50 percent since the worm's peak Tuesday morning, but that new, more invasive versions of the worm will probably emerge.

It's very likely that in short order we'll see revisions of the worm that are faster, more efficient and more destructive, Huger said. Internet security experts already have detected at least two new versions of the worm, but the changes are minor.

The FBI's cyber division is trying to identify the source and author of the worm, said spokesman Bill Murray. Officials from the Department of Homeland Security are participating in the inquiry. Murray declined to say whether the FBI had any leads.

The program, which is known by various names, including MSBlaster and LoveSan, attacks the most recent versions of Microsoft Corp.'s Windows operating system but does not appear to be designed to alter files or destroy information on the computers. It finds computers on the Internet to which it can connect and worms its way into them, unlike a computer virus, which requires that a file -- received attached to e-mail, downloaded from a Web site or another computer user or contained on a disk -- be opened. If the infectious program is left on a computer, however, it can help spread the worm, which installs instructions for an attack Saturday on the Web site that Microsoft customers use to download software updates.

A Microsoft spokesman said the company is preparing a defense against an attack.

Microsoft alerted its customers to the worm on July 16 and urged them to download a patch to prevent it. The federal Homeland Security Department added its voice to the warning two weeks later, but many users did not respond until the Blaster worm began spreading vigorously this week.

Computer security experts said the worm was badly written and so it didn't spread as quickly or extensively as it could have. But the clear sense among the experts was that the online world once again dodged a bullet.

A better version of this worm wouldn't crash any machines; it would work correctly every time, move faster, and delete or steal its victims' files, said Dan Ingevaldson, an engineering manager at Atlanta-based Internet Security Systems Inc.

The worm cost businesses as much as $329 million worldwide in lost productivity on Tuesday, according to RedSiren Inc., an Internet security company based in Pittsburgh. Red Siren used a formula that employed data available on the World Wide Web, as well as assumptions on the average salary of workers who use computers, the amount of time the worm knocked them off-line and how much each hour of that time was worth.

Nicholas Brigman, a RedSiren vice president, said the estimates were based on a little more than 2 million computers being infected. He said that number could be smaller.

Using RedSiren's formula with Symantec's estimate of total infections suggests that the amount of money lost was only $35 million.



© 2003 The Washington Post Company