DoS worm invades Microsoft servers

The self-spreading program--dubbed DoS.Storm--infects computers, then uses them to inundate Microsoft's servers with data and email. It's a crossover between hacking and virus writing--a new trend?

A program created to automatically overload Microsoft's Web and email servers has been discovered on several corporate networks and may have spread further on the Internet, antivirus researchers said Friday.

First reported last week, the worm--dubbed DoS.Storm--spreads on Web servers running Microsoft software and is designed to use the infected servers to level an Internet attack against the company.

"This is one of the trends that we are going to see more and more of: the crossover between the hacking and virus writing, and moving away from email-borne worms," said Vincent Weafer, director of software maker Symantec's antivirus research center.

So far, the software giant has seen little, if any, activity from the worm, said Steve Lipner, manager for Microsoft's security response center.

"There have been no indications" that Microsoft is under attack, said Lipner. "We talked to the corporate security organization and they were not reporting anything."

Yet if incidents from earlier this year are any indication, the worm could still squirm into servers and cause problems.

Worms that spread from server to server have caught on with online vandals. So far, several variations of two worms, known as Ramen and Lion, have infected Linux machines, while another worm, called Sadmind, has infected Solaris machines and defaced Microsoft Web servers.

Unlike previous worms, DoS.Storm is a mating of a denial-of-service attack tool and an Internet worm.

The worm portion of the program attempts to spread the code throughout the Internet. Once it infects a server running Microsoft software, DoS.Storm starts scanning 10 million Internet addresses, looking for more vulnerable computers to invade.

Then the attack-tool portion of the code kicks in, initiating what's known as a denial-of-service (DoS) attack and sending a flood of data to overwhelm the servers that run Microsoft's main Web site. Almost 4,000 such DoS attacks take place on the Internet every week, according to a recent study.

In addition, the worm sends a constant stream of email to "" with the message "F**k you!". The address is invalid, causing the email to bounce back to the sender.

The worm spreads by exploiting a known flaw in Microsoft's flagship Web-server software, called the Internet Information Service (IIS). The vulnerability, referred to as the "Web server folder traversal" flaw, affects Microsoft IIS 4.0 and 5.0.

This is not the first time Microsoft has been the target of a DoS attack. Microsoft Web sites were crippled by a series of data floods in January.

The hole used by the worm is old. Security researchers found the IIS flaw last October. Microsoft fixed the vulnerability with a patch released in August 2000.

In May, Microsoft issued a cumulative patch to mend most of the security problems found in the company's IIS software. The patch was delivered as part of the solution to another vulnerability.

Symantec is the only antivirus company to report the worm so far, and only a handful of Symantec customers have found it on their networks, said Weafer. "If people update their security patches, it should not be a problem," he said. "The crunch question is, of course, how many people have patched."

Even for companies that haven't patched the hole, Weafer believes, the worm's activities will make it fairly easy to detect.

The program's search for other vulnerable servers combined with the deluge of data and mail tends to redline the capacity of most corporate network connections, tipping off even the most inexperienced system administrators, he said. "Anyone with a good firewall and intrusion-detect system can see this thing easily," he said.

Rival antivirus companies Trend Micro and Network Associates have had no indications of the worm from their customers.