INTERNET Microsoft finds a way out of online attack
The worm uses an incorrect address for a Web page for updating Windows.
SEATTLE (AP) -- Microsoft may write flawed software, but it can take solace in the fact that the author of the "blaster" worm also made at least one mistake.
That error may be Microsoft's biggest weapon in fending off part two of the Internet attack that was set to start at midnight Friday and continue into today.
The worm, which so far has infected more than 350,000 computers around the world, now aims to bring down Microsoft's Web site for software patches by flooding it with traffic.
The Department of Homeland Security said it has not noticed any activity from the worm yet, but it urged home users and small and midsize businesses to download the patch from www.microsoft.com.
The viruslike infection, also dubbed "LovSan" or "MSBlast," exploits a flaw in most current versions of Microsoft's Windows operating system for personal computers, laptops and server computers.
Although Microsoft posted a software patch to fix the flaw July 16, many users failed to download the patch, leaving them vulnerable to the worm, which first started hitting computers around the world Monday.
The worm caused computers to reboot frequently or disrupted Internet browsing.
But it also packed a second punch: Today, infected computers that have not cleaned up the virus will in effect turn into a legion of zombies instructed to repeatedly call up a Microsoft Web site that houses the software patch.
With so much traffic flooding the network, the site could be unreachable and computer users would be unable to access the patch.
But there's a flaw. The worm instructed computers to call up http://windowsupdate.com -- which is an incorrect address for reaching the actual Microsoft Web site that houses the software patch.
Although Microsoft has long redirected those who visited that incorrect address to the real site -- http://windowsupdate.microsoft.com -- the company disabled the automatic redirection Thursday in preparation for the onslaught of infected computers.
Microsoft's real Web site should still be accessible to users, said Microsoft spokesman Sean Sundwall. However, those who don't know the correct address may be confused and think the so-called "denial of service" attack worked.
The company is taking other measures to keep its site up and running, he said, although he declined to give specifics.
Microsoft's network and others around the country may still see a slowdown in Internet traffic simply from the volume of activity the worm is expected to generate from its many infected computers, said Vincent Weafer, senior director of security response for Symantec Corp., a security and anti-virus company.
However, the worm's effects are "not going to be catastrophic," Weafer said. "The Internet by itself is very resilient."
The rate of new infections has slowed, he said.
But computer users who still have not downloaded the patch need to, he said, adding that the company expects new infections to continue for as long as two years.
XOn the Net: http://windowsupdate.microsoft.com or http://www.dhs.gov