Microsoft Avoids Blaster's Attack
Software giant yanks targeted Web site to avoid denial-of-service rally.
Joris Evers, IDG News Service
Microsoft has pulled the WindowsUpdate.com Internet address in an effort to thwart an attack on its systems by computers infected with the Blaster worm, the company says.
Blaster, also known as the DCOM or Lovsan worm, spread quickly this week, infecting as many as 1 million computers, according to some estimates. Infected machines were set to stage a denial-of-service attack on WindowsUpdate.com at midnight on Saturday. A DoS attack is designed to cripple a Web site or network by prompting floods of useless traffic.
But Microsoft has removed the target by killing the domain name, the company said Friday. Microsoft used the WindowsUpdate.com address to redirect Internet users to the software update site for Windows at windowsupdate.microsoft.com.
Redirecting Traffic
"WindowsUpdate.com is a nonessential address, so we just pulled it as part of our strategy to avert the worm," says Sean Sundwall, a Microsoft spokesperson. "That creates problems for the worm."
Users can still get software updates by going directly to the Windows Update Web site that is part of the Microsoft.com domain. "The site is up and running, so people are getting their patches," Sundwall says. The patch to fix the Windows vulnerability that Blaster exploits is available from Security Bulletin MS03-026. It was released in July.
Internet users who type the WindowsUpdate.com URL in their browser get an error message. Microsoft has deleted the Domain Name System information for the domain, and it no longer sends traffic to an actual Web site. DNS is the address book for the Internet, the system that maps text-based Web addresses to numeric IP addresses.
"The domain does not point anywhere. It is a dead URL. There are no plans to bring it back," Sundwall says.
Temporary Fix
Dumping the WindowsUpdate.com domain name may keep Microsoft from having to cope with another DoS attack, but it does not stop the worm from infecting the systems of Microsoft customers, says Lloyd Taylor, vice president of technology and operations at Web performance management services company Keynote Systems.
"It is a particularly elegant solution, but it does not stop the spreading of the worm," Taylor said.
PCs infected by the worm were set to begin sending a constant stream of connection requests to the WindowsUpdate.com address at 12 a.m. local time on Saturday. Once launched, the attack was intended to continue, unabated, through the end of December and begin again on January 16, 2004, experts say.
Earlier Attack
Meanwhile, Microsoft continues to investigate another DoS attack that downed its main site for two hours Thursday evening. That attack apparently had nothing to do with the Blaster worm.
The attack occurred Thursday evening at 8:45 p.m. Pacific Daylight Time and was directed at www.microsoft.com, Sundwall says.
Microsoft.com was completely inaccessible for two hours Thursday evening and experienced "off and on" disruptions for another two hours, he confirms.
"We're really confident that this was not an attack from the Blaster worm," Sundwall says.
The timing of the attack and a technical analysis of the traffic sent to Microsoft indicate a source other than machines infected with Blaster, he adds.
Early reports that Microsoft's windowsupdate.com site was the target of the attack proved false, though some users reported difficulty reaching the site Friday morning.
The windowsupdate.microsoft.com and download.microsoft.com sites, which distribute software updates to Microsoft customers, were unaffected by the attack, Sundwall says. Users continued to access and download software patches from those sites throughout the attack, he adds.
Still Investigating
Helsinki security company F-Secure has been monitoring windowsupdate.com since Wednesday and detected no interruption until Microsoft downed the site, according to Mikko Hypponen, head of antivirus research.
While both Thursday's attack and an August 1 attack against Microsoft.com were denial-of-service attacks, Microsoft does not believe the two were linked.
"That's the only similarity we can confirm at this point. We think the sources were different," Sundwall says.
Microsoft could not comment on the details of the attack, but Sundwall says it was a DoS attack emanating from machines worldwide. He says Microsoft does not know how many computers were involved, but points out that Microsoft's site is a popular target and is designed to withstand even large-scale attacks without disruption.
The attackers probably have a very large network of compromised "zombie" machines that are being coordinated to attack Microsoft, he says.
With two successful attacks in one week, Microsoft is looking into software and other technology to prevent future threats, Sundwall adds.
Microsoft is already a customer of Akamai Technologies, which operates a distributed worldwide network that can diffuse DoS attacks. Microsoft would not comment on whether Thursday's attack affected only its servers, or whether Akamai servers were also involved.
Paul Roberts of the IDG News Service contributed to this report.






