MS Blaster Worm
Five Things to Know about a Blended Malware Threat
In 2003, the technology landscape was still digging out from the burst of the dot-com bubble of the years prior. Yet, there was a sense of optimism and plenty of cause for it. Computers were already benefiting the lives of every serious enterprise and happy consumer. Innovations that year included MySpace, Android OS, the iTunes store, Windows XP, camera phones, and the Intel Pentium M for laptops. All sectors seem to enjoy the innovations coming onto the stage. That is, until the growing attack vector caused especially by millions more users of home and office computers was again proven vulnerable to malicious software.
That year on August 11th the internet worm MS Blaster, aka W32 aka Lovesan, affected hundreds of thousands of Microsoft home and office computers worldwide. It was, as Symantec Corporation and the SANS Institute now call it, a prime example of a “blended threat” — one that combines elements of viruses, worms, trojan horses, and other malicious code. Hindsight tells us that there was plenty of opportunity to prevent Blaster (e.g. patching, updating, heeding alerts from OEMs and other industry voices). Due to the more limited context of the time, however, a wholly unprepared yet thoroughly connected population of users were taken by surprise and the consumer and enterprise settings paid an unnecessary price in terms of damage costs, downtime or lost productivity, and opportunity.
Here are five things you should know about the MS Blaster worm, the blended threat for which the world was unprepared.
1. Blaster affected certain Windows operating systems.
laster affected devices running Windows versions 2003/XP/2000/NT. The virus took advantage of a DCOM (Distributed Component Object Model) vulnerability to spread across Internet-connected systems. DCOM is an interface component of Windows, which handles messages sent using the RPC (remote procedure call) protocol. Blaster affected Transmission Control Protocol (TCP) ports 135 and 4444 as well the User Datagram Protocol (UDP) port 69. Indeed, an indication of a Blaster device or network infection is an inexplicable, unreasonable increase in network traffic through these ports. Specifically, Baster (1) sent traffic on port 135 to attempt to infect other hosts, (2) opened a backdoor by listening on TCP port 4444 to accept remote commands, and (3) opened UDP port 69 to send msblast.exe to other hosts. Workstations attacked by Blaster experienced various symptoms: an unsolicited reboot with the welcome screen absent users, frequent shutdowns, bricking, loss of internet connection, and more.
2. Blaster launched DDoS attacks against Microsoft.
Blaster “zombied” computers, rendered them unusable, and recruited them for self-propagation. It also enrolled them in a practice that was equally mischievous and sinister. Blaster, the worm that affected machines running the Windows OS, created a botnet that carried out distributed denial-of-service (DDoS) attacks against…Microsoft Corporation. Blaster attacked the Microsoft Windows update Web server (http://www.windowsupdate.com) using port 80, although this attack failed to have its intended result of shutting down the company’s system since the aforementioned URL redirects to windowsupdate.microsoft.com. (Nevertheless, Microsoft shut down the site temporarily in response to the attack.) Blaster was programmed to launch a DDoS attack daily from the 16th day to the last day of the month from the January through August. For the months of September through December, it launched the attack daily for each day of the month.
3. Blaster exploited a reported vulnerability.
Blaster spread with ease not because of its genius as a particularly artful piece of software, but because of human error. As early as mid-July the aforementioned ports vulnerabilities affecting certain Windows versions had been shared with system administrators, authorities, and within security vendor circles. (It is believed the worm was reverse engineered from Microsoft’s patch.) Yet, the failure to address these vulnerabilities simply by patching systems in offices and homes led to Blaster’s success. Help Net Security, used this statistic to illustrates that, at its peak, Blaster found vulnerable systems every 30 seconds all over the world.
4. Blaster contained two notable messages.
In addition to wreaking havoc, Blaster is known for containing two provocative messages to its victims. Users of Blaster-infected computers were met with two cheeky messages. The first being, “I just want to say LOVE YOU SAN!!” The greeting is the reason Blaster is also known as Lovesan. Blaster’s other message was the irreverent remark, “billy gates why do you make this possible ? Stop making money and fix your software!!” This was clearly aimed at Microsoft cofounder, CEO and chairman Bill Gates whose operating system was Blaster’s only target. In Gates’s defense, systems infected by Blaster were ones that did not received software patches at the prodding of Microsoft, security vendors, US and other authorities, and so on.
5. Blaster’s ‘creator’ was apprehended.
The Blaster investigation was conducted by the Northwest Cyber Crime Task Force (NWCCTF), chiefly agents of the Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS), with support from the Justice Department’s Computer Crime and Intellectual Property Section, several US Attorney’s Offices including those in Minnesota and California’s Southern District. Jeffrey Lee Parson of Hopkins, MN — 18 years at the time of his crime — was convicted of deploying a variant of Blaster following his admission of guilt. Parson had modified Blaster to add, at least, a tool to remote-access other devices. The “B” version of the worm Parson is responsible for infected 48,000 computers worldwide, and for his creation he was sentenced to 18 months in prison, 3 years of supervised release, and 100 hours of community service.
That’s five things you now know about MS Blaster. To learn more, read the SANS Institute FAQ. Then watch this news video that, viewed through today’s lens, sums up in just 2 minutes the worm attack’s chaos and simplicity.