
MSBlast is a virus found on August 11, 2003 that exploits a hole in Windows XP found in the Remote Procedure Call section. The security leak will allow a hacker or anybody with a vicious intent and a working knowledge of cracking one's computer to seize root and plant a virus on your computer, without having to go through e-mail or a web site. The name MSBlast comes from the name of the executable program that resides on an infected computer. This virus, also known as WORM_MSBLAST.A, W32.BLASTER.WORM, and W32/LOVESAN.WORM, will then begin to scan IP addresses at random, pick one, and propagate itself onto another computer. Some people will never see any symptoms of the virus, and it will only propagate on a Windows XP or Windows 2000 environment. However, the effects of the virus are rather nasty. It can reboot your computer at any time without input from the user, and it can restrict you from your Internet connection. The next thing this virus will do is, at midnight on Friday, August 15, have every infected computer begin to send small packets of data to the WindowsUpdate.com site in an attempt to bring it offline. Several anti-virus programs already have new definitions for detecting and removing it. Experts have compared this virus to the Boomer virus that brought down corporate networks in January of 2003.

Blaster is a worm that affects users of Microsoft Windows NT-based operating systems - from NT 4 onwards. Therefore, users of Windows 95, 98, and ME are safe, whereas 2000, XP and 2003 are all affected. Symantec and Microsoft both refer to the worm as W32.Blaster.Worm; Lovsan is the name used by McAfee. Like all worms, it works by crawling into an open port on your computer, and then using it as a host from which to propagate itself; worms can infect a machine without any user interaction at all. Symptoms of Blaster include sudden, frequent reboots, and your computer failing to respond to input. Another symptom that I noticed is getting error messages about svchost shutting down. Granted, this could be just down to your choice of operating system...;)

Blaster exploits a known vulnerability (buffer overflow, inevitably) in one of DCOM's RPC API calls. This vulnerability allows anyone who exploits it to execute arbitrary code on the compromised machine. Blaster attacks through TCP ports 4444 and 135 and UDP port 69; as soon as it has infected a machine, it basically starts a DoS attack on windowsupdate.com[1] (to try to prevent the user from downloading a patch), and then starts generating IP addresses to try to attack next. Blaster contains the following text (although it is never displayed):

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible? Stop making money and fix your software!!

Infection can be prevented by running a firewall on your machine, or by downloading the patch issued by Microsoft to fix the vulnerability. Microsoft have also issued a utility for use by network admins to check which machines in a network may be vulnerable. Most anti-virus software should be able to find and remove Blaster from your system, as can the tool issued by Symantec.

[1]: The concerted DoS attack actually worked, indirectly; windowsupdate.com was preemptively taken down in favour of windowsupdate.microsoft.com, which got fiddled around slightly so as to be hosted by Akamai. Well, sort of; Akamai was taking the requests and forwarding them to Microsoft's servers, which run Windows 2003; Akamai's servers all run Linux, which led to a recent Netcraft report claiming that windowsupdate.microsoft.com was served by IIS run on Linux. The microsoft.com address has been the default site for automatic Windows updates for years now (thanks, lj), but patches, like that for Blaster, might not get picked up automatically. Read all about it at http://www.theregister.co.uk/content/4/32385.html and http://www.computerworld.com/securitytopics/security/story/0,10801,84077,00.html; the Netcraft report can be found at: http://uptime.netcraft.com/up/graph/?host=windowsupdate.microsoft.com

TLAs explained:

  • DCOM: Distributed Component Object Model: A Windows-based framework by which you can access code objects residing on another machine.
  • API: Application Programmer Interface: A set of methods in a piece of software (generally middleware) that are made available to a programmer who wishes to use the software as a component in his own code.
  • RPC: Remote Procedure Call: A protocol which allows calls to be made between different computer processes, and thus between different machines.
  • TCP: Transmission Control Protocol: The underlying protocol of TCP/IP. Basically, TCP is concerned with sending and receiving data packets over the network. Its companion, IP (Internet Protocol), deals with where the packets are going, and where they are coming from.
  • UDP: User Datagram Protocol: Similar to TCP, UDP is a network protocol for data transmission. UDP is not as reliable as TCP, but is faster and more efficient, as it never runs checks to ensure that the data actually reaches its target; nor does it attempt to resend data.
  • DoS: Denial Of Service: An attempt to disable a service on a remote machine (usually either a web server or DNS server) by flooding it with requests until it falls over.
  • TLA: Three Letter Acronym: What geeks use to confuse their managers. Not always accurate, however; the TLA MLA (Multi Letter Acronym) is sometimes used instead.


The Blaster worm is probably the best possible worm we could have hoped for that uses the DCOM exploit. The Windows DCOM vulnerability is one of the worst security holes yet discovered in Windows - it can be remotely exploited to give local root on any operating system based on Windows NT. Patches for the vulnerability were (as usual) not being deployed anywhere near fast enough, especially given the severity of the problem. A well-designed worm would have spread like wildfire, infecting the majority of vulnerable machines in just a few hours, and putting them under the control of the worm's owner. MSBlast is not a well-designed worm.

Three major flaws in MSBlast have come to light so far. It was intended to DDoS windowsupdate.com, and indeed does this correctly. Unfortunately for the worm, however, windowsupdate.com is simply a redirect to windowsupdate.microsoft.com, the official location of Windows Update since its inception five years ago. Days before the DDoS was due to occur, Microsoft removed the DNS record for windowsupdate.com, leaving the worm with nothing to DDoS. Windows Update continues to work just fine at its actual URL, http://windowsupdate.microsoft.com. Had the author done his homework, the worm would have attacked the correct URL, and possibly taken down Windows Update. An outage in Windows Update would have made the DCOM patch a lot harder for home users to get hold of.

Another flaw is the way MSBlast propagates. An MSBlast infection is a two-stage process - first the DCOM bug is exploited, to get the target machine running a stub. This stub tries to connect to a previously infected machine (communicating on TCP port 4444), and if successful it downloads the worm proper using TFTP. This is a fatal design flaw, as TFTP was never intended to be used on the internet, and is blocked by default by many firewalls and routers. TFTP is mostly used by systems that use BOOTP to boot, thus any network that uses BOOTP will prevent TFTP from crossing the firewall as a basic security measure (preventing sensitive boot data from getting out, and hostile forged data getting in). TFTP traffic is very uncommon on the internet, and a clear indication of the worm's presence. Had the worm used a common protocol, like HTTP, for both communication and downloading, it could have avoided all the firewall problems (the vast majority of firewalled machines have some way of accessing the web), and would not have been quite so obvious to intrusion detection systems. The worm's use of a fixed, distinctive port to communicate with other worms (4444/tcp), and an unusual protocol to download itself (TFTP on 69/udp), means that it is easily blocked by ISPs, greatly impeding its progress, and the usefulness of installed clients.

MSBlast's greatest flaw, however, is that it was not properly tested, and affects the stability of the system it is installed on. A well-designed worm gives the user no reason to suspect that something is amiss, until they are TOSed from their ISP. By causing the system to reboot, lock up, and fill up the system log, MSBlast quickly reveals its presence to the user. Windows NT is not Windows 9x - random rebooting is seriously unusual behaviour for NT. Once the user suspects that something is amiss, the game is usually up - if they can't remove the worm themselves, they will certainly take it to someone who can. It is very likely that after removing the worm, the system will be patched to stop it being re-infected.

Thanks to these design flaws, the Blaster worm has succeeded only in raising public awareness of the importance of keeping up-to-date with security patches, and has significantly reduced the potential impact that a well-written worm exploiting the DCOM vulnerability could have had.
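The port sequence the second and third writeups above describe (exploit over 135/tcp, command channel on 4444/tcp, worm body fetched over TFTP on 69/udp), turned into detection logic run over a constructed flow log. This is an added example and is not code from any of the writeups' authors. The log format, hosts, timestamps, the 60-second window and the eight-target scan threshold are all assumptions made for the example, and so is the traffic direction it checks: the infected host is taken to open the 135/tcp and 4444/tcp connections, and the freshly exploited target to fetch the worm back from it over 69/udp.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow log for this example (not real capture data):
# "<ISO timestamp> <proto> <src> <dst> <dport>", one connection per line.
SAMPLE_LOG = """\
2003-08-12T10:00:01 tcp 10.0.0.5 10.0.0.17 135
2003-08-12T10:00:02 tcp 10.0.0.5 10.0.0.17 4444
2003-08-12T10:00:03 udp 10.0.0.17 10.0.0.5 69
2003-08-12T10:00:04 tcp 10.0.0.5 10.0.0.18 135
2003-08-12T10:00:04 tcp 10.0.0.5 10.0.0.19 135
2003-08-12T10:00:05 tcp 10.0.0.5 10.0.0.20 135
2003-08-12T10:00:05 tcp 10.0.0.5 10.0.0.21 135
2003-08-12T10:00:06 tcp 10.0.0.5 10.0.0.22 135
2003-08-12T10:00:06 tcp 10.0.0.5 10.0.0.23 135
2003-08-12T10:00:07 tcp 10.0.0.5 10.0.0.24 135
2003-08-12T10:00:07 tcp 10.0.0.5 10.0.0.25 135
2003-08-12T10:01:00 tcp 10.0.0.9 10.0.0.7 135
2003-08-12T10:01:01 tcp 10.0.0.9 10.0.0.7 4444
2003-08-12T10:03:30 udp 10.0.0.7 10.0.0.9 69
2003-08-12T10:05:00 tcp 10.0.0.30 10.0.0.31 445
"""

# Stages of one infection, using the ports the writeups name: 135/tcp exploit,
# 4444/tcp command channel, 69/udp TFTP. Direction is this example's assumption:
# the infected host initiates the first two, the target fetches the body back.
WINDOW_SECONDS = 60    # all three stages must land inside this window (assumed)
SCAN_THRESHOLD = 8     # distinct 135/tcp targets before a host counts as scanning (assumed)


def parse_flows(text):
    """Parse the constructed log format into flow dicts sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, dport = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "proto": proto.lower(),
            "src": src,
            "dst": dst,
            "dport": int(dport),
        })
    flows.sort(key=lambda f: f["ts"])
    return flows


def find_infection_chains(flows, window=WINDOW_SECONDS):
    """Return (infector, victim) pairs that completed all three stages in order.

    A 135/tcp connection always (re)starts the chain for that host pair, so a
    pair that never reaches the TFTP stage, or whose stages are spread over
    more than `window` seconds, is not reported.
    """
    state = {}    # (infector, victim) -> (stage reached, time of the 135/tcp hit)
    chains = []
    for f in flows:
        key = (f["src"], f["dst"])
        if f["proto"] == "tcp" and f["dport"] == 135:
            state[key] = (1, f["ts"])
        elif f["proto"] == "tcp" and f["dport"] == 4444:
            stage, start = state.get(key, (0, None))
            if stage == 1 and (f["ts"] - start).total_seconds() <= window:
                state[key] = (2, start)
        elif f["proto"] == "udp" and f["dport"] == 69:
            back = (f["dst"], f["src"])    # TFTP fetch runs victim -> infector
            stage, start = state.get(back, (0, None))
            if stage == 2 and (f["ts"] - start).total_seconds() <= window:
                chains.append(back)
                del state[back]
    return chains


def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Hosts that probed at least `threshold` distinct targets on 135/tcp."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 135:
            targets[f["src"]].add(f["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("completed infection chains:", find_infection_chains(flows))
    print("135/tcp scanners:", find_scanners(flows))
```

Run on the sample, the only completed chain is 10.0.0.5 infecting 10.0.0.17, and 10.0.0.5 is also the only host reported as scanning 135/tcp. The 10.0.0.9 / 10.0.0.7 pair is deliberately left with its TFTP fetch outside the window, so a bare 135/tcp plus 4444/tcp pair is not reported on its own; widening the window makes it show up, which is the knob to tune against the scan rate actually seen.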
