Blaster (also known as Lovsan, Lovesan, or MSBlast) was a
computer worm
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wi ...
that spread on computers running
operating system
An operating system (OS) is system software that manages computer hardware, software resources, and provides common daemon (computing), services for computer programs.
Time-sharing operating systems scheduler (computing), schedule tasks for ef ...
s
Windows XP
Windows XP is a major release of Microsoft's Windows NT operating system. It was release to manufacturing, released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Wind ...
and
Windows 2000
Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was released to manufacturing on December 15, 1999, and was official ...
during August 2003.
The worm was first noticed and started spreading on August 11, 2003. The rate that it spread increased until the number of infections peaked on August 13, 2003. Once a network (such as a company or university) was infected, it spread more quickly within the network because firewalls typically did not prevent internal machines from using a certain port.
Filtering by ISPs and widespread publicity about the worm curbed the spread of Blaster.
In September 2003, Jeffrey Lee Parson, an 18-year-old from
Hopkins, Minnesota
Hopkins is a small suburban city in Hennepin County, Minnesota, United States, located west of Minneapolis. Hopkins was the headquarters of Minneapolis-Moline, which was a large manufacturer of tractors and agricultural equipment in the United ...
, was indicted for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month
prison
A prison, also known as a jail, gaol (dated, standard English, Australian, and historically in Canada), penitentiary (American English and Canadian English), detention center (or detention centre outside the US), correction center, correc ...
term in January 2005.
The author of the original A variant remains unknown.
Creation and effects
According to court papers, the original Blaster was created after security researchers from the Chinese group Xfocus
reverse engineered the original Microsoft patch that allowed for execution of the attack.
The worm spreads by exploiting a
buffer overflow
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
Buffers are areas of memor ...
discovered by the Polish security research group Last Stage of Delirium
in the
DCOM RPC
RPC may refer to:
Science and technology
* Rational polynomial coefficient
* Reactive Plastic Curtain, a carbon-dioxide-absorbing device used in some rebreather breathing sets
* Regional Playback Control, a regional lockout technology for DVDs
* ...
service on the affected operating systems, for which a patch had been released one month earlier i
MS03-026and later i
MS03-039 This allowed the worm to spread without users opening attachments simply by spamming itself to large numbers of random IP addresses. Four versions have been detected in the wild.
These are the most well-known exploits of the original flaw in RPC, but there were in fact another 12 different vulnerabilities that did not see as much media attention.
The worm was programmed to start a
SYN flood against port 80 of
windowsupdate.com if the system date is after August 15 and before December 31 and after the 15th day of other months, thereby creating a
distributed denial of service attack (DDoS) against the site.
The damage to Microsoft was minimal as the site targeted was windowsupdate.com, rather than windowsupdate.microsoft.com, to which the former was redirected. Microsoft temporarily shut down the targeted site to minimize potential effects from the worm.
The worm's executable, MSBlast.exe, contains two messages. The first reads:
I just want to say LOVE YOU SAN!!
This message gave the worm the alternative name of Lovesan. The second reads:
billy gates why do you make this possible ? Stop making money
and fix your software!!
This is a message to
Bill Gates
William Henry Gates III (born October 28, 1955) is an American business magnate and philanthropist. He is a co-founder of Microsoft, along with his late childhood friend Paul Allen. During his career at Microsoft, Gates held the positions ...
, the
co-founder
An organizational founder is a person who has undertaken some or all of the formational work needed to create a new organization, whether it is a business, a charitable organization, a governing body, a school, a group of entertainers, or any othe ...
of Microsoft and the target of the worm.
The worm also creates the following registry entry so that it is launched every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ windows auto update=msblast.exe
Timeline
*May 28, 2003: Microsoft releases a patch that would protect users from an exploit in WebDAV that
Welchia
Welchia, also known as the "Nachi worm", is a computer worm that exploits a vulnerability in the Microsoft remote procedure call (RPC) service similar to the Blaster worm. However, unlike Blaster, it first searches for and deletes Blaster if it exi ...
used. (Welchia used the same exploit as MSBlast but had an additional method of propagation that was fixed in this patch. This method was only used after 200,000 RPC DCOM attacks - the form that MSBlast used.)
*July 5, 2003: Timestamp for the patch that Microsoft releases on the 16th.
*July 16, 2003: Microsoft releases a patch that would protect users from the yet unknown MSBlast. At the same time they also released a bulletin describing the exploit.
*Around July 16, 2003: White hat hackers create proof-of-concept code verifying that the unpatched systems are vulnerable. The code was not released.
*July 17, 2003: CERT/CC releases a warning and suggests blocking port 135.
*July 21, 2003: CERT/CC suggests also blocking ports 139 and 445.
*July 25, 2003: xFocus releases information on how to exploit the RPC bug that Microsoft released the July 16 patch to fix.
*August 1, 2003: The U.S. issues an alert to be on the lookout for malware exploiting the RPC bug.
*Sometime prior to August 11, 2003: Other viruses using the RPC exploit exist.
*August 11, 2003: Original version of the worm appears on the Internet.
*August 11, 2003: Symantec Antivirus releases a rapid release protection update.
*August 11, 2003, evening: Antivirus and security firms issued alerts to run Windows Update.
*August 12, 2003: The number of infected systems is reported at 30,000.
*August 13, 2003: Two new worms appear and begin to spread. (Sophos, a variant of MSBlast and W32/RpcSpybot-A, a totally new worm that used the same exploit)
*August 15, 2003: The number of infected systems is reported at 423,000.
*August 16, 2003: DDoS attack against windowsupdate.com starts. (Largely unsuccessful because that URL is merely a redirect to the real site, windowsupdate.microsoft.com.)
*August 18, 2003: Microsoft issues an alert regarding MSBlast and its variants.
*August 18, 2003: The related
helpful worm,
Welchia
Welchia, also known as the "Nachi worm", is a computer worm that exploits a vulnerability in the Microsoft remote procedure call (RPC) service similar to the Blaster worm. However, unlike Blaster, it first searches for and deletes Blaster if it exi ...
, appears on the internet.
*August 19, 2003: Symantec upgrades their risk assessment of Welchia to "high" (category 4).
*August 25, 2003: McAfee lowers their risk assessment to "Medium".
*August 27, 2003: A potential DDoS attack against HP is discovered in one variant of the worm.
*January 1, 2004: Welchia deletes itself.
*January 13, 2004: Microsoft releases a stand-alone tool to remove the MSBlast worm and its variants.
*February 15, 2004: A variant of the related worm Welchia is discovered on the internet.
*February 26, 2004: Symantec lowers their risk assessment of the Welchia worm to "Low" (category 2).
*March 12, 2004: McAfee lowers their risk assessment to "Low".
*April 21, 2004: Another variant is discovered.
*January 28, 2005: The creator of the "B" variant of MSBlaster is sentenced to 18 months in prison.
Side effects
Although the worm can only spread on systems running
Windows 2000
Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was released to manufacturing on December 15, 1999, and was official ...
or
Windows XP
Windows XP is a major release of Microsoft's Windows NT operating system. It was release to manufacturing, released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Wind ...
, it can cause instability in the RPC service on systems running other versions of
Windows NT
Windows NT is a proprietary graphical operating system produced by Microsoft, the first version of which was released on July 27, 1993. It is a processor-independent, multiprocessing and multi-user operating system.
The first version of Wi ...
, including
Windows Server 2003
Windows Server 2003 is the sixth version of Windows Server operating system produced by Microsoft. It is part of the Windows NT family of operating systems and was released to manufacturing on March 28, 2003 and generally available on April 24, ...
and
Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition, released on April 25, 2005, is an edition of Windows XP for x86-64 personal computers. It is designed to use the expanded 64-bit memory address space provided by the x86-64 architecture.
The prima ...
. In particular, the worm does not spread in Windows Server 2003 because Windows Server 2003 was compiled with the /GS switch, which detected the buffer overflow and shut the RPCSS process down. When infection occurs, the buffer overflow causes the RPC service to crash, leading Windows to display the following message and then automatically reboot, usually after 60 seconds.
This was the first indication many users had an infection; it often occurred a few minutes after every startup on compromised machines. A simple resolution to stop countdown is to run the "shutdown /a" command, causing some side effects such as an empty (without users) Welcome Screen.
The
Welchia
Welchia, also known as the "Nachi worm", is a computer worm that exploits a vulnerability in the Microsoft remote procedure call (RPC) service similar to the Blaster worm. However, unlike Blaster, it first searches for and deletes Blaster if it exi ...
worm had a similar effect. Months later, the
Sasser worm
Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent ...
surfaced, which caused a similar message to appear.
See also
*
Botnet
A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its co ...
*
BlueKeep (security vulnerability)
*
Conficker
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator pas ...
*
Gameover ZeuS
GameOverZeus is a peer-to-peer botnet based on components from the earlier ZeuS trojan. The malware was created by Russian hacker Evgeniy Mikhailovich Bogachev. It is believed to have been spread through use of the Cutwail botnet.
Unlike its pred ...
*
Helpful worm
*
Operation Tovar
*
Nachia (computer worm)
*
Sasser (computer worm)
*
Spam
*
Timeline of computer viruses and worms
A timeline is a display of a list of events in chronological order. It is typically a graphic design showing a long bar labelled with dates paralleling it, and usually contemporaneous events.
Timelines can use any suitable scale represent ...
*
Tiny Banker Trojan
*
Torpig
*
List of convicted computer criminals
Convicted computer criminals are people who are caught and convicted of computer crimes such as breaking into computers or computer networks. Computer crime can be broadly defined as criminal activity involving information technology infrastruc ...
*
Zeus (malware)
*
Zombie (computer science)
In computing, a zombie is a computer connected to the Internet that has been compromised by a hacker via a computer virus, computer worm, or trojan horse program and can be used to perform malicious tasks under the remote direction of the hac ...
References
{{Hacking in the 2000s, collapsed
Windows malware
Exploit-based worms
Hacking in the 2000s