.gif)
Blaster (computer worm)
Encyclopedia
The Blaster Worm was a computer worm
that spread on computers running the Microsoft
operating systems: Windows XP
and Windows 2000
, during August 2003.
The worm was first noticed and started spreading on August 11, 2003. The rate that it spread increased until the number of infections peaked on August 13, 2003. Filtering by ISPs and widespread publicity about the worm curbed the spread of Blaster.
On August 29, 2003, Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota
was arrested for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month prison term in January 2005.
The worm spread by exploiting a buffer overflow
discovered by the Polish cracking group Last Stage of Delirium in the DCOM
RPC
service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in
MS03-039. This allowed the worm to spread without users opening attachments simply by spamming itself to large numbers of random IP addresses. Four versions have been detected in the wild.
The worm was programmed to start a SYN flood
on August 15, 2003 against port 80 of windowsupdate.com, thereby creating a distributed denial of service attack (DDoS) against the site. The damage to Microsoft was minimal as the site targeted was windowsupdate.com instead of windowsupdate.microsoft.com to which it was redirected. Microsoft temporarily shut down the targeted site to minimize potential effects from the worm.
The worm contains two messages in it's source code. The first:
is why the worm is sometimes called the Lovesan worm.
The second:
is a message to Bill Gates
, the co-founder of Microsoft and the target of the worm.
The worm also creates the following registry entry so that it is launched every time Windows starts:
, Windows XP (64 bit)
, and Windows Server 2003
. In particular, the worm does not spread in Windows Server 2003 because it was compiled with the /GS switch, which detected the buffer overflow and shut the RPCSS process down.When infection occurs, buffer overflow makes RPC service crash, leading Windows to display following message and then automatically reboot, usually after 60 seconds. (default RPC service failure behaviour)
This was the first indication many users had an infection; it often occurred a few minutes after every startup on compromised machines. A simple resolution to stop countdown is to run the "shutdown -a" command in the Windows command line, causing some side effects such as an empty (without users) Welcome Screen. The Welchia worm had a similar effect. No more than a year later, the Sasser worm surfaced, which caused a similar message to appear.
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
that spread on computers running the Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
operating systems: Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
and Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
, during August 2003.
The worm was first noticed and started spreading on August 11, 2003. The rate that it spread increased until the number of infections peaked on August 13, 2003. Filtering by ISPs and widespread publicity about the worm curbed the spread of Blaster.
On August 29, 2003, Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota
Hopkins, Minnesota
As of the census of 2000, there were 17,145 people, 8,224 households, and 3,741 families residing in the city. The population density was 4,205.9 people per square mile . There were 8,390 housing units at an average density of 2,058.2 pe square mile...
was arrested for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month prison term in January 2005.
Creation and effects
According to court papers, the original Blaster was created after a Chinese cracking collective called Xfocus reverse engineered the original Microsoft patch that allowed for execution of the attack.The worm spread by exploiting a buffer overflow
Buffer overflow
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
discovered by the Polish cracking group Last Stage of Delirium in the DCOM
Distributed component object model
Distributed Component Object Model is a proprietary Microsoft technology for communication among software components distributed across networked computers. DCOM, which originally was called "Network OLE", extends Microsoft's COM, and provides the communication substrate under Microsoft's COM+...
RPC
Remote procedure call
In computer science, a remote procedure call is an inter-process communication that allows a computer program to cause a subroutine or procedure to execute in another address space without the programmer explicitly coding the details for this remote interaction...
service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in
MS03-039. This allowed the worm to spread without users opening attachments simply by spamming itself to large numbers of random IP addresses. Four versions have been detected in the wild.
The worm was programmed to start a SYN flood
SYN flood
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.-Technical details:...
on August 15, 2003 against port 80 of windowsupdate.com, thereby creating a distributed denial of service attack (DDoS) against the site. The damage to Microsoft was minimal as the site targeted was windowsupdate.com instead of windowsupdate.microsoft.com to which it was redirected. Microsoft temporarily shut down the targeted site to minimize potential effects from the worm.
The worm contains two messages in it's source code. The first:
I just want to say LOVE YOU SAN!!
is why the worm is sometimes called the Lovesan worm.
The second:
billy gates why do you make this possible ? Stop making money
and fix your software!!
is a message to Bill Gates
Bill Gates
William Henry "Bill" Gates III is an American business magnate, investor, philanthropist, and author. Gates is the former CEO and current chairman of Microsoft, the software company he founded with Paul Allen...
, the co-founder of Microsoft and the target of the worm.
The worm also creates the following registry entry so that it is launched every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update=msblast.exe
Side effects
Although the worm can only spread on systems running Windows 2000 or Windows XP (32 bit) it can cause instability in the RPC service on systems running Windows NTWindows NT
Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix. It was intended to complement...
, Windows XP (64 bit)
Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition released on April 25, 2005 is an edition of Windows XP for x86-64 personal computers. It is designed to use the expanded 64-bit memory address space provided by the x86-64 architecture....
, and Windows Server 2003
Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
. In particular, the worm does not spread in Windows Server 2003 because it was compiled with the /GS switch, which detected the buffer overflow and shut the RPCSS process down.When infection occurs, buffer overflow makes RPC service crash, leading Windows to display following message and then automatically reboot, usually after 60 seconds. (default RPC service failure behaviour)
This was the first indication many users had an infection; it often occurred a few minutes after every startup on compromised machines. A simple resolution to stop countdown is to run the "shutdown -a" command in the Windows command line, causing some side effects such as an empty (without users) Welcome Screen. The Welchia worm had a similar effect. No more than a year later, the Sasser worm surfaced, which caused a similar message to appear.
See also
- Helpful wormHelpful wormA helpful worm is variant on a computer worm which delivers its payload by doing "helpful" actions instead of malicious actions. Welchia was a major example of a helpful worm - utilizing the same exploit that caused the Blaster worm...
- List of convicted computer criminals
- SpamSpam (electronic)Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
- Timeline of notable computer viruses and wormsTimeline of notable computer viruses and wormsThis is a timeline of noteworthy computer viruses, worms and Trojan horses.- 1966 :* The work of John von Neumann on the "Theory of self-reproducing automata" is published...