|Creator||Jeffrey Lee Parson|
|Date||August 11th, 2003|
|File Type||Win32 PE executable (.EXE)|
WORM_MSBLAST.A (Trend Micro)
|Damage costs||$335 million|
Blaster, also known as Lovesan, is an internet worm. It created havoc in the late summer of 2003 with widespread Distributed Denial of Service (DDoS) attacks, with damage totaling in the hundreds of millions.
Blaster gets its most-often used name from the file that it drops in the Windows System folder, msbast.exe. Its second name, Lov(e)san comes from the "I LOVE YOU SAN" line in the worm. A few sources also call this worm Poza.
It is also notable for two hidden text strings, one that says "I just want to say LOVE YOU SAN!" (from which it receives one of its aliases) and a message to the Microsoft owner Bill Gates that says "billy gates why do you make this possible ? Stop making money and fix your software!!" It appeared within less than a month before one of the major variants of the Sobig worm.
The Blaster worm shut down CTX, the largest railroad system in the Eastern U.S., for hours, crippled the new Navy/Marine Corps intranet, shut down Air Canada's check-in system and has been implicated in the severity of the Northeast blackout. Maryland Motor Vehicle Administration authority shut its offices for the day because its systems were so severely affected by Blaster that it could no longer continue as normal. Other organizations reportedly suffering network slowdowns or worse because of the worm include German car manufacturer BMW, Swedish telco TeliaSonera, the Federal Reserve Bank of Atlanta and Philadelphia's City Hall. Damage totaled to $320 million.
Symantec believes that 188,000 computers were infected with the worm by the afternoon of August 13, 2 days after the worm's discovery. Microsoft believes that between 8 to 16 million computers were infected with Blaster. Some systems may have been counted more than once, as the figures were based on the number of submissions of the worm received.
As late as 2005 December, new infections of the worm were still being found with 500 to 800 infections per day. This is mostly because of machines that still have yet to be patched. 79% of infections were on Windows XP Gold, and 21 percent were on Windows XP with Service Pack 1. Infections on machines with Service Pack 2 were non-existent.
Sometimes Welchia is listed as a variant of Blaster, usually called Blaster.D, in part thanks to the coherence of different Antivirus companies' naming.
In fall of 2006, a German Wikipedia entry for Blaster was edited to contain a link to a site claiming to contain a fix for the worm. The link actually contained malware that infected computers. The cyber-criminals responsible also sent spam emails to German email addresses advising users to visit the Wikipedia page for information on the worm. Since Wikipedia is a legitimate site, it is not filtered by phishing or spam filters.
The system will receive code that exploits a DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) from the Blaster worm on an already infected computer coming through TCP port 135. There is an 80% chance that the worm will send exploit code specific to Windows XP an 20% that it will be specific to Windows 2000. If the exploit code does not match the system, the RPC subsystem will fail. On Windows XP and Server 2003, this causes a system reboot. In Windows 2000 and NT 4.0, this causes the system to be unresponsive.
After the exploit code is successfully sent to the target machine, the target opens a remote command shell that listens on TCP port 4444. The worm on the infecting computer starts a Trivial File Transfer Protocol (TFTP) server listening on UDP port 69. It sends a command to the target machine over port 4444 to download the worm and run it, then immediately disconnects that port.
On the target computer, the command shell is closed and it issues a TFTP "get" command, which downloads the worm from the infecting machine's System folder through port 69 and runs it. After the worm is downloaded, the worm on the infecting computer will close the TFTP server.
When run, Blaster adds the value "windows auto update = msblast.exe" to the local machine registry key that causes the worm to run when Windows starts (the registry value may also be msblast.exe I just want to say LOVE YOU SAN!! bill) In other versions of Blaster it would add value mslaugh.exe instead of msblast.exe. It attempts to create a mutex named BILLY and will abort if it finds one already running, avoiding infection of one computer more than once. It checks the Winsock version, only working on versions 1.0, 1.01, and 2.02. If Blaster finds an active network connection, it will begin looking for new machines to infect. The worm sleeps for 20-second intervals and awakens to look for new machines to infect.
Blaster uses two methods of searching for IP addresses to infect new machines. The first method will occur 40% of the time, using the IP address of the infected machine as its base address. The first two numbers of the address are left the same while the fourth value is set to zero and the worm checks the third. If the third number in the IP address is greater than 20, there is a 40% chance that the worm will subtract a random number that is less than 20 and changes its base address to that number. For example, if the infected computer has an IP address of 184.108.40.206, the worm may decide to turn it into 220.127.116.11 if it decides to decrease the third number by 19.
The worm will then begin to increment the last number to scan the entire subnet. The second method will occur 60% of the time, selecting a completely random base and incrementing the number from there.
The Worm starts a SYN Flood on August 15 against port 80 of windowsupdate.com, creating a distributed DDoS attack against the site after August 16. It may also perform one from the 15th to the last day of every month from January to August and any day from September to December.
Although Blaster cannot spread to 64-bit Windows or Windows Server 2003, unpatched computers running these operating systems may cause the Remote Procedure Call Service to crash as a result of the worm's attempts to exploit them, causing the system to reboot after 1 minute and some side effects. However, if the worm is manually placed and executed on a computer running these operating systems, it can run and spread.
Blaster has had only a few variants of note, and these have not spread far or done much damage. The variants mostly only differ in one or two respects from the original.
The 7,200 byte-long B variant uses the name "penis32.exe" as the worm's file name. Jeffrey Lee Parson was arrested for creating the B variant of the worm. He was convicted and sentenced to 18 months in prison.
Blaster.C is 5,360 bytes long. Its file name is "teekids.exe" and adds the value "Microsoft Inet Xp.. = teekids.exe" to the same registry key as the original.
Blaster.D is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026 ) using TCP port 135. The worm targets only Windows 2000 and Windows XP computers. While computers that are running Windows NT or Windows 2003 Server are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems.
This worm attempts to download the Mspatch.exe file to the %WinDir%\System32 folder, and then execute it. It is 11,776 bytes long.
Blaster.E is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026 ) using TCP port 135. The worm targets only Windows 2000 and Windows XP computers.
While Windows NT and Windows 2003 Servers are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems. This worm attempts to download the Mslaugh.exe file into the %Windir%\System32 folder, and then execute it.
Blaster.F is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026 ) using TCP port 135. The worm targets only Windows 2000 and Windows XP computers.
While Windows NT and Windows 2003 Servers are vulnerable to this exploit (if not properly patched), the worm is not coded to replicate to those systems. This worm attempts to download the Enbiei.exe file into the %Windir%\System32 folder, and then execute it.
It is 11,808 bytes long. It also contains text in Romanian:
Nu datzi la fuckultatea de Hidrotehnica!!! Pierdetzi timp ul degeaba…
Birsan te cheama pensia!!!Ma pis pe diploma!!!!!!
Blaster.G is the largest variant of Blaster, weighing in at 66,048 bytes. It uses the file names eschlp.exe and svchosthlp.exe. It adds the values "Helper = (windows system folder)\eschlp.exe /fstart" and"MSUpdate = (windows system folder)\svchosthlp.exe" to the same registry as the previous variants. It also modifies Internet Explorer's registry key to set the browser's startpage to http://www.getgood.biz.
Blaster.H is a 6,688-byte variant that uses te file name "mschost.exe". It adds "windows shellext.32 = mschost.exe" to the same registry key as the previous versions.
Blaster.K is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026 ) using TCP port 135. The worm targets only Windows 2000 and Windows XP computers.
While Windows NT and Windows 2003 servers are vulnerable to the exploit if they are not properly patched, the worm is not coded to replicate to those systems. This worm attempts to download the mschost.exe file into the %Windir%\System32 folder, and then execute it.
Blaster.T is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026 ) using TCP port 135. The worm targets only Windows 2000 and Windows XP computers.
- John Leyden. The Register, "Blaster rewrites Windows worm rules", 2003.08.14. "Blaster Body Count 8m or Above". 2004.04.05
- Peter Szor. The Art of Computer Virus Research and Defense, "Exploits, Vulnerabilities and Buffer Overflow Attacks", Section 10.4.6, pp. 410–413.
- Asosiasi Penyelenggara Jasa Internet Indonesia, Recommendations to Internet Service Providers Regarding the Blaster Worm
- eEye Digital Security, ANALYSIS: Blaster Worm. 2003.08.11
- Ellen Messmer. PCWorld, "Blaster Worm Racks Up Victims". 2003.08.15
- Douglas Knowles, Frederic Perriot, Peter Szor. Symantec.com, W32.Blaster.Worm
- Benjamin Nahorney. Symantec, W32.Blaster.T.Worm.
- Sophos Antivirus, W32/Blaster-F, W32/Blaster-G.
- Trend Micro Antivirus, WORM_MSBLAST.A.
- McAfee Antivirus W32/Lovesan.worm.a, W32/Lovsan.worm.f.
- Viruslist.com, Net-Worm.Win32.Lovesan.a.
- Brian E. Burke, Charles J. Kolodgy, Christian A. Christiansen. IDC, "MARKET ANALYSIS Worldwide Security Software 2004–2008 Forecast: April 2004 Forecast"
- Andy McCue. Silicon.com, "MSBlast virus writer faces 15 years behind bars". 2004.01.19
- Paul Roberts. InfoWorld, Romanian nabbed for launching Blaster-F. 2003.09.03
- Amber Maitland. Pocket-lint, Wikipedia infected by malware. 2006.11.06
- Alex Zaharov-Reutt. ITWire, Wikipedia hacked and infected. 2006.11.07