Blaster (computer worm)
== Creation and effects ==
According to court papers, the original Blaster was created after security researchers from the Chinese group {{Proper name|Xfocus}} [[reverse engineering|reverse engineered]] the original Microsoft patch that allowed for execution of the attack.<ref>{{cite web |first=Iain |last=Thomson |url=http://www.vnunet.com/vnunet/news/2123165/fbi-arrests-stupid-blaster-b-suspect |title=FBI arrests 'stupid' Blaster.B suspect |publisher=[[Incisive Media|vnunet.com]] |date=2003-09-01 |url-status=dead |archive-url=https://web.archive.org/web/20081101140521/http://www.vnunet.com/vnunet/news/2123165/fbi-arrests-stupid-blaster-b-suspect |archive-date=2008-11-01 |access-date=2018-11-03}}</ref> The worm spreads by exploiting a [[buffer overflow]] discovered by the Polish security research group Last Stage of Delirium<ref name="able2know">{{cite web |url=https://able2know.org/topic/10489-1 |title=MSBlast W32.Blaster.Worm / LovSan :: removal instructions |publisher=able2know.org |date=2003-08-12 |access-date=2018-11-03}}</ref> in the [[Distributed Component Object Model|DCOM]] [[Remote procedure call|RPC]] service on the affected operating systems, for which a patch had been released one month earlier in MS03-026<ref name="ms03-026">{{cite web |title=Microsoft Security Bulletin MS03-026 - Critical |url=https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026 |website=learn.microsoft.com |language=en-us |date=1 March 2023}}</ref> (CVE-2003-0352) and later in MS03-039.<ref name="ms03-039">{{cite web |title=Microsoft Security Bulletin MS03-039 - Critical |url=https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-039 |website=learn.microsoft.com |language=en-us |date=1 March 2023}}</ref> This allowed the worm to spread without users opening attachments simply by spamming itself to large numbers of random IP addresses.
Four versions have been detected in the wild.<ref name="Symantec">{{cite web |url=https://www.symantec.com/security-center/writeup/2003-081113-0229-99 |archive-url=https://web.archive.org/web/20180517223833/https://www.symantec.com/security-center/writeup/2003-081113-0229-99 |url-status=dead |archive-date=May 17, 2018 |title=W32.Blaster.Worm |publisher=Symantec |date=2003-12-09 |access-date=2018-11-03}}</ref> These are the most well-known exploits of the original flaw in RPC, but there were in fact another 12 different vulnerabilities that did not see as much media attention.<ref name="ISSLifecycle">{{cite web |title=The Lifecycle of a Vulnerability |year=2005 |publisher=Internet Security Systems, Inc. |url=http://www.iss.net/documents/whitepapers/ISS_Vulnerability_Lifecycle_Whitepaper.pdf |url-status=dead |archive-url=https://web.archive.org/web/20161224172843/http://www.iss.net/documents/whitepapers/ISS_Vulnerability_Lifecycle_Whitepaper.pdf |archive-date=2016-12-24 |access-date=2018-11-03}}</ref>

The worm was programmed to start a [[SYN flood]] against port 80 of [[Microsoft Update|windowsupdate.com]] if the system date is after August 15 and before December 31, and after the 15th day of other months, thereby creating a [[distributed denial of service attack]] (DDoS) against the site.<ref name="Symantec" /> The damage to Microsoft was minimal as the site targeted was windowsupdate.com, rather than windowsupdate.microsoft.com, to which the former was redirected. Microsoft temporarily shut down the targeted site to minimize potential effects from the worm.{{citation needed|date=September 2013}}

The worm's executable, MSBlast.exe,<ref>{{cite web |url=https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Msblast.A |access-date=2018-11-03 |title=Worm:Win32/Msblast.A |publisher=Microsoft Corporation}}</ref> contains two messages. The first reads:
<blockquote>
I just want to say LOVE YOU SAN!!
</blockquote>
This message gave the worm the alternative name of Lovesan. The second reads:
<blockquote>
billy gates why do you make this possible ? Stop making money<br />
and fix your software!!
</blockquote>
This is a message to [[Bill Gates]], the [[co-founder]] of Microsoft and the target of the worm.

The worm also creates the following [[Windows Registry|registry]] entry so that it is launched every time Windows starts:
<blockquote>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ windows auto update=msblast.exe
</blockquote>
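
A defender-side check for the Run entry described above, as an added example that is not part of the original article: it parses the text output of <code>reg query</code> for the Run key and flags a value whose name or executable matches the entry quoted in the article. The sample output is constructed, the four-space column separator is an assumption about the tool's output format, and matching on the executable name alone goes slightly beyond the exact entry shown.

```python
import re

# Indicators taken from the registry entry quoted in the article.
BLASTER_VALUE_NAME = "windows auto update"
BLASTER_IMAGE = "msblast.exe"

# Assumed `reg query` value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Return (name, type, data) for every value line in `reg query` output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"].strip()))
    return entries

def image_name(command):
    """Lower-cased file name of the executable a Run command line starts."""
    m = re.match(r'"?(.+?\.exe)', command.strip(), re.IGNORECASE)
    path = m.group(1) if m else command.strip()
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_blaster_persistence(text):
    """Flag Run values matching the article's value name or executable name."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        reasons = []
        if name.lower() == BLASTER_VALUE_NAME:  # value names are case-insensitive
            reasons.append("value name")
        if image_name(data) == BLASTER_IMAGE:
            reasons.append("image name")
        if reasons:
            findings.append((name, data, reasons))
    return findings

# Constructed sample output (not taken from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    windows auto update    REG_SZ    msblast.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
"""

if __name__ == "__main__":
    for name, data, reasons in find_blaster_persistence(SAMPLE):
        print(f"SUSPICIOUS Run value {name!r} -> {data!r} ({', '.join(reasons)})")
```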