{{Short description|2003 Windows computer worm}}
{{Infobox computer virus
| fullname = Blaster
| image = File:Blaster hex dump.png
| caption = [[Hex dump]] of the Blaster worm, showing a message left for [[Microsoft]] founder [[Bill Gates]] by the programmer
| common_name =
| technical_name = As '''Blaster'''
* Worm.Win32.Blaster (Global Hauri)
* W32/Blaster (Norman)
* W32/Blaster ([[Sophos]])
* W32.Blaster.Worm ([[NortonLifeLock|Symantec]])
As '''Lovsan'''
* Lovsan ([[F-secure]])
* W32/Lovsan.worm ([[McAfee]])
As '''MSBLAST'''
* Worm.Win32.Blaster (Global Hauri)
* Win32/Msblast (Microsoft)
* WORM_MSBLAST ([[Trend Micro]])
* Win32.Poza (CA)
* Blaster (Panda)
| aliases = Lovsan, Lovesan, MSBlast
| family =
| classification =
| type = [[Computer worm|Worm]]
| subtype =
| isolation_date = August 11, 2003
| origin = Minnesota (B variant only)
| infection_vector = Network: [[buffer overflow]] in the DCOM RPC service, reached over TCP port 135
| author = Jeffrey Lee Parson (B variant only)
| ports_used = TCP 135 ([[Remote Procedure Call|RPC]]/DCOM)
| OS = [[Windows XP]] and [[Windows 2000]]
}}
'''Blaster''' (also known as '''Lovsan''', '''Lovesan''', or '''MSBlast''') was a [[computer worm]] that spread on computers running the [[Windows XP]] and [[Windows 2000]] [[operating system]]s during August 2003.<ref>{{cite web |url=http://www.cert.org/advisories/CA-2003-20.html |title=CERT Advisory CA-2003-20: W32/Blaster worm |publisher=CERT/CC |date=2003-08-14 |url-status=dead |archive-url=https://web.archive.org/web/20141017130853/http://www.cert.org/historical/advisories/CA-2003-20.cfm |archive-date=2014-10-17 |access-date=2018-11-03}}</ref> The worm was first noticed, and began spreading, on August 11, 2003. Its rate of spread increased until the number of infections peaked on August 13, 2003.

Once a network (such as a company or university) had one infected machine, the worm spread far more quickly inside that network, because firewalls typically blocked TCP port 135 at the perimeter but did not block it between internal machines.<ref name="support.microsoft.com">{{cite web |title=MS03-026: Buffer Overrun in RPC May Allow Code Execution |url=https://support.microsoft.com/en-us/help/823980/ms03-026-buffer-overrun-in-rpc-may-allow-code-execution |publisher=Microsoft Corporation |work=Microsoft Support |access-date=2018-11-03}}</ref> Filtering of that port by ISPs and widespread publicity about the worm curbed its spread. In September 2003, Jeffrey Lee Parson, an 18-year-old from [[Hopkins, Minnesota]], was indicted for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month [[prison]] term in January 2005.<ref name="infoworld">{{cite web |date=2005-01-28 |url=https://www.justice.gov/archive/criminal/cybercrime/press-releases/2005/parsonSent.htm|title=Minnesota Man Sentenced to 18 Months in Prison for Creating and Unleashing a Variant of the MS Blaster Computer Worm|publisher=[[United States Department of Justice]] |access-date=2021-02-17}}</ref> The author of the original A variant remains unknown.
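The following C program is an added example, not code from Blaster, Microsoft or CERT: it flags the internal propagation pattern described above, one host opening TCP port 135 connections to many distinct peers in a short time, as a firewall or NetFlow export would show it. The flow records are constructed inline and assumed to be time-ordered; the record format, the addresses, and the threshold of 20 distinct targets inside a 60-second window are assumptions, not values from any vendor's signature.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define RPC_PORT        135
#define SWEEP_THRESHOLD 20   /* assumed: this many distinct TCP/135 targets ... */
#define WINDOW_SECONDS  60   /* assumed: ... within this many seconds is a sweep */
#define MAX_SOURCES     32
#define MAX_TARGETS     64

typedef struct {
    uint32_t    t;         /* seconds since the start of the capture */
    const char *src;
    const char *dst;
    int         dport;
    int         syn_only;  /* 1 = SYN without ACK, i.e. a connection attempt */
} flow_t;

typedef struct {
    const char *src;
    uint32_t    window_start;
    int         ntargets;
    const char *targets[MAX_TARGETS];
    int         flagged;
} tracker_t;

static tracker_t *find_or_add(tracker_t *tr, int *n, const char *src) {
    for (int i = 0; i < *n; i++)
        if (strcmp(tr[i].src, src) == 0) return &tr[i];
    if (*n >= MAX_SOURCES) return NULL;     /* table full: ignore new sources */
    tracker_t *t = &tr[(*n)++];
    memset(t, 0, sizeof *t);
    t->src = src;
    return t;
}

static int seen_target(const tracker_t *t, const char *dst) {
    for (int i = 0; i < t->ntargets; i++)
        if (strcmp(t->targets[i], dst) == 0) return 1;
    return 0;
}

/* Counts distinct TCP/135 targets per source in a tumbling window and flags a
 * source the first time it reaches SWEEP_THRESHOLD. Returns the number of
 * flagged sources; up to out_max of their addresses are written to out. */
size_t detect_rpc_sweeps(const flow_t *flows, size_t nflows,
                         const char **out, size_t out_max) {
    tracker_t tr[MAX_SOURCES];
    int n = 0;
    size_t nflagged = 0;
    for (size_t i = 0; i < nflows; i++) {
        const flow_t *f = &flows[i];
        if (f->dport != RPC_PORT || !f->syn_only) continue;   /* only 135 attempts */
        tracker_t *t = find_or_add(tr, &n, f->src);
        if (t == NULL) continue;
        if (t->ntargets == 0 || f->t - t->window_start > WINDOW_SECONDS) {
            t->window_start = f->t;         /* open a fresh window for this source */
            t->ntargets = 0;
        }
        if (!seen_target(t, f->dst) && t->ntargets < MAX_TARGETS)
            t->targets[t->ntargets++] = f->dst;
        if (t->ntargets >= SWEEP_THRESHOLD && !t->flagged) {
            t->flagged = 1;
            if (nflagged < out_max) out[nflagged] = f->src;
            nflagged++;
        }
    }
    return nflagged;
}

/* Constructed sample: ordinary SMB and DCOM traffic that must not be flagged,
 * then 10.0.0.5 trying 25 consecutive addresses on TCP/135 in 25 seconds. */
#define N_SWEEP 25
static char sweep_dst[N_SWEEP][16];

size_t build_sample(flow_t *out, size_t out_max) {
    size_t n = 0;
    if (out_max < N_SWEEP + 4) return 0;
    out[n++] = (flow_t){ 100, "10.0.0.7", "10.0.0.20", 445, 1 };  /* file server */
    out[n++] = (flow_t){ 101, "10.0.0.9", "10.0.0.21", 135, 1 };  /* legitimate DCOM */
    out[n++] = (flow_t){ 102, "10.0.0.9", "10.0.0.22", 135, 1 };
    for (int i = 0; i < N_SWEEP; i++) {
        snprintf(sweep_dst[i], sizeof sweep_dst[i], "10.0.1.%d", i + 1);
        out[n++] = (flow_t){ 110 + (uint32_t)i, "10.0.0.5", sweep_dst[i], 135, 1 };
    }
    out[n++] = (flow_t){ 140, "10.0.0.5", "10.0.1.30", 80, 1 };   /* web, ignored */
    return n;
}

/* Run the detector over the sample; returns how many sources were flagged. */
size_t sample_flagged_count(void) {
    flow_t flows[64]; const char *hits[8];
    return detect_rpc_sweeps(flows, build_sample(flows, 64), hits, 8);
}

/* The first flagged source in the sample, or "" if none. */
const char *sample_first_flagged(void) {
    flow_t flows[64]; const char *hits[8];
    return detect_rpc_sweeps(flows, build_sample(flows, 64), hits, 8) ? hits[0] : "";
}

int main(void) {
    printf("flagged %zu source(s); first: %s\n",
           sample_flagged_count(), sample_first_flagged());
    return 0;
}
```

The two legitimate DCOM connections from 10.0.0.9 stay below the threshold, so only the sweeping host is reported; on a real network the threshold would be tuned against the normal fan-out of management hosts that genuinely talk DCOM to many machines.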
== Creation and effects ==
According to court papers, the original Blaster was created after security researchers from the Chinese group {{Proper name|Xfocus}} [[reverse engineering|reverse engineered]] the Microsoft patch, which revealed enough about the flaw to allow an attack to be built.<ref>{{cite web |first=Iain |last=Thomson |url=http://www.vnunet.com/vnunet/news/2123165/fbi-arrests-stupid-blaster-b-suspect |title=FBI arrests 'stupid' Blaster.B suspect |publisher=[[Incisive Media|vnunet.com]] |date=2003-09-01 |url-status=dead |archive-url=https://web.archive.org/web/20081101140521/http://www.vnunet.com/vnunet/news/2123165/fbi-arrests-stupid-blaster-b-suspect |archive-date=2008-11-01 |access-date=2018-11-03}}</ref> The worm spreads by exploiting a [[buffer overflow]], discovered by the Polish security research group Last Stage of Delirium,<ref name="able2know">{{cite web |url=https://able2know.org/topic/10489-1 |title=MSBlast W32.Blaster.Worm / LovSan :: removal instructions |publisher=able2know.org |date=2003-08-12 |access-date=2018-11-03}}</ref> in the [[Distributed Component Object Model|DCOM]] [[Remote procedure call|RPC]] service of the affected operating systems. A patch had been released one month earlier in MS03-026<ref name="ms03-026">{{cite web |title=Microsoft Security Bulletin MS03-026 - Critical |url=https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026 |website=learn.microsoft.com |language=en-us |date=1 March 2023}}</ref> (CVE-2003-0352), and was later superseded by MS03-039, which fixed further flaws in the same service.<ref name="ms03-039">{{cite web |title=Microsoft Security Bulletin MS03-039 - Critical |url=https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-039 |website=learn.microsoft.com |language=en-us |date=1 March 2023}}</ref> Because the flaw was in a network service listening on TCP port 135, the worm needed no user interaction at all: it connected to large numbers of randomly chosen IP addresses and, on each unpatched host it reached, sent an RPC request that triggered the overflow and ran the worm's code.

Four variants have been detected in the wild.<ref name="Symantec">{{cite web |url=https://www.symantec.com/security-center/writeup/2003-081113-0229-99 |archive-url=https://web.archive.org/web/20180517223833/https://www.symantec.com/security-center/writeup/2003-081113-0229-99 |url-status=dead |archive-date=May 17, 2018 |title=W32.Blaster.Worm |publisher=Symantec |date=2003-12-09 |access-date=2018-11-03}}</ref> They are the best-known exploits of the original RPC flaw, but the ISS vulnerability-lifecycle study counts another 12 distinct exploits of the same flaw that drew far less media attention.<ref name="ISSLifecycle">{{cite web |title=The Lifecycle of a Vulnerability |year=2005 |publisher=internet Security Systems, Inc. |url=http://www.iss.net/documents/whitepapers/ISS_Vulnerability_Lifecycle_Whitepaper.pdf |url-status=dead |archive-url=https://web.archive.org/web/20161224172843/http://www.iss.net/documents/whitepapers/ISS_Vulnerability_Lifecycle_Whitepaper.pdf |archive-date=2016-12-24 |access-date=2018-11-03}}</ref>

The worm was programmed to launch a [[SYN flood]] against port 80 of [[Microsoft Update|windowsupdate.com]] on the 16th day of the month or later for the months January through August, and on every day from September through December, so that the infected machines together formed a [[distributed denial of service attack]] (DDoS) against the site.<ref name="Symantec" /> The damage to Microsoft was minimal, because the worm targeted windowsupdate.com rather than windowsupdate.microsoft.com, the real site to which the former merely redirected. Microsoft temporarily took the targeted hostname offline to minimize the potential effect of the worm.{{citation needed|date=September 2013}}

The worm's executable, MSBlast.exe,<ref>{{cite web |url=https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Msblast.A |access-date=2018-11-03 |title=Worm:Win32/Msblast.A |publisher=Microsoft Corporation}}</ref> contains two messages. The first reads:
<blockquote>
I just want to say LOVE YOU SAN!!
</blockquote>
This message gave the worm the alternative name Lovesan. The second reads:
<blockquote>
billy gates why do you make this possible ? Stop making money<br />
and fix your software!!
</blockquote>
This is a message to [[Bill Gates]], the [[co-founder]] of Microsoft and the target of the worm.

The worm also creates the following [[Windows Registry|registry]] value so that it is launched every time Windows starts:
<blockquote>
<code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</code><br />
<code>windows auto update = msblast.exe</code>
</blockquote>
A machine can therefore be checked for infection by looking for a value named "windows auto update" under that Run key, or for the file msblast.exe in the Windows system directory; removing the value and the file without patching does not prevent reinfection, because the RPC service remains exploitable.

== Timeline ==
* May 28, 2003: Microsoft releases a [[Patch (computing)|patch]] for the WebDAV vulnerability that [[Welchia]] would later use. (Welchia used the same RPC DCOM exploit as MSBlast, and fell back to the WebDAV method only after 200,000 RPC DCOM attack attempts.)<ref>{{cite web |title=The Welchia Worm |pages=14, 17 |url=https://www.giac.org/paper/gcih/517/welchia-worm/105720 |format=PDF |date=2003-12-18 |first=Gene |last=Bransfield |access-date=2018-11-03}}</ref><ref>{{cite web |title=Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493) |url=https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-013 |access-date=2018-11-03}}</ref>
* July 5, 2003: Timestamp of the patch that Microsoft releases on July 16.<ref name="support.microsoft.com"/>
* July 16, 2003: Microsoft releases the patch (MS03-026) that protects users from the as-yet-unknown MSBlast, together with a bulletin describing the vulnerability.<ref name="support.microsoft.com"/><ref>{{cite web |title=Flaw In Microsoft Windows RPC Implementation |url=http://www.iss.net/threats/147.html |date=2003-07-16 |url-status=dead |archive-url=https://web.archive.org/web/20160304023343/http://www.iss.net/threats/147.html |archive-date=2016-03-04}}</ref>
* Around July 16, 2003: White hat hackers create proof-of-concept code verifying that unpatched systems are vulnerable. The code is not released.<ref name="able2know" />
* July 17, 2003: CERT/CC releases a warning and suggests blocking port 135.<ref name="cert.org">{{cite web |url=http://www.cert.org/historical/advisories/CA-2003-16.cfm |title=Buffer Overflow in Microsoft RPC |url-status=dead |archive-url=https://web.archive.org/web/20140715013109/http://www.cert.org/historical/advisories/CA-2003-16.cfm |archive-date=2014-07-15 |date=2003-08-08 |access-date=2018-11-03}}</ref>
* July 21, 2003: CERT/CC suggests also blocking ports 139 and 445.<ref name="cert.org"/>
* July 25, 2003: {{Proper name|xFocus}} releases information on how to exploit the RPC bug that the July 16 patch fixes.<ref>{{cite web|title=The Analysis of LSD's Buffer Overrun in Windows RPC Interface |url=http://www.xfocus.org/documents/200307/2.html |date=2003-07-25 |url-status=dead |archive-url=https://web.archive.org/web/20180217063837/http://www.xfocus.org/documents/200307/2.html |archive-date=2018-02-17 |access-date=2018-11-03}}</ref>
* August 1, 2003: The U.S. government issues an alert to be on the lookout for malware exploiting the RPC bug.<ref name="able2know" />
* Sometime before August 11, 2003: Other malware using the RPC exploit exists.<ref name="ISSLifecycle" />
* August 11, 2003: The original version of the worm appears on the Internet.<ref name="infoworld.com">{{cite news |title=Blaster worm spreading, experts warn of attack |url=https://www.infoworld.com/article/2677291/security/blaster-worm-spreading--experts-warn-of-attack.html |date=2003-08-12 |first=Paul F. |last=Roberts |newspaper=InfoWorld |access-date=2018-11-03}}</ref>
* August 11, 2003: Symantec Antivirus releases a rapid release protection update.<ref name="Symantec" />
* August 11, 2003, evening: Antivirus and security firms issue alerts to run Windows Update.<ref name="infoworld.com"/>
* August 12, 2003: The number of infected systems is reported at 30,000.<ref name="infoworld.com"/>
* August 13, 2003: Two new worms appear and begin to spread: a variant of MSBlast, as reported by Sophos, and W32/RpcSpybot-A, an unrelated worm that uses the same exploit.<ref>{{cite web |title=New Blaster worm variant on the loose |url=https://www.infoworld.com/article/2677200/application-development/new-blaster-worm-variant-on-the-loose.html |date=2003-08-13 |first=Paul F. |last=Roberts |publisher=InfoWorld |access-date=2018-11-03}}</ref>
* August 15, 2003: The number of infected systems is reported at 423,000.<ref>{{cite web |title=Blaster worm attack a bust |url=https://www.infoworld.com/article/2677039/security/blaster-worm-attack-a-bust.html |date=2003-08-18 |first=Paul F. |last=Roberts |publisher=InfoWorld |access-date=2018-11-03}}</ref>
* August 16, 2003: The DDoS attack against windowsupdate.com starts. (Largely unsuccessful, because that hostname is merely a redirect to the real site, windowsupdate.microsoft.com.)<ref name="infoworld.com"/>
* August 18, 2003: Microsoft issues an alert regarding MSBlast and its variants.<ref>{{cite web |title=Virus alert about the Blaster worm and its variants |url=https://support.microsoft.com/en-us/help/826955 |publisher=Microsoft Corporation |work=Microsoft Support |access-date=2018-11-03}}</ref>
* August 18, 2003: The related [[Anti-worm|helpful worm]] [[Welchia]] appears on the Internet.<ref name="SymantecWelchia">{{cite web |title=W32.Welchia.Worm |url=https://www.symantec.com/security-center/writeup/2003-081815-2308-99 |archive-url=https://web.archive.org/web/20180903194250/https://www.symantec.com/security-center/writeup/2003-081815-2308-99 |url-status=dead |archive-date=September 3, 2018 |date=2017-08-11 |access-date=2018-11-03 |publisher=Symantec}}</ref>
* August 19, 2003: Symantec upgrades its risk assessment of Welchia to "high" (category 4).<ref>{{cite news |last=Naraine |first=Ryan |title='Friendly' Welchia Worm Wreaking Havoc |url=http://www.internetnews.com/ent-news/article.php/3065761/Friendly+Welchia+Worm+Wreaking+Havoc.htm |access-date=2018-11-03 |publisher=InternetNews.com |date=2003-08-19}}</ref>
* August 25, 2003: McAfee lowers its risk assessment to "Medium".<ref name="Virus Profile: W32/Lovsan.worm.a">{{cite web |title=Virus Profile: W32/Lovsan.worm.a |url=https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=100547 |date=2003-08-11 |publisher=[[McAfee]] |access-date=2018-11-03}}</ref>
* August 27, 2003: A potential DDoS attack against HP is discovered in one variant of the worm.<ref name="Symantec" />
* January 1, 2004: Welchia deletes itself.<ref name="SymantecWelchia" />
* January 13, 2004: Microsoft releases a stand-alone tool to remove the MSBlast worm and its variants.<ref>{{cite web|title=A tool is available to remove Blaster worm and Nachi worm infections from computers that are running Windows 2000 or Windows XP |url=http://support.microsoft.com/kb/833330 |url-status=dead |archive-url=https://web.archive.org/web/20140806204101/http://support.microsoft.com/kb/833330 |archive-date=2014-08-06 |publisher=Microsoft Corporation |work=Microsoft Support |access-date=2018-11-03}}</ref>
* February 15, 2004: A variant of the related worm Welchia is discovered on the Internet.<ref>{{cite web |title=W32.Welchia.C.Worm |url=https://www.symantec.com/security-center/writeup/2004-021513-4624-99 |archive-url=https://web.archive.org/web/20181103214906/https://www.symantec.com/security-center/writeup/2004-021513-4624-99 |url-status=dead |archive-date=November 3, 2018 |publisher=Symantec |date=2007-02-13 |access-date=2018-11-03}}</ref>
* February 26, 2004: Symantec lowers its risk assessment of the Welchia worm to "Low" (category 2).<ref name="SymantecWelchia" />
* March 12, 2004: McAfee lowers its risk assessment to "Low".<ref name="Virus Profile: W32/Lovsan.worm.a"/>
* April 21, 2004: A "B" variant is discovered.<ref name="Virus Profile: W32/Lovsan.worm.a"/>
* January 28, 2005: The creator of the B variant of MSBlast is sentenced to 18 months in prison.<ref>{{cite web |title=Minnesota Man Sentenced to 18 Months in Prison for Creating and Unleashing a Variant of the MS Blaster Computer Worm|url=https://www.justice.gov/criminal/cybercrime/press-releases/2005/parsonSent.htm |date=2005-01-28 |url-status=dead |archive-url=https://web.archive.org/web/20140714174209/http://www.justice.gov/criminal/cybercrime/press-releases/2005/parsonSent.htm |archive-date=2014-07-14 |access-date=2018-11-03}}</ref>

== Side effects ==
Although the worm can only spread on systems running [[Windows 2000]] or [[Windows XP]], it can cause instability in the [[Remote procedure call|RPC]] service on systems running other versions of [[Windows NT]], including [[Windows Server 2003]] and [[Windows XP Professional x64 Edition]].
In particular, the worm does not spread on Windows Server 2003, because that system was compiled with the /GS switch. The compiler places a security cookie on the stack between a function's local buffers and its saved return address, and checks the cookie before the function returns; the worm's overflow overwrites the cookie on its way to the return address, so the check fails and the RPCSS process is terminated before the corrupted return address can be used. The attack therefore ends in a crash instead of code execution.<ref>{{cite web |url=https://blogs.msdn.microsoft.com/michael_howard/2004/05/23/why-blaster-did-not-infect-windows-server-2003/ |title=Why Blaster did not infect Windows Server 2003 |publisher=Microsoft Corporation |work=Microsoft Developer |first=Michael |last=Howard |date=2004-05-23 |access-date=2018-11-03}}</ref> When a machine is hit by the exploit, the buffer overflow causes the RPC service to crash, leading Windows to display the following message and then automatically reboot, usually after 60 seconds.<ref>{{cite web |url=https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_msblast.a |title=Worm_MSBlast.A |publisher=TrendMicro.com |access-date=2018-11-03}}</ref>
{{cquote|1=System Shutdown: This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM Time before shutdown: hours:minutes:seconds Message: Windows must now restart because the Remote Procedure Call (RPC) Service terminated unexpectedly. }}
This was the first indication many users had of an infection; on compromised machines it often occurred a few minutes after every startup.
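The following C program is an added example, not Microsoft's /GS implementation and not the worm's exploit: it models a /GS-protected stack frame as a flat byte array, so that the same unchecked copy can be run with and without the cookie check. It shows why the overflow that hijacks the return address on Windows 2000 and XP only terminates the process on Server 2003, and the caveat that the check detects nothing if the attacker already knows the cookie value. The frame layout, the cookie value and the two addresses are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Modelled frame, low address to high: local buffer, /GS cookie, return address. */
enum { BUF_SIZE = 16, COOKIE_OFF = BUF_SIZE, RET_OFF = COOKIE_OFF + 4, FRAME_SIZE = RET_OFF + 8 };
typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

typedef enum { RET_OK, RET_HIJACKED, PROCESS_TERMINATED } outcome_t;

static const uint32_t SECURITY_COOKIE = 0x9A3C51E7u;   /* random per process in real /GS; fixed here (assumption) */
static const uint64_t LEGIT_RET       = 0x00401230ull; /* assumed address of the real caller */
static const uint64_t ATTACKER_RET    = 0x7ffa1234ull; /* assumed address the overflow redirects to */

static uint32_t rd32(const frame_t *f, size_t off) { uint32_t v; memcpy(&v, f->bytes + off, 4); return v; }
static uint64_t rd64(const frame_t *f, size_t off) { uint64_t v; memcpy(&v, f->bytes + off, 8); return v; }

/* Prologue: clear the locals, plant the cookie, record the return address. */
static void prologue(frame_t *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + COOKIE_OFF, &SECURITY_COOKIE, 4);
    memcpy(f->bytes + RET_OFF, &LEGIT_RET, 8);
}

/* The bug class: a copy into a fixed buffer with no length check. The copy is
 * clamped to the modelled frame so this program itself stays memory-safe. */
static void copy_unchecked(frame_t *f, const uint8_t *in, size_t len) {
    memcpy(f->bytes, in, len > FRAME_SIZE ? FRAME_SIZE : len);
}

/* Epilogue: with /GS the cookie is compared before the return address is used. */
outcome_t run_frame(const uint8_t *in, size_t len, int gs_enabled) {
    frame_t f;
    prologue(&f);
    copy_unchecked(&f, in, len);
    if (gs_enabled && rd32(&f, COOKIE_OFF) != SECURITY_COOKIE)
        return PROCESS_TERMINATED;   /* the security-failure path that took RPCSS down */
    return rd64(&f, RET_OFF) == LEGIT_RET ? RET_OK : RET_HIJACKED;
}

/* Constructed input that fits in the buffer. */
outcome_t scenario_benign(int gs) {
    const uint8_t in[] = "hello";
    return run_frame(in, sizeof in, gs);
}

/* Constructed overflow: fill the buffer, trample the cookie, replace the return address. */
outcome_t scenario_overflow(int gs) {
    uint8_t in[FRAME_SIZE];
    memset(in, 'A', FRAME_SIZE);
    memcpy(in + RET_OFF, &ATTACKER_RET, 8);
    return run_frame(in, sizeof in, gs);
}

/* Caveat: /GS only notices a changed cookie. If the value has leaked, the
 * attacker writes it back in place and the check passes. */
outcome_t scenario_overflow_known_cookie(int gs) {
    uint8_t in[FRAME_SIZE];
    memset(in, 'A', FRAME_SIZE);
    memcpy(in + COOKIE_OFF, &SECURITY_COOKIE, 4);
    memcpy(in + RET_OFF, &ATTACKER_RET, 8);
    return run_frame(in, sizeof in, gs);
}

int main(void) {
    static const char *names[] = { "return ok", "return hijacked", "process terminated" };
    printf("no /GS, overflow:         %s\n", names[scenario_overflow(0)]);
    printf("/GS,    overflow:         %s\n", names[scenario_overflow(1)]);
    printf("/GS,    overflow+cookie:  %s\n", names[scenario_overflow_known_cookie(1)]);
    return 0;
}
```

The "process terminated" outcome is the Server 2003 behaviour described above: the worm's request still crashes RPCSS and triggers the shutdown countdown, so /GS turned a remote code execution into a denial of service, not into a harmless failure.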
A simple way to stop the countdown is to run the command <code>shutdown /a</code>,<ref>{{cite web |url=http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&docname=c00035757&lc=en |title=Blaster Worm-Virus or Its Variants Cause the Computer to Shutdown with an NT AUTHORITY\SYSTEM Error Message Regarding Remote Procedure Call (RPC) Service |publisher=[[Hewlett-Packard|HP]] |work=HP Consumer Support |url-status=dead |archive-url=https://web.archive.org/web/20141110185841/http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&docname=c00035757&lc=en |archive-date=2014-11-10 |access-date=2018-11-03}}</ref> which aborts the pending shutdown, although it has side effects such as an empty (without users) Welcome Screen.<ref>{{cite web |title=Blaster Worm |date=6 September 2011 |url=https://www.techopedia.com/definition/27295/blaster-worm |publisher=Techopedia |access-date=2018-11-03}}</ref> Aborting the shutdown does not remove the infection or close the hole: the machine must still be patched and cleaned, or the RPC service will crash again on the next attack. The [[Welchia]] worm had a similar effect. Months later, the [[Sasser (computer worm)|Sasser worm]] surfaced, which caused a similar message to appear.

== See also ==
* [[Conficker]]
* [[Timeline of computer viruses and worms]]
* [[List of convicted computer criminals]]
* [[Zeus (malware)]]

== References ==
{{reflist|30em}}

{{Hacking in the 2000s|collapsed}}

[[Category:Windows malware]]
[[Category:Exploit-based worms]]
[[Category:Hacking in the 2000s]]