Summary
At this point, the Internet Storm Center is tracking in excess of 150,000 machines infected with the Blaster worm. The total number of infected machines is suspected to be significantly higher. For our earlier analysis of the worm, see http://isc.sans.org/diary.html?date=2003-08-11

Variants
As of yesterday (Aug. 13th), anti-virus vendors had found two variants of Blaster. At this point, neither variant behaves dramatically differently from the original, and neither is as widespread as the original msblaster version. However, note that these variants use different file names and registry key entries, so checks written against the original's names may miss them. Variants that install backdoors have been reported. It is not clear at this point whether these are variants of the 'sdbot'-based massrooters which had been spotted over the last 2+ weeks.

Code Analysis
Chris Ream provided a detailed source analysis of the code: http://isc.sans.org/Analysis_of_MSBLAST.pdf (PDF file)

Cleanup
Cleanup of infected machines is proceeding slowly. We strongly recommend a complete rebuild of infected machines. The RPC DCOM vulnerability had been used by widespread attack tools for over two weeks before Blaster was released. Current virus removal tools will only remove the Blaster worm and a few versions of the tools used prior to Blaster. Even if you remove the exploit code, you may still be left with backdoors installed by one of the massrooter exploits, since a clean result from a removal tool only shows that the specific code it recognizes is gone, not that the machine was never compromised by an earlier tool.

Infrastructure Impact
At this point, no widespread Internet connectivity issues are associated with Blaster. However, on Saturday (Aug. 16th), Blaster-infected machines will launch a DDoS attack against the Microsoft update site. As a result, networks with large numbers of infected hosts may experience problems from the outbound attack traffic itself.

Infocon Outlook
We expect to remain at Infocon 'yellow' while awaiting the impact of the DDoS. The DDoS is expected to hit 'windowsupdate.com'. From preliminary testing, it looks like Windows systems should still be able to retrieve updates, as the automated update scripts usually use 'windowsupdate.microsoft.com' rather than 'windowsupdate.com'.
Handlers, Aug 14th 2003