Blaster
Type: Internet worm
Creator:
Date Discovered: 2003.08.11
Place of Origin:
Source Language: C
Platform: MS Windows
File Type(s): .exe
Infection Length:
Reported Costs: $320 Million

The Blaster worm, also known as Lovesan, created havoc in the late summer of 2003 with widespread Distributed Denial of Service (DDoS) attacks, with damage totaling in the hundreds of millions of dollars. It is also notable for two hidden text strings: one that says "I just want to say LOVE YOU SAN!" (from which it receives one of its aliases) and a message to Microsoft CEO Bill Gates. It appeared less than a month before one of the major variants of the Sobig worm.

Behavior

A target system receives code that exploits a DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) from the Blaster worm on an already infected computer, arriving through TCP port 135. There is an 80% chance that the worm will send exploit code specific to Windows XP and a 20% chance that it will be specific to Windows 2000. If the exploit code does not match the system, the RPC subsystem will fail. On Windows XP and Server 2003, this causes a system reboot. On Windows 2000 and NT 4.0, this causes the system to become unresponsive.

After the exploit code is successfully sent to the target machine, the target opens a remote command shell that listens on TCP port 4444. The worm on the infecting computer starts a Trivial File Transfer Protocol (TFTP) server listening on UDP port 69. It sends a command to the target machine over port 4444 to download the worm and run it, then immediately disconnects that port.

On the target computer, the command shell is closed and it issues a TFTP "get" command, which downloads the worm from the infecting machine's system folder through port 69 and runs it. After the worm is downloaded, the worm on the infecting computer will close the TFTP server.
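
The infection sequence described above (TCP 135, then TCP 4444, then a TFTP request from the target back to the infecting machine on UDP 69) can be matched in network flow records. The following is an added example, not part of the original article; the flow record layout, the 120-second window, the sweep threshold and the sample addresses are assumptions constructed for illustration.

```python
from collections import namedtuple, defaultdict

# Assumed flow record: start time (s), protocol, source IP, destination IP, destination port.
Flow = namedtuple("Flow", "ts proto src dst dport")

def find_infection_chains(flows, window=120):
    """Return (infector, target, ts) for each TCP 135 -> TCP 4444 -> reverse UDP 69 chain.

    window (seconds) is an assumed bound on the whole exchange, not a value from the article.
    """
    rpc, shell, hits = {}, {}, []
    for f in sorted(flows, key=lambda f: f.ts):
        pair = (f.src, f.dst)
        if f.proto == "tcp" and f.dport == 135:
            rpc[pair] = f.ts                      # step 1: exploit code delivered
        elif f.proto == "tcp" and f.dport == 4444:
            if pair in rpc and f.ts - rpc[pair] <= window:
                shell[pair] = rpc.pop(pair)       # step 2: remote command shell contacted
        elif f.proto == "udp" and f.dport == 69:
            back = (f.dst, f.src)                 # step 3: target fetches from the infector
            if back in shell and f.ts - shell[back] <= window:
                hits.append((back[0], back[1], f.ts))
                del shell[back]
    return hits

def sweep_sources(flows, min_targets=3):
    """Sources contacting at least min_targets distinct hosts on TCP 135 (assumed threshold)."""
    seen = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            seen[f.src].add(f.dst)
    return sorted(s for s, d in seen.items() if len(d) >= min_targets)

# Constructed sample flows (not real traffic).
SAMPLE = [
    Flow(0, "tcp", "10.0.0.5", "10.0.0.8", 135),    # probe only
    Flow(1, "tcp", "10.0.0.5", "10.0.0.9", 135),    # full chain starts
    Flow(2, "tcp", "10.0.0.5", "10.0.0.9", 4444),
    Flow(3, "udp", "10.0.0.9", "10.0.0.5", 69),     # target pulls file from infector
    Flow(4, "tcp", "10.0.0.5", "10.0.0.10", 135),   # probe only
    Flow(5, "tcp", "10.0.0.7", "10.0.0.20", 4444),  # 4444 with no prior 135
    Flow(6, "udp", "10.0.0.20", "10.0.0.7", 69),    # TFTP with no matching chain
    Flow(500, "udp", "10.0.0.8", "10.0.0.5", 69),   # late TFTP, no 4444 step seen
]

if __name__ == "__main__":
    print(find_infection_chains(SAMPLE))
    print(sweep_sources(SAMPLE))
```

Requiring all three steps in order, with the last one reversed in direction, keeps ordinary TFTP or port 4444 traffic from matching on its own.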

When run, Blaster adds the value "windows auto update = msblast.exe" to the local machine registry key that causes the worm to run when Windows starts (the registry value may also be msblast.exe). It attempts to create a mutex named BILLY and will abort if it finds one already running, avoiding infection of one computer more than once. It checks the Winsock version, only working on versions 1.0, 1.01, and 2.02. If Blaster finds an active network connection, it will begin looking for new machines to infect. The worm sleeps for 20-second intervals and awakens to look for new machines to infect.

Blaster uses two methods of choosing IP addresses when searching for new machines to infect. The first method is used 40% of the time and takes the IP address of the infected machine as its base address. The first two numbers of the address are left the same, the fourth is set to zero, and the worm checks the third. If the third number is greater than 20, there is a 40% chance that the worm will subtract a random number less than 20 from it and use the result in its base address. For example, if the infected computer has an IP address of 201.27.173.80, the worm may turn it into 201.27.154.0 if it decides to decrease the third number by 19. The worm then increments the last number to scan the entire subnet. The second method is used 60% of the time, selecting a completely random base address and incrementing from there.

The worm starts a SYN flood on August 15 against port 80 of windowsupdate.com, creating a DDoS attack against the site after August 16. It may also perform one from the 15th to the last day of every month from January to August and on any day from September to December.

Blaster cannot spread to Windows NT or Windows Server 2003, but unpatched computers running these operating systems may crash as a result of the worm's attempts to exploit them. However, if the worm is manually placed and executed on a computer running these operating systems, it can run and spread.

Effects

The Blaster worm shut down CSX, the largest railroad system in the Eastern U.S., for hours, crippled the new Navy/Marine Corps intranet, shut down Air Canada's check-in system and has been implicated in the severity of the Northeast blackout. The Maryland Motor Vehicle Administration shut its offices for the day because its systems were so severely affected by Blaster that it could no longer continue as normal. Other organizations reportedly suffering network slowdowns or worse because of the worm include German car manufacturer BMW, Swedish telco TeliaSonera, the Federal Reserve Bank of Atlanta and Philadelphia's City Hall. Damage totaled $320 million.

Symantec believes that 188,000 computers were infected with the worm by the afternoon of August 13, two days after the worm's discovery. Microsoft believes that between 8 and 16 million computers were infected with Blaster. Some systems may have been counted more than once, as the figures were based on the number of submissions of the worm received.

Name

Blaster gets its most often used name from the file that it drops in the Windows System folder, msblast.exe. Its second name, Lov(e)san, comes from the "I LOVE YOU SAN" line in the worm. A few sources also call this worm Poza.

Antivirus Aliases

  • ALWIL: Win32:Blaster
  • Avira: Worm/Lovsan.A
  • Bullguard:
  • CA: Win32.Poza
  • ClamAV: Worm.Blaster.A
  • Doctor Web: Win32.HLLW.LoveSan.based
  • Eset: Win32/Lovsan.A
  • F-Prot: W32/Msblast.A
  • F-Secure: Lovsan.A
  • Grisoft: Worm/Lovsan.A
  • Kaspersky Lab: Net-Worm.Win32.Lovesan.a, Worm.Win32.Lovesan.a
  • McAfee: W32/Lovsan.worm.a
  • Panda: W32/Blaster
  • RAV: Win32/Msblast.A
  • SOFTWIN: Worm.Lovesan.A
  • Sophos: W32/Blaster-A
  • Symantec: W32.Blaster.Worm
  • Trend Micro: WORM_MSBLAST.A

Other Facts

As late as December 2005, new infections of the worm were still being found, with 500 to 800 infections per day. This is mostly because of machines that had yet to be patched. 79% of infections were on Windows XP Gold, and 21% were on Windows XP with Service Pack 1. Infections on machines with Service Pack 2 were non-existent.

Sometimes Welchia is listed as a variant of Blaster, usually called Blaster.D, in part thanks to the coherence of different Antivirus companies' naming.

In fall of 2006, a German Wikipedia entry for Blaster was edited to contain a link to a site claiming to contain a fix for the worm. The link actually contained malware that infected computers. The cyber-criminals responsible also sent spam emails to German email addresses advising users to visit the Wikipedia page for information on the worm. Since Wikipedia is a legitimate site, it is not filtered by phishing or spam filters.

Variants

Blaster has had only a few variants of note, and these have not spread far or done much damage. The variants mostly only differ in one or two respects from the original.

Blaster.B

The 7,200 byte-long B variant uses the name "penis32.exe" as the worm's file name. Jeffrey Lee Parson was arrested for creating the B variant of the worm. He was convicted and sentenced to 18 months in prison.

Blaster.C

Blaster.C is 5,360 bytes long. Its file name is "teekids.exe" and it adds the value "Microsoft Inet Xp.. = teekids.exe" to the same registry key as the original.

Blaster.D

This variant uses the file name "mspatch.exe" and adds the value "Nonton Antivirus = mspatch.exe" to the same registry key as the previous versions. It is 11,776 bytes long.

Blaster.E

The E variant of Blaster uses the file name "mslaugh.exe" and adds the value "windows automation = mslaugh.exe" to the same registry key as the original.

Blaster.F

This variant uses the file name enbiei.exe and adds the value "www.hidro.4t.com = enbiei.exe" to the same registry key as the original. It is 11,808 bytes long. It also contains text in Romanian:

Nu datzi la fuckultatea de Hidrotehnica!!! Pierdetzi timp ul degeaba…
Birsan te cheama pensia!!!Ma pis pe diploma!!!!!!

The text translates into "Don't go to the Hydrotechnics faculty!!! You are wasting your time… Birsan, your pension awaits!!! I urinate on the diploma!!!!!!"

This variant came from Romania in September of 2003 and was confined to the intranet of a Romanian university. Dan Dumitru Ciobanu, the creator, faces 15 years in prison if convicted of "unlawful possession of a program and disturbing a computer system".

Blaster.G

Blaster.G is the largest variant of Blaster, weighing in at 66,048 bytes. It uses the file names eschlp.exe and svchosthlp.exe. It adds the values "Helper = (windows system folder)\eschlp.exe /fstart" and "MSUpdate = (windows system folder)\svchosthlp.exe" to the same registry key as the previous variants. It also modifies Internet Explorer's registry key to set the browser's start page to http://www.getgood.biz.

Blaster.H

Blaster.H is a 6,688-byte variant that uses the file name "mschost.exe". It adds "windows shellext.32 = mschost.exe" to the same registry key as the previous versions.
