Blaster Worm Exploits RPC DCOM Vulnerability

The first worm, which exploits the juicy RPC DCOM vulnerability in Windows that Microsoft released a patch for last month, went into the wild on Monday, crashing vulnerable computers, slowing down local subnets and sending scanning traffic on port 135 through the roof.

The worm goes by the name MS Blast (ISS X-Force), Blaster (Symantec and Sophos), Win32.Poza (Computer Associates) or Lovsan (McAfee and F-Secure). Symantec rated the urgency of the worm as "high," although most other anti-virus vendors deemed it a medium threat.

By exploiting a hole in Windows, the worm spreads without requiring any action from a user such as opening an e-mail or visiting a Web site. It does not appear to have a damaging payload, although it is set to begin a Distributed Denial of Service attack against Microsoft's Windows Update Web site starting Saturday and lasting through the end of the year.

Security experts have been waiting for a worm based on the Windows vulnerability since Microsoft put out bulletin MS03-026, "Buffer Overrun in RPC Interface Could Allow Code Execution," on July 16. The patch fixed a flaw that allows an attacker to exploit a buffer overrun vulnerability over the Internet to take Local System level control of an affected machine. Vulnerable versions of Windows included Windows 2000, Windows XP, Windows NT 4.0 and Windows Server 2003.

Exploit code based on the vulnerability was published to the Web by at least three groups within a week of Microsoft's security bulletin. Microsoft took the unusual step of e-mailing customers outside of its normal security bulletin alert service and plastered warnings to users to download the fix all over the Microsoft.com Web site. An ISS alert on Monday warned that "hundreds of thousands of computers may still be vulnerable."

Most anti-virus vendors that provided analysis of the worm on Monday maintained that an internal algorithm caused the worm to scan for and attack only Windows XP systems 80 percent of the time and only Windows 2000 systems 20 percent of the time. Without elaboration, Trend Micro's bulletin, however, said the worm also runs and propagates on Windows NT.

Once inside a vulnerable machine, Blaster adds "MSBLAST.EXE" to the registry so it always launches at startup. If the date is later than Aug. 15 and earlier than Dec. 31, it will launch a TCP-based Denial of Service attack against windowsupdate.com. Outside of that date range, it will launch attacks against the Windows Update site after the 15th of every month. The worm is capable of nearly continuous attacks against the update site.

The internal algorithm determines whether the worm will attack Windows 2000 or Windows XP, then another algorithm selects the range of IP addresses the worm will attack. Blaster establishes an FTP service listening on port 69, then scans port 135 on 20 different IP addresses. On any successful connections, Blaster sets up a remote command shell on the victim machine, connects to the remote shell on port 4444 and instructs the remote machine to download and execute the 6 KB MSBLAST.EXE from the attacking host. From there the process starts all over on the victim machine.
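The propagation sequence just described (a burst of port 135 probes, a shell on port 4444, then the victim pulling MSBLAST.EXE from the attacker's port 69 listener) is something a network defender can correlate in connection logs. The following is an added example written for this article, not code from the article or from any anti-virus vendor; the log line format and the sample addresses are constructed for illustration.

```python
"""Flag Blaster-style propagation in constructed firewall connection logs."""
from collections import defaultdict


def parse_line(line):
    """Parse '<ts> <src> <dst> <proto> <dport> <action>' (a constructed format).

    Returns None for lines that do not match, so malformed input is skipped."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    ts, src, dst, proto, dport, action = parts
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "action": action}


def find_suspects(lines, scan_threshold=20):
    """Return {src: info} for hosts that look infected.

    'propagating' = opened tcp/4444 on a host that then fetched from its port 69;
    'scanning'    = probed tcp/135 on at least scan_threshold distinct hosts
                    (default 20, the batch size the article describes)."""
    probed = defaultdict(set)    # src -> distinct destinations probed on tcp/135
    shells = defaultdict(set)    # src -> destinations where it opened tcp/4444
    fetchers = defaultdict(set)  # serving host -> clients that connected to its port 69
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "tcp" and rec["dport"] == 135:
            probed[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "tcp" and rec["dport"] == 4444:
            shells[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 69:
            fetchers[rec["dst"]].add(rec["src"])
    verdicts = {}
    for src in set(probed) | set(shells):
        scanned = len(probed[src])
        victims = shells[src] & fetchers[src]   # got a shell AND pulled the binary
        if victims:
            verdicts[src] = {"scanned": scanned, "verdict": "propagating",
                             "victims": sorted(victims)}
        elif scanned >= scan_threshold:
            verdicts[src] = {"scanned": scanned, "verdict": "scanning", "victims": []}
    return verdicts


def build_sample_log():
    """Constructed sample, not a real capture: 10.0.0.5 acts infected, 10.0.0.9 is a normal RPC client."""
    lines = [f"2003-08-11T10:00:{i:02d} 10.0.0.5 10.0.1.{i + 1} tcp 135 allow" for i in range(20)]
    lines += ["2003-08-11T10:00:21 10.0.0.5 10.0.1.7 tcp 4444 allow",  # shell on the victim
              "2003-08-11T10:00:22 10.0.1.7 10.0.0.5 udp 69 allow",    # victim fetches from attacker
              "2003-08-11T10:01:00 10.0.0.9 10.0.2.10 tcp 135 allow",  # ordinary RPC use
              "2003-08-11T10:01:05 10.0.0.9 10.0.2.11 tcp 135 allow"]
    return lines


if __name__ == "__main__":
    for src, info in find_suspects(build_sample_log()).items():
        print(src, info)
```

Feeding real firewall or NetFlow exports requires only replacing parse_line with one that understands that export's columns; the correlation logic is unchanged.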

With its lack of a damaging payload, Blaster could serve as the warning shot that many users need to get their systems patched before a far more malicious worm based on the vulnerability hits the Web.

Several anti-virus vendors had removal tools posted to their Web sites.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
