News

Blaster Worm Exploits RPC DCOM Vulnerability

• By Scott Bekker
• August 11, 2003

The worm goes by the name MS Blast (ISS X-Force), Blaster (Symantec and Sophos), Win32.Poza (Computer Associates) or Lovsan (McAfee and F-Secure). Symantec rated the urgency of the worm as "high," although most other anti-virus vendors deemed it a medium threat.

By exploiting a hole in Windows, the worm spreads without requiring any action from a user such as opening an e-mail or visiting a Web site. It does not appear to have a damaging payload, although it is set to begin a Distributed Denial of Service attack against Microsoft's Windows Update Web site starting Saturday and lasting through the end of the year.

Security experts have been waiting for a worm based on the Windows vulnerability since Microsoft put out bulletin MS03-026, "Buffer Overrun in RPC Interface Could Allow Code Execution," on July 16. The patch fixed a flaw that allows an attacker to exploit a buffer overrun vulnerability over the Internet to take Local System level control of an affected machine. Vulnerable versions of Windows included Windows 2000, Windows XP, Windows NT 4.0 and Windows Server 2003.

Exploit code based on the vulnerability was published to the Web by at least three groups within a week of Microsoft's security bulletin. Microsoft took the unusual step of e-mailing customers outside of its normal security bulletin alert service and plastered warnings to users to download the fix all over the Microsoft.com Web site. An ISS alert on Monday warned that "hundreds of thousands of computers may still be vulnerable."

Most anti-virus vendors that provided analysis of the worm on Monday maintained that an internal algorithm caused the worm to scan for and attack only Windows XP systems 80 percent of the time and only Windows 2000 systems 20 percent of the time. Without elaboration, Trend Micro's bulletin, however, said the worm also runs and propagates on Windows NT.

Once inside a vulnerable machine, Blaster adds "MSBLAST.EXE" to the registry so it always launches at startup. If the date is later than Aug. 15 and earlier than Dec. 31, it will launch a TCP-based Denial of Service attack against windowsupdate.com. Outside of that date range, it will launch attacks against the Windows Update site after the 15th of every month. The worm is capable of nearly continuous attacks against the update site.

The internal algorithm determines whether the worm will attack Windows 2000 or Windows XP, then another algorithm selects the range of IP addresses the worm will attack. Blaster establishes an FTP service listening on port 69, then scans port 135 on 20 different IP addresses. On any successful connections, Blaster sets up a remote command shell on the victim machine, connects to the remote shell on port 4444 and instructs the remote machine to download and execute the 6 KB MSBLAST.EXE from the attacking host. From there the process starts all over on the victim machine.

With its lack of a damaging payload, Blaster could serve as the warning shot that many users need to get their systems patched before a far more malicious worm based on the vulnerability hits the Web.

Several anti-virus vendors had removal tools posted to their Web sites.