
The Blaster Worm (also called Lovesan or MSBlast, depending on the variant) was a computer worm that infected users running Windows XP and Windows 2000. It began spreading on August 11, 2003. The number of infections peaked only two days later; ISP filtering and publicity about the worm then slowed its spread. A short while later, on August 29, Jeffrey Lee Parson was arrested for creating a variant of the Blaster Worm. He took responsibility for the attack and was sentenced to 18 months in prison.
Court papers show that the original Blaster was created by a Chinese cracking collective known as Xfocus, after they reverse engineered the Microsoft patch for the flaw that made the attack possible.
The worm spread by taking advantage of a buffer overflow in the DCOM RPC service. This let the worm spread without getting users to open an attachment: by spamming itself to random IP addresses, it filled up a buffer that did not have correct bounds checking. This allowed the attacker to write past the buffer in memory and add their own code. When the function returned, the pointer it relied on led to the malicious code, which began executing its commands. Four separate versions of the worm have been detected.
The worm also created an entry in the Windows registry that caused the program to execute on startup.
In addition to attacking other users, the worm was programmed to perform a Distributed Denial of Service (DDoS) attack against Microsoft's windowsupdate.com. The damage to Microsoft was minimal, since windowsupdate.com simply redirected users to windowsupdate.microsoft.com. Microsoft shut down windowsupdate.com for a short period of time to minimize the effects.
The source code of Blaster contained two separate messages. The first was "I just want to say LOVE YOU SAN!!", which is why the worm was also called 'Lovesan'. The second was addressed to Bill Gates: "bill gates why do you make this possible ? Stop making money and fix your software!!".
Although this worm can only spread on systems running Windows 2000 and 32-bit Windows XP, it can cause Windows NT, 64-bit Windows XP, and Windows Server 2003 to crash. The worm cannot spread on Windows Server 2003 because that system was compiled with the /GS switch, which allows buffer overflows to be detected and the affected process terminated. But because of this, an infection attempt causes the system to terminate the RPC service. The system cannot function without this service, and will restart to fix the problem. This would happen only a few minutes after starting up the machine.
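An added example (not from the original post, and not the real RPC service code) that models the behaviours described in the buffer-overflow paragraph and in the /GS paragraph above: a copy with no bounds check that overruns into the rest of the frame, the bounds-checked copy the patch provides, and a /GS-style cookie check that detects the overrun before the saved return address is trusted. The frame layout, cookie value, return address and over-long input are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 16-byte model of a stack frame (not real Windows RPC code):
 * bytes 0-7 local buffer, 8-11 /GS-style security cookie, 12-15 saved return address. */
#define BUF_SIZE   8
#define COOKIE_OFF 8
#define RET_OFF    12
#define FRAME_SIZE 16
typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;
static const uint32_t COOKIE   = 0xC0FFEE01u; /* assumed fixed cookie for the demo */
static const uint32_t GOOD_RET = 0x00401000u; /* placeholder legitimate return address */
/* Constructed over-long request: 16 bytes aimed at an 8-byte buffer (plus a NUL). */
static const unsigned char OVERSIZED[] = "too long for buf";

static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void frame_init(frame_t *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + COOKIE_OFF, &COOKIE, 4);
    memcpy(f->bytes + RET_OFF, &GOOD_RET, 4);
}

/* The bug class behind Blaster: input copied into a fixed buffer with no bounds check,
 * so it runs on over the cookie and the return address slot. (Clamped to the frame
 * only so the model itself stays within defined behaviour.) */
static void copy_unchecked(frame_t *f, const unsigned char *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, in, len);
}

/* The patched behaviour: input that does not fit the buffer is rejected. */
static int copy_checked(frame_t *f, const unsigned char *in, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(f->bytes, in, len);
    return 0;
}

/* What /GS adds: the cookie is verified before the saved return address is trusted. */
static int cookie_intact(const frame_t *f) { return rd32(f->bytes + COOKIE_OFF) == COOKIE; }
static int ret_intact(const frame_t *f)    { return rd32(f->bytes + RET_OFF) == GOOD_RET; }

/* Feed the first len bytes of OVERSIZED to the service. Outcome: 0 = clean return,
 * 1 = cookie check failed (/GS terminates the process: the Server 2003 crash),
 * 2 = return address silently overwritten (the XP/2000 case the worm relied on). */
static int simulate(int bounds_checked, int gs_enabled, size_t len) {
    frame_t f; frame_init(&f);
    if (bounds_checked) copy_checked(&f, OVERSIZED, len); else copy_unchecked(&f, OVERSIZED, len);
    if (gs_enabled && !cookie_intact(&f)) return 1;
    return ret_intact(&f) ? 0 : 2;
}
```

Run with the three configurations to see the same split the post describes: unpatched XP/2000 returns into the overwritten slot, Server 2003 with /GS dies on the cookie check, and the patched copy leaves the frame untouched.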