What is the Blaster Worm?

Jeremy Laukkonen

The blaster worm was a piece of self-propagating malware that first spread over the Internet in 2003. Within a few days of its appearance in early August of 2003, the worm had infected several hundred thousand Windows-based computers. The blaster worm was not a zero-day attack, as it exploited a security hole that had actually been patched in July of that year. Computers that already had the patch were not vulnerable, and those that could successfully download it were then protected from further exploitation. One of the functions that the blaster worm carried out was to use infected computers in a series of distributed denial of service (DDoS) attacks on the servers responsible for providing the security patches.

A computer worm is malicious software that creates copies to spread itself.

In July of 2003, Microsoft® released a security patch relating to the distributed component object model (DCOM) remote procedure call (RPC) protocol. Hacker groups were able to reverse engineer the patch to discover and then exploit the vulnerability it was meant to fix. They designed a worm using a file called MSblast.exe, which is where the name blaster comes from.

The blaster worm was designed to propagate directly through the Internet, and did not require a user to download a file or open an attachment. Once a computer was infected, the worm would contact a large number of Internet protocol (IP) addresses on port 135. If a vulnerable Windows XP® machine was contacted in this manner, the worm could replicate itself and then repeat the process.

One consequence of blaster worm infection was participation in a timed DDoS attack. Each infected computer was set to direct a large amount of traffic at the servers responsible for distributing patches. These attacks depended on the local clock of the infected computer, resulting in a continuous wave of excess traffic directed at the servers. This strategy prompted eventual changes to the way these update systems work, so that critical patches would remain available in the face of future attacks.

Once the nature of the infection was discovered, many Internet service providers (ISPs) began to block traffic on port 135. This effectively stopped the propagation of the worm across these ISPs, though a large number of machines had already been infected. As cleanup operations began, a number of variants began to appear. Of these variants, one used the same exploits to attempt a forced patch of the problem. This has been referred to as a helpful worm, despite the fact that it resulted in a number of problems of its own.
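The propagation pattern described above (one host contacting many addresses on port 135 in a short time) is what ISPs and administrators could look for before resorting to a blanket port block. The following is an added example, not code from the original article: a small detector that reads constructed outbound connection-log lines (the log format, addresses and thresholds are assumptions for illustration) and flags any source that reached an unusual number of distinct hosts on port 135 within a sliding time window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection-log lines (not real traffic).
# Format assumed for this example: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-11T16:00:01 10.0.0.5 -> 10.0.0.9:80
2003-08-11T16:00:02 10.0.0.7 -> 192.168.1.1:135
2003-08-11T16:00:02 10.0.0.7 -> 192.168.1.2:135
2003-08-11T16:00:03 10.0.0.7 -> 192.168.1.3:135
2003-08-11T16:00:03 10.0.0.7 -> 192.168.1.4:135
2003-08-11T16:00:04 10.0.0.7 -> 192.168.1.5:135
2003-08-11T16:00:05 10.0.0.5 -> 10.0.0.10:135
2003-08-11T16:10:00 10.0.0.7 -> 192.168.1.6:135
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_port135_scanners(log_text, window_seconds=60, min_targets=5):
    """Return {src_ip: distinct_target_count} for every source that contacted
    at least `min_targets` distinct hosts on port 135 inside any window of
    `window_seconds`. A single legitimate DCOM/RPC connection is not flagged;
    fan-out to many hosts in a short time is the worm-like signal."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, dport = parse_line(line)
        if dport == 135:
            events[src].append((ts, dst_ip))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # sliding window needs chronological order
        lo = 0
        for hi in range(len(hits)):
            # Advance the window start until it lies within window_seconds of hits[hi]
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_seconds:
                lo += 1
            distinct = len({dst for _, dst in hits[lo:hi + 1]})
            if distinct >= min_targets:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

In the sample, 10.0.0.7 reaches five distinct hosts on port 135 within three seconds and is flagged, while 10.0.0.5 makes a single port-135 connection and is not.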
