Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-08-14 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Blaster Worm Update

Published: 2003-08-14
Last Updated: 2003-08-14 22:18:41 UTC
by Handlers (Version: 1)
0 comment(s)
Summary

At this point, the Internet Storm Center is tracking in excess of 150,000 machines
infected with the Blaster worm. The total number of infected machines is suspected to be significantly higher.

for our earlier analysis of the worm, see

http://isc.sans.org/diary.html?date=2003-08-11

Variants

As of yesterday (Aug. 13th), anti virus vendors found two variants of blaster. At this point, neither variant behaves dramatically different and neither variant is as wide spread as the original msblaster version. However, note that these variants use different file names and registry key entries.

Variations that install backdoors have been reported. It is not clear at this point if these are variants of the 'sdbot' based massrooters which had been spotted over the last 2+ weeks

Code Analysis

Chris Ream provided a detailed source analysis of the code

http://isc.sans.org/Analysis_of_MSBLAST.pdf (PDF File)
Cleanup

Cleanup of infected machines is proceeding slowly. We strongly recommend a complete rebuild of infected machines. The RPC DCOM vulnerability has been used by widespread attack tools for over two weeks before blaster was released. Current virus removal tools will only remove the blaster worm and a few versions of the tools used prior to blaster. Even if you remove the exploit code, you may still be left with backdoors installed by one of the massrooter exploits.

Infrastructure Impact

At this point, no wide spread internet connectivity issues are associated to blaster. However, on Saturday, blaster infected machines will launch a DDOS attack against Microsoft update side. As a result, networks with large numbers of infected hosts may experience problems.

Infocon Outlook

We expect to remain at infocon 'yellow' while awaiting the impact of the DDOS.
The DDOS is expected to hit 'windowsupdate.com'. From preliminary testing, it looks like Windows systems should still be able to retrieve updates, as usually
'windowsupdate.microsoft.com' is used by the automated update scripts.
Keywords:
0 comment(s)
Diary Archives