SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-08-15


Blaster Worm Update - Power Outage

Published: 2003-08-15
Last Updated: 2003-08-15 15:20:06 UTC
by Handlers (Version: 1)
0 comment(s)

Microsoft decided to no longer resolve ''. The Blaster worm
will not start its DDOS attack as a result. '' and
'' continue to be reachable.

As the traffic caused by 'blaster' started to show a decrease, a widespread
power outage across the Northeastern US caught everyone's attention. From news
coverage, there is no relation between blaster and the power outage. However,
the extent and duration of the power outage caused numerous ISPs across the
northeastern US and Canada to shut down until power was restored.

Based on BGP routing table size, a number of networks are still not reachable as
of this morning (Aug. 15th).

(see prior 'diaries' for more analysis)

Blaster Popup Ad

One 'popup ad' has been spotted that attempts to look similar to the popup
message shown if the RPC DCOM service shuts down. This popup message attempts
to trick users into buying software to clean and protect their computer.

Blaster DDOS

During the day today, we expect the DDOS against '' to start.
However, the 'Windows Update' function should still work, as it uses
''. If you are operating a larger network, we
recommend that you monitor traffic to ''. The traffic will use spoofed source IPs. The last two octets of the source IP will be spoofed.

Infected machines will only start the DDOS attack after they have been rebooted. If a machine is scanning right now, it will continue to scan.

Blaster DDOS Mitigation

If traffic to '' exceeds reasonable levels, block the respective IPs. As this host is not used for regular updates, users will still be able to reach the actual update site.

Monitor traffic to port 135 and 4444 to spot infected machines. This traffic will not be spoofed. Block port 135 as close to end users as possible to avoid further spread of the virus. Do not block port 4444 for larger networks with a diverse user base, as it is used for some critical applications. The port 4444 traffic will be of no consequence if port 135 is blocked.

The DDOS target is no longer resolving in at least some networks. As a result, the worm will not start its DDOS attack.
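As an added example (not from the diary or the ISC), the two checks above applied to constructed NetFlow-style records: unspoofed port 135 probing identifies the infected host directly, while DDOS traffic is grouped by its first two source octets, which the worm does not spoof and which therefore point at the /16 to search. The target address, destination port and all sample addresses are placeholders.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample flows: (src_ip, dst_ip, dst_port). Documentation-range
# addresses only; DDOS_TARGET stands in for the hostname the diary omits, and
# the destination port of the flood is assumed, not taken from the diary.
DDOS_TARGET = "203.0.113.10"  # placeholder
FLOWS = [
    ("192.0.2.17", "198.51.100.1", 135),
    ("192.0.2.17", "198.51.100.2", 135),
    ("192.0.2.17", "198.51.100.3", 135),
    ("192.0.2.17", "198.51.100.4", 135),
    ("192.0.2.17", "198.51.100.2", 4444),  # follow-up connection, same source
    ("192.0.2.99", "198.51.100.7", 135),   # a single RPC lookup, benign
    ("192.0.2.200", DDOS_TARGET, 80),      # last two octets spoofed...
    ("192.0.2.13", DDOS_TARGET, 80),       # ...but 192.0.x.x is the real /16
    ("192.0.77.5", DDOS_TARGET, 80),
    ("10.9.8.7", DDOS_TARGET, 80),         # a second infected /16
]


def find_scanners(flows, min_targets=3):
    """Return sources contacting at least min_targets distinct hosts on
    port 135. The scan traffic is not spoofed, so each source returned is
    the infected machine itself."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port == 135:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


def ddos_sources_by_prefix(flows, target):
    """Count flows toward the DDOS target per first-two-octet prefix.
    Only the last two octets are spoofed, so the prefix identifies the
    network holding a rebooted, now-attacking machine."""
    counts = Counter()
    for src, dst, _port in flows:
        if dst == target:
            a, b, _, _ = ip_address(src).packed  # first two octets are real
            counts[f"{a}.{b}.0.0/16"] += 1
    return dict(counts)


if __name__ == "__main__":
    print("port 135 scanners:", find_scanners(FLOWS))
    print("DDOS source /16s:", ddos_sources_by_prefix(FLOWS, DDOS_TARGET))
```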


We expect to reduce the infocon from Yellow to Green later today, as 'Blaster' is currently in steady state. No widespread infrastructure issues are expected at this point.
