Blaster is a worm that affects users of Microsoft Windows NT-based operating systems - from NT 4 onwards. Therefore, users of Windows 95, 98, and ME are safe, whereas 2000, XP and 2003 are all affected. Symantec and Microsoft both refer to the worm as W32.Blaster.Worm; Lovsan is the name used by McAfee. Like all worms, it works by crawling into an open port on your computer, and then using it as a host from which to propagate itself; worms can infect a machine without any user interaction at all. Symptoms of Blaster include sudden, frequent reboots, and your computer failing to respond to input. Another symptom that I noticed is getting error messages about svchost shutting down. Granted, this could be just down to your choice of operating system...;)

Blaster exploits a known vulnerability (buffer overflow, inevitably) in one of DCOM's RPC API calls. This vulnerability allows anyone who exploits it to execute arbitrary code on the compromised machine. Blaster attacks through TCP ports 4444 and 135 and UDP port 69; as soon as it has infected a machine, it basically starts a DoS attack on windowsupdate.com [1] (to try to prevent the user from downloading a patch), and then starts generating IP addresses to try to attack next. Blaster contains the following text (although it is never displayed):

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible? Stop making money and fix your software!!

Infection can be prevented by running a firewall on your machine, or by downloading the patch issued by Microsoft to fix the vulnerability. Microsoft have also issued a utility for use by network admins to check which machines in a network may be vulnerable. Most anti-virus software should be able to find and remove Blaster from your system, as can the tool issued by Symantec.
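The paragraph above mentions checking a network for vulnerable or infected machines. As an added example (not from the original writeup, and not Microsoft's or Symantec's tool), here is a small Python script that runs over firewall log lines and flags hosts whose traffic matches the port pattern the writeup describes: many connections to TCP 135 from one source (the worm generating addresses to attack next), plus TCP 4444 and UDP 69. The log format, the hostnames and all addresses are constructed for the example; the threshold of five distinct port-135 targets is an arbitrary choice, and attributing a UDP 69 flow to its destination (the host serving the file) rather than its source is an assumption made for this sample data.

```python
import re
from collections import defaultdict

# Ports named in the writeup: TCP 135 (DCOM RPC), TCP 4444, UDP 69 (TFTP).
BLASTER_PORTS = {("tcp", 135), ("tcp", 4444), ("udp", 69)}

# Constructed log format (hypothetical, not any real firewall's syntax):
#   <timestamp> <ALLOW|DROP> proto=<tcp|udp> src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+proto=(?P<proto>tcp|udp)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we cannot read."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines, scan_threshold=5):
    """Return per-host findings: which Blaster-associated ports the host was
    involved with, how many distinct hosts it contacted on TCP 135, and whether
    that looks like scanning or the full three-port pattern."""
    ports_by_host = defaultdict(set)
    rpc_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbled or unrelated lines rather than failing
        key = (rec["proto"], rec["dport"])
        if key not in BLASTER_PORTS:
            continue
        # TCP flows are attributed to the connecting host; the UDP 69 flow is
        # attributed to the host being asked for the file (assumption, see lead-in).
        host = rec["dst"] if key == ("udp", 69) else rec["src"]
        ports_by_host[host].add(key)
        if key == ("tcp", 135):
            rpc_targets[host].add(rec["dst"])
    findings = {}
    for host, ports in ports_by_host.items():
        n_targets = len(rpc_targets[host])
        findings[host] = {
            "ports": ports,
            "rpc_targets": n_targets,
            "full_pattern": ports == BLASTER_PORTS,
            "scanning": n_targets >= scan_threshold,
        }
    return findings


def suspicious_hosts(lines, scan_threshold=5):
    """Hosts worth isolating and scanning with an AV tool, sorted for stable output."""
    return sorted(
        host for host, f in analyse(lines, scan_threshold).items()
        if f["full_pattern"] or f["scanning"]
    )


# Constructed sample log: 10.0.0.5 sweeps six neighbours on TCP 135, then talks
# to 10.0.0.16 on 4444, after which 10.0.0.16 fetches a file from it over UDP 69.
# 10.0.0.7 makes one ordinary RPC connection; one line is garbage on purpose.
SAMPLE_LOG = [
    "2003-08-12T10:00:01 ALLOW proto=tcp src=10.0.0.5 dst=10.0.0.11 dport=135",
    "2003-08-12T10:00:01 ALLOW proto=tcp src=10.0.0.5 dst=10.0.0.12 dport=135",
    "2003-08-12T10:00:02 ALLOW proto=tcp src=10.0.0.5 dst=10.0.0.13 dport=135",
    "2003-08-12T10:00:02 DROP proto=tcp src=10.0.0.5 dst=10.0.0.14 dport=135",
    "2003-08-12T10:00:03 ALLOW proto=tcp src=10.0.0.5 dst=10.0.0.15 dport=135",
    "2003-08-12T10:00:03 ALLOW proto=tcp src=10.0.0.5 dst=10.0.0.16 dport=135",
    "2003-08-12T10:00:04 ALLOW proto=tcp src=10.0.0.5 dst=10.0.0.16 dport=4444",
    "2003-08-12T10:00:05 ALLOW proto=udp src=10.0.0.16 dst=10.0.0.5 dport=69",
    "2003-08-12T10:00:09 ALLOW proto=tcp src=10.0.0.7 dst=10.0.0.20 dport=135",
    "this line is not a log entry",
    "2003-08-12T10:00:12 ALLOW proto=tcp src=10.0.0.7 dst=10.0.0.20 dport=80",
]

if __name__ == "__main__":
    for host, f in sorted(analyse(SAMPLE_LOG).items()):
        print(host, f)
    print("suspicious:", suspicious_hosts(SAMPLE_LOG))
```

Run it as a script and it prints the per-host findings followed by `suspicious: ['10.0.0.5']`; the single RPC connection from 10.0.0.7 is not flagged, which is the point of using a threshold rather than alerting on every port-135 connection on a Windows network where DCOM traffic is normal.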

1: The concerted DoS attack actually worked, indirectly; windowsupdate.com was preemptively taken down in favour of windowsupdate.microsoft.com, which got fiddled around slightly so as to be hosted by Akamai. Well, sort of; Akamai was taking the requests and forwarding them to Microsoft's servers, which run Windows 2003; Akamai's servers all run Linux, which led to a recent Netcraft report claiming that windowsupdate.microsoft.com was served by IIS run on Linux. The microsoft.com address has been the default site for automatic Windows updates for years now (thanks, lj), but patches, like that for Blaster, might not get picked up automatically. Read all about it at http://www.theregister.co.uk/content/4/32385.html and http://www.computerworld.com/securitytopics/security/story/0,10801,84077,00.html; the Netcraft report can be found at: http://uptime.netcraft.com/up/graph/?host=windowsupdate.microsoft.com

TLAs explained:

  • DCOM: Distributed Component Object Model: A Windows-based framework by which you can access code objects residing on another machine.
  • API: Application Programmer Interface: A set of methods in a piece of software (generally middleware) that are made available to a programmer who wishes to use the software as a component in his own code.
  • RPC: Remote Procedure Call: A protocol which allows calls to be made between different computer processes, and thus between different machines.
  • TCP: Transmission Control Protocol: The underlying protocol of TCP/IP. Basically, TCP is concerned with sending and receiving data packets over the network. Its companion, IP (Internet Protocol), deals with where the packets are going, and where they are coming from.
  • UDP: User Datagram Protocol: Similar to TCP, UDP is a network protocol for data transmission. UDP is not as reliable as TCP, but is faster and more efficient, as it never runs checks to ensure that the data actually reaches its target; nor does it attempt to resend data.
  • DoS: Denial Of Service: An attempt to disable a service on a remote machine (usually either a web server or DNS server) by flooding it with requests until it falls over.
  • TLA: Three Letter Acronym: What geeks use to confuse their managers. Not always accurate, however; the TLA MLA (Multi Letter Acronym) is sometimes used instead.
