The blaster worm infected hundreds of thousands of Windows-based computers in 2003, exploiting a security hole that had been patched a month prior. It used infected computers to launch DDoS attacks on servers distributing security patches. ISPs blocked traffic on port 135 to prevent further spread.
The blaster worm was malware that first spread to the Internet in 2003. Within days of its appearance in early August 2003, the worm had infected several hundred thousand Windows-based computers. The blaster worm was not a zero day attack, as it exploited a security hole that was actually patched in July of that year. Computers that already had the patch weren’t vulnerable, and those that could successfully download it were therefore protected from further exploitation. One of the functions performed by the worm blaster was to use infected computers in a series of Distributed Denial of Service (DDoS) attacks on the servers responsible for delivering security patches.
In July 2003, Microsoft® released a security patch for the Distributed Components Object Model (DCOM) Remote Procedure Call (RPC) protocol. Hacking groups were able to reverse engineer the patch to discover and then exploit the vulnerability it was supposed to fix. They designed a worm using a file called MSblast.exe, which is where the name blaster comes from.
The blaster worm was designed to propagate directly through the Internet and did not require the user to download a file or open an attachment. Once a computer is infected, the worm would contact a large number of Internet Protocol (IP) addresses on port 135. If a vulnerable Windows XP® computer was contacted in this way, the worm could replicate itself and then repeat the process.
A consequence of the blaster worm infection was participation in a timed DDoS attack. Each infected computer was set up to direct a large amount of traffic to the servers responsible for distributing the patches. These attacks depended on the infected computer’s local clock, resulting in a continuous flood of traffic flooding to the servers. This strategy has led to eventual changes to the way these update systems work, so that critical patches remain available in the face of future attacks.
Once the nature of the infection was discovered, many Internet Service Providers (ISPs) started blocking traffic on port 135. This effectively stopped the worm from propagating through these ISPs, even though a large number of machines were already infected. When the cleaning operations began, numerous variations appeared. Of these variants, one used the same exploits to attempt a hard fix for the problem. This has been called a useful worm, despite the fact that it has caused numerous problems.
Protect your devices with Threat Protection by NordVPN
