It's six years since the infamous Blaster worm crippled Windows systems worldwide. The most damaging variant of Blaster (AKA Lovesan) first started spreading on 11 August 2003, reaching its peak on 13 August. Security researchers reckon the original malware was created by Chinese VXers after they reverse engineered a Microsoft …
What's the point of the article?
"but the era of high-profile, noisy megaworms like Blaster belongs to days long gone."
So let us all put our defences down?
Stop updating Windows 'cause there is no threat?
Use an exploding Mac?
I remember it well
The most apparent symptom of Blaster as I recall was it causing the RPC service to fail and the default behaviour for that to be to shut the machine down. Working in ISP support at the time, the number of calls we took on that one. Simple to fix if you knew what to do and recognised it, but if you just used the machine to view a few web pages and email.
Or if you were our local newspaper's computing columnist. In the October/November after this, someone wrote to him saying they were getting the shutdown screen every time they went on the internet. The computer "expert's" advice: disable your firewall and see if the same thing happens.
That is 48 hours of my life...
...I'll never get back.
The first we detected it was one of our MAN routers fell over, then another, then switches. PCs were in fact the last to die.
I remember having to break links to every office and the entire IT team (including programmers) going round, disconnecting every PC, killing off the virus and getting MS patches up to date.
Got a bit of cash out of that, at the time
The number of network Admins who read that the worm used the RPC service, opened up MMC, and disabled the RPC service as a result, thinking they were being smart... After all, if the service isn't running, it can't be exploited, right? The thing is, much of Windows relies upon the Remote Procedure Call service to run - most notably MMC, itself. So, not only has the machine been rendered unusable, but the primary means of restoring the situation can no longer run. Never mind. Just reboot the system, yeah?
Except a Windows machine is unbootable, without RPC running. (What is it, that is so 'Remote', about this service, you may ask? Well, it's a long story, and much of it has to do with an Asshole in Redmond, called Soma.)
No. The only way to revive the system after you disable RPC, is to restart in safe mode and hack the registry (as detailed by Black Viper, and countless others at the time).
It shows how utterly ropey the Windows substructure was, back then, however: a point-and-drool interface, like MMC, could grant someone with Admin rights the ability to switch off a service that it - and much of the Windows operating system - depended upon, to run. (Microsoft have since greyed out the option to control this service from the MMC - although the fact that it is still viewable as a service, within the MMC, indicates that this is probably as far as this effort has gone.)
Of about twenty five machines I was paid to resurrect, following Blaster, only five had been directly infected by Blaster, itself. The rest (some of them critical file and print servers, for legal firms and estate agents, in an age when printed paper amounted to a lot more than it does, today) had been knocked out of action by their own Sys Admins, disabling the targeted service via MMC.
This was about the same time that Microsoft was touting the fact that Windows was, in fact, cheaper than Linux because you could pay the Windows people much much less money. Blaster came at the time of a perfect storm. Many people were fitting their first broadband connections, Windows updates still had to be installed on a patch-by-patch basis at the user's behest, and no PC shop ever sold a machine with patches installed. Users would plug their brand new machines into their brand new routers and get infected within half a minute. Imagine what hay these various, nefarious 'foreign secret services' we hear so much about these days would have made with a network such as this! There was, basically, no security, and every service was switched on, by default.
When I were a lad...
Ohh I remember those days - 200+ sites struggling to work because their WAN link was flooded with traffic. I had to build a patch CD to send to sites to allow users to apply the patch, install any other updates and run a 'cleaner' to remove it from every PC in the office.
It certainly got our 'strategy leaders' to consider proper patching procedures rather than believing that if it wasn't broke, it didn't need changing/fixing. They wouldn't accept previous arguments that changes prevented things breaking...
Beat them to it...
Remember when it started to pop up, in the hours before it went nuts. A well known local Calgary cable operator didn't think at this time to keep an eye on traffic trends. As luck had it I was working with the author of Nuke Nabber to update the program and my honeypot machines started to go nuts and fall over. A few hours later I was in the thick of it with the cable operator's IT team trying to work out what the hell was going on. As AC said, that's 48 hours of my life I'll never see again.
Kind of fun in a twisted, masochistic way though.
God doesn't time fly
Just helped build a machine for me friend, installed Windows, hooked up to BB and bang, off it went lol
After 3 installs of XP I said sod it and waited a while to see what popped up on the net.
"but the era of high-profile, noisy megaworms like Blaster belongs to days long gone."
2008 is not all that far behind, or was Conficker not a high-profile, noisy worm? OK it wasn't /as/ destructive, but still caused some degree of damage to various systems.
Looking through the history of significant computer worms and viruses, there appears to be a major worm about every 5 years since 1980-ish. So set your clocks for 2013 and place your bets on which OS will bear the brunt...
A formative experience
Blaster was a big eye-opener for our shop. I still remember the eye-watering hour or so it took for us to stop blindly panicking as our PCs went into a reboot-loop, think of someone we knew who was actually computer-savvy, call them (I actually remember quietly hoping the phone wouldn't also be haywire when I picked it up!), and have them patiently talk us through the diagnosis and recovery process.
A year or two earlier we'd had an MS patch seriously screw up a PC and were all but ignoring updates at that stage - we never did that again. Nor did we ever again go online without ZoneAlarm installed. This episode probably more than any other set me on the path to becoming a serious (well, competent) sysadmin.
Then a year later I reinstalled Windows on my home machine, and got hit by Sasser while downloading ZoneAlarm :(
@Anonymous Coward 09:15 GMT
Congratulations on deliberately misunderstanding the article
lot of damage to our organisation
I were a lowly helpdesk bloke back at the time. It tore a hole at the hospital I worked for. One has to wonder if the creative geniuses behind said viruses were aware of the damage it wreaked. It's one thing to take down a company's IT infrastructure, it's another to risk the lives of patients. Given all drug administration is held on computers these days we were literally racing against time. We had many threatening phone calls from ward staff advising that if things weren't up and running again in minutes as opposed to hours, lives would be lost.
I remember Blaster
After the worst was over, I knocked together this Shakespeare-flavour "soliloquy".
A Midsummer Night's Worm
That which we call a worm,
by any other term -
a virus springs to mind -
would still be as unkind.
To patch, or not to patch,
That's hardly the question;
nor nobler in the mind,
facing worms of this kind,
to count on a bastion
of safe e-mail to catch
this inbound contagion
which comes not to us thus,
making fools of us all.
Windows computers fall
Despite our cautious fuss,
through this dread pathogen.
To surf, perchance to browse,
aye, therein lies the rub;
for in that 'net browsing
what dire threats appearing
shall penetrate our hubs?
So we all best not drowse.
Nay, this worm, as we know,
doth enter where unpatched
to Windows versions three -
NT, 2K, XP -
from portals yet unwatched.
Its progress is not slow.
This worm's not made the best,
though spreading wild and free,
'tis not most efficient -
there's yet more proficient.
What fools these mortals be!
See not this is a test?
This be very madness,
yet 'tis method in it.
For, if we shun the patch
despite what we might catch,
when Windows next gets bit
'twill make a vaster mess.
This pale worm might be poor;
but, lest we be serene,
the next one will have ways
to use our salad days
of judgment very green
to pierce to Windows' core.
I come to bury this
Blaster, not to praise it.
The evil men do lives
on the 'net and it gives
us cause not to be hit.
Come, this patch let's not miss.
@ By Havin_it Posted Thursday 13th August 2009 11:48 GMT
You actually used caps for ZoneAlarm? wow... and trust it? wow again...
(Never mind the use of caps for M$..... I'm in shock)
"MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!"
You forgot Slammer! That was the best, at any rate in terms of the amount of hysterical "The net is burning UNPLUG EVERYTHING NOW EVERYBODY PANIC!!!1!!" posts it generated to NANOG :-)
Plus it was novel for being a one-hit single-packet UDP attack, which is still I think unique, and it was an almost-warhol worm; it infected the world in about ten minutes. It generated a metric fuckload of traffic, too. Far more significant than say Sasser, which was very much a me-too worm.
I miss those days
I loved the Blaster virus; it netted me and my co-workers a nice chunk of change in overtime at the college I worked at. Especially since we had to disinfect the whole network 2-3 times a week due to students and our IT Director re-infecting it.
People might talk trash and hate MS I love them personally, because they earned me some very nice paychecks in the past.
if we're going back in time
anyone remember the 'end of the world' panic about the Michelangelo virus (kindly instigated by McAfee, iirc)?
[we need an old codger icon]