Blaster Worm - Details & Technical Analysis

Date:
August 11, 2003

Severity:
High

Systems Affected:
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003

Overview:
The worm begins by targeting Microsoft systems that have not been properly patched for the known RPC DCOM vulnerability. Once the worm detects an unpatched system, it will attempt to download and run a file called msblast.exe. If successful in infecting a system, the worm will propagate itself, modify Windows registry settings, and initiate a SYN flood denial-of-service attack on windowsupdate.com.

The worm payload does not contain any additional malicious content; however, because of the nature of the worm and the speed at which it attempts to impact systems, it can potentially create a denial-of-service attack against windowsupdate.com.

For further information and a technical description of the Blaster worm, please visit:
http://www.eeye.com/html/Research/Advisories/AL20030811.html

Detection:
eEye is offering a free tool that scans network machines and detects whether any are vulnerable to the Blaster worm. The Retina RPC DCOM Scanner is based on eEye's vulnerability assessment solution, Retina® Network Security Scanner. Users of Retina do not need the tool, since Retina already checks for the RPC DCOM vulnerability and the presence of the Blaster worm. The free Retina RPC DCOM Scanner can be found by visiting:
http://www.eeye.com/html/Research/Tools/RPCDCOM.html

Prevention:
The full version of Retina Network Security scanner can not only identify vulnerable machines, it can also detect whether the worm has already infected systems on a network. In addition to the security weakness being exploited by the Blaster worm, Retina detects over one thousand vulnerabilities to provide ongoing, comprehensive security audits for any network.