WIN32_Blaster - A Case Study From Microsofts Perspective by LTrunk3487



Matthew Braverman Microsoft Corporation, 1 Microsoft Way, Redmond, WA 98052, USA Tel +1 425 703 2229 • Email

was exploited, an attacker could run arbitrary code with Local System privileges on an affected computer [1]. After developing information related to the continued prevalence of Msblast in late 2003, Microsoft released the Windows Blaster Worm Removal Tool, also known as BlastCln, on January 13, 2004. The tool, released through Windows Update (WU) and Automatic Updates (AU), identified and cleaned millions of computers infected with Msblast, despite being released over five months after the appearance of the original threat. About nine months following the release of Msblast, on May 5, 2004, the Sasser worm appeared in the wild. Sasser exploited a vulnerability (MS04-011) with attack vectors similar to MS03-026, meaning it had the potential to spread as widely as Msblast. However, in the time between these two attacks, Microsoft had introduced a series of internal engineering and process improvements, that enabled the company to develop and widely distribute a cleaner tool only days after the appearance of this worm. These improvements, combined with other post-Msblast, Microsoft-sponsored security initiatives focused on customer support, product development, and user education, helped to significantly slow the spread and reduce the number of users affected by Sasser. The regularly updated Windows Malicious Software Removal Tool, first released on January 11, 2005, enables Microsoft to continue to respond quickly to high-priority malware attacks in the future. This paper evaluates the impact of the Msblast worm, details the initiatives created as a result of this threat, and reviews how the positive impact of these initiatives helped to limit the spread of the Sasser worm.

On August 11, 2003, the world of mobile malicious code changed with the release of the Blaster worm. Using a vulnerability in the Microsoft Windows 2000 and Windows XP operating systems to infect a computer, the threat replicated to more computer systems than any other malicious software in history. Since the release of Blaster almost two years ago, Microsoft has invested considerable resources in reducing the number of users infected with this threat, in addition to putting mechanisms in place to help prevent the class of vulnerability that Blaster exploited. This paper provides deeply quantitative details and statistics that Microsoft has observed regarding the initial and continued effects of the worm on the global computing infrastructure and Internet users worldwide.

The first variant of the Win32/Msblast worm (Win32/Blaster) appeared in the wild on August 11, 2003. Subsequently, several variants of Msblast.A (with minor changes) were released over the course of August and September 2003. Other threats that exploited the same vulnerability appeared following Msblast, including the Nachi/Welchia worm, although Msblast is clearly the most prevalent and prominent of these threats. To infect a computer, Msblast exploited a security vulnerability in certain versions of the Windows operating system. A bulletin describing and patching this vulnerability, Microsoft Security Bulletin MS03-026 (KB 823980) [1], was released on July 16, 2003, 26 days prior to the appearance of Msblast in the wild. The bulletin described a critical security vulnerability in a Windows Distributed Computing Model (DCOM) Remote Procedure Call (RPC) interface. By default, all versions of Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 were susceptible to this vulnerability [1]. However, it is important to note that only Windows 2000 and Windows XP were susceptible to being infected by Msblast. Infection under Windows Server 2003 could not occur because the vulnerable components were compiled with the /GS flag [2, 3]. MS03-026 was superseded by MS03-039 on September 10, 2003, which included patches for additional vulnerabilities in RPC DCOM, discovered through subsequent, internal code reviews of that component. To exploit the original vulnerability described in MS03-026, an attacker needed to send a specially formed request to the remote computer on specific RPC ports. Once the vulnerability

In mid-November 2003, almost three months after the release of Msblast, Microsoft worked with key ISP partners participating in the newly formed Global Infrastructure Alliance for Internet Safety (GIAIS), to determine that Msblast was likely still active on a large number of computers running Microsoft Windows. Network traffic data obtained from the ISP partners indicated that the threat had not significantly decreased in prevalence, despite the time elapsed since the initial release of the threat. GIAIS members also noted the significant detrimental effect of the Nachi worm (labelled as a ‘good worm’ in some press statements) on the Internet backbones. Nachi sent ICMP ping commands to a set of computers before trying to infect them, which essentially caused an ICMP flood on a network. The Msblast network data contrasted with prevalence indicators assigned by anti-virus vendors, which had indicated that Msblast was decreasing in prevalence at that time. For example, Symantec downgraded the Msblast threat level from 4 to 3 [4], and McAfee lowered their risk assessment from high to medium in October 2003 [5]. Also, Microsoft support call volumes related to Msblast had significantly decreased over the past few months. Investigating the possible causes for this discrepancy and reviewing a sample of Msblast-related incident resolutions, Microsoft determined that the incongruity was likely related to customers patching their computers with MS03-026 or MS03-039, effectively stopping the computers from constantly


VIRUS BULLETIN CONFERENCE OCTOBER 2005 ©2005 Virus Bulletin Ltd. No part of this reprint may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.


rebooting and preventing reinfection, but not removing the current infection of Msblast. As long as the computer was infected with Msblast, it continued to generate traffic to attempt to infect vulnerable computers. Because the infection did not impact the performance of the computer significantly, the user may not have realized the computer was still infected, especially if the computer did not have an up-to-date anti-virus product installed. In response to these findings, members of the anti-malware team within Microsoft’s Security Business & Technology Unit designed a small removal tool, named BlastCln, which would detect and remove all known variants of Msblast and Nachi from a computer. The tool targeted only threats that were active in memory or referenced from a set of registry auto-start points. The tool did not scan the hard drive for these threats and thus ran in a relatively small amount of time, compared to a full scan with an anti-virus product. The tool was posted to the Microsoft Download Center on January 5, 2004 and to Windows Update (WU) / Automatic Updates (AU) / Software Update Services (SUS) on January 13, 2004. Through WU/AU/SUS, the cleaner tool was offered to users running Windows 2000 or Windows XP, which was consistent with the platforms affected by this worm. Using specific WU detection logic associated with registry keys and files created by Msblast and Nachi, the BlastCln tool was offered only to computers likely to be infected with these threats. By leveraging this logic, Microsoft targeted the delivery of the tool to computers that needed it (that is, if a computer wasn’t infected with Msblast or Nachi, the user wouldn’t be prompted to download or install the update, which conserved bandwidth), and obtained effective infection and cleaning statistics by measuring the download and execution metrics for the update. Also, the tool was offered only to computers that had been patched by MS03-026 or MS03-039. This verification ensured that users who ran the tool and removed Msblast would not have to re-run the tool, because their computer could not be reinfected through the main infection vector. Without this check, an unpatched computer that ran the tool and then connected to an infected network could be reinfected within minutes. Over the first six months, Microsoft recorded approximately 25 million downloads and 12 million executions of the tool via WU/AU. In other words, over 25 million unique computers were identified as being infected by Msblast, and the tool removed over 12 million of these infections. Nine million of the 25 million downloads were completed in the first nine days. As indicated in these figures, slightly less than 50% of users who downloaded the tool from WU/AU actually ran the tool on their computers. This is mainly due to AU users who downloaded the tool automatically, but had their settings configured to install updates manually and had not yet clicked to install the tool. Many of these users will eventually install the update or remove the threat from their computer with another technique (anti-virus software, reinstalling their operating system). Data in the ‘post-Sasser virus cleaner tools’ section supports this statement and indicates that the number of new Msblast infections has decreased significantly since this time. It is unlikely that any computers were counted more than once or became reinfected because the prerequisite logic relied on

MS03-026/MS03-039 being installed. If this update was installed, a computer would not be reinfected by these threats through normal propagation vectors.

Customer support
The most noticeable effect of Msblast occurred when an unpatched computer connected to an infected network, whereupon the RPC service on the computer would terminate, triggering a managed shut-down of the operating system and preventing the user from using the computer. When Msblast was released in mid-August 2003, the number of support calls spiked significantly. In the first five days after the release of Msblast, Microsoft’s Customer Service and Support (CSS) organization received over three million calls (only a subset of which were answered) from end-user and enterprise customers, who were looking to prevent their computers from rebooting continuously. Each support call averaged about an hour, while the support professional walked the user through enabling a firewall or extending the managed shut-down timer and then updating the computer with MS03-026/MS03-039. If possible, the support professional would also help the user turn on AU and run a third-party disinfection tool to remove Msblast from the infected computer. As the call volume increased, CSS management realized that additional resources were required to handle customer inquiries. CSS mobilized a program to solicit volunteers from other Microsoft departments, especially product groups, to help answer calls. After several hours of training, over 1,000 volunteers (including executives from various departments) spent at least eight hours each on the phone, working alongside permanent support professionals, through the end of August, helping customers bring computers back to a stable state. As a result of the Msblast incident, CSS implemented several changes to their support infrastructure (especially directed at end users) to help respond to similar incidents in the future. The most significant changes are: • The establishment of a formal ‘CSS Reservist’ program to organize and facilitate product group volunteers in the case of future incidents. This program ensures that participants are always up-to-date with training, logistical information, and privileges (e.g. account information) necessary to interact with Microsoft’s support incident system and provides CSS with several hundred trained volunteers to mobilize quickly. • The establishment of the 24-hour PC Safety phone line at 1-866-PCSAFETY (international numbers are listed at This no-charge service provides consumers with an easy way to get reliable information and support about top security threats currently in the wild. The phone line has been instrumental in helping Microsoft provide customers with support for such threats as Mydoom and Sasser.

‘Protect Your PC’ campaign
Microsoft also launched its ‘Protect Your PC’ campaign at the end of August 2003. The campaign spanned several media

VIRUS BULLETIN CONFERENCE OCTOBER 2005 ©2005 Virus Bulletin Ltd. No part of this reprint may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.



venues – including a strong web presence, several full-page advertisements in major newspapers such as USA Today, in-store promotions, and information pamphlets – and centred on three steps designed to help prevent users from being affected by threats such as Msblast. The three Protect Your PC steps are: 1. Enable a firewall on your computer. 2. Get the latest computer software updates. 3. Use up-to-date anti-virus software. On the Protect Your PC website at protect/, Microsoft created the Windows Security Advisor (WSA). This online tool detects whether a user has enabled the Windows Internet Connection Firewall (ICF) and AU. If not, the tool provides a simple one-click interface to enable each feature. The tool was updated at the end of 2004 to verify that Windows XP Service Pack 2 was installed. This campaign is likely a contributing factor to the increase in update downloads following the release of a security bulletin. For example, Microsoft estimates that approximately 36 million users downloaded MS03-026 in the seven days following its release and 19 days prior to the release of Msblast. Compare this with MS04-011, the vulnerability that Win32/Sasser exploited, released months after the launch of the PYPC campaign. This bulletin had approximately 95 million downloads after the same amount of time. Assuming that a proportional amount of users installed the downloads in both cases, it is likely that almost three times as many users were protected from Sasser than from Msblast.

that replicate easily and widely, such as Msblast, must be done as soon as possible to stem the spread of the threat and help minimize the number of infections. Indeed, the SBTU determined that, in the event of a threat with similar characteristics to Msblast, a cleaner tool similar to BlastCln should be widely deployed to consumers as soon as possible. Consequently, the Microsoft anti-malware team worked to generalize and standardize the creation and release of cleaner tools. Essentially, the BlastCln tool became the basis for these tools and could be modified as appropriate to remove newly targeted threats. This work was also integrated into the Microsoft Software Security Incident Response Process (SSIRP), which is managed by the Microsoft Security Response Center (MSRC). For more information about SSIRP and the MSRC, see security/msrc/. Figure 1 depicts the release timelines for the Msblast tool and the two main virus cleaner tools released in 2004 to combat the Mydoom and Sasser worms. The Mydoom worm first appeared on January 26, 2004. Microsoft released a cleaner tool capable of removing the initial Mydoom variants to the Microsoft Download Center 11 days following the release of the threat. Eight days later (a total of 19 days after the release of the threat), the tool was made available on WU/AU. Microsoft built on this progress when the Sasser worm appeared on April 30, 2004. Sasser exploited a vulnerability, MS04-011, with attack vectors similar to MS03-026, meaning it had the potential to spread as widely and as quickly as Msblast. Aware of these similarities, members of the SSIRP team (including representatives from the anti-malware team) were on watch for signs of an in-the-wild threat when MS04-011 was published. The team monitored a variety of forums and network indicators, and was ready to develop and release a cleaner tool if necessary. When Sasser was released, the team moved quickly to build a cleaner tool, SassCln, capable of detecting and removing all variants of Sasser known at the time. The team released the cleaner tool to the Microsoft Download Center within two days of the threat being released in the wild. Two days later (a total of four days following the release of Sasser), Microsoft made the tool available on WU/AU.

Software development
Msblast significantly affected Microsoft software design and development, including specific impacts on Windows XP Service Pack 2 (SP2). These developments included: • Enabling the Windows Firewall by default. In addition to enabling the Windows Firewall by default for Windows XP users, Windows XP SP2 also closed a vulnerability in previous versions of Windows XP, where, as Windows started up, there was a small period of time for which networking was enabled but the firewall was not yet active. • Making it easier for users to enable Automatic Updates (AU). Immediately after installing Windows XP SP2, users are presented with a full-screen dialog box that prompts them explicitly to choose whether to enable AU. • Windows Security Center (WSC). The WSC feature in Windows XP SP2 alerts users if they have not chosen to enable AU, a firewall, or real-time anti-virus protection. WSC also alerts users if the anti-virus product they have installed is out of date. • RPC/DCOM authentication. The RPC interface was significantly locked down in Windows XP SP2 to prevent unauthenticated connections, such as the one that allowed Msblast to infect a computer.

Similar to the process followed for BlastCln, Microsoft monitored download and execution data for SassCln continuously during its release to WU/AU. About six months following the release of SassCln, Microsoft recorded a total of 1.2 million downloads and about 750 thousand executions. In other words, over one million computers infected with the
Initial outbreak Tool live on Download Center Msblast 8/11/2003 1/5/2004 2/5/2004 5/2/2004 Tool live on WU/AU 1/13/2004 2/13/2004 5/4/2004

Mydoom 1/26/2004

Faster release of cleaner tools for high-priority malware attacks
Following the release of BlastCln and a review of associated statistics, it became clear to the SBTU that targeting threats



Figure 1: Release schedule for individual malware cleaner tools.


VIRUS BULLETIN CONFERENCE OCTOBER 2005 ©2005 Virus Bulletin Ltd. No part of this reprint may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.


worm were identified and the threat was removed from three quarters of a million computers. The importance of these figures, when compared to the respective figures from the BlastCln tool, is critical. Specifically, the number of Sasser infections was smaller than the number of Msblast infections by a factor of about 20. In fact, Microsoft identified more Msblast infections in the first six days following the release of the BlastCln tool than for Sasser throughout the entire release of the SassCln tool. The reasons for this dramatic decrease include: • More users were able to protect their computers from Sasser infection prior to the worm’s release by installing the update for the vulnerability, enabling a firewall, and installing an up-to-date anti-virus product, largely thanks to Microsoft’s Protect Your PC campaign and support from key security vendors. • Microsoft increased the speed with which it widely distributed a cleaner tool for Sasser. The more computers that are infected with worms such as Msblast and Sasser, the more the worms will spread to other vulnerable computers. Because a widely distributed Msblast removal tool was not released for months after the appearance of the original threat, the worm was able to spread to a much larger number of computers, when compared to Sasser, for which a cleaner tool was available only days after the release of the threat. Another important point derived from the SassCln download and installation figures is that the proportion of users who installed the tool after downloading it via WU/AU rose from 50% with BlastCln to 65% with SassCln. This difference was likely influenced by the PYPC campaign, which urged computer users to enable automatic installation of critical updates, and to the on-going outreach that occurred during the Sasser incident.

1. The Malicious Software Removal Tool is a cumulative cleaner tool. A virus family added to the first version of the tool is also included in subsequent releases. 2. The Malicious Software Removal Tool is updated with support for removing additional malware and re-released on the second Tuesday of every month, along with security bulletins. Sharing the same release day as the bulletins enables users to deploy and execute the tool along with other high-priority updates. 3. Due to the number of virus families detected and removed by the Malicious Software Removal Tool, it was not possible or desirable to target the delivery of the tool only to computers likely infected with these viruses. Thus, via WU/AU, the Malicious Software Removal Tool is delivered as a high-priority update to all computers. The first release of the Malicious Software Removal Tool targeted an aggregation of all the malware that Microsoft had removed with previous cleaner tools, with the addition of the Gaobot family. This list included Msblast, Mydoom, Nachi, and Sasser. By leveraging a more robust reporting mechanism, Microsoft obtained more information about infections found by the tool. All information communicated to Microsoft from the tool is anonymous and does not contain personally-identifiable information. Also, users can set a registry key if they want to opt out of sending this information to Microsoft. For more information, see Figure 2 shows the prevalence of the Msblast and Sasser families, which are highlighted, contrasted with the rest of the top 25 malware families that the Malicious Software Removal Tool, as of June 21, 2005, detects and removes. The numbers reflect the cumulative removals since the initial release of the
Rank Family Rbot Sdbot Gaobot Netsky Msblast Korgo Ispro Berbew Bagle FURootkit Spybot Sasser Bropia Mydoom Sober Mytob Zafi Nachi Hackdef Sobig Startpage Lovgate Kelvir Mimail Randex Removals 800,422 381,094 309,108 292,316 251,467 213,081 174,060 167,030 86,647 84,920 75,983 59,644 45,163 41,835 30,050 24,691 21,026 18,838 18,682 11,573 8,206 7,947 2,693 1,367 1,226

Post-Sasser virus cleaner tools
On January 11, 2005, Microsoft released the first version of the Windows Malicious Software Removal Tool. The purpose of this tool is to remove specific, prevalent malicious software from computers, on a consistent basis. The tool is intended mainly for consumers and home users who do not have up-to-date anti-virus software installed. Despite efforts from Microsoft and the security industry, the reality is that many users still do not install up-to-date anti-virus software, thus increasing the number of infected computers if malware goes unchecked. However, this tool is not intended as a replacement for up-to-date anti-virus software, due to its lack of an ‘on-access’ protection component and because it targets only a specific subset of the full virus library. The tool was released simultaneously to WU/AU, the Download Center, and (as an ActiveX control). The version posted to WU/AU was delivered initially to Windows XP computers only, although, in later months, Windows 2000 and Windows Server 2003 computers could also download the tool from WU/AU. Users could also download and run a standalone version of the tool from the Download Center and By releasing the tool to the Download Center, Microsoft enabled corporate users to download and deploy the tool to their enterprises. The three main differences between the Malicious Software Removal Tool and previous cleaner tools are:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Figure 2: Prevalence of the Msblast and Sasser families (as of 6/21/05).

VIRUS BULLETIN CONFERENCE OCTOBER 2005 ©2005 Virus Bulletin Ltd. No part of this reprint may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.



tool in January and are recent as of June 21, 2005. Over this period of time, the tool was executed approximately 750 million times. Note that, in the removals column, multiple files infected with the same malware are counted only once, for each execution of the tool. For example, if a single execution of the tool cleaned 100 files on one computer, all infected with the Bagle.O virus, this counts as one removal in the table. This figure shows that Msblast continues to be moderately prevalent almost two years after its release. This number continues to grow, with about 800 new Msblast removals per day. However, these figures are relatively small compared to the total number of executions of the tool, approximately 750 million. Therefore, only about 0.03% of users who run the tool are infected with Msblast. This value represents a significant decrease from the number of Msblast detections recorded by the BlastCln tool. The continued prevalence of Msblast is likely due to infected computers which, for one reason or another, will never be updated or disinfected. These computers will serve as eternal carriers for the worm, infecting vulnerable computers, which are subsequently connected to WU to download the update and cleaner tool, as reflected in the figures above. Sasser removals are only a fraction of those for Msblast, consistent with the discussion in the previous section. Only about 200 removals per day are reported. Figure 3 shows the prevalence of Msblast, Sasser, and other malware families across Windows XP service packs. The percentages in the figure are normalized with the number of executions of the tool across these service packs.
Windows XP Malware family Rbot Sdbot Gaobot Netsky Msblast Korgo Ispro Berbew Bagle FURootkit Spybot Sasser Bropia Mydoom Sober Mytob Zafi Nachi Hackdef Sobig Startpage Lovgate Kelvir Mimail Randex Total Gold 61.87% 65.10% 62.22% 59.26% 78.85% 55.06% 49.07% 45.96% 53.22% 70.04% 49.22% 52.56% 36.21% 52.23% 53.44% 52.58% 55.05% 66.96% 38.75% 71.18% 60.96% 38.74% 41.74% 67.35% 60.71% 62.37% SP1 33.80% 28.89% 34.98% 29.79% 21.09% 42.86% 28.16% 49.04% 40.80% 28.47% 26.08% 45.65% 31.34% 37.85% 31.87% 28.25% 36.04% 32.52% 41.16% 20.27% 29.96% 19.71% 16.03% 24.74% 31.19% 32.71% SP2 4.33% 6.01% 2.80% 10.95% 0.06% 2.07% 22.77% 5.00% 5.98% 1.49% 24.70% 1.79% 32.45% 9.92% 14.70% 19.17% 8.90% 0.51% 20.09% 8.54% 9.09% 41.55% 42.23% 7.91% 8.10% 4.93%

From the total number of Msblast infections removed, there is only a 0.06% chance that the removal will be from a Windows XP SP2 computer vs. a 78.85% chance that the removal will be from a Windows XP Gold computer. The high skew towards Windows XP Gold/SP1 for Msblast is expected, since Windows XP SP2 computers cannot be infected by Msblast through its main replication vector (MS03-026/MS03-039), which was updated in Windows XP SP2, and since the BlastCln tool runs as part of upgrading to Windows XP SP2. In fact, it is surprising that the Windows XP SP2 removal number is greater than zero; this is likely due to malware that replicates through other mechanisms (for example, email) and drops Msblast on a computer. A similar pattern exists for Sasser, although the Windows XP SP2 figure is slightly higher because SassCln, unlike BlastCln, is not run as part of Windows XP SP2 setup. In fact, most malware listed in the table are more likely to be found on a Windows XP Gold or Windows XP SP1 computer than on a Windows XP SP2 computer. Malware with the lowest removal percentages for Windows XP SP2 (Rbot, Sdbot, Gaobot, Msblast, Sasser, etc.) mostly exploit software vulnerabilities that were patched in Windows XP SP2. Malware that rely more on social engineering techniques (Netsky, Mydoom, Sober, and so on) to replicate have Windows XP SP2 removal percentages closer to those for Windows XP and Windows SP1.

In summary: • In response to the impact of Msblast, Microsoft invested in a number of customer-focused initiatives such as Windows XP SP2 and the Protect Your PC campaign. • Microsoft released a cleaner tool to detect and remove Msblast approximately five months following the appearance of the worm in the wild. Data from this release indicated that the worm had spread to over 25 million computers, in the year following the release of the threat. • Microsoft recognized the positive impact and value that widely deployed virus removal tools could have with respect to curtailing the spread of worms such as Msblast, which can spread extensively. As a result, Microsoft streamlined the development and release process for these tools. • As a result of many improvements, including the release of a cleaner tool only days after the Sasser worm was found in the wild, Sasser infected only a fraction of the computers infected by Msblast. • With the release of the Windows Malicious Software Removal Tool, Microsoft will continue to be in a position to respond quickly to widespread malware, with a cleaner tool. The release of this tool also enables Microsoft to measure the prevalence of threats that are in the wild.

[1] Microsoft Security Bulletin MS03-026, MS03-026.mspx.

Figure 3: Normalized prevalence across Windows XP service packs.


VIRUS BULLETIN CONFERENCE OCTOBER 2005 ©2005 Virus Bulletin Ltd. No part of this reprint may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.



Howard, Michael; ‘Michael Howard’s Web Log: Why Blaster did not Infect Window Server 2003’, 2004/05/23/139987.aspx. Microsoft Malicious Software Encyclopedia: Win32/Msblast, encyclopedia/details.aspx?name=Win32%2fMsblast. Symantec Security Response: W32.Blaster.Worm, data/w32.blaster.worm.html. Mcafee Virus Profile: W32/Lovsan.worm.a, default.asp?id=description&virus_k=100547.




VIRUS BULLETIN CONFERENCE OCTOBER 2005 ©2005 Virus Bulletin Ltd. No part of this reprint may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.


To top