Lessons Learned From Blaster

CowboyRobot writes "It's been nearly a year since Blaster struck, causing hundreds of millions of dollars in fixes and lost revenue. Jim Morrison of Symantec goes step-by-step in looking at how the Blaster worm got out of control so quickly, and what lessons can be learned from that event, by studying how one utility company dealt with it." The story is written as a fun, technothriller narrative; here's an snippet: "The laptops, usually out in the field, were always a hit-and-miss proposition to find on the network and deliver a patch or to have the user take the machine to a field office. That meant that on the 16th they could see a flood of traffic launched against Microsoft. The second phase of Blaster, launching a DoS (denial of service) attack against windowsupdate.com, was imminent."

Lesson Learned...

[Terragen]

Don't run windows. :D

Re:Lesson Learned...

[Lshmael]

I think after that, nearly every Joe 6-pack finally realized that the thing in his "Start Menu" called "Windows Update" was something to use often.

Which is why the Sasser worm hit so few people? Yes, Blaster caused *some* people to realize it was necessary to run Windows Update, but others only downloaded the Blaster-specific RPC patch in August, causing them to get reinfected again in October and November with newer RPC worms like Gaobot, and again this spring with Sasser.

Re:How many times do people have to be told

[keefey]

I thought Blaster was a RPC virus, i.e. not one broacast via email? I'm sure that's the one that got me a couple of times before I installed a decent firewall (you have 5 seconds to close all work...). Bloody swine of a thing it was - I'd always seem to be winning at Counterstrike too! (Well, that was my excuse, anyway)

VPN's aren't perfect pipes

[LostCluster]

The main weakness that allowed ingress was that any outside machine with a VPN connection also has a real IP address as well. Those machines, since they were unpatched, were sitting ducks for the virus... and then the trusted nature of the VPN assured that the virus would spread to the inside.

A basic firewall on the deployed machine to drop any packet not from the VPN could have stopped this before it started...

Re:How many times do people have to be told

[LostCluster]

Blaster didn't require user intervention to run. Default Windows installations came with the RPC service turned on, and that was all it took to be at risk. If your machine listened on port 135, the virus had a way in.

Contractor Laptop

[eltoyoboyo]

A contractor using the guest offices brought Blaster inside. His laptop infected the security-counter image-storage system, which then found its way to the HR server. That in turn spawned the infections to the HR XP laptops where the patch failed.

The first thing you learn in ANY security job is that most breaches are from the inside.

As someone standing right behind the front lines, I will tell you that employees with laptops are the worst. Most end up with administrator access (not that hard to crack if you don't have it). And the fact that they bring their computers home and on the road makes them feel a certain entitlement to install whatever they feel like. Contractors are even worse, since most of the time these laptops ARE their personal PCs. Desktops and servers inside the DMZ are the least likely originators of malware. (Not to say you couldn't surf pr0n on the company mail server as an admin. But then you deserve what you get.)

Network admins need to lock down MAC addresses and start treating their network like the PBX folks. Nothing gets wired except approved company equipment.

A little too secure for our own good...

[LostCluster]

A key paragraph in the story...
"We had to do some research, but we found out that the way we locked down the users prevented the patch from running properly," lamented one of the policy admins. "What we discovered was that the software restriction policy for the local computer allowed only local computer administrators to select trusted publishers. Because our patch agent ran as a pseudo user, the agent did not have the necessary rights. This was causing the failure. We changed the group policy for the HR systems so that we can patch remotely from now on."

Sometimes, locking your system too tightly ends up locking the keys in the car. When you really need something to run, it doesn't...

Included in TCO?

[Quixote]

Every time a "Linux -vs- Microsoft" study comes out (for example , or see this), I never see any mention of the costs of these combatting these virii, even though virii have been plaguing MS systems from the DOS days. Why don't these "studies" include the cost of re-installing infected machines, anti-virus software, firewall software, continuous monitoring, etc. ?

On the one hand, virus writers are aggressively pursued and prosecuted with claimed damages of billions of dollars; on the other hand, these losses are not included in the TCO of Windows! What gives?

Inflexable payment policy comes back to bite...

[LostCluster]

The utility company lost more than $1 million in revenue that would normally have been generated from the pay systems during the time they were down.

Wait a second. Blaster didn't directly cut off any customers. How could the virus cost revenue?

Well, in the case of this story's Mona, it was because her power was cut off despite the fact she had the money to pay her bill through the last-minute pay system. That means a few days that she didn't use power, plus the cost of a needless disconnect that they couldn't charge for.

If the power company had a brain or heart, they would have not done any disconnects due to non-payment during this time frame. Sure, some deadbeats would get 3 days of free power, but the majority of people who missed their payment deadline would happily pay if just given the chance.

In short, they could have saved time and money if the bill collectors would have been told to take some time off...