Lessons Learned From Blaster

CowboyRobot writes "It's been nearly a year since Blaster struck, causing hundreds of millions of dollars in fixes and lost revenue. Jim Morrison of Symantec goes step-by-step in looking at how the Blaster worm got out of control so quickly, and what lessons can be learned from that event, by studying how one utility company dealt with it." The story is written as a fun, technothriller narrative; here's an snippet: "The laptops, usually out in the field, were always a hit-and-miss proposition to find on the network and deliver a patch or to have the user take the machine to a field office. That meant that on the 16th they could see a flood of traffic launched against Microsoft. The second phase of Blaster, launching a DoS (denial of service) attack against windowsupdate.com, was imminent."

Lesson Learned...

[Terragen]

Don't run windows. :D

Re:Lesson Learned...

[Prod_Deity]

First off... I personally agree with that statement.
Second... I was working a dead end call center job for an ISP when Blaster was running rampant.
Even though this was a Windows problem (and should have been sent to Microsoft), we trouble shooted it since it did technically stop a customer from getting online.
I think after that, nearly every Joe 6-pack finally realized that the thing in his "Start Menu" called "Windows Update" was something to use often.

Re:Lesson Learned...

[Lshmael]

I think after that, nearly every Joe 6-pack finally realized that the thing in his "Start Menu" called "Windows Update" was something to use often.

Which is why the Sasser worm hit so few people? Yes, Blaster caused *some* people to realize it was necessary to run Windows Update, but others only downloaded the Blaster-specific RPC patch in August, causing them to get reinfected again in October and November with newer RPC worms like Gaobot, and again this spring with Sasser.

Jim has left the building

[Zutroi_Zatatakowsky]

Eheh, I couldn't help but chuckle when I read "Jim Morrison". Totally destroys the seriousness of the article.

Re:Jim has left the building

[sentientbeing]

In further news Jim morrison, in the form of a spirit guide advises people to avoid compiling their own windows components due to the virus threat:

'If you build it- they will come....'

Re:How many times do people have to be told

[keefey]

I thought Blaster was a RPC virus, i.e. not one broacast via email? I'm sure that's the one that got me a couple of times before I installed a decent firewall (you have 5 seconds to close all work...). Bloody swine of a thing it was - I'd always seem to be winning at Counterstrike too! (Well, that was my excuse, anyway)

VPN's aren't perfect pipes

[LostCluster]

The main weakness that allowed ingress was that any outside machine with a VPN connection also has a real IP address as well. Those machines, since they were unpatched, were sitting ducks for the virus... and then the trusted nature of the VPN assured that the virus would spread to the inside.

A basic firewall on the deployed machine to drop any packet not from the VPN could have stopped this before it started...

Re:VPN's aren't perfect pipes

[thogard]

VPNs can be owned too so can "tursted" links to remote controled system. We had a (XP?) box deep inside our network get compromised with a virus that stayed in memory. It got there over a remote control system from another PC that was sometimes hooked to the net. The box deep inside the network then started hunting for other boxes to own, and it found a NT 4 server that could make outbound connections to the net and it set up a nice little email proxy. Lucky for me, my test network isn't as open as it appeared and my freebsd box clampled down on the outbound smtp traffic. A few new rules later (to let the SMTP traffic appear to go out) and the NT box was trying to spam AOL as fast as it could.

There are some tricky things out there that will take advantage of "internal trust" so my new rule is no PC talks to anything else but its samba, proxy or email server. Windows PC's can't talk to any other Windows PC.

Re:VPN's aren't perfect pipes

[HermanAB]

"my new rule is no PC talks to anything else but its samba, proxy or email server"

Good quality routers, eg. HP2524 can be configured for 'port to port security'. So it is actually very easy to configure a system to prevent PCs from blabbing to each other.

If the PCs can only see the servers and the servers are all Linux or Mac boxen, then the system is remarkably robust.

Re:How many times do people have to be told

[benna]

Blaster didn't spread through email. It used a DCOM exploit if I remember correctly.

I learned from Blaster six months before the fact.

[gfecyk]

Back when Messenger Service popups happened and started using $80 hardware firewalls that doubled as Internet sharing boxes.

When Blaster hit I was sitting pretty and so was every client that took my advice.

*yawn*

Re:How many times do people have to be told

[LostCluster]

Blaster didn't require user intervention to run. Default Windows installations came with the RPC service turned on, and that was all it took to be at risk. If your machine listened on port 135, the virus had a way in.

Contractor Laptop

[eltoyoboyo]

A contractor using the guest offices brought Blaster inside. His laptop infected the security-counter image-storage system, which then found its way to the HR server. That in turn spawned the infections to the HR XP laptops where the patch failed.

The first thing you learn in ANY security job is that most breaches are from the inside.

As someone standing right behind the front lines, I will tell you that employees with laptops are the worst. Most end up with administrator access (not that hard to crack if you don't have it). And the fact that they bring their computers home and on the road makes them feel a certain entitlement to install whatever they feel like. Contractors are even worse, since most of the time these laptops ARE their personal PCs. Desktops and servers inside the DMZ are the least likely originators of malware. (Not to say you couldn't surf pr0n on the company mail server as an admin. But then you deserve what you get.)

Network admins need to lock down MAC addresses and start treating their network like the PBX folks. Nothing gets wired except approved company equipment.

Trusted Computing is the answer.

[King_of_Prussia]

No, hold back your -1 troll mods, I don't mean that coathanger abortion of an idea that Microsoft has been diddling around with for a while, but a new kind of trust level for computer users. Say everytime a virus has to be removed from a Windows box because a user clicked an attachment a little value increments by one. Once it reaches 10 or so the computer starts throwing up helpful hints like "Don't click on things labelled 'Enlarge your Penii!', they can most likely not deliver on their claims!".

If it gets really high, eg 50 or so (your average AOL user) automatically turn on the Windows Firewall, and include a flag on every outgoing packet indicating that the user cannot be trusted to operate their computer in a safe fashion. Webmasters can then block traffic from these PC's at their discretion - Problem solved.

Re:Trusted Computing is the answer.

[l810c]

If it gets really high, eg 50 or so (your average AOL user) automatically turn on the Windows Firewall, and include a flag on every outgoing packet indicating that the user cannot be trusted to operate their computer in a safe fashion. Webmasters can then block traffic from these PC's at their discretion - Problem solved.

How would having Webmasters looking for a 'trusted' flag solve anything? Users don't infect websites. Webmasters from 'bad sites'(porn, warez, etc) would also have a flag telling them that they have a prime target currently browsing their site. Grab the ip and launch other more nefarious processes against the sitting ducks thus furthering the mayhem.

A little too secure for our own good...

[LostCluster]

A key paragraph in the story...
"We had to do some research, but we found out that the way we locked down the users prevented the patch from running properly," lamented one of the policy admins. "What we discovered was that the software restriction policy for the local computer allowed only local computer administrators to select trusted publishers. Because our patch agent ran as a pseudo user, the agent did not have the necessary rights. This was causing the failure. We changed the group policy for the HR systems so that we can patch remotely from now on."

Sometimes, locking your system too tightly ends up locking the keys in the car. When you really need something to run, it doesn't...

URL for GCIH analysis of Blaster

[JohnVH]

http://www.giac.org/practical/GCIH/John_VanHoogstr aten_GCIH.pdf

Included in TCO?

[Quixote]

Every time a "Linux -vs- Microsoft" study comes out (for example , or see this), I never see any mention of the costs of these combatting these virii, even though virii have been plaguing MS systems from the DOS days. Why don't these "studies" include the cost of re-installing infected machines, anti-virus software, firewall software, continuous monitoring, etc. ?

On the one hand, virus writers are aggressively pursued and prosecuted with claimed damages of billions of dollars; on the other hand, these losses are not included in the TCO of Windows! What gives?

NCC 1701-D on Blaster

[aardwolf204]

The conference room used for the first discussions had been converted to a war room. The whiteboards were filled with IP addresses gathered by the help desk of systems suspected of being infected and trying to propagate the worm. Another list for all of the nonfunctional pay systems covered the entire portable whiteboard. These systems would have to be patched before they could be used to receive payments again.

Red Alert! All senior officers to the battle bridge. Prepare for saucer seperation in T minus 3 minutes and counting.

Picard: Data, can you locate the origin of infection?
Data: It will take aproximatly 10 minutes to scan each subnet.
Picard: We don't have that kind of time. Number One, options?
Riker: Disconnect the OC3 and raise the firewall, leave no ports open.
Captain: That should buy us some time but we need a better solution than that.
Diana: I am sensing something captain, it feels as if the SUS server has fallen offline, we may have missed the latest patches
Data: Her hypothesis could be correct

We are the Borg, We will assimilate you!

Captain: Damn, and here I was thinking it was The Boy and his nanites again

No offense Wil :)

Re:Sadly OSX is Next

[MBCook]

Well, I think that OS X is inherently safer than Windows for various reasons including the Unix core and not being made by Microsoft. That said, if you take the standard precautions, you'll be fine.

Don't open attachments that you weren't expecting. Get a firewall. A REAL firewall, a HARDWARE firewall. It doesn't have to be expensive, just a little Linksys box or something else designed to act as a router between your PCs and your cable/xDSL modem. Keep your systems patched. Do these things and you'll be just fine.

But, it's the lowest hanging fruit that get eaten first. As long Windows is popular and there are people running the systems unpatched and doing stupid stuff like executing the newest screensaver they got in an e-mail, Windows will be THE target for viruses. OS X and Linux won't become popular targets for viruses untill they are more common, Microsoft does a better job, and the people who use them are less technical (this applies to Linux more than OS X). This paragraph is my speculation, of course.

Jim Morrison

The Blaster Worm awoke before dawn.
He put his boots on.

Inflexable payment policy comes back to bite...

[LostCluster]

The utility company lost more than $1 million in revenue that would normally have been generated from the pay systems during the time they were down.

Wait a second. Blaster didn't directly cut off any customers. How could the virus cost revenue?

Well, in the case of this story's Mona, it was because her power was cut off despite the fact she had the money to pay her bill through the last-minute pay system. That means a few days that she didn't use power, plus the cost of a needless disconnect that they couldn't charge for.

If the power company had a brain or heart, they would have not done any disconnects due to non-payment during this time frame. Sure, some deadbeats would get 3 days of free power, but the majority of people who missed their payment deadline would happily pay if just given the chance.

In short, they could have saved time and money if the bill collectors would have been told to take some time off...

Re:Transactions?

[EdMcMan]

There are even ATMs that run on Windows.

Blasters effect on Cisco

[JRHelgeson]

Blaster was a worm, and of worms in general I would say that there is little new to be learned from them. I did learn something new with blaster though.

I was doing some security work for an ISP at the time of blaster. They have a number of Cisco 12000 series GSR routers as well as Foundry Big Iron Switches. For those who are not familiar with the Cisco 12000 series routers, let it be sufficed to say that it is Cisco's biggest, baddest router that stands up to 6 feet tall and comes from the factory with a 4 barrel carburetor, dual testosterone modules and a custom paint job with flames painted on the side (pin stripes are optional). These switches are designed to handle hundreds of gigs of traffic across their backplane and through their interfaces. If the ISP were forewarned that they would be seeing 300 mbps of traffic coming from the MS Blaster worm, they would have said "Bring it on!"

For those of us that aren't CCIE's, Cisco routers and Layer 3 switches have a function called CEF, or Cisco Express Forwarding. CEF is a technology that by its simplest definition caches routes.

If a packet from my computer is destined for yahoo.com, it will first hit the DNS server to resolve the host name to its IP address. My computer will then send packets to my ISP with the destination IP of yahoo.com (66.218.71.198). My ISP's router, presuming it's a Cisco router with CEF enabled, will look at its internet BGP tables and determine the optimal route my packet should take on the internet to arrive at that destination. Once the router has processed the route, it caches it so that all future packets coming from my home IP address, destined for yahoo.com will automatically be routed using the cached route. This takes a tremendous load off the router CPU as each packet no longer needs to be processed by the CPU, hence the term "Express Forwarding".

What the blaster worm did was send out hundreds of thousands of ICMP pings per second. This usually wouldn't be a problem for the router, except for each packet was destined for a unique IP address. What started happening is that each route was looked up, routed, and stored in its cache for future packets - only there weren't any future packets. What happened next was the memory space allocated for caching CEF routes filled up, and once full, the router simply purged its cache so that every packet had to then go to the CPU to be routed. Once this happened, all hell broke loose.

CPU utilization on the routers jumped to 100%, which should never happen under normal conditions, but this was clearly not a normal condition, and the internet came to a crawl.

There we were, with a router that should handle hundreds of gigs across the backplane without breaking a sweat being brought to its knees by 100mb of traffic... it was incredible.

Re:Out of control?

[mabu]

I love the little flash advertisement which is attached to this article, claiming Microsoft outperforms Linux by a factor of 276%. They must be talking about worm propagation efficiency.

Massive distributed computing

[freeduke]

When this worm hit a lot of my friends, at home, I first tried to figure out what it did, beside restarting computers.

It did nothing to the files, just rebooted the computer, and waited for a precise date to attack Microsoft site. I wanted to participate to this huge distributed computing effort.

To do this, no patch was required: just open the control panel, clic on ugly icons, and go to the RPC panel. Here, I was surprised to see that the main annoying comportment of this worm was due to a default windows setting!

The default option on RPC failure is to "restart computer"! So I chose the "restart service" option for every failure and that worked fine! All my friends could now live with this worm and contribute to this distributed computing effort!

Default options in Windows are users' worst choices: restart the computer on every failure!! The most funny, an stupid, one is the default restart computer on... boot failure!

To Fix every virus under Windows, put a Knoppix CD in your box and then restart your computer for the last time.

Re:Missing the point

[gerardrj]

Well, there are three problems with windows update which IMO takes significant blame away from the users:

1. Microsoft's update system has been less than simple to date. Ex:
Update 00dflkjsd_9 - fixes a flaw in some obscure dll which you have no idea if you use or even have installed. Only install this update if you are having problems with some arbitrary function after installing update fskjsdf_3. ( I have no idea what update fskjsdf_3 IS, never mind if I've had trouble with it. If I install this anyway, will it cause me trouble that it was trying to fix?)
Yea, I made it up, but that's my impression of some items I've seen the few times I've had to update a windows machine. (I run OS X myself). This is compounded by MS's apparent refusal or inability to "roll up" updates in to "service packs" on a regular basis.

2. You have, until recently, been forced to launch MSIE and specifically visit WindowsUpdate to check for updates, Only MSIE works and there was no automated checking feature. To my knowledge auto-check is only available in XP. The large number of users in corporations don't have any need to upgrade from 2000, or 98/95 and don't have the auto-check feature.

3. Once you are at the site and see there are updates to install, you might have to reboot the system several times. MS is quite fond of "exclusive installers" where you can only choose the one update to install, then reboot and move on to others. From a clean install, this will usually require at least three reboots on an XP box. For a small home machine this may only take two minutes per reboot, but for self monitoring servers a reboot can take up to 10 minutes what with memory tests, system checks, RAID startup, clock syncing, etc.

The questions I have for Microsoft are:

Why can't you issue a service pack for XP already? All the patches are verified, just apply them cumulatively in a single unified installer.
Why aren't the existing patches on the new CDs and systems that people are purchasing? Surely MS has the clout to force the integrators to apply existing patches before shipping a system. There's absolutely no reasonable excuse for a brand new system from HP, Dell, or Gateway to arrive with security holes that were identified and patched two years ago.