'MSBlast' / LovSan Write up
Also Known As:
W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Posted to www.able2know.com (this can be freely distributed with no restrictions).
History of this exploit/worm:
Around July 16th the Last Stage of Delirium (Polish 'White Hat' hackers) created 'proof of concept' (i.e. they actually executed a theoretical exploit) code to exploit a stack buffer overflow vulnerability in "Windows 2000 (sp 1-4), Windows XP (sp 1) and Windows 2003 Server (regardless of the service packs installed)" (http://lsd-pl.net/special.html). Special thanks go out to LSD for their responsibility in not releasing their code. Microsoft also thanks them. A pity their responsibility made little difference.
An American hacker and a Chinese hacking group (XFocus) released code for this exploit on July 25th (http://www.xfocus.org/documents/200307/2.html). They had no code or special information to work with, proving that malicious code can be created quickly from very vague details, even without disclosure of the exploit's details. They only released code to work on 3 Windows operating systems, but the code can easily be modified for use on the other vulnerable systems.
HD Moore (founder of the Metasploit Project) modified the code to exploit 7 operating systems. "I don't like broken exploits, so I fixed it," he said. He posted the code on a machine he hosted, which was inundated with traffic and taken offline. He had planned to disseminate the code from a web server, but I did not verify that it has happened.
The release of code to execute this exploit gave system administrators little time to patch, and home users, who are typically slower to do so, even less.
Soon exploit tools were released allowing hackers to send commands through IRC networks. On Aug 2nd the first traces of these attack programs were found, but they were not worms: they did not self-propagate.
The next step was for someone to create a worm to tie into this exploit.
With the DefCon hacker convention on the weekend of Aug 2 and 3, it was widely expected that a worm utilizing this exploit would be released (not necessarily by people attending DefCon, but simply because of the attention to hacking that the conference brings). The Department of Homeland Security issued an alert on Aug 1st, and the Federal Computer Incident Response Center (FedCIRC), the National Communications System (NCS) and the National Infrastructure Protection Center (NIPC) were keeping an eye out for the exploits.
The worm became an internet threat yesterday (Aug 11th). It was named "MSBlast" by its author. The Internet Storm Center (http://isc.incidents.org/) has claimed that it is spreading quickly (my anecdotal evidence backs this up). By midafternoon on Aug 11th at least 7000 machines had been compromised, according to CNET.
This worm has not yet reached its peak. It will be fine-tuned by other hackers and modified to become more dangerous. This morning some hackers were already claiming to do so in some IRC channels.