Decompiled Source For MS RPC DCOM Blaster Worm
Originally from Robert Graham, this is the Blaster worm's decompiled source code. You can see how simple it is, and how easy it is to reconstruct a worm for an arbitrary exploit using this codebase: just drop in a new exploit and retarget it. However, Blaster's efficiency was somewhat diminished by its use of a TFTP file transfer to move the worm executable around rather than direct injection. Compare Blaster (August 2003) with Sasser (May 2004) to see how well that mechanism still works, which is to say that it is less effective than it was originally.
This file contains source code for the "msblast.exe" worm that was launched against the Internet on August 10, 2003.
This "source-code" was decompiled using "IDApro", an "interactive disassembler". IDA is the most popular tool for inspecting binary files. Note that IDA doesn't create the source itself, but just helps understand the binary so that source can be discovered.
Disclosing the source to Blaster will not help blackhats. The Blaster worm is not very good. However, it is useful for whitehats to have a complete dissection of the worm.
Source: Decompiled Source For MS RPC DCOM Blaster Worm, originally from Robert Graham.
May 13, 2005 in Blaster, malware, tools
Comments
The TFTP weakness is a real one.
If you want other interesting decompilations, look at Slammer and Witty (~400 bytes of instruction can create a global incident) and at original Code Red (it's ugly, but effective, and as it is position-independent code, doesn't require anything like TFTP), and Scalper/Slapper (no decompilation necessary, as the worm is C code compiled on the target. Slapper reused the Scalper source code). Google for these and you can find 'em.
Posted by: Nicholas Weaver | May 13, 2005 11:31:56 AM
Is the disassembler good for VB binaries?
Posted by: another worm writer | Jul 14, 2005 2:21:55 PM
What's this?
Posted by: sNp | Aug 19, 2005 1:03:10 AM
The link is now dead. (May 8th 2006) Right now you can find it at http://www.eviloctal.com/forum/htm_data/23/0408/1487.html
Posted by: Andy | May 8, 2006 10:15:41 PM
All the links here are dead. Can anyone post the right link?
Posted by: ritesh ranjan | Jan 29, 2010 4:36:18 AM