
Win32/Blaster: A Case Study From Microsoft's Perspective

The Blaster worm is back, and bigger and badder than ever! No, not really, but there has been a lot of press about it lately. Most of it is centered around a paper from Microsoft that appeared at VB Conference 2005 recently.

On August 11, 2003, the world of mobile malicious code changed with the release of the Blaster worm. Using a vulnerability in the Microsoft Windows 2000 and Windows XP operating systems to infect a computer, the threat replicated to more computer systems than any other malicious software in history.

Since the release of Blaster almost two years ago, Microsoft has invested considerable resources in reducing the number of users infected with this threat, in addition to putting mechanisms in place to help prevent the class of vulnerability that Blaster exploited.

This white paper provides deeply quantitative details and statistics that Microsoft has observed regarding the initial and continued effects of the worm on the global computing infrastructure and Internet users worldwide.

This white paper was originally presented at the 2005 Virus Bulletin Conference in Dublin, Ireland, on October 7, 2005.

Source: Win32/Blaster: A Case Study From Microsoft's Perspective, Matthew Braverman.

The followup press has been pretty interesting, too. See the following:

Analysis and Comments

I think the most telling piece is Table 3 in the Microsoft paper, namely how the different kinds of malware identified and removed by Microsoft have been found across different Windows XP versions. Remember that XP Gold is the original release of XP, and that XP SP2 introduced a number of security fixes that prevent worms like Blaster from spreading. Two things about that table are striking. First, XP SP2 has had a real impact on malware on Windows, which was one of the major goals of the project; you cannot ignore that fact. Second, not all kinds of malware are equally affected: Trojans and user-loaded malware (installed by hook or by crook) seem unaffected by XP SP2. Microsoft has a long way to go in stopping such attacks.

And finally, in that eWeek piece by Ryan, I had sworn I had said "It's not surprising that MS is removing hundreds of copies a day". In all of our studies we have always been about 10-fold below what Microsoft had said was Blaster's population. But, I can't say I'm that surprised by the number of "800 a day", given the numbers we measured.

Thanks to RL and RN for their heads-up on the follow-up articles to this paper.

December 6, 2005 in Blaster, editorial, microsoft, papers

Comments

Great, interesting read.

FWIW: Might want to look at "Defeating Polymorphism: Beyond Emulation White Paper" which is listed on same page under "What Others Are Downloading" or found here: http://www.microsoft.com/downloads/info.aspx?na=47&p=1&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=A66EA079-9180-4D4F-A8AF-269486D3217B&u=details.aspx%3ffamilyid%3d6DE14561-9EDB-49A5-95D6-213AF6C5D421%26displaylang%3den

Posted by: tats | Dec 7, 2005 1:39:47 PM
