myNetWatchman   KnowledgeBase

Pooling knowledge to
secure the internet.



MSBlast Worm Propagation

As of 2003-08-13 06:00 UTC myNetWatchman has received reports of MSBlast-like scanning (tcp/135) from nearly 200,000 distinct Internet hosts. The chart below maps the progress of MSBlast in 10-minute intervals starting at 2003-08-11 16:00 UTC, which appears to be when the worm was first launched:

Though the number of infected hosts already rivals the biggest worms of the last few years (Code Red, Nimda, Slammer, etc.), it is nowhere near as bad as it could be when you consider that there are likely tens of MILLIONS of systems on the Internet which are vulnerable.

I believe MSBlast's impact has been muted due to several factors:

  • Relatively slow propagation rate. It scans at most 10 IPs/second vs. 100s/second for Code Red/Nimda and 1,000s/second for Slammer.
  • Poor target IP address selection algorithm. A significant number of the IP addresses that MSBlast attempts to infect are reserved, invalid, unroutable, or otherwise bogus.
  • Reliance on Trivial File Transfer Protocol to propagate the worm code. The worm uses TFTP to pull the worm code onto the next potential victim. Though TFTP does have mechanisms to ensure reliable file transfer, it is nowhere near as persistent and reliable as FTP or HTTP, especially when trying to operate under the additional network congestion that the worm itself generated.
  • Swift movement by ISPs to block tcp/135 activity. Because the RPC exploit has been known for several weeks, most major ISPs have been anticipating a major worm release and have had filters at the ready.
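As an added illustration (not part of the original mNW analysis), the following Python script reproduces on constructed sample report lines the two measurements discussed above: it counts distinct tcp/135 sources per 10-minute interval starting at 2003-08-11 16:00 UTC, as the propagation chart does, and classifies scan targets against a simplified, assumed list of reserved and unroutable address blocks. The report line format and the bogon list are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample report lines (not real mNW data): "<date> <time UTC> <src> -> <dst>:<port>/<proto>"
SAMPLE_REPORTS = """\
2003-08-11 16:03:12 203.0.113.5 -> 198.51.100.7:135/tcp
2003-08-11 16:07:45 203.0.113.5 -> 198.51.100.9:135/tcp
2003-08-11 16:08:01 203.0.113.17 -> 0.0.0.0:135/tcp
2003-08-11 16:12:30 203.0.113.17 -> 10.4.4.4:135/tcp
2003-08-11 16:15:59 203.0.113.44 -> 198.51.100.20:135/tcp
2003-08-11 16:16:10 203.0.113.44 -> 198.51.100.21:80/tcp
2003-08-11 16:25:00 203.0.113.99 -> 224.0.0.9:135/tcp
"""
START = datetime(2003, 8, 11, 16, 0, tzinfo=timezone.utc)  # first observed activity
BUCKET = timedelta(minutes=10)
# Assumed, simplified list of blocks no Internet-routed scan should target;
# a real bogon list is longer and changes over time.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def parse_report(line):
    """Parse one report line into (timestamp, src, dst, port, proto)."""
    date, time, src, _arrow, target = line.split()
    dst, port_proto = target.rsplit(":", 1)
    port, proto = port_proto.split("/")
    ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc), src, dst, int(port), proto

def is_bogus_target(ip):
    """True if the target lies in a reserved, private or multicast block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGUS_NETS)

def distinct_scanners_per_bucket(text, port=135, proto="tcp"):
    """Bucket start (UTC) -> number of distinct sources scanning port/proto."""
    sources = defaultdict(set)
    for ts, src, _dst, p, pr in map(parse_report, text.splitlines()):
        if p == port and pr == proto:
            sources[START + BUCKET * ((ts - START) // BUCKET)].add(src)
    return {b: len(s) for b, s in sorted(sources.items())}

def bogus_target_ratio(text, port=135, proto="tcp"):
    """Fraction of scan attempts on port/proto aimed at bogus addresses."""
    hits = [r for r in map(parse_report, text.splitlines())
            if r[3] == port and r[4] == proto]
    return sum(is_bogus_target(r[2]) for r in hits) / len(hits) if hits else 0.0
```

On the sample, the per-bucket counts are 2, 2 and 1 distinct sources, and half of the tcp/135 attempts are aimed at addresses that could never be infected, which is the effect the second bullet describes.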

Credits

These comments are a result of the collaborative research efforts of Philip Sloss, Steve Friedl, Ryan Permeh, and myself, Lawrence Baldwin.