The MSBlast, or Blaster, worm spread to more systems than any other piece of malicious software in history and led to significant changes in Microsoft's handling of security, a member of the company's anti-malware response team stated in a recently released paper.
The worm, which started spreading on August 11, 2003, compromised systems using a vulnerability in Microsoft Windows 2000 and Windows XP. More than 5 months later, the software giant released the Windows Blaster Worm Removal Tool. Windows Update offered the tool to people whose computers exhibited signs of the MSBlast worm, a group numbering more than 25 million unique computers in the six months following the tool's release, Matthew Braverman, program manager for Microsoft's anti-malware technology team, wrote in the paper.
The impact on Microsoft was enormous, Braverman stated in the paper.
"In the first five days after the release of MSBlast, Microsoft's Customer Service and Support organization received over three million calls--only a small subset of which were answered--from end-user and enterprise customers," Braverman wrote in Win32/Blaster: A Case Study from Microsoft's Perspective. Braverman gave the paper at the 2005 Virus Bulletin Conference in October, but Microsoft only released the paper publicly on December 1.
Initial analysis of the spread of MSBlast using sensor networks estimated that the worm had infected at most 500,000 systems. In April, early data from Microsoft showed that the scope of the worm was actually almost 20 times higher. With the latest data, Microsoft can reliably say that more than 25 million computers have been infected with MSBlast and, of those, approximately 12 million have been cleaned using the company's free tool.
The extent of the spread convinced Microsoft to create its Anti-Virus Reward Program program and expand its release of the removal tool for other types of malicious code. While the bounty has produced a notable success by leading to the author of the Sasser worm, the only break in the MSBlast case involved the arrest and conviction of a teenager that modified the original worm to create a minor variant.
Posted by: Robert Lemos