FLX
DECOMPILED SOURCE FOR MS RPC DCOM BLASTER WORM
<http://robertgraham.com/journal/030815-blaster.c>

This file contains source code for the "msblast.exe" worm
that was launched against the Internet on August 10, 2003.

This "source-code" was decompiled using "IDApro", an
"interactive disassembler". IDA is the most popular tool
for inspecting binary files. Note that IDA doesn't create
the source itself, but just helps understand the binary
so that source can be discovered.

Disclosing the source to blaster will not help blackhats.
The Blaster worm is not very good. However, it is
useful for whitehats to have a complete dissection of the
worm.

BUFORD is the pseudonym I give to the blackhat hacker who
wrote the worm. Many of my comments in the code talk about
conjectures I make about Buford.

This document contains many spelling and grammatical
errors. Also, while I have compiled it in order to see
how close I can get the binaries to match, I haven't
actually run it (and please don't compile/run it).


Why so slow?
The MS-RPC/DCOM vuln was the "worst-case-scenario" as far
as bugs go. It was the first "remote-hole" in the
"default-install" of a "desktop" operating system. Such
"remote-holes" in "servers" are the most popular for
hacking. Nimda, CodeRed, and Slammer were all exploits
of "remote-holes" -- but since these bugs were in
optional components (web service, database) on desktops,
they didn't have the same reach as Blaster.


Blaster failed to take advantage of this fact. It was the
"best-case scenario" for a worm. A normal worm would have
taken down the Internet for a few hours -- Blaster couldn't
have. For example, Buford (the programmer) didn't
acknowledge the TFTP packets, which meant that as more
congestion happened on the Internet, the less often Blaster
would successfully transfer itself to the new machine.
As a result, Blaster disabled the MS-RPC/DCOM service
on most machines rather than breaking into them, and it
didn't cause congestion problems on the Internet backbone.

Vulnerability references:
MS03-026
<http://www.microsoft.com/technet/security/bulletin/MS03-026.asp>
CA-2003-16
<http://www.cert.org/advisories/CA-2003-16.html>
CVE-2003-0352
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0352>
VU#568148
<http://www.kb.cert.org/vuls/id/568148>
win-rpc-dcom-bo
<http://xforce.iss.net/xforce/xfdb/12629>
Bugtraq-8205
<http://www.securityfocus.com/bid/8205>
IAVA 2003-A-0011
<http://infosec.navy.mil/pub/docs/advisories/FWIDS/IAVA_2003-A-001.doc>
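The TFTP point made in the post above (a receiver that does not take part in the DATA/ACK lock-step cannot survive a single lost packet, so its success rate collapses as congestion rises, while an RFC 1350 receiver that ACKs and tolerates retransmission completes the transfer) can be made concrete with a small simulation. This is an added example, not code from the original post and not the Blaster/msblast source. It models only the DATA/ACK exchange of RFC 1350 (no RRQ, no wire format, no port handling); the loss rates, the 6144-byte sample file, the retry limit and the random seeds are constructed assumptions for the demonstration.

```python
"""Simulated TFTP (RFC 1350) DATA/ACK lock-step over a lossy channel.

Added example: not from the original post and not the Blaster/msblast
source.  Only the DATA/ACK exchange is modelled (no RRQ, no wire format);
loss rates, file contents, retry limit and seeds are constructed.
"""
import random

BLOCK_SIZE = 512  # RFC 1350 data block size


def split_blocks(data: bytes) -> list:
    """Cut a file into DATA blocks.  A block shorter than 512 bytes (possibly
    zero-length) marks the end of the transfer, as in RFC 1350."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")  # zero-length final block signals EOF
    return blocks


class LossyChannel:
    """Drops each packet independently with probability loss_rate (constructed model)."""

    def __init__(self, loss_rate: float, seed: int):
        self.loss_rate = loss_rate
        self.rng = random.Random(seed)

    def delivers(self) -> bool:
        return self.rng.random() >= self.loss_rate


def transfer_rfc1350(data: bytes, channel: LossyChannel, max_retries: int = 8):
    """RFC 1350 lock-step: the sender resends DATA n until it sees ACK n; the
    receiver ACKs every DATA it gets and discards duplicate copies.
    Returns (bytes received, completed?)."""
    received = bytearray()
    expected = 1
    for n, blk in enumerate(split_blocks(data), start=1):
        acked = False
        for _attempt in range(max_retries + 1):
            if not channel.delivers():      # DATA n lost: sender times out, resends
                continue
            if n == expected:               # first copy of DATA n: keep it
                received += blk
                expected += 1
            # duplicate copies (our earlier ACK was lost) are re-ACKed, not re-appended
            if channel.delivers():          # ACK n reaches the sender
                acked = True
                break
            # ACK lost: sender times out and resends the same DATA n
        if not acked:
            return bytes(received), False   # sender gives up after max_retries
    return bytes(received), True


def transfer_no_ack(data: bytes, channel: LossyChannel):
    """Model of a receiver that never ACKs and never waits for a retransmission:
    it takes whatever arrives in one pass, so the first lost DATA block
    truncates the file and the EOF block never arrives."""
    received = bytearray()
    for blk in split_blocks(data):
        if not channel.delivers():
            return bytes(received), False
        received += blk
    return bytes(received), True


def success_rate(transfer, data: bytes, loss_rate: float, trials: int = 200, seed: int = 1) -> float:
    """Fraction of trials in which the transfer completed with the file intact."""
    ok = 0
    for t in range(trials):
        got, done = transfer(data, LossyChannel(loss_rate, seed + t))
        if done and got == data:
            ok += 1
    return ok / trials


# Constructed sample file: 6144 bytes = 12 full blocks plus the empty EOF block.
SAMPLE_FILE = bytes(range(256)) * 24

if __name__ == "__main__":
    for loss in (0.0, 0.05, 0.10, 0.20):
        print(f"loss {loss:4.0%}: rfc1350 {success_rate(transfer_rfc1350, SAMPLE_FILE, loss):.2f}"
              f"  no-ack {success_rate(transfer_no_ack, SAMPLE_FILE, loss):.2f}")
```

Running it prints one line per loss rate: the no-ack column falls toward zero as loss rises (with 13 packets to receive, roughly 0.9^13 at 10% loss), while the lock-step column stays at or near 1.00 because every lost DATA or ACK is simply retried. That gap is the mechanism the post blames for Blaster spreading worse, not better, once it had congested the links it depended on.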
linuxwolf
Looks useful. Thanks :]. Good for the white hats here, the few and far between.. ;P
AgentOrange
I guess it goes to show you that it doesn't take a genius to write a worm. I don't understand why the punishment for writing a worm is so steep; this goes to show you that it isn't hard.

peace
lipton
QUOTE(AgentOrange @ Feb 27 2005, 01:25 AM)
I guess it goes to show you that it doesn't take a genius to write a worm. I don't understand why the punishment for writing a worm is so steep; this goes to show you that it isn't hard.

peace

I would guess because those types of worms cause thousands of dollars of damage and lost revenue.
aelphaeis_mangarae
QUOTE
I would guess because those types of worms cause thousands of dollars of damage and lost revenue.


It supposedly did hundreds of billions of dollars worth of damage.
westcoast86
spam - old old code..........
FLX
then why bother to reply?
spamm0r

FLX
satknis
Yes, old, but not detected! If anyone edits it with some offsets it would do the same
thing that it did before!
FLX
Oh, you're really thinking the wrong way.

#1 blocked on every network

#2 it's a worm, it causes millions in damage. This is for forensic purposes only

#3 you didn't even write it. You have no right to use it.

#4 incomplete.
satknis
#1 do you really think all networks block these actions? btw, wasn't there a guy who bypassed fws in minutes?

#2 I just said that it is undetected. All AVs should know how to detect it.

#3 you're right, I didn't write it, but if I'm an asshole (I said if!) I would use it anyway!
I can use it! But I don't use it because it isn't good enough and I don't need it!

#4 could easily be completed, but it's just a waste of time to complete this worm.

cya
Black_hat
Nov 30 2003, 11:26 AM
Decompiled Source For Ms Rpc Dcom Blaster Worm

http://www.governmentsecurity.org/forum/in...?showtopic=4726

For more replies

Black_Hat
westcoast86
QUOTE(westcoast86 @ Apr 1 2005, 09:12 AM)
spam - old old code..........

'coz you're a stupid stupido stuppor! happy now?
it's all cushtie now, m8.