More than two years after Blaster turned the summer of 2003 into an IT administrators worst nightmare, the worm is still very much alive and there are fears within Microsoft that thousands of Windows machines will never be completely dewormed.
According to statistics culled from Microsofts Windows malicious software removal tool, between 500 and 800 copies of Blaster are removed from Windows machines per day.
“The continued prevalence of [Blaster] is likely due to infected computers which, for one reason or another, will never be updated or disinfected. These computers will serve as eternal carriers for the worm,” says Matthew Braverman, a program manager in Microsofts Anti-Malware Engineering Team, the unit at Redmond responsible for updating the free worm-zapping tool.
In a case study on Blaster presented to the Virus Bulletin conference in October, Braverman said Blaster ranked in the top five of the most prevalent worms removed by the anti-malware utility, which ships on Patch Tuesday every month.
Braverman said 79 percent of the removals were made from Windows XP Gold and 21 percent from Windows XP SP1.
On Windows XP SP2, infections are almost nonexistent, Braverman said, pointing out that XP SP2 systems went through a major post-Blaster security overhaul that means those systems cannot be infected through Blasters main replication vector.
“In fact, it is surprising that the Windows XP SP2 removal number is greater than zero; this is likely due to malware that replicates through other mechanisms (for example, e-mail) and drops MSBlast on a computer,” Braverman said.
The statistics also show a similar pattern for the Sasser worm that rocked corporate networks last year.
Overall, of the 25 malware families listed in Bravermans case study, most were removed from Windows XP systems that had not been upgraded with SP1 or SP2.
Jason Garms, architect and group program manager on the Anti-Malware Technology Team, believes the hundreds of daily Blaster removals are actually “reinfections” on machines that go back to an unpatched state.
In an interview, Garms said Blaster reinfections occur when Windows users reinstall the operating system from original media or roll back an OS install to a state where the Blaster patch is removed.
Even so, Garms said actual removals of Blaster were trending downward. When the case study was prepared, the tool was deleting 800 copies of the worm a day. Today, that number is closer to 500 a day and continuing to go down.
The Sasser worm, too, was less prevalent over time, moving from 12th on the case study list to 18th in early December.
The low rate of Blaster and Sasser detections on machines running Windows XP SP2 is a nod to Microsofts heavy investment on hardening the OS, Garms said.
One of the key additions to SP2 was an improved firewall that is turned on by default.
“We improved the functionality of the firewall and saw an immediate benefit to defend against malware that exploit network vulnerabilities.”
Garms also preached the gospel of turning on automatic updates to suck down security patches on Windows systems.
“The vast majority of SP2 users have turned it on, and we continue to encourage customers to turn on auto updates during the installation process.”
Jose Nazario, a security engineer at Arbor Networks Inc., has also been tracking the prevalence of Blaster two years after the worm outbreak and says it is rather surprising that Microsoft is still removing hundreds of copies a day.
“Blaster is no longer globally disruptive, so it has slipped our minds, but these numbers show that its still around. My feeling is that those are mainly infected home users, mostly on dial-up connections that never got around to patching and are finally getting the [worm removal] tool installed,” said Nazario, who also runs the Worm Blog.
In an interview with Ziff Davis Internet News, Nazario said the Microsoft white paper presents a very “telling picture” of the chunk of users still running the gold version of Windows XP, which is full of serious security holes.
“It tells us that theres a large chunk of the population that have not upgraded yet to SP1 or SP2 and theyre not downloading patches or even using auto-updates,” Nazario said.
“Based on those numbers, Blaster isnt going to go away anytime soon,” he said, noting that his own research has shown that Blaster infections have successfully transitioned to new hosts.
“We keep seeing the hosts change as the original systems are cleaned or shut off,” Nazario said.
