Blaster from the past: The worm that zapped XP 10 years ago

The Blaster worm was one in a string of attacks that prompted Microsoft to get serious about security

Ten years ago this week, the Blaster worm swept through Windows XP and Windows 2000 networks, bringing some government agencies to a halt and perhaps contributing to a major power blackout in the Northeast U.S.

Blaster, also dubbed the DCOM Worm and Lovsan, first appeared on Aug. 11, 2003, and exploited a known Windows vulnerability in a component that handled the RPC (Remote Procedure Call) protocol. Microsoft had patched the bug the month before.

The worm targeted Microsoft's Windows Update service and website for a distributed denial-of-service attack (DDoS). But because the hackers aimed at the wrong URL, the attack did not hamper Windows Update's operation.

Its side effect was worse: the exploit triggered a buffer overflow on infected PCs, causing them to display an error message, crash and then reboot. At a minimum, tens of thousands of Windows PCs worldwide were affected.

Blaster also played a small role in the massive Aug. 14, 2003, blackout that knocked out power in parts of eastern Canada and many states in the Northeast and Midwest United States. An estimated 54 million people were affected by the outage.

But the worm's impact was larger than its immediate threat to Windows PCs.

Microsoft reacted to the attacks by issuing Windows XP Service Pack 2 (SP2) in August 2004, a year after Blaster. XP SP2, unlike previous service packs, included new features, among them several dedicated to security.

Some of the other initiatives, including a famous email that then-CEO Bill Gates issued to the company stressing the importance of security, had preceded Blaster. "When we face a choice between adding features and resolving security issues, we need to choose security," Gates wrote in that memo.

Blaster, in fact, was just one of a string of high-profile, quickly-spreading pieces of malware that hammered Windows machines, especially those running the then-relatively-new Windows XP. In 2001, it had been Code Red and Nimda; in 2002, it was SQL Slammer and then Blaster; and in 2003 along came Sasser.

"It's all a blur," said Wes Miller, now an analyst with Directions on Microsoft but in 2003 a program manager at Microsoft working in the Windows Core OS division.

To Miller, Code Red, Nimda, Slammer, Blaster and Sasser came so hard and fast that they blended into one long nightmare.

"Absolutely," said Miller when asked whether Blaster was one of the events that prompted Microsoft to focus on security in Windows XP SP2. But it wasn't the only worm to do that.

"Nimda was a slap in the face," Miller said of the worm that debuted Sept. 18, 2001, just a week after the terrorist attacks in New York and Washington, D.C. "But we didn't react as fast as we should have. We didn't respond. We should have done Windows XP SP2 before 2004."

Others remembered Blaster as a major milestone in malware, too.

"I'd put Blaster in my top 10 list due to the rapid rate at which it spread and for the huge number of systems it affected," said Andrew Storms, now director of DevOps at CloudPassage, in an email. In 2003, he was with nCircle, a security company that was acquired earlier this year by TripWire. "You have to remember that XP and 2000 were very popular systems at that time. They certainly had the large majority of the PC market share."

The year of Blaster was also when Microsoft kicked off a months-long security project. As part of its then-new Trustworthy Computing initiative -- touted by Gates in his email to the troops the year before -- Microsoft set aside product development to review the code of its operating systems, applications, and tools in a search for security holes.

That was not only a huge project, but had huge implications for most of a decade, as the time off from development was one of the contributing factors to the years-long delay of "Longhorn," the code name for what became Windows Vista, the OS flop that Microsoft put in its past only after it launched Windows 7 in 2009.

"Poor Longhorn," Miller reminisced.

But Blaster and its companions in chaos -- malware then was not financially motivated, but simply destructive -- also turned around Microsoft's security reputation. A laughingstock before Windows XP SP2, Windows security first became, well, not a laughingstock, then to many -- including Storms -- a benchmark for major software vendors.

"We have to remember that host-based firewalls on XP were not a default configuration at the time [of Blaster]," said Storms. "It was not until XP SP2 did users first get a host-based firewall that was part of the operating system. Prior to that, most users who were clued into the value of a firewall had to rely on third-party software. And let's not forget that most users did not have [Windows] Update configured for automatic updates."

Microsoft's ability to focus on security in the wake of Nimda, Slammer, Blaster and other worms should also serve as a reminder to critics who doubt the Redmond, Wash., company's ability to execute, said Miller.

"Microsoft did a 180 on security then," he said. "That shows that maybe they can do it again in consumer technology."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+, or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.