Blaster
Blaster is a 2003 Windows worm, also referred to as LoveSan.B in some reporting. It rapidly infected unpatched Microsoft Windows 2000 and Windows XP systems by exploiting a publicly disclosed vulnerability in the Windows RPC service, so a machine could be compromised without its user opening an email attachment. The worm propagated by scanning, or spamming itself to, large numbers of random IP addresses, causing widespread disruption and accounting, along with Slammer and Sasser, for a large share of incidents in the 2002–2006 period. The sources collected here also note that the vulnerable code existed in Windows Server 2003, but that Blaster did not successfully infect that platform because the /GS compiler security flag detected the buffer overrun and caused the RPCSS process to terminate. Blaster affected operational environments beyond enterprise IT: cited reporting says related systems were infected during the 2003 U.S. East Coast blackout, and SCADA-related material states the worm spread into oil production environments after a notebook was connected during troubleshooting, causing production outages and millions of dollars in lost revenue. A modified Blaster variant was linked to Jeffrey Lee Parson, who admitted editing the original worm, adding a Trojan backdoor for access to infected computers, and releasing the modified version into the wild. Court papers cited in the sources further say the original Blaster worm was created after the Chinese hacking collective Xfocus reverse engineered a Microsoft patch. High-confidence aliases and related names directly mentioned in the sources include Blaster and LoveSan.B.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A US teenager has been arrested under suspicion of creating the Blaster or LoveSan.B virus, and court papers reveal intriguing details about the origin of the Blaster worm. Jeffrey Lee Parson, 18, has admitted modifying the original Blaster worm using a text editor, adding a Trojan to allow backdoor access to infected computers and releasing it into the wild.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Initial Access: 1 technique
Execution: 2 techniques
The code which Blaster took advantage of was in the released version of Windows 2003 :( but the worm itself did not infect Windows Server 2003 machines, here's why: the /GS flag. The buffer-overrun was detected by the -GS handling code, which caused the OS to shut the RPCSS process down.
Privilege Escalation: 1 technique
Stealth: 1 technique
Discovery: 1 technique
Lateral Movement: 1 technique
Blaster first appeared on Monday and quickly spread to computers worldwide by exploiting a known security vulnerability in Microsoft’s Windows operating system. By Friday, the worm, which targets a Windows component for handling RPC (Remote Procedure Call) protocol traffic called the Distributed Component Object Model (DCOM) interface...
Impact: 1 technique
In addition to infecting vulnerable Windows machines, the Blaster worm was programmed to launch, beginning on Saturday, a denial of service (DoS) attack against windowsupdate.com, an Internet domain owned by Microsoft and used to distribute software updates to Windows customers.
Recent activity
32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A worm mentioned only in reference to historical coverage by the article's author.
A worm mentioned only in the author's biography as a past reporting topic; no operational details are provided in the article body.
A worm mentioned only in the author's biography as a past coverage topic; no operational details are provided in the article content.
A worm mentioned only in passing as part of the author's prior coverage history.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.