Educause Security Discussion mailing list archives

Identifying Blaster worm (and possibly variants?)


From: "Jon E. Mitchiner" <jon.mitchiner () GALLAUDET EDU>
Date: Tue, 19 Aug 2003 10:41:45 -0400

I was looking for a way last week to be able to automatically identify
someone who is infected with the blaster worm and take appropriate action
quickly.  I found the easiest way to do this was to monitor the DNS servers.

I tried following Symantec's suggestion to make a DNS entry for
windowsupdate.com -- this didn't work because Blaster spoofed the IPs,
making it difficult and too time-consuming to track the origin.

While I was monitoring the DNS server I noticed a strange characteristic
with the Blaster worm.  The worm would initially attempt to look up
"windowsupdate.com".  This could also be an individual who mis-typed the
website as windowsupdate.com rather than windowsupdate.microsoft.com.  The
strange thing is when the lookup for windowsupdate.com fails -- blaster
appends the domain name next.  For instance our domain name is
Gallaudet.edu -- blaster would then look up
"windowsupdate.com.gallaudet.edu".  If anyone looks up this address at
Gallaudet we assume immediately they are probably infected with the blaster
worm.

This has made identification a lot easier, especially when students are
plugging in their computers in their dorms after they were infected elsewhere
(e.g. from their home, etc.).

I hope this helps someone.

Jon Mitchiner
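An added example (not part of Jon's message) of turning this observation into a check over DNS query logs: it flags a client as a strong indicator when it queries windowsupdate.com with the local search domain appended, and only a weak one when it queries bare windowsupdate.com (which, as the post notes, may just be a typo). It assumes BIND-style query-log lines; the log below is constructed sample data, and the search domain is passed in as a parameter.

```python
import re

# Constructed sample lines approximating BIND's query-log format (not real logs).
SAMPLE_LOG = """\
19-Aug-2003 09:12:01.001 client 10.20.1.15#1034: query: windowsupdate.com IN A +
19-Aug-2003 09:12:01.004 client 10.20.1.15#1035: query: windowsupdate.com.gallaudet.edu IN A +
19-Aug-2003 09:13:44.210 client 10.20.7.8#1201: query: windowsupdate.microsoft.com IN A +
19-Aug-2003 09:15:02.330 client 10.20.3.42#1412: query: windowsupdate.com IN A +
19-Aug-2003 09:16:30.900 client 10.20.9.9#1500: query: windowsupdate.com.gallaudet.edu IN A +
"""

# Matches the client address and the queried name in a BIND-style query line.
LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

# Name the worm looks up first; a failed lookup then gets the search domain appended.
BARE_NAME = "windowsupdate.com"


def classify_dns_queries(log_text, search_domain):
    """Return {client_ip: "strong" | "weak"}.

    "strong": the client asked for windowsupdate.com.<search_domain>, the
    search-suffix-appended lookup Jon observed from infected hosts.
    "weak":   the client asked only for bare windowsupdate.com, which can
    also be a user mistyping the Windows Update site.
    """
    suffixed_name = BARE_NAME + "." + search_domain.lower().strip(".")
    verdict = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        ip = m.group("ip")
        name = m.group("name").lower().rstrip(".")
        if name == suffixed_name:
            verdict[ip] = "strong"  # a strong hit always overrides a weak one
        elif name == BARE_NAME:
            verdict.setdefault(ip, "weak")
    return verdict


def probable_infected_hosts(log_text, search_domain):
    """Sorted list of client addresses with a strong indicator."""
    verdict = classify_dns_queries(log_text, search_domain)
    return sorted(ip for ip, level in verdict.items() if level == "strong")


if __name__ == "__main__":
    for ip, level in sorted(classify_dns_queries(SAMPLE_LOG, "gallaudet.edu").items()):
        print(f"{ip:<12} {level}")
    print("probable infected:", probable_infected_hosts(SAMPLE_LOG, "gallaudet.edu"))
```

On a real resolver, run the same check over the query log as it rotates (or feed it from a tail of the log) and pair a strong hit with the DHCP lease table to reach the host.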

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
