Like clockwork, most worms are released after a known vulnerability is announced. MSBlast, like most other worms, came shortly after the announcement of a DCOM Remote Procedure Call (RPC) vulnerability in Windows NT, 2000, and XP systems. MSBlast does the typical things worms today do: it scans for IP addresses and then infects the vulnerable machines that it finds.
On 16 August, MSBlast began flooding Windowsupdate.com with a denial of service attack. One important difference between MSBlast and previous worms is that MSBlast uses DNS. This minor enhancement means that simply changing the IP address for Windowsupdate.com wasn't sufficient to keep it from being targeted.
The good news was that MSBlast didn't hurt Microsoft because it didn't have the correct hostname for the Windows Update Web site. In fact, MSBlast was programmed to attack the wrong Web site.
The Windows Update Web site is Windowsupdate.microsoft.com, not Windowsupdate.com. Microsoft had been redirecting HTTP requests from Windowsupdate.com to the correct location but wisely stopped doing so. As an added bonus, it removed the DNS entry for Windowsupdate.com entirely so the MSBlast worm wouldn't issue requests and clog up Internet traffic. The result was that MSBlast basically did nothing to affect Microsoft, except perhaps infect new machines and generally cause headaches for network and system administrators worldwide.
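The worm's reliance on a DNS lookup also gives defenders a signal: an internal host that keeps resolving Windowsupdate.com, rather than the real update hostname, is worth checking for infection. The sketch below is an added example, not part of the original article; the log format, addresses, and threshold are constructed assumptions.

```python
from collections import Counter

# Name the worm resolves, per the article; the real update site is a different host.
WORM_TARGET = "windowsupdate.com"

# Constructed sample resolver log (hypothetical format): "<time> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2003-08-16T00:00:01 10.0.0.5 windowsupdate.com A
2003-08-16T00:00:01 10.0.0.7 windowsupdate.microsoft.com A
2003-08-16T00:00:02 10.0.0.5 WindowsUpdate.com. A
2003-08-16T00:00:02 10.0.0.9 www.example.org A
2003-08-16T00:00:03 10.0.0.5 windowsupdate.com A
2003-08-16T00:00:04 10.0.0.8 windowsupdate.com A
malformed line
2003-08-16T00:00:05 10.0.0.7 v4.windowsupdate.microsoft.com A
"""

def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()

def count_target_queries(log_text, target=WORM_TARGET):
    """Return a Counter of client IP -> number of A queries for exactly `target`."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, qname, qtype = fields
        # Exact match only: windowsupdate.microsoft.com is the legitimate site.
        if qtype == "A" and normalize(qname) == target:
            hits[client] += 1
    return hits

def suspect_hosts(log_text, min_queries=2):
    """Clients at or above the threshold (an assumed value); a single lookup
    may just be a person typing the old name into a browser."""
    hits = count_target_queries(log_text)
    return sorted(ip for ip, n in hits.items() if n >= min_queries)

if __name__ == "__main__":
    for ip in suspect_hosts(SAMPLE_LOG):
        print(ip, "repeatedly resolves", WORM_TARGET)
```

Because the name no longer resolves, these queries fail at the resolver, so the resolver's own query log is the place to look rather than outbound traffic to the update site.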
We'll probably never know whether the authors of MSBlast intended to have their worm thwarted like this, but I find it difficult to believe this was a mistake. Anyone who's clever enough to release a worm onto the Internet isn't likely to make such a ridiculous error. And you can be sure the next worm from whoever wrote this one isn't going to be easily sidestepped.






Talkback
Also notable is that Microsoft ducked behind Akamai's Linux-based caching service.
I certainly hope you're joking when you're stating this:
"We'll probably never know whether the authors of MSBlast intended to have their worm thwarted like this, but I find it difficult to believe this was a mistake. Anyone who's clever enough to release a worm onto the Internet isn't likely to make such a ridiculous error."
Sentences like "difficult to believe this was a mistake" and "clever enough to release.."? I'm sorry, but, please! Everybody who knows how to access the Internet knows there's a bunch of toolkits out there where you're able to create viruses for known security flaws using drag&drop. You only need to change a couple of parameters and you're on your road down the criminal path.
*Of course* they did intend to take down Windows Update ... and they failed big time because they were too stupid, like the rest of the virus-"authors" out there.