How Blaster Scans

- Semi-random target
  - Scans a /24 from 0-254, not random hosts
  - "Island hopping": 40% of the time, /24 within local /16
  - 60% of the time, random /24
- Scan network for 135/TCP, listen on 69/UDP (TFTP)
- Attempt exploit when connection is found
  - 80% of the time use XP offset, 20% use Win2k offset
- Then connect to 4444/TCP, send commands
- Download msblast.exe via TFTP, start msblast.exe
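
The sequence above leaves a recognisable trace in flow logs: an ordered 135/TCP sweep of one /24, then 4444/TCP to a probed host, then 69/UDP from that host back to the scanner. The following detection sketch is an added example, not part of the original slide; the flow tuple layout, the `sweep_threshold` value and the sample addresses are assumptions, and records are assumed to arrive in time order.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records (src, dst, proto, dport); not real capture data.
SAMPLE_FLOWS = (
    [("10.1.2.50", f"10.1.7.{h}", "tcp", 135) for h in range(0, 40)]
    + [("10.1.2.50", "10.1.7.23", "tcp", 4444),   # command channel to a probed host
       ("10.1.7.23", "10.1.2.50", "udp", 69),     # that host fetches via TFTP from the scanner
       ("10.1.3.9", "10.1.7.5", "tcp", 135),      # ordinary RPC client, single target
       ("10.1.3.9", "10.1.7.5", "tcp", 445)]
)

def detect(flows, sweep_threshold=20):
    """Return {src: {"sweeps": [...], "infections": [...]}} for suspicious sources."""
    probes = defaultdict(lambda: defaultdict(list))  # src -> /24 prefix -> last octets, in order seen
    shell = set()  # (src, dst) pairs with a 4444/TCP connection
    tftp = set()   # (client, server) pairs with 69/UDP traffic
    for src, dst, proto, dport in flows:
        if (proto, dport) == ("tcp", 135):
            packed = ip_address(dst).packed
            probes[src][packed[:3]].append(packed[3])
        elif (proto, dport) == ("tcp", 4444):
            shell.add((src, dst))
        elif (proto, dport) == ("udp", 69):
            tftp.add((src, dst))

    report = {}
    for src, nets in probes.items():
        sweeps = []
        for prefix, octets in nets.items():
            distinct = list(dict.fromkeys(octets))  # drop retries, keep first-seen order
            # Sequential sweep: many distinct hosts in one /24, visited in ascending order.
            if len(distinct) >= sweep_threshold and distinct == sorted(distinct):
                sweeps.append(".".join(map(str, prefix)) + ".0/24")
        # Follow-on: src opened 4444/TCP to a host that then used TFTP against src.
        infections = sorted(d for (s, d) in shell if s == src and (d, src) in tftp)
        if sweeps or infections:
            report[src] = {"sweeps": sweeps, "infections": infections}
    return report

if __name__ == "__main__":
    for src, finding in detect(SAMPLE_FLOWS).items():
        print(src, finding)
```

The ascending-order test is what separates this pattern from random-host scanning; if the flow source does not preserve ordering, drop that condition and rely on the distinct-host count plus the 4444/TCP and 69/UDP correlation.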