A'ight. Did some more digging myself in the meantime and there's not a lot to be found about this. The only responses I saw were people brushing this off as a side effect of Blaster attacking windowsupdate.com. The explanation is that some DNS servers (hosts file?) are (mis)configured to return 127.0.0.1 when queried for windowsupdate.com. That would stop the attack from ever reaching the intended site. Blaster then sends a SYN to 127.0.0.1:80 with a spoofed source and doesn't get very far. So far so good. I can understand that. Unfortunately the resulting RST packets are sent to the spoofed address/ports, which happen to be ours. But why on earth are these RST packets with source address 127.0.0.1 routed to the rest of the world? Why does it even leave the infected machine? Seems odd. I cannot see any reason for responses to packets sent to the loopback address to even be able to leave the local machine. Isn't localhost the only one able to send something to localhost? Or is this some TCP/IP stack implementation feature?