[GTER] Re: W32/Blaster worm

Marcello de Lima Azambuja azambuja at lpc.ufrj.br
Tue Aug 12 00:02:22 -03 2003


Apenas complementando a mensagem da Liliana e do Klaus, segue o link e advisory
do SANS Institute:

http://isc.sans.org/diary.html?date=2003-08-11

O worm espalhou muito rápido, pelo jeito os administradores que não fizeram a
atualização vão ter muito trabalho essa semana. Desde as 18hs de hoje (08/11)
já recebi 574 tentativas de conexão apenas na porta 135 da minha conexão a
cabo virtua. :)

marduk:/var/log# cat daemon.log |grep -i "port 135 connection attempt" | wc -l
    574

Tenho uma cópia do worm aqui, caso alguém esteja interessado em analisar
também.

Falou,

-- 
Marcello de Lima Azambuja
PGP Key: FEC9 32F3 6CF4 FC57 75D9  06CF B959 F95E A5B5 649F



  Handlers Diary August 11th 2003

   Updated August 11th 2003 20:10 EDT

RPC DCOM WORM (MSBLASTER)

   This RPC DCOM worm started spreading early afternoon EDT (evening
   UTC). At this point, it is spreading rapidly.

   Increase in port 135 activity:
   http://isc.sans.org/images/port135percent.png

   **********
   NOTE: PRELIMINARY. Do not base your incidents response solely on this
   writeup.
   **********

   Executive Summary:
   A worm has started spreading early afternoon EDT (evening UTC Time)
   and is expected to continue spreading rapidly. This worms exploits the
   Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003. The
   SANS Institute, and Incidents.org recommends the following Action
   Items:

   * Close port 135/tcp (and if possible 135-139, 445 and 593)
   * Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the
   worm for activity related to this worm.
   * Ensure that all available patches have been applied, especially the
   patches reported in Microsoft Security Bulletin MS03-026.
   * This bulletin is available at
   http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
   * Infected machines are recommended to be pulled from the network
   pending a complete rebuild of the system.

   Technical Details:
   Names and Aliases: W32.Blaster.Worm (symantec),W32/Lovsan.worm
   (McAfee), WORM_MSBLAST.A (Trend Micro),Win32.Posa.Worm (CA),Lovsan
   (F-secure), MSBLASTER,Win32.Poza.

   Infection sequence:
   1. SOURCE sends packets to port 135 tcp with variation of dcom.c
   exploit to TARGET
   2. this causes a remote shell on port 4444 at the TARGET
   3. the SOURCE now sends the tftp get command to the TARGET, using the
   shell on port 4444,
   4. the target will now connect to the tftp server at the SOURCE.

   The name of the binary is msblast.exe. It is packed with UPX and will
   self extract. The size of the binary is about 11kByte unpacked, and
   6kBytes packed:

   MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

   So far we have found the following properties:

   - Scans sequentially for machines with open port 135, starting at a
   presumably random IP address
   - uses multiple TFTP servers to pull the binary
   - adds a registry key to start itself after reboot

   Name of registry key:
   SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto
   update'

   Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your soft
ware!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   Existing RPC DCOM snort signatures will detect this worm. The worm is
   based on dcom.c

   Once you are infected, we highly recommend a complete rebuild of the
   site. As there have been a number of irc bots using the exploit for a
   few weeks now, it is possible that your system was already infected
   with one of the prior exploits. Do not connect an unpatched machine to
   a network.

   The worm may launch a syn flood against windowsupdate.com on the 16th.
   It has the ability to infect Windows 2000 and XP.

   The worm uses the RPC DCOM vulnerability to propagate. One it finds a
   vulnerable system, it will spawn a shell on port 4444 and use it to
   download the actual worm via tftp. The exploit itself is very close to
   'dcom.c' and so far appears to use the "universal Win2k" offset only.

   Other References:
   http://www.cert.org/advisories/CA-2003-19.html
   http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
   https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
   http://www3.ca.com/virusinfo/virus.aspx?ID=36265
   http://www.datafellows.com/v-descs/msblast.shtml
   http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
   http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
   http://www.sophos.com/virusinfo/analyses/w32blastera.html
   http://xforce.iss.net/xforce/alerts/id/150
   http://vil.nai.com/vil/content/v_100547.htm

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <https://eng.registro.br/pipermail/gter/attachments/20030812/de105652/attachment.sig>


More information about the gter mailing list