Site New Answers Search Boards ILM ILE Answers New Question New Questions New Poll Blog View Register Login

New Windows Worm (AKA WHY IS MY WINDOWS MACHINE ACTING UP)

Message Bookmarked
Bookmark Removed
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-20 W32/Blaster worm
Original issue date: August 11, 2003
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Microsoft Windows NT 4.0
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
Overview
The CERT/CC is receiving reports of widespread activity related to a
new piece of malicious code known as W32/Blaster. This worm appears to
exploit known vulnerabilities in the Microsoft Remote Procedure Call
(RPC) Interface.
I. Description
The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
interface as described in VU#568148 and CA-2003-16. Upon successful
execution, the worm attempts to retrieve a copy of the file
msblast.exe from the compromising host. Once this file is retrieved,
the compromised system then runs it and begins scanning for other
vulnerable systems to compromise in the same manner. In the course of
propagation, a TCP session to port 135 is used to execute the attack.
However, access to TCP ports 139 and 445 may also provide attack
vectors and should be considered when applying mitigation strategies.
Microsoft has published information about this vulnerability in
Microsoft Security Bulletin MS03-026.
Lab testing has confirmed that the worm includes the ability to launch
a TCP SYN flood denial-of-service attack against windowsupdate.com. We
are investigating the conditions under which this attack might
manifest itself. Unusual or unexpected traffic to windowsupdate.com
may indicate an infection on your network, so you may wish to monitor
network traffic.
Sites that do not use windowsupdate.com to manage patches may wish to
block outbound traffic to windowsupdate.com. In practice, this may be
difficult to achieve, since windowsupdate.com may not resolve to the
same address every time. Correctly blocking traffic to
windowsupdate.com will require detailed understanding of your network
routing architecture, system management needs, and name resolution
environment. You should not block traffic to windowsupdate.com without
a thorough understanding of your operational needs.
We have been in contact with Microsoft regarding this possibility of
this denial-of-service attack.
II. Impact
A remote attacker could exploit these vulnerabilities to execute
arbitrary code with Local System privileges or to cause a
denial-of-service condition.
III. Solutions
Apply patches
All users are encouraged to apply the patches referred to in Microsoft
Security Bulletin MS03-026 as soon as possible in order to mitigate
the vulnerability described in VU#568148. These patches are also
available via Microsoft's Windows Update service.
Systems running Windows 2000 may still be vulnerable to at least a
denial-of-service attack via VU#326746 if their DCOM RPC service is
available via the network. Therefore, sites are encouraged to use the
packet filtering tips below in addition to applying the patches
supplied in MS03-026.
It has been reported that some affected machines are not able to stay
connected to the network long enough to download patches from
Microsoft. For hosts in this situation, the CERT/CC recommends the
following:
1. Physically disconnecting the system from the network
2. Check the system for signs of compromise.
+ In most cases, an infection will be indicated by the presence
of the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Run\windows auto update" with a value of msblast.exe. If
this key is present, remove it using a registry editor.
3. If you're infected, terminate the running copy of msblast.exe
using the Task Manager.
4. Take one of the following steps to protect against the compromise
prior to installing the Microsoft patch:
+ Disable DCOM as described below
+ Enabling Microsoft's Internet Connection Filter (ICF), or
another host-level packet filtering program to block incoming
connections for 135/tcp
5. Reconnect the system to the network and apply the patches in the
recommended manner
Trend Micro, Inc. has published a set of steps to accomplish these
goals. Symantec has also published a set of steps to accomplish these
goals.
Disable DCOM
Depending on site requirements, you may wish to disable DCOM as
described in MS03-026. Disabling DCOM will help protect against this
vulnerability but may also cause undesirable side effects. Additional
details on disabling DCOM and possible side effects are available in
Microsoft Knowledge Base Article 825750.
Filter network traffic
Sites are encouraged to block network access to the following relevant
ports at network borders. This can minimize the potential of
denial-of-service attacks originating from outside the perimeter. The
specific services that should be blocked include
* 69/UDP
* 135/TCP
* 135/UDP
* 139/TCP
* 139/UDP
* 445/TCP
* 445/UDP
* 4444/TCP
Sites should consider blocking both inbound and outbound traffic to
these ports, depending on network requirements, at the host and
network level. Microsoft's Internet Connection Firewall can be used to
accomplish these goals.
If access cannot be blocked for all external hosts, the CERT/CC
recommends limiting access to only those hosts that require it for
normal operation. As a general rule, the CERT/CC recommends filtering
all types of network traffic that are not required for normal
operation.
Because current exploits for VU#568148 create a backdoor, which is in
some cases 4444/TCP, blocking inbound TCP sessions to ports on which
no legitimate services are provided may limit intruder access to
compromised hosts.
Recovering from a system compromise
If you believe a system under your administrative control has been
compromised, please follow the steps outlined in
Steps for Recovering from a UNIX or NT System Compromise
Reporting
The CERT/CC is tracking activity related to this worm as CERT#30479.
Relevant artifacts or activity can be sent to cert@cert.org with the
appropriate CERT# in the subject line.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.
Microsoft
Please see Microsoft Security Bulletin MS03-026.
Appendix B. References
* CERT/CC Advisory CA-2003-19 -
http://www.cert.org/advisories/CA-2003-19.html
* CERT/CC Vulnerability Note VU#561284 -
http://www.kb.cert.org/vuls/id/561284
* CERT/CC Vulnerability Note VU#326746 -
http://www.kb.cert.org/vuls/id/326746
* Microsoft Security Bulletin MS03-026 -
http://microsoft.com/technet/security/bulletin/MS03-026.asp
* Microsoft Knowledge Base article 823980 -
http://support.microsoft.com?kbid=823980
Thanks
Our thanks to Microsoft Corporation for their review of and input to
this advisory.
______________________________________________________________________
Authors: Chad Dougherty, Jeffrey Havrilla, Shawn Hernan, and Marty
Lindner
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-20.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
August 11, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPzhJFGjtSoHZUTs5AQEO6wP5AZuyr1OG/U9RjZDAAatFmJUuTO8SFhtd
R+nfZ54ylZPGE8ewMiS0hiuKaaXsOyk46R+zcwuPfoKffaaQX7SvwkS5uVzRBU+E
PEnECSv6O8qL0uGR6BO8zmDncOhd8YouyXWGwMCRqpvH4rMHLRB8CIgKHyEoqBpl
r69lGr8lqtE=
=3GAW
-----END PGP SIGNATURE-----

I thought the SYN flood was particularly evil. You are all doomed!

Jon Williams (ex machina), Tuesday, 12 August 2003 03:43 (twenty-two years ago)

My laptop has been infected with this. *sniff* I've been forced onto my old desktop.

A hax0r in shining armor has offered to come to my rescue however.

Texas Sam (thatgirl), Tuesday, 12 August 2003 04:00 (twenty-two years ago)

Haven't people learned from the last 34343443 Windows Worms?

Jon Williams (ex machina), Tuesday, 12 August 2003 04:14 (twenty-two years ago)

What should we have learned Jon?

Texas Sam (thatgirl), Tuesday, 12 August 2003 04:16 (twenty-two years ago)

that Worms make Baby Jesus cry.

Kingfish (Kingfish), Tuesday, 12 August 2003 04:17 (twenty-two years ago)

http://www.bitemelivebait.com/jpg/worms2.jpg

electric sound of jim (electricsound), Tuesday, 12 August 2003 04:21 (twenty-two years ago)

oh great, now someone's going to start quoting lyrics from "The Wall"...

Kingfish (Kingfish), Tuesday, 12 August 2003 04:35 (twenty-two years ago)

leave us kids alone!!

electric sound of jim (electricsound), Tuesday, 12 August 2003 04:38 (twenty-two years ago)

Thank god for still having crappy old Win98.

Girolamo Savonarola, Tuesday, 12 August 2003 04:42 (twenty-two years ago)

To run windows update

Jon Williams (ex machina), Tuesday, 12 August 2003 11:37 (twenty-two years ago)

If it's possible for you, go here, download the appropriate patch, run it, and it will hopefully go away.

I had Norton Anti-Virus give me hell about this last night, it would detect the "Blaster.Worm", then threaten to shutdown my machine in 60 seconds. I had to reboot a few times, but i was able to get the time to download the patch, then install it, and now it's gone, and everything is (or seems) back to normal.

donut bitch (donut), Tuesday, 12 August 2003 13:17 (twenty-two years ago)

This got me last night, the COUNTOWN TO SHUTDOWN thing gave me ample opportunity to cry "IT'S A RACE AGAINST TIME" so silver lining, etc. l33t haxx0r budz saved my sorry ass also.

Alex in Rotherham (Alex in Doncaster), Tuesday, 12 August 2003 13:23 (twenty-two years ago)

My girlfriend's mother's computer is currently suffering from this, and it's shutting down the computer every time she tries to get online, which makes remedy difficult. I think they're getting a copy of the patch on floppy from her step-brother, though, who works for a national food company whose computers were shut down by this, too.

Tep (ktepi), Tuesday, 12 August 2003 13:27 (twenty-two years ago)

i have Norton AV and Zone Alarm running with any attachments by e-mail instantly flagged and marked...what other precautions can i take?

stevem (blueski), Tuesday, 12 August 2003 13:30 (twenty-two years ago)

Got o windows update.

Mr Noodles (Mr Noodles), Tuesday, 12 August 2003 13:40 (twenty-two years ago)

the microsoft security alert which is referenced is dated july 16th. i'm almost positive i've updated since then. when i visited update last night it had no updates for me, so i'm assuming i'm all up-to-date on this??

ron (ron), Tuesday, 12 August 2003 13:45 (twenty-two years ago)

my comp has this. fuxors. I will try and download the patch later. if i get online for long enough.

Ronan (Ronan), Tuesday, 12 August 2003 13:48 (twenty-two years ago)

Mine keeps giving me 60 second warnings too, though sometimes I get 5 or 10 minute windows before it does it. I am at work now and the comp is fine, hopefully I can download it later cos I'm not sure if I can do it here.

Ronan (Ronan), Tuesday, 12 August 2003 13:51 (twenty-two years ago)

I presume with a dial up its not quite so serious a problem. I bet I'll be back on this thread later though.

Ronan (Ronan), Tuesday, 12 August 2003 13:59 (twenty-two years ago)

I work at an ISP and this has ruined my day. This one is nasty because it spoofs IPs, because the exploit is only in the SYN portion of the connection. Nasty, nasty. Windows has doomed us all! Repent!

You're probably up to date ron.

Dale the Titled (cprek), Tuesday, 12 August 2003 14:24 (twenty-two years ago)

how do I know if I have this worm?

I keep getting Cannot find server messages alot.

jel -- (jel), Tuesday, 12 August 2003 15:19 (twenty-two years ago)

Any specific servers that you are trying to find? It could be a more general consequence of being on a network segment that's getting flooded with attempts rather than actually being infected. I don't know that much about Windows anymore, but I think the CERT advisory Jon posted upthread should help you determine if you've got it. But again, it could be that your network is just overloaded with incoming/outgoing traffic from the all the other computers in the world that have it.

Dale the Titled (cprek), Tuesday, 12 August 2003 15:50 (twenty-two years ago)

A fwend sez:

"it scans random IP addresses rather than gets attached to emails and/or web pages, and installs itself. and it's triggered to attack windowsupdate.microsoft.com on august 16th, so every unpatched and online machine will start giving it some this
weekend and windowsupdate might fall over horribly :-) and that way no-one will be able to download the patch necessary to fix the vulnerability that allows the worm to operate in the first place. work of art :-)"

Is this true? PS not affected as have a mac

Dave B (daveb), Tuesday, 12 August 2003 16:03 (twenty-two years ago)

yeah that seems to be the case. My machine is also immune.

Millar (Millar), Tuesday, 12 August 2003 16:22 (twenty-two years ago)

my comp is fucked with this, is it possible to download the update and save it to a disc and then use it? At the mo the download site is fucked too. I was 7 seconds away earlier on.

Ronan (Ronan), Tuesday, 12 August 2003 18:14 (twenty-two years ago)

I wonder if a worm like this is the reason why, every time I log onto a site (including this one) I get a message telling me that I have chosen to download a file from this site and asking me if I want to open it from its current location or save it to a file. I always hit "cancel" and it goes away, but the fact that it keeps popping up is annoying & worrying me.

jewelly (jewelly), Tuesday, 12 August 2003 18:42 (twenty-two years ago)

I haven't heard of that happening...

Ronan, check your email.

Dale the Titled (cprek), Tuesday, 12 August 2003 18:47 (twenty-two years ago)

I have Millenium Edition so I guess I'm not affected by this particular worm, but something screwy's going on.

jewelly (jewelly), Tuesday, 12 August 2003 18:49 (twenty-two years ago)

Here's the Microsoft patch, to protect yourself, and if you've been infected, here's where to go to remove it.

Frank Kogan (Frank Kogan), Tuesday, 12 August 2003 20:52 (twenty-two years ago)

But since I'm fundamentally a computer ignoramus, I have this question: I have Windows 98 Second Edition. Microsoft no longer supports it (5 years were up in June). When this security flaw
was pointed out to Microsoft last month, Microsoft created a patch for the versions of Windows that they do support. Now, my impression (from something I read then on their site, but haven't been able to find since) is that Microsoft didn't test 98 SE to find out whether it too was vulnerable to the flaw. They did include workarounds in their security bulletin, but to ignorant me, the workaround instructions were gibberish. Anyway, now that there's a computer worm based on the flaw (supposedly a poorly written worm, so not as destructive as the next one will be), what do I do? Supposedly (the NY Times story I read on this was not well written), one is vulnerable to this worm even without downloading a file or an email. Symantec (the people who put out the Norton Antivirus) claims that Windows 98 is not vulnerable to the worm, but, distrustful person that I am, I don't know if they say this merely because Microsoft hasn't said that Windows 98 specifically is vulnerable, or because they know especially what they're talking about. So, do I live my life as usual, or do I do something, and if so, what? If you have advice, that would be helpful (also, supply links to verify what you've heard.) Thanks.

Frank Kogan (Frank Kogan), Tuesday, 12 August 2003 21:00 (twenty-two years ago)

I am on a mac and so feel like someone out of Day of the Triffids.

N. (nickdastoor), Tuesday, 12 August 2003 21:04 (twenty-two years ago)

One of my favorite books when I read it (though that was 39 years ago).

Frank Kogan (Frank Kogan), Tuesday, 12 August 2003 21:09 (twenty-two years ago)

I think John Wyndham's were the first adult novels I read.

N. (nickdastoor), Tuesday, 12 August 2003 21:44 (twenty-two years ago)

This horrid worm thing has ceased our whole network across the country and I have been unable to work at all for 2 days now, and its getting worse as now the email system has completely crashed. Although my home PC is win98, my home internet line has been destroyed by a thunderstorm for 3 days now and still has not been fixed.

The end is extremely fucking nigh.

Fuzzy (Fuzzy), Wednesday, 13 August 2003 14:24 (twenty-two years ago)

ominously, i have not yet had a problem and now i have the Service Pack 2 upgrade and patch...will i survive?

stevem (blueski), Wednesday, 13 August 2003 14:27 (twenty-two years ago)

worm even without downloading a file or an email. Symantec (the people who put out the Norton Antivirus) claims that Windows 98 is not vulnerable to the worm, but, distrustful person that I am, I don't know if they say this merely because Microsoft hasn't said that Windows 98 specifically is vulnerable, or because they know especially what they're talking about. So, do I live my life as usual, or do I do something, and if so, what? If you have advice, that would be helpful (also, supply links to verify what you've heard.) Thanks.

Since it involves overflowing a buffer in the RPC routines you probably don't have to worry. Now I have to figure out if all the patches I installed on WIN95 are going to screw with my computer at home. But my mouse is busted (should I bother finding the break in the cable or shell out the 10 bucks for another?) so I can't find out or more specifically ain't going to screw around in Winblows without one. Since its running TCP syn packets out of your computer try finding that wonderful utility that counts your packets in and out of your modem/LAn connection and see if the outbound pckets go through the roof without surfing the web or checking your email.

Stevem, just go click on Tools/windowsupdate option on IE and take the time out of your day to down load most if not all of the patches supplied. It rarely hurts to do such an activity.

Mr Noodles (Mr Noodles), Wednesday, 13 August 2003 14:40 (twenty-two years ago)

Unless you have a bootlegged copy of XP. Like me.

Kenan Hebert (kenan), Wednesday, 13 August 2003 14:42 (twenty-two years ago)

It seems to be concentrating on XP and 2000. Anything else (according to symantec anyway) seems lower risk or immune, especially ME. But the worm itself is already targeting the website you go into to download the patch, so hurry...

C J (C J), Wednesday, 13 August 2003 14:46 (twenty-two years ago)

There's also a telltale registry key under Local System/Software/Microsoft/Windows/Running/ (something like that) that will show a MBlaster key. But, I wouldn't advise anyone to go into their registry unless they know what they're doing. Windows 98, ME, 95 are *not* affected because they don't have the NT codebase for RPC that is exploitable.

The Denial of Service doesn't start until Saturday, so slow site response for the patch is a result of everyone trying to grab it.

You all can grab it off of my university account (which they probably don't remember I have yet) if you want.

http://sweb.uky.edu/~cdcpre0/windows/Windows2000-KB823980-x86-ENU.exe
http://sweb.uky.edu/~cdcpre0/windows/WindowsXP-KB823980-x86-ENU.exe

Dale the Titled (cprek), Wednesday, 13 August 2003 14:51 (twenty-two years ago)

one year passes...
Windows not expected to be secure until 2011

"In a recent interview with Wired Magazine, Microsoft Security Program Manager Stephen Toulouse, when asked about their now 2 year old focus on security, comments "it's more of a 10-year timeline." He also reveals that he runs Firefox.

Elvis Telecom (Chris Barrus), Friday, 3 September 2004 22:19 (twenty-one years ago)


You must be logged in to post. Please either login here, or if you are not registered, you may register here.
Site New Answers Search Boards ILM ILE Answers New Question New Questions New Poll Blog View Register Login