Viruses/Worms

08-14-2003, 06:52 AM


  » http://sudaneseonline.com/cgi-bin/sdb/2bb.cgi?seq=msg&board=2&msg=1060840335&rn=0


Post: #1
Title: Viruses/Worms
Author: BousH
Date: 08-14-2003, 06:52 AM

Security Brief for technicals

ISS X-Force has captured active samples of an automated Internet worm that
propagates via the MS RPC DCOM vulnerability documented in the ISS X-Force
Alert titled "Flaw in Microsoft Windows RPC Implementation"
(http://xforce.iss.net/xforce/alerts/id/147). This worm is currently
propagating aggressively across the Internet.

Impact:

Any vulnerable desktop or server connected to the Internet may be
vulnerable to attack. All Windows 2000, Windows XP and Windows NT 4.0
computers that have not been patched are vulnerable to attack from the
automated worm, or manual attack. X-Force believes that hundreds of
thousands of computers may still be vulnerable. Unsuccessful propagation
attempts may crash vulnerable computers, or render them unstable.
Successful worm outbreaks have been known to cause significant localized
network latency, and widespread denial of service.

For the complete ISS X-Force Security Alert, please visit:
http://xforce.iss.net/xforce/alerts/id/150
-------------------------------------------------------------------------------------
Details Info from Symantec

When W32.Blaster.Worm is executed, it will do the following:
Creates a Mutex named "BILLY". If the mutex exists, the worm will exit.
Adds the value:
"windows auto update"="msblast.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.
Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.
NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.
Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.

Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.

NOTES:
This means the local subnet will become saturated with port 135 requests.
Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them. However, if the worm is manually placed and executed on a computer that is running these operating systems, it can run and spread.

Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.

Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.

If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

You can manually delete by doing the following:
Disable System Restore (Windows XP).
Update the virus definitions.
End the Trojan process.
Run a full system scan and delete all the files detected as W32.Blaster.Worm.
Reverse the changes that the Trojan made to the registry.
Ending the Worm process:
Press Ctrl+Alt+Delete once.

Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.
Reversing the changes made to the registry
Click Start, and then click Run. (The Run dialog box appears.)

Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"windows auto update"="msblast.exe"
Exit the Registry Editor
Then Delete c:\windows\system32\msblast.exe
Full Info: http://securityresponse.symantec.com/avcenter/venc/data...32.blaster.worm.html
-------------------------------------------------------------------------------------
Automated Removal Tools
Symantec: W32.Blaster.Worm Removal Tool
McAfee: Stinger has been updated to include detection/removal of this threat
BitDefender: Anti Blaster Worm
Astonsoft: Anti MSBlast Worm
Computer Associates: Anti-Poza removal worm
-------------------------------------------------------------------------------------
Spreading algorithm from F-Secure
The worm uses a sequential scanning algorithm with random starting points. The algorithm has a mode in which it favors the networks surrounding the infected host.
An IP address has the following structure: A.B.C.D
First the worm fetches the IP address of the infected host and puts it into the variables above.
Based on a random number between 1 and 20, either the host's IP is used as the basis of scanning or a totally random IP is generated.
If the random number is greater than or equal to 12, the host IP is used. In this case, if C is greater than 20, the worm subtracts 20 from it. D is always set to 0.
If the worm chooses to use a totally random start IP, it generates A, B and C from random numbers:
Code:
A from 1 to 254
B from 0 to 253
C from 0 to 253
D is always 0
Using these base addresses Lovsan starts to scan for vulnerable hosts. The algorithm scans 20 hosts at a time; the targets are successive IP addresses starting from the base address. The worm tries to connect to port 135 on all 20 hosts and checks whether the connection is successful. In that case Lovsan uses one of many different DCOM exploits to infiltrate the host. There are two hardcoded values in the exploit which are randomly chosen. These values make the exploit work on either Windows 2000 or Windows XP systems. When the exploit starts on the remote machine it opens a shell through which the worm copies itself to the host using TFTP (Trivial File Transfer Protocol). The TFTP client comes with Windows 2000/XP systems and the worm has a built-in TFTP server. After the worm is copied to the remote host it is started there through the shell.
You might also want to turn on Windows XP's internal firewall to prevent access to port 135:
http://www.microsoft.com/windowsxp/home/using/productdo..._enable_firewall.asp
More Info: http://www.datafellows.com/v-descs/msblast.shtml
-------------------------------------------------------------------------------------
More Info from Handlers Diary
Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

Infection sequence:
1. SOURCE sends packets to TCP port 135 with a variation of the dcom.c exploit to TARGET.
2. This causes a remote shell on port 4444 at the TARGET.
3. The SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444.
4. The TARGET will now connect to the tftp server at the SOURCE.
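The two traffic patterns described above (F-Secure's 20-host sequential sweep on TCP/135, and the Handlers Diary 135 -> 4444 -> TFTP/69 sequence) can be correlated from ordinary connection logs. The following is an added example, not code from the original post or from any of the vendors quoted; the log format and the sample traffic are constructed for illustration.

```python
"""Flag Blaster-style activity in connection logs (constructed example).
Assumed log line format: "<time> <proto> <src_ip> <dst_ip> <dst_port>"."""
import ipaddress
from collections import defaultdict

SWEEP_MIN = 20  # the worm probes 20 successive addresses per round


def make_sample_log():
    """Constructed sample, not a real capture: 10.0.0.5 sweeps 192.168.1.0-19
    on TCP/135, opens the 4444 shell on .7, and .7 pulls the worm via TFTP."""
    lines = [f"12:00:{i:02d} tcp 10.0.0.5 192.168.1.{i} 135" for i in range(20)]
    lines.append("12:00:21 tcp 10.0.0.5 192.168.1.7 4444")  # remote shell on TARGET
    lines.append("12:00:22 udp 192.168.1.7 10.0.0.5 69")    # TARGET fetches msblast.exe
    lines.append("12:00:23 tcp 10.0.0.9 172.16.0.1 80")     # unrelated noise
    return "\n".join(lines)


def parse(log_text):
    """Return (time, proto, src, dst, port) tuples, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            t, proto, src, dst, port = line.split()
            events.append((t, proto, src, dst, int(port)))
    return events


def sweep_sources(events, min_hosts=SWEEP_MIN):
    """Map source -> longest run of consecutive IPs it probed on TCP/135,
    keeping only sources whose run reaches min_hosts (the worm's batch size)."""
    targets = defaultdict(set)
    for _, proto, src, dst, port in events:
        if proto == "tcp" and port == 135:
            targets[src].add(int(ipaddress.ip_address(dst)))
    flagged = {}
    for src, ips in targets.items():
        ordered = sorted(ips)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_hosts:
            flagged[src] = best
    return flagged


def infection_chains(events):
    """(source, target) pairs completing the sequence: 135 sweep from source,
    TCP/4444 from source to target, then UDP/69 from target back to source."""
    sweepers = sweep_sources(events)
    shells = {(s, d) for _, p, s, d, port in events
              if p == "tcp" and port == 4444 and s in sweepers}
    tftp = {(s, d) for _, p, s, d, port in events if p == "udp" and port == 69}
    return sorted((s, d) for s, d in shells if (d, s) in tftp)
```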

The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
Full Info: http://isc.sans.org/diary.html?date=2003-08-11
-------------------------------------------------------------------------------------
Disable DCOM info from eEye

Run Dcomcnfg.exe. If you are running Windows XP or Windows Server 2003 perform these additional steps:
Click on the Component Services node under Console Root.
Open the Computers sub-folder.
For the local computer, right click on My Computer and choose Properties.
For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name.
Right click on that computer name and choose Properties.
Choose the Default Properties tab.
Select (or clear) the Enable Distributed COM on this Computer check box.
If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
Reboot
Note: We have found that on Windows 2000 with Service Pack levels SP0, SP1, and SP2, disabling DCOM using the DCOMCNFG tool does not actually disable DCOM functionality. As a result, unpatched machines running the affected versions of Windows 2000 are still vulnerable, regardless of whether DCOM is indicated as disabled. We have contacted Microsoft about this problem and they are looking into it.

eEye has also released a free scanner to aid in the detection of vulnerable hosts:
http://www.eeye.com/html/Research/Tools/RPCDCOM.html
Full Advisory: http://www.eeye.com/html/Research/Advisories/AL20030811.html
-------------------------------------------------------------------------------------
Patches From Microsoft.com to fix RPC/DCOM bug
For Windows XP:
WindowsXP-KB823980-x86-ENU.exe
NOTE: Microsoft Windows XP Service Pack 1 is necessary for this file to run.
For Windows 2000:
Windows2000-KB823980-x86-ENU.exe
For Windows 2003:
WindowsServer2003-KB823980-x86-ENU.exe
For Windows NT 4.0:
Q823980i.EXE
-------------------------------------------------------------------------------------
Virus Vendors:
Symantec: W32.Blaster.Worm
TrendMicro: WORM_MSBLAST.A
F-Secure: Lovsan
Computer Associates: Win32.Poza
McAfee: W32/Lovsan.worm
Sophos: W32/Blaster-A
Panda Software: W32/Blaster
RAV: Win32/MSBlast.A
BitDefender: Win32.Msblast.A
Norman: Blaster.A
ESET NOD32: Win32/Lovsan.A
Variant(s) Virus List:
Symantec: W32.Blaster.B.Worm, W32.Blaster.C.Worm
McAfee: W32/Lovsan.worm.b, W32/Lovsan.worm.c
F-Secure: Lovsan.B, Lovsan.C
TrendMicro: WORM_MSBLAST.B, WORM_MSBLAST.C
Sophos: W32/Blaster-B
Computer Associates: Win32.Poza.B, Win32.Poza.C

Advisories:
Microsoft: What You Should Know About the Blaster Worm
Microsoft: Buffer Overrun In RPC Interface Could Allow Code Execution
CERT® Advisory CA-2003-19 Exploitation of Vulnerabilities in Microsoft RPC Interface
ISS Xforce: "MS Blast" MSRPC DCOM Worm Propagation
Symantec's DeepSight Analysis of the worm
eEye - 'Blaster' Worm Description and Technical Details
AusCERT: Worm (MSBLASTER) propagation for recent Microsoft RPC vulnerability
Department of Homeland Security Advisory: Potential For Significant Impact On Internet Operations Due To Vulnerability In Microsoft Operating Systems