CERT Advisory CA-2003-20 W32/Blaster worm

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 08/12/03

  • Next message: CERT Advisory: "CERT Advisory CA-2003-21 GNU Project FTP Server Compromise"
    Date: Mon, 11 Aug 2003 22:21:08 -0400
    To: cert-advisory@cert.org


    CERT Advisory CA-2003-20 W32/Blaster worm

       Original issue date: August 11, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history is at the end of this file.

    Systems Affected

         * Microsoft Windows NT 4.0
         * Microsoft Windows 2000
         * Microsoft Windows XP
         * Microsoft Windows Server 2003


       The CERT/CC is receiving reports of widespread activity related to a
       new piece of malicious code known as W32/Blaster. This worm appears to
       exploit known vulnerabilities in the Microsoft Remote Procedure Call
       (RPC) Interface.

    I. Description

       The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
       interface as described in VU#568148 and CA-2003-16. Upon successful
       execution, the worm attempts to retrieve a copy of the file
       msblast.exe from the compromising host. Once this file is retrieved,
       the compromised system then runs it and begins scanning for other
       vulnerable systems to compromise in the same manner. In the course of
       propagation, a TCP session to port 135 is used to execute the attack.
       However, access to TCP ports 139 and 445 may also provide attack
       vectors and should be considered when applying mitigation strategies.
       Microsoft has published information about this vulnerability in
       Microsoft Security Bulletin MS03-026.

       Lab testing has confirmed that the worm includes the ability to launch
       a TCP SYN flood denial-of-service attack against windowsupdate.com. We
       are investigating the conditions under which this attack might
       manifest itself. Unusual or unexpected traffic to windowsupdate.com
       may indicate an infection on your network, so you may wish to monitor
       network traffic.

       Sites that do not use windowsupdate.com to manage patches may wish to
       block outbound traffic to windowsupdate.com. In practice, this may be
       difficult to achieve, since windowsupdate.com may not resolve to the
       same address every time. Correctly blocking traffic to
       windowsupdate.com will require detailed understanding of your network
       routing architecture, system management needs, and name resolution
       environment. You should not block traffic to windowsupdate.com without
       a thorough understanding of your operational needs.

       We have been in contact with Microsoft regarding this possibility of
       this denial-of-service attack.

    II. Impact

       A remote attacker could exploit these vulnerabilities to execute
       arbitrary code with Local System privileges or to cause a
       denial-of-service condition.

    III. Solutions

    Apply patches

       All users are encouraged to apply the patches referred to in Microsoft
       Security Bulletin MS03-026 as soon as possible in order to mitigate
       the vulnerability described in VU#568148. These patches are also
       available via Microsoft's Windows Update service.

       Systems running Windows 2000 may still be vulnerable to at least a
       denial-of-service attack via VU#326746 if their DCOM RPC service is
       available via the network. Therefore, sites are encouraged to use the
       packet filtering tips below in addition to applying the patches
       supplied in MS03-026.

       It has been reported that some affected machines are not able to stay
       connected to the network long enough to download patches from
       Microsoft. For hosts in this situation, the CERT/CC recommends the
        1. Physically disconnecting the system from the network
        2. Check the system for signs of compromise.
              + In most cases, an infection will be indicated by the presence
                of the registry key
                \Run\windows auto update" with a value of msblast.exe. If
                this key is present, remove it using a registry editor.
        3. If you're infected, terminate the running copy of msblast.exe
           using the Task Manager.
        4. Take one of the following steps to protect against the compromise
           prior to installing the Microsoft patch:
              + Disable DCOM as described below
              + Enabling Microsoft's Internet Connection Filter (ICF), or
                another host-level packet filtering program to block incoming
                connections for 135/tcp
        5. Reconnect the system to the network and apply the patches in the
           recommended manner

       Trend Micro, Inc. has published a set of steps to accomplish these
       goals. Symantec has also published a set of steps to accomplish these

    Disable DCOM

       Depending on site requirements, you may wish to disable DCOM as
       described in MS03-026. Disabling DCOM will help protect against this
       vulnerability but may also cause undesirable side effects. Additional
       details on disabling DCOM and possible side effects are available in
       Microsoft Knowledge Base Article 825750.

    Filter network traffic

       Sites are encouraged to block network access to the following relevant
       ports at network borders. This can minimize the potential of
       denial-of-service attacks originating from outside the perimeter. The
       specific services that should be blocked include
         * 69/UDP
         * 135/TCP
         * 135/UDP
         * 139/TCP
         * 139/UDP
         * 445/TCP
         * 445/UDP
         * 4444/TCP

       Sites should consider blocking both inbound and outbound traffic to
       these ports, depending on network requirements, at the host and
       network level. Microsoft's Internet Connection Firewall can be used to
       accomplish these goals.

       If access cannot be blocked for all external hosts, the CERT/CC
       recommends limiting access to only those hosts that require it for
       normal operation. As a general rule, the CERT/CC recommends filtering
       all types of network traffic that are not required for normal

       Because current exploits for VU#568148 create a backdoor, which is in
       some cases 4444/TCP, blocking inbound TCP sessions to ports on which
       no legitimate services are provided may limit intruder access to
       compromised hosts.

    Recovering from a system compromise

       If you believe a system under your administrative control has been
       compromised, please follow the steps outlined in

              Steps for Recovering from a UNIX or NT System Compromise


       The CERT/CC is tracking activity related to this worm as CERT#30479.
       Relevant artifacts or activity can be sent to cert@cert.org with the
       appropriate CERT# in the subject line.

    Appendix A. Vendor Information

       This appendix contains information provided by vendors. When vendors
       report new information, this section is updated and the changes are
       noted in the revision history. If a vendor is not listed below, we
       have not received their comments.


         Please see Microsoft Security Bulletin MS03-026.

    Appendix B. References

         * CERT/CC Advisory CA-2003-19 -
         * CERT/CC Vulnerability Note VU#561284 -
         * CERT/CC Vulnerability Note VU#326746 -
         * Microsoft Security Bulletin MS03-026 -
         * Microsoft Knowledge Base article 823980 -


       Our thanks to Microsoft Corporation for their review of and input to
       this advisory.

       Authors: Chad Dougherty, Jeffrey Havrilla, Shawn Hernan, and Marty

       This document is available from:

    CERT/CC Contact Information

       Email: cert@cert.org
              Phone: +1 412-268-7090 (24-hour hotline)
              Fax: +1 412-268-6989
              Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

    Getting security information

       CERT publications and other security information are available from
       our web site

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.

       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

       Revision History

       August 11, 2003: Initial release

    Version: PGP 6.5.8

    -----END PGP SIGNATURE-----

  • Next message: CERT Advisory: "CERT Advisory CA-2003-21 GNU Project FTP Server Compromise"