Re: DCOM worm analysis report: W32.Blaster.Worm

From: Graham, Robert (ISS Atlanta) (rgraham_at_ISS.NET)
Date: 08/12/03

    Date:         Mon, 11 Aug 2003 19:46:59 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    FYI:

    The ISS X-Force info on the worm is at:
    http://xforce.iss.net/xforce/alerts/id/150

    The ISS X-Force info on the vuln is at:
    http://xforce.iss.net/xforce/alerts/id/147

    Our X-Force guys think that the percentages mentioned in Symantec's
    advisory are reversed. We think the worm targets 80% WinXP, 20% Win2k
    (rather than the other way around). Not that this matters a lot, but I
    thought I'd mention it.

    Note that the worm has done a lot to severely slow down its progress:

    1. it DoSes lots of potential victims (because of the WinXP vs. Win2k
    problem); other exploits exist that do some fingerprinting of the MSRPC
    stack before attacking

    2. it does sequential scans, which is actually a lot worse than random
    scans for fast propagation

    3. it only has 20 "threads" of execution -- taking advantage of raw
    sockets would have been much worse (the Internet would have been
    "slammed")

    4. it only uses the ISystemActivator interface on port 135; my scans
    show a lot of vulnerable systems still out there that have other ports
    or other DCOM interfaces exposed

    5. it uses two separate connections (4444/tcp and 69/udp) to completely
    break into the target system, which is blocked by lots of firewalls,
    which means the service is DoSed without getting infected. If the hacker
    had used a trick like CodeRed to combine everything in the original
    connection, things would have been much worse.

    In other words, this is pretty much a "best-case-scenario" worm -- many
    of us had expected much worse.

    Symantec includes a Snort-like signature for their IDS in their
    advisory. I'd like to point out that the RealSecure/BlackICE signature
    for this vuln is "MSRPC_RemoteActivate_BO". We've had this deployed in
    our MSS operations since July 17th, and haven't found any
    false-positives. The sig is based on a full protocol-analysis, so there
    shouldn't be any false-negatives, either.

    -----Original Message-----
    From: Mehta, Neel (ISS Atlanta)
    Sent: Monday, August 11, 2003 6:39 PM
    To: Rouland, Chris (ISSAtlanta); Graham, Robert (ISS Atlanta);
    Ingevaldson, Dan (ISS Atlanta)
    Subject: RE: DCOM worm analysis report: W32.Blaster.Worm

    The percentages are 80% XP, 20% Windows 2000 (not the 80% Windows 2000,
    20% XP that Symantec claims). The snort signature mentioned in the
    advisory is prone to false positives because there are many other
    protocols that legitimately send that traffic. Somebody can easily
    modify this worm with a 5c character within 32 bytes and evade this
    signature.

    Note that the MSRPC_RemoteActivate_BO vuln-sig in RealSecure does a full
    protocol analysis on this, so is not prone to the above
    false-positives/false-negatives.

    -----Original Message-----
    From: Rouland, Chris (ISSAtlanta)
    Sent: Monday, August 11, 2003 6:29 PM
    To: Mehta, Neel (ISS Atlanta)
    Subject: FW: DCOM worm analysis report: W32.Blaster.Worm

     

    -----Original Message-----
    From: Dave Ahmad [mailto:da@SECURITYFOCUS.COM]
    Sent: Monday, August 11, 2003 5:39 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    A Bugtraq user has already pointed out that a worm has been discovered
    in the wild that exploits the Microsoft Windows DCOM RPC Interface
    Buffer Overrun Vulnerability (Bugtraq ID 8205) to infect host systems.
    Symantec has been tracking its activity and is currently conducting
    analysis/full disassembly of the malicious code, which has been named
    "Blaster". The results of our analysis are being made available to the
    public at the following location:

    https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

    It is expected that this report will be updated frequently as more
    information is discovered. Readers are advised to download/refresh it
    throughout the day to ensure that any new information is not missed.

    David Mirza Ahmad
    Symantec

    PGP: 0x26005712
    8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12

    --
    The battle for the past is for the future.
    We must be the winners of the memory war.
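The post above notes that the worm needs a 135/tcp exploit, a separate 4444/tcp connection and a 69/udp TFTP fetch back from the victim, and that it scans sequentially. As an added example (not ISS, Symantec or worm code), the following flow-log heuristics flag both patterns; the flow record layout and addresses are constructed for illustration.

```python
# Added example: Blaster-style detection over constructed flow records.
# Record format (assumed): (time_s, src, dst, proto, dport).
from collections import defaultdict
from ipaddress import ip_address

FLOWS = [  # constructed sample data
    (0.0, "10.1.1.5", "10.2.2.1", "tcp", 135),
    (0.3, "10.1.1.5", "10.2.2.2", "tcp", 135),
    (0.6, "10.1.1.5", "10.2.2.3", "tcp", 135),
    (0.9, "10.1.1.5", "10.2.2.4", "tcp", 135),
    (1.2, "10.1.1.5", "10.2.2.4", "tcp", 4444),   # shell connect to victim
    (1.5, "10.2.2.4", "10.1.1.5", "udp", 69),     # victim fetches payload
    (2.0, "10.3.3.9", "10.2.2.7", "tcp", 135),    # no follow-up: DoS only
    (5.0, "10.5.5.1", "10.2.2.20", "tcp", 4444),  # 4444 without prior 135
    (5.3, "10.2.2.20", "10.5.5.1", "udp", 69),
]

def infection_chains(flows, window=30.0):
    """(attacker, victim) pairs with 135/tcp then 4444/tcp in the same
    direction and 69/udp in the reverse direction, all within `window` s."""
    by_pair = defaultdict(list)
    for t, src, dst, proto, dport in sorted(flows):
        by_pair[(src, dst)].append((t, proto, dport))
    hits = []
    for (a, v), evs in by_pair.items():
        t135 = [t for t, p, d in evs if (p, d) == ("tcp", 135)]
        t4444 = [t for t, p, d in evs if (p, d) == ("tcp", 4444)]
        t69 = [t for t, p, d in by_pair.get((v, a), []) if (p, d) == ("udp", 69)]
        for t0 in t135:
            if any(t0 <= t1 <= t0 + window for t1 in t4444) and \
               any(t0 <= t2 <= t0 + window for t2 in t69):
                hits.append((a, v))
                break
    return hits

def sequential_scanners(flows, min_run=3):
    """Sources whose 135/tcp targets, in time order, include a run of
    `min_run` consecutive IPv4 addresses (sequential-scan behaviour)."""
    targets = defaultdict(list)
    for t, src, dst, proto, dport in sorted(flows):
        if (proto, dport) == ("tcp", 135):
            targets[src].append(int(ip_address(dst)))
    found = []
    for src, ips in targets.items():
        run = 1
        for prev, cur in zip(ips, ips[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                found.append(src)
                break
    return found
```

A 135/tcp attempt with no 4444/tcp or 69/udp follow-up (the third source above) is the firewalled or crashed case the post describes: the target was DoSed but not infected.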
