Re: DCOM worm analysis report: W32.Blaster.Worm
From: Dan Hanson (dan_hanson_at_SYMANTEC.COM)
Date: Mon, 11 Aug 2003 20:55:11 -0600
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hi, I'd just like to respond to the comments regarding the Snort signature
included with the Alert.
This Snort signature was initially developed when the vulnerability details
were made public and the first exploit appeared. The comment that this
signature can be trivially avoided by inserting a 0x5C character is, in my
opinion, incorrect. Referring back to the original details and exploit
released by xfocus, we see the code where the vulnerability occurs.
The overflow occurs when a "too long" NetBIOS machine name is encountered.
The length of a buffer assigned to hold the machine name is hardcoded at
0x20 (the max length of Windows NetBIOS machine names in Unicode) and the
copy routine will loop through the machine name until a 0x5C (a "\") is
encountered signifying the end of the machine name. If this 0x5C is within
the allocated buffer (0x20 or 32 bytes) no overflow happens.
The Snort signature included in our alert document, while prone to
theoretical false positives in the event an RPC service client has reason
to use something resembling NetBIOS machine names in unicode (we have seen
no occurrences of false positives thus far), should detect every
exploitation of this vulnerability.
I will note that we have received a report where a Snort instance did not
maintain state appropriately, and a false negative did occur. The TCPdump
file was tested with this signature (minus the established keyword to the
flow directive, as noted in our latest version of the alert), and detected
> Symantec includes a Snort-like signature for their IDS in their
> advisory. I'd like to point out that the RealSecure/BlackICE signature
> for this vuln is "MSRPC_RemoteActivate_BO". We've had this deployed in
> our MSS operations since July 17th, and haven't found any
> false-positives. The sig is based on a full protocol-analysis, so there
> shouldn't be any false-negatives, either.
> -----Original Message-----
> From: Mehta, Neel (ISS Atlanta)
> Sent: Monday, August 11, 2003 6:39 PM
> To: Rouland, Chris (ISSAtlanta); Graham, Robert (ISS Atlanta);
> The snort signature mentioned in the
> advisory is prone to false positives because there are many other
> protocols that legitimately send that traffic. Somebody can easily
> modify this worm with a 5c character within 32 bytes and evade this
TMS Threat Analyst
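As an added illustration of the bounds condition described in the post above (this is not code from the post, from Symantec's alert, or from Snort), the following Python models the machine-name copy loop from the detection side: it treats the field as UTF-16LE bytes, takes the 0x20-byte buffer and the 0x5C terminator from the post, and reports whether the copy would stop inside the buffer. The helper names, the assumption that the field begins after the leading backslashes, and the sample names are all constructed here.

```python
# Added example, not from the NTBugtraq post, Symantec's alert or Snort.
# Models the bounds condition described in the post: a fixed 0x20-byte
# buffer for the NetBIOS machine name and a copy loop that stops only at
# the first 0x5C ("\") code unit. Everything beyond those two facts
# (field extraction, helper names, sample names) is assumed/constructed.

BUFFER_SIZE = 0x20          # 32 bytes, as stated in the post
TERMINATOR = b"\x5c\x00"    # "\" encoded as one UTF-16LE code unit


def copied_length(field: bytes) -> int:
    """Bytes the described copy loop writes before it meets 0x5C.

    Assumes `field` is the UTF-16LE machine-name portion that follows the
    leading backslashes (an assumption; the post does not show the packet
    layout). Without a terminator the loop copies the whole field.
    """
    idx = 0
    while idx + 1 < len(field):
        if field[idx:idx + 2] == TERMINATOR:
            return idx
        idx += 2               # advance one UTF-16 code unit
    return len(field)


def overflows(field: bytes) -> bool:
    """True when the 0x5C terminator is not within the 32-byte buffer,
    i.e. the copy writes at least BUFFER_SIZE bytes before stopping."""
    return copied_length(field) >= BUFFER_SIZE


def classify(field: bytes) -> str:
    """Detection-style verdict for one machine-name field."""
    n = copied_length(field)
    if overflows(field):
        return f"overflow: no terminator within {BUFFER_SIZE} bytes (copy length {n})"
    return f"ok: terminator at offset {n}"


# Constructed sample fields (UTF-16LE), not captured traffic.
SAMPLES = {
    # ordinary UNC-style reference: 13-character name, then "\share"
    "normal": "WORKSTATION01\\share".encode("utf-16-le"),
    # overlong name with no terminator at all
    "no_terminator": ("A" * 40).encode("utf-16-le"),
    # backslash inserted within the first 32 bytes: the copy stops early,
    # which is the point the post makes about the claimed evasion
    "early_backslash": ("A" * 10 + "\\" + "A" * 40).encode("utf-16-le"),
}


def run_samples() -> dict:
    """Return {label: overflows?} for every constructed sample."""
    return {label: overflows(field) for label, field in SAMPLES.items()}


if __name__ == "__main__":
    for label, field in SAMPLES.items():
        print(f"{label:16s} {classify(field)}")
```

The `early_backslash` sample is the case the quoted message raises: a 0x5C placed within the first 32 bytes ends the copy inside the buffer, so the condition the signature looks for (a name running past the buffer without a terminator) is exactly the condition the overflow needs.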