Re: DCOM worm analysis report: W32.Blaster.Worm

From: Dan Hanson (dan_hanson_at_SYMANTEC.COM)
Date: 08/12/03

    Date:         Mon, 11 Aug 2003 20:55:11 -0600
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hi, I'd just like to respond to the comments regarding the Snort signature
    included with the Alert.

    This Snort signature was initially developed when the vulnerability details
    were made public and the first exploit appeared. The comment that this
    signature can be trivially avoided by inserting a 0x5C character is, in my
    opinion, incorrect. Referring back to the original details and exploit
    released by xfocus, we see the code where the vulnerability occurs.

    http://www.xfocus.org/documents/200307/2.html

    The overflow occurs when a "too long" NetBIOS machine name is encountered.
    The length of a buffer assigned to hold the machine name is hardcoded at
    0x20 (the max length of Windows NetBIOS machine names in unicode) and the
    copy routine will loop through the machine name until a 0x5C (a "\") is
    encountered, signifying the end of the machine name. If this 0x5C is within
    the allocated buffer (0x20 or 32 bytes) no overflow happens.

    The Snort signature included in our alert document, while prone to
    theoretical false positives in the event an RPC service client has reason
    to use something resembling NetBIOS machine names in unicode (we have seen
    no occurrences of false positives thus far), should detect every
    exploitation of this vulnerability.

    I will note that we have received a report where a Snort instance did not
    maintain state appropriately, and a false negative did occur. The tcpdump
    file was tested with this signature (minus the established keyword to the
    flow directive, as noted in our latest version of the alert), and detected
    the worm.

    D

    > Symantec includes a Snort-like signature for their IDS in their
    > advisory. I'd like to point out that the RealSecure/BlackICE signature
    > for this vuln is "MSRPC_RemoteActivate_BO". We've had this deployed in
    > our MSS operations for since July 17th, and haven't found any
    > false-positives. The sig is based on a full protocol-analysis, so there
    > shouldn't be any false-negatives, either.

    -snip-

    > -----Original Message-----
    > From: Mehta, Neel (ISS Atlanta)
    > Sent: Monday, August 11, 2003 6:39 PM
    > To: Rouland, Chris (ISSAtlanta); Graham, Robert (ISS Atlanta);

    -snip-

    > The snort signature mentioned in the
    > advisory is prone to false positives because there are many other
    > protocols that legitimately send that traffic. Somebody can easily
    > modify this worm with a 5c character within 32 bytes and evade this
    > signature.

    Dan Hanson
    Symantec
    TMS Threat Analyst
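The copy-loop condition Dan describes above, as an added example that is not part of his message, Symantec's alert, or the xfocus write-up: a small Python model of the vulnerable routine's termination rule, which is what a detector has to reason about. It assumes the machine-name field is UTF-16LE, that the routine compares whole code units against 0x5C (so a 0x5C byte that is merely the high byte of another character does not terminate the copy), that the field being examined is the part after the leading backslashes, and that the buffer is the 32 bytes quoted in the message. The sample fields are constructed for the example.

```python
# Added example, not code from the original message or from Symantec/xfocus.
# Models the termination rule described in the message: the copy runs through
# the unicode machine name until a 0x5C ('\') code unit is found; if that
# terminator sits inside the 32-byte buffer, no overflow occurs.

NAME_BUFFER_LEN = 0x20          # 32 bytes, as quoted in the message (assumption)
TERMINATOR = b"\\\x00"          # '\' as a UTF-16LE code unit (assumption)


def bytes_copied_before_terminator(name_field: bytes) -> int:
    """Emulate the copy loop: walk the UTF-16LE name two bytes at a time and
    return how many bytes would be copied before a '\' code unit is seen.
    Without any terminator the whole field is copied."""
    i = 0
    while i + 1 < len(name_field):
        if name_field[i:i + 2] == TERMINATOR:
            return i
        i += 2
    return len(name_field)


def would_overflow(name_field: bytes) -> bool:
    """True when the copied prefix exceeds the fixed buffer, i.e. the request
    is one that actually triggers the overflow and should raise an alert."""
    return bytes_copied_before_terminator(name_field) > NAME_BUFFER_LEN


def classify(name_field: bytes) -> str:
    """Label a machine-name field the way a detector built on this rule would."""
    return "alert: overflow" if would_overflow(name_field) else "benign: no overflow"


# Constructed sample fields (UTF-16LE), labelled by what the rule says about them.
SAMPLES = {
    # ordinary UNC machine name: terminator at byte 16, well inside the buffer
    "normal":       "SERVER01\\C$".encode("utf-16-le"),
    # 40-character name before the first '\': copy runs 80 bytes, overflow
    "long_name":    ("A" * 40 + "\\").encode("utf-16-le"),
    # the "insert a 0x5C within 32 bytes" case from the quoted critique: the
    # terminator at byte 20 ends the copy early, so no overflow happens at all
    "early_5c":     ("A" * 10 + "\\" + "A" * 40).encode("utf-16-le"),
    # no terminator anywhere: the copy runs to the end of the field
    "no_terminator": b"A" * 40,
    # U+5C41 encodes as 41 5C; the 0x5C byte is not a '\' code unit
    "stray_5c_byte": "\u5c41".encode("utf-16-le") + ("B" * 20 + "\\").encode("utf-16-le"),
}


def classify_samples() -> dict:
    return {name: classify(field) for name, field in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The point the model makes concrete is the one in the message: a request that places a 0x5C inside the first 32 bytes of the name is exactly a request in which the copy stops early, so it is not an overflow and there is nothing for the signature to miss. A detector that alerts when no terminator appears within the buffer therefore covers every triggering request; its residual risk is false positives from legitimate clients sending long unicode names, which is the caveat the message itself notes.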


