Re: DCOM worm analysis report: W32.Blaster.Worm

From: Dan Hanson (dan_hanson_at_SYMANTEC.COM)
Date: 08/12/03

  • Next message: Russ: "Re: reports of DCOM worm on the loose...Report #4"
    Date:         Mon, 11 Aug 2003 20:55:11 -0600

    Hi, I'd just like to respond to the comments regarding the Snort signature
    included with the Alert.

    This Snort signature was initially developed when the vulnerability details
    were made public and the first exploit appeared. The comment that this
    signature can be trivially avoided by inserting a 0x5C character is, in my
    opinion, incorrect. Referring back to the original details and exploit
    released by xfocus, we see the code where the vulnerability occurs.

    The overflow occurs when a "too long" NetBIOS machine name is encountered.
    The length of a buffer assigned to hold the machine name is hardcoded at
    0x20 (the max length of Windows NetBIOS machine names in Unicode) and the
    copy routine will loop through the machine name until a 0x5C (a "\") is
    encountered, signifying the end of the machine name. If this 0x5C is within
    the allocated buffer (0x20 or 32 bytes) no overflow happens.

    The Snort signature included in our alert document, while prone to
    theoretical false positives in the event an RPC service client has reason
    to use something resembling NetBIOS machine names in Unicode (we have seen
    no occurrences of false positives thus far), should detect every
    exploitation of this vulnerability.

    I will note that we have received a report where a Snort instance did not
    maintain state appropriately, and a false negative did occur. The tcpdump
    file was tested with this signature (minus the established keyword to the
    flow directive, as noted in our latest version of the alert), and detected
    the worm.


    > Symantec includes a Snort-like signature for their IDS in their
    > advisory. I'd like to point out that the RealSecure/BlackICE signature
    > for this vuln is "MSRPC_RemoteActivate_BO". We've had this deployed in
    > our MSS operations since July 17th, and haven't found any
    > false-positives. The sig is based on a full protocol-analysis, so there
    > shouldn't be any false-negatives, either.


    > -----Original Message-----
    > From: Mehta, Neel (ISS Atlanta)
    > Sent: Monday, August 11, 2003 6:39 PM
    > To: Rouland, Chris (ISSAtlanta); Graham, Robert (ISS Atlanta);


    > The snort signature mentioned in the
    > advisory is prone to false positives because there are many other
    > protocols that legitimately send that traffic. Somebody can easily
    > modify this worm with a 5c character within 32 bytes and evade this
    > signature.

    Dan Hanson
    TMS Threat Analyst
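The copy-loop argument in the message above, as an added example that is not code from the original post, from Symantec's rule or from the xfocus code: a constructed Python model of the 0x20-byte buffer and the 0x5C terminator, used as a detection-style check. The buffer size and terminator come from the message; the function names, the layout of the name field and the sample names are assumptions.

```python
# Constructed model of the copy loop described in the message: a machine name in
# UTF-16LE is copied into a fixed 0x20-byte buffer until a backslash (0x5C 0x00)
# is seen. Buffer size and terminator come from the message; everything else
# (function names, how the name field is laid out) is an assumption for illustration.

BUFFER_BYTES = 0x20                     # hardcoded buffer: 32 bytes = 16 UTF-16LE units
TERMINATOR = "\\".encode("utf-16-le")   # b"\x5c\x00", the end-of-name marker


def bytes_copied(name: bytes) -> int:
    """Number of bytes the copy loop writes before it meets the terminator.

    Walks the name in 2-byte UTF-16LE units; if no terminator is present, the
    whole input is copied (the worst case for the 32-byte buffer).
    """
    for off in range(0, len(name) - 1, 2):
        if name[off:off + 2] == TERMINATOR:
            return off
    return len(name)


def overflows(name: bytes) -> bool:
    """True when the copied bytes exceed the 0x20-byte buffer, i.e. when no
    backslash appears inside the first 32 bytes of the name."""
    return bytes_copied(name) > BUFFER_BYTES


def classify(names):
    """Run the check over a batch of name fields and tag each one, the way a
    detection rule keyed on this condition would score a packet."""
    return [("overflow" if overflows(n) else "fits") for n in names]


# Constructed sample name fields (the part after the leading "\\\\"):
SAMPLES = [
    "WORKSTATION01\\C$".encode("utf-16-le"),                   # ordinary 13-char name
    ("A" * 40 + "\\C$").encode("utf-16-le"),                   # too long, no early terminator
    ("A" * 10 + "\\" + "A" * 30 + "\\C$").encode("utf-16-le"), # 0x5C inside the buffer
]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, classify(SAMPLES)):
        print(f"{bytes_copied(sample):3d} bytes copied -> {verdict}")
```

The third sample is the "insert a 0x5C within 32 bytes" case from the quoted comment: the copy stops at byte 20, so nothing overflows, which is why a check keyed on the absence of 0x5C in the first 32 bytes is not evaded by it.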
