Re: reports of DCOM worm on the loose...Report #4

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 08/12/03

    Date:         Tue, 12 Aug 2003 09:30:21 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Summary of information uncovered:

    1. Windows 2000 SP2 can install MS03-026. Microsoft still isn't supporting this configuration and insists you should test it, but I have had numerous reports from people who have successfully installed it. Windows 2000 SP2 systems have been successfully compromised.

    2. Windows Update and most 3rd party patch management applications will not offer you the ability to install MS03-026 on Windows 2000 SP2 systems. I have prepared an XML file for use with HFNetchk or MBSACli which will both check for, and recommend, MS03-026 on Windows 2000 SP2 systems.

    3. Came across another very large installation that had used St. Bernard's Update Expert to deploy MS03-026. They deployed to Windows 2000 SP3 systems. After rechecking, that installation discovered that MS03-026 had not deployed correctly, and all of those systems needed to have the patch re-applied either manually, or via HFNetchk/MBSA.

    4. The worm appears now to be entirely self-contained. It works as follows:

    a) attacker runs a TFTP server due to the worm code.
    b) TCP135 connection from attacker to victim.
    c) a command shell is established on victim listening on TCP4444
    d) attacker sends command, via command shell, to cause victim to invoke TFTP.exe to attacker to retrieve msblast.exe
    e) attacker sends command, via command shell, to cause victim to invoke msblast.exe
    f) attacker drops connection to victim command shell; victim command shell stops listening on 4444
    g) victim starts TFTP server and processes other instructions in msblast (to modify the registry keys, start attacks on TCP135, etc...)

    Ergo:

    - scanning for systems listening on 69 indicates successfully attacked systems (or a valid TFTP server)
    - scanning for systems listening on 4444 is short-lived, only during exchange with attacker
    - monitoring for systems using destination port 135 to 5 or more different IP addresses suggests attack traffic
    - you can probably safely ignore the list of IP addresses previously posted

    5. Monitoring your Firewall, Router, or other network logs should indicate infected systems. Since the IP address generation is random, it does not stay within your subnet range. Eventually an infected system will attack beyond your subnets and can be detected at logging points.

    6. Systems that are infected may display erratic behavior, including, but not limited to, application output not being displayed, applications running but then disappearing, or applications not running at all.

    7. Multiple copies of MSBlast.exe can run on the same victim.

    8. TFTP<number> files are incomplete TFTP downloads, and may or may not be present due to LovSAN. You may have had them from a previous virus/worm/trojan, or due to a legitimate TFTP you did. Since they are temporary files, they can be safely deleted (and should be deleted).

    9. So far no other port activity, 137, 139, or 445, has been associated with this worm. Such activity has been high for some time now due to other worms/trojans. Don't discount it, but there is no reason so far to believe it has to do with LovSAN.

    10. I do have confirmed reports of LANs with proper perimeter protection being infected due to infected laptops being brought into the LAN, and/or VPN connections to systems without adequate protection.

    11. The text that I believed was in the registry was not there.

    Uncorroborated Reports:
    - Adds a user to the Administrators group
    - Starts up NetBIOS services (if they aren't running)
    - eEye's DCOM Checker incorrectly reports NT 4 machines as being vulnerable, despite the patch being positively verified
    - Systems patched with MS03-026 may not be able to run Search or browse to the \winnt or \winnt\system32 directories. Drag and Drop may stop functioning
    - On Windows XP doing a System Restore to a date prior to the worm does get rid of the worm (which would be expected, but the system could quickly be re-compromised)
    - XP Home system using AOL Dial-up connection got infected
    - Worm has been found in an Excel spreadsheet and an RTF file (I've asked for copies, no reply yet)

    Resources:

    Modified MSSecure.XML file to use with HFNetchk/MBSA to detect Windows 2000 SP2 installations without the patch:
    http://www.ntbugtraq.com/LovSAN-W2KSP2.asp

    Symantec Removal Tool:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Trend Micro Removal Tool:
    http://www.trendmicro.com/download/tsc.asp

    F-Secure Removal Tool:
    http://www.f-secure.com/v-descs/msblast.shtml

    Computer Associates Removal Tool:
    http://www3.ca.com/virusinfo/virus.aspx?ID=36265

    McAfee/NAI Removal Tool:
    http://vil.nai.com/vil/stinger/

    Cheers,
    Russ - NTBugtraq Editor
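One way to apply the rules from item 4 and the "Ergo" list above to firewall logs, as an added example that is not part of Russ's post: it flags sources hitting TCP135 on five or more distinct hosts, and hosts that pull a file over TFTP from a peer that had just connected to them on 135. The log format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall-log sample (not from the post): "<ts> <src> -> <dst>:<dport> <action>".
SAMPLE_LOG = """\
2003-08-12T09:00:01 10.0.0.5 -> 10.0.0.9:135 ALLOW
2003-08-12T09:00:02 10.0.0.5 -> 192.168.3.17:135 DENY
2003-08-12T09:00:02 10.0.0.5 -> 172.16.9.2:135 DENY
2003-08-12T09:00:03 10.0.0.5 -> 203.0.113.44:135 DENY
2003-08-12T09:00:03 10.0.0.5 -> 198.51.100.8:135 DENY
2003-08-12T09:00:04 10.0.0.5 -> 198.51.100.9:135 DENY
2003-08-12T09:00:05 10.0.0.7 -> 10.0.0.1:135 ALLOW
2003-08-12T09:00:06 10.0.0.7 -> 10.0.0.2:135 ALLOW
2003-08-12T09:00:07 10.0.0.9 -> 10.0.0.5:69 ALLOW
2003-08-12T09:00:08 10.0.0.9 -> 203.0.113.44:135 DENY
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$")


def parse_log(text):
    """Parse the constructed format above; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def port135_fanout(events, threshold=5):
    """Sources that hit TCP135 on >= threshold distinct hosts (the post's 'Ergo' rule).
    Denied attempts count too: a random-target worm mostly hits hosts it cannot reach."""
    targets = defaultdict(set)
    for e in events:
        if e["port"] == "135":
            targets[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def likely_infections(events):
    """Hosts that pulled a file over TFTP (port 69) from a peer that had already hit
    them on TCP135: step 4d of the sequence in the post, so a probable new victim."""
    seen_135 = set()  # (attacker, victim) pairs seen so far, in log order
    victims = []
    for e in events:
        if e["port"] == "135":
            seen_135.add((e["src"], e["dst"]))
        elif e["port"] == "69" and (e["dst"], e["src"]) in seen_135:
            victims.append({"victim": e["src"], "attacker": e["dst"], "ts": e["ts"]})
    return victims


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("port-135 scanners:", port135_fanout(ev))
    print("probable infections:", likely_infections(ev))
```

The fan-out threshold is the post's "5 or more different IP addresses"; lower it for quieter links and correlate hits with the TFTP rule before acting on them.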


