Re: New MS03-026 worm on the loose? ICMP traffic climbing fast
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 08/19/03
- Previous message: Russ: "Re: www.windowupdate.com GONE - What about the little people?"
- Maybe in reply to: Jeffrey Thomas: "New MS03-026 worm on the loose? ICMP traffic climbing fast"
Date: Mon, 18 Aug 2003 19:09:46 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
NAI has a LovSAN.D worm which delivers MSPatch.exe, that does exactly the same thing as the original MSBlast did.
Trend has MSBlast.D, F-Secure has LovSAN.D, NAI has W32/Nachi.Worm, and Symantec has W32.Welchia.Worm; these are all the same and do something different from the original MSBlast.
The "new" worm uses different ports to perform the remote shell (reports vary, see your AV Vendor). Some people have suggested that this new worm is actually beneficial, because it appears to patch vulnerable systems. However, I am trying to get confirmation on a theory that it, in fact, isn't good after all.
Firstly, no worm is a good worm, regardless of what it does. It's a worm, and it propagates, and it manipulates people's systems without their knowledge or permission. We should never view this as "good". Things go awry, code doesn't always do what you want it to, it gets mangled in transit, other factors come into play, you can never be assured it will be "benign" always, on every system, forever.
Some speculation:
1. It copies TFTPD.exe from the %systemroot%\system32\dllcache directory. This file is only present on Windows 2000 Server and Advanced Server. So only these systems will be used to host propagation of the worm. There's no indication yet of how long the TFTPD stays up and open, meaning others may enter your file system via it.
2. After setting up the remote shell, it instructs the victim system to download a copy of the worm from the host. If the attacker isn't a Windows 2000 Server or Advanced Server, the victim will not be able to download the worm file. Don't know yet what happens to such a victim.
Speculation: If the instruction to download the patch is contained in the worm executable, then many vulnerable systems that are attacked will reboot, but not be patched. Ergo, it will simply cause the systems to repeatedly reboot. Not exactly a good thing(tm). Those systems will also eventually get infected with one of the original blasters as they would have otherwise.
Cheers,
Russ - NTBugtraq Editor
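The propagation pattern Russ describes (a host sweeping the network with ICMP, then serving a copy of itself over TFTPD to the machines it hit) is something a defender can look for in perimeter logs. The following is an added example, not code from Russ's post or from any AV vendor: it takes constructed firewall log lines in an assumed format ("timestamp PROTO src -> dst[:port]"), flags sources that ping many distinct hosts within a short window, and then correlates UDP/69 connections from probed hosts back to the sweeping source. The log format, the sweep threshold and the time window are all assumptions chosen for the example.

```python
"""Spot ICMP sweeps followed by TFTP pulls back to the sweeping host.

Added example: the log format, thresholds and sample lines below are
constructed for illustration and are not taken from any real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Assumed format:
#   "<ISO timestamp> <PROTO> <src> -> <dst>[:<dst_port>]"
SAMPLE_LOG = """\
2003-08-18T19:00:00 ICMP 10.0.0.5 -> 10.0.1.1
2003-08-18T19:00:00 ICMP 10.0.0.5 -> 10.0.1.2
2003-08-18T19:00:01 ICMP 10.0.0.5 -> 10.0.1.3
2003-08-18T19:00:01 ICMP 10.0.0.5 -> 10.0.1.4
2003-08-18T19:00:02 ICMP 10.0.0.5 -> 10.0.1.5
2003-08-18T19:00:02 ICMP 10.0.0.5 -> 10.0.1.6
2003-08-18T19:00:03 ICMP 10.0.0.5 -> 10.0.1.7
2003-08-18T19:00:03 ICMP 10.0.0.5 -> 10.0.1.8
2003-08-18T19:00:09 UDP 10.0.1.3 -> 10.0.0.5:69
2003-08-18T19:00:10 UDP 10.0.1.7 -> 10.0.0.5:69
2003-08-18T19:05:00 ICMP 10.0.2.9 -> 10.0.1.1
2003-08-18T19:05:30 ICMP 10.0.2.9 -> 10.0.1.2
2003-08-18T19:06:00 UDP 10.0.1.1 -> 10.0.3.3:69
"""

# Assumed tuning values: how many distinct ICMP targets from one source,
# within what window, count as a sweep rather than normal ping traffic.
SWEEP_THRESHOLD = 8
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into (timestamp, proto, src, dst, dst_port or None)."""
    ts, proto, src, _arrow, dst = line.split()
    port = None
    if ":" in dst:
        dst, port_str = dst.rsplit(":", 1)
        port = int(port_str)
    return datetime.fromisoformat(ts), proto, src, dst, port


def find_icmp_sweeps(events):
    """Return {src: set(targets)} for sources that probe >= SWEEP_THRESHOLD
    distinct hosts via ICMP inside any WINDOW-long interval."""
    by_src = defaultdict(list)
    for ts, proto, src, dst, _port in events:
        if proto == "ICMP":
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, probes in by_src.items():
        probes.sort()
        start = 0
        # Sliding window over the time-ordered probes of this source.
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > WINDOW:
                start += 1
            targets = {dst for _ts, dst in probes[start:end + 1]}
            if len(targets) >= SWEEP_THRESHOLD:
                sweeps[src] = sweeps.get(src, set()) | targets
    return sweeps


def correlate_tftp_pulls(events, sweeps):
    """A probed host opening UDP/69 back to the host that swept it matches
    the 'victim downloads the worm from the attacker's TFTPD' pattern."""
    findings = []
    for ts, proto, src, dst, port in events:
        if proto == "UDP" and port == 69 and dst in sweeps and src in sweeps[dst]:
            findings.append({"attacker": dst, "victim": src, "time": ts.isoformat()})
    return findings


def analyze(log_text):
    """Run both stages over raw log text and return the findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    sweeps = find_icmp_sweeps(events)
    return {
        "sweepers": sorted(sweeps),
        "tftp_pulls": correlate_tftp_pulls(events, sweeps),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed input, 10.0.0.5 is the only sweeper (eight targets in three seconds), and the two UDP/69 flows from 10.0.1.3 and 10.0.1.7 back to it are reported as likely worm downloads; the isolated TFTP flow to 10.0.3.3 is ignored because that host never swept anything. Requiring the TFTP pull to come from a host the sweeper actually probed is what keeps ordinary TFTP use (router config backups, PXE) from tripping the rule.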