Re: Blasting Blaster.Worm (aka LovSan Virus)

From: iDaemon Security (security_at_securedaemon.net)
Date: 08/13/03

  • Next message: Lloyd Taylor: "Re: Blasting Blaster.Worm (aka LovSan Virus)"
    To: Alavan <alavan@pangeatech.com>
    Date: 12 Aug 2003 20:30:52 -0600
    
    

    It is very well described in the Symantec Alerts we get.

    Here is a brief description of how it infects:

    1. worm finds host vulnerable to DCOM RPC exploit, attacks on 135/TCP
    (and UDP... it is safe to assume that traffic will use TCP and/or UDP,
    so please assume UDP is implied for the rest of my comments)
    2. worm causes buffer overflow, yielding a shell on 4444/TCP which
    intiates outbound tftp to the host it was infected from,downloading
    msblaster.exe and dropping it on the newly infected host which is
    rebooted so that msblaster.exe is run on startup
    3. msblaster.exe propagates outbound and listens on 69/TCP (which is
    tftp in case you don't have an /etc/services handy), infecting more
    hosts and serving out msblaster.exe via tftp

    Log/sniff/block 135/TCP, 4444/TCP (which is the port used by krb524, a
    Kerberos migration service), and 69/TCP.

    Regards,

    Chris

    On Tue, 2003-08-12 at 13:40, Alavan wrote:
    > All,
    >
    > We're a small ISP providing T-1 access to residents of apartment
    > communities. Several of our communities have been hit hard by this recent
    > worm. Trying to identify who's infected is difficult. We've tried logging
    > UDP, TCP and IP in general, but there's nothing telling getting logged.
    > Reports indicate that the Virus will try a DDOS on Microsoft's Windows
    > Update site on 8/16/03, but we saw 1500 small packets per second leaving a
    > site and couldn't log them via the Cisco router using the above method. I
    > assumed they were destined for MS. After the flood stopped (some unknown
    > reason), we traced the flood to a customer using usage stats on our
    > switches throughout the property.
    >
    > Turns out that the customer was infected with Blaster.Worm (lovsan). So, it
    > sure seems that it's doing more than initially indicated.
    >
    > Does anyone know exactly what protocol is being used by this
    > "msblaster.exe" or this other shell program created? Any easy way to sniff
    > and log via our Cisco router?
    >
    > Any advice would help. We've currently got another property with 1352
    > packets/second leaving a T-1 serial interface that only at 128/255, or
    > half-used. We never see that kind of pps.
    >
    > Thanks in advance.
    >
    > Alavan
    >
    >
    > ---------------------------------------------------------------------------
    > ----------------------------------------------------------------------------

    -- 
    iDaemon Security <security@securedaemon.net>
    Securedaemon.net
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    

  • Next message: Lloyd Taylor: "Re: Blasting Blaster.Worm (aka LovSan Virus)"