Lol... :-) -----Original Message----- From: Joe [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 5:41 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)
In case you been sleeping on the RPC DCOM hole (MS03-26), the time to patch was a couple of weeks ago, but if you still didn't... Duck... No actually patch! Now is not the time for your company to discover that a firewall doesn't protect all entrances to your network. http://isc.sans.org/diary.html?date=2003-08-11 Handlers Diary August 11th 2003 Updated August 11th 2003 19:35 EDT RPC DCOM WORM (MSBLASTER) This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly. ********** NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. ********** Executive Summary: A worm has started spreading early afternoon EDT (evening UTC Time) and is expected to continue spreading rapidly. This worms exploits the Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS Institute, and Incidents.org recommends the following Action Items: * Close port 135/tcp (and if possible 135-139, 445 and 593) * Ensure that all available patches have been applied, especially the patches reported in Microsoft Security Bulletin MS03-026. * This bulletin is available at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp * Infected machines are recommended to be pulled from the network pending a complete rebuild of the system. Increase in port 135 activity: http://isc.sans.org/images/port135percent.png Technical Details: Names and Aliases: W32.Blaster.Worm (symantec),W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro),Win32.Posa.Worm (CA),Lovsan (F-secure), MSBLASTER,Win32.Poza. Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET 2. this causes a remote shell on port 4444 at the TARGET 3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444, 4. the target will now connect to the tftp server at the SOURCE. The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed: MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes) So far we have found the following properties: - Scans sequentially for machines with open port 135, starting at a presumably random IP address - uses multiple TFTP servers to pull the binary - adds a registry key to start itself after reboot Name of registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update' Strings of interest: msblast.exe I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!! windowsupdate.com start %s tftp -i %s GET %s %d.%d.%d.%d %i.%i.%i.%i BILLY windows auto update SOFTWARE\Microsoft\Windows\CurrentVersion\Run Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c Once you are infected, we highly recommend a complete rebuild of the site. As there have been a number of irc bots using the exploit for a few weeks now, it is possible that your system was already infected with one of the prior exploits. Do not connect an unpatched machine to a network. The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP. The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only. Other References: http://www.cert.org/advisories/CA-2003-19.html http://www.microsoft.com/technet/security/bulletin/MS03-026.asp https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pd f http://www3.ca.com/virusinfo/virus.aspx?ID=36265 http://www.datafellows.com/v-descs/msblast.shtml http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547 http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSB LAST.A http://xforce.iss.net/xforce/alerts/id/150 http://vil.nai.com/vil/content/v_100547.htm List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
