TUCoPS :: Malware :: bt1411.txt

CERT Advisory CA-2003-20 W32/Blaster worm



----- Original Message ----- 
From: "CERT Advisory" <cert-advisory@cert.org>
To: <cert-advisory@cert.org>
Sent: Monday, August 11, 2003 6:21 PM
Subject: CERT Advisory CA-2003-20 W32/Blaster worm 


> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> CERT Advisory CA-2003-20 W32/Blaster worm
> 
>    Original issue date: August 11, 2003
>    Last revised: --
>    Source: CERT/CC
> 
>    A complete revision history is at the end of this file.
> 
> Systems Affected
> 
>      * Microsoft Windows NT 4.0
>      * Microsoft Windows 2000
>      * Microsoft Windows XP
>      * Microsoft Windows Server 2003
> 
> Overview
> 
>    The  CERT/CC  is receiving reports of widespread activity related to a
>    new piece of malicious code known as W32/Blaster. This worm appears to
>    exploit  known  vulnerabilities in the Microsoft Remote Procedure Call
>    (RPC) Interface.
> 
> I. Description
> 
>    The  W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
>    interface  as  described  in VU#568148 and CA-2003-16. Upon successful
>    execution,   the  worm  attempts  to  retrieve  a  copy  of  the  file
>    msblast.exe  from  the compromising host. Once this file is retrieved,
>    the  compromised  system  then  runs  it and begins scanning for other
>    vulnerable  systems to compromise in the same manner. In the course of
>    propagation,  a TCP session to port 135 is used to execute the attack.
>    However,  access  to  TCP  ports  139  and 445 may also provide attack
>    vectors  and should be considered when applying mitigation strategies.
>    Microsoft  has  published  information  about  this  vulnerability  in
>    Microsoft Security Bulletin MS03-026.
> 
>    Lab testing has confirmed that the worm includes the ability to launch
>    a TCP SYN flood denial-of-service attack against windowsupdate.com. We
>    are  investigating  the  conditions  under  which  this  attack  might
>    manifest  itself.  Unusual  or unexpected traffic to windowsupdate.com
>    may  indicate an infection on your network, so you may wish to monitor
>    network traffic.
> 
>    Sites  that do not use windowsupdate.com to manage patches may wish to
>    block  outbound traffic to windowsupdate.com. In practice, this may be
>    difficult  to  achieve, since windowsupdate.com may not resolve to the
>    same    address    every   time.   Correctly   blocking   traffic   to
>    windowsupdate.com  will require detailed understanding of your network
>    routing  architecture,  system  management  needs, and name resolution
>    environment. You should not block traffic to windowsupdate.com without
>    a thorough understanding of your operational needs.
> 
>    We  have  been in contact with Microsoft regarding this possibility of
>    this denial-of-service attack.
> 
> II. Impact
> 
>    A  remote  attacker  could  exploit  these  vulnerabilities to execute
>    arbitrary   code   with   Local   System  privileges  or  to  cause  a
>    denial-of-service condition.
> 
> III. Solutions
> 
> Apply patches
> 
>    All users are encouraged to apply the patches referred to in Microsoft
>    Security  Bulletin  MS03-026  as soon as possible in order to mitigate
>    the  vulnerability  described  in  VU#568148.  These  patches are also
>    available via Microsoft's Windows Update service.
> 
>    Systems  running  Windows  2000  may still be vulnerable to at least a
>    denial-of-service  attack  via  VU#326746 if their DCOM RPC service is
>    available  via the network. Therefore, sites are encouraged to use the
>    packet  filtering  tips  below  in  addition  to  applying the patches
>    supplied in MS03-026.
> 
>    It  has been reported that some affected machines are not able to stay
>    connected  to  the  network  long  enough  to  download  patches  from
>    Microsoft.  For  hosts  in  this situation, the CERT/CC recommends the
>    following:
>     1. Physically disconnecting the system from the network
>     2. Check the system for signs of compromise.
>           + In most cases, an infection will be indicated by the presence
>             of the registry key
>             "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
>             \Run\windows  auto  update"  with  a value of msblast.exe. If
>             this key is present, remove it using a registry editor.
>     3. If  you're  infected,  terminate  the  running copy of msblast.exe
>        using the Task Manager.
>     4. Take  one of the following steps to protect against the compromise
>        prior to installing the Microsoft patch:
>           + Disable DCOM as described below
>           + Enabling  Microsoft's  Internet  Connection  Filter (ICF), or
>             another host-level packet filtering program to block incoming
>             connections for 135/tcp
>     5. Reconnect  the  system to the network and apply the patches in the
>        recommended manner
> 
>    Trend  Micro,  Inc.  has  published a set of steps to accomplish these
>    goals.  Symantec has also published a set of steps to accomplish these
>    goals.
> 
> Disable DCOM
> 
>    Depending  on  site  requirements,  you  may  wish  to disable DCOM as
>    described  in  MS03-026. Disabling DCOM will help protect against this
>    vulnerability  but may also cause undesirable side effects. Additional
>    details  on  disabling DCOM and possible side effects are available in
>    Microsoft Knowledge Base Article 825750.
> 
> Filter network traffic
> 
>    Sites are encouraged to block network access to the following relevant
>    ports   at  network  borders.  This  can  minimize  the  potential  of
>    denial-of-service  attacks originating from outside the perimeter. The
>    specific services that should be blocked include
>      * 69/UDP
>      * 135/TCP
>      * 135/UDP
>      * 139/TCP
>      * 139/UDP
>      * 445/TCP
>      * 445/UDP
>      * 4444/TCP
> 
>    Sites  should  consider  blocking both inbound and outbound traffic to
>    these  ports,  depending  on  network  requirements,  at  the host and
>    network level. Microsoft's Internet Connection Firewall can be used to
>    accomplish these goals.
> 
>    If  access  cannot  be  blocked  for  all  external hosts, the CERT/CC
>    recommends  limiting  access  to  only those hosts that require it for
>    normal  operation. As a general rule, the CERT/CC recommends filtering
>    all  types  of  network  traffic  that  are  not  required  for normal
>    operation.
> 
>    Because  current exploits for VU#568148 create a backdoor, which is in
>    some  cases  4444/TCP, blocking inbound TCP sessions to ports on which
>    no  legitimate  services  are  provided  may  limit intruder access to
>    compromised hosts.
> 
> Recovering from a system compromise
> 
>    If  you  believe  a  system under your administrative control has been
>    compromised, please follow the steps outlined in
> 
>           Steps for Recovering from a UNIX or NT System Compromise
> 
> Reporting
> 
>    The  CERT/CC  is tracking activity related to this worm as CERT#30479.
>    Relevant  artifacts  or activity can be sent to cert@cert.org with the
>    appropriate CERT# in the subject line.
> 
> Appendix A. Vendor Information
> 
>    This  appendix  contains information provided by vendors. When vendors
>    report  new  information,  this section is updated and the changes are
>    noted  in  the  revision  history. If a vendor is not listed below, we
>    have not received their comments.
> 
> Microsoft
> 
>      Please see Microsoft Security Bulletin MS03-026.
> 
> Appendix B. References
> 
>      * CERT/CC Advisory CA-2003-19 -
>        http://www.cert.org/advisories/CA-2003-19.html
>      * CERT/CC Vulnerability Note VU#561284 -
>        http://www.kb.cert.org/vuls/id/561284
>      * CERT/CC Vulnerability Note VU#326746 -
>        http://www.kb.cert.org/vuls/id/326746
>      * Microsoft Security Bulletin MS03-026 -
>        http://microsoft.com/technet/security/bulletin/MS03-026.asp
>      * Microsoft      Knowledge      Base      article      823980      -
>        http://support.microsoft.com?kbid=823980
> 
> Thanks
> 
>    Our  thanks  to Microsoft Corporation for their review of and input to
>    this advisory.
>    ______________________________________________________________________
> 
>    Authors:  Chad  Dougherty,  Jeffrey  Havrilla, Shawn Hernan, and Marty
>    Lindner
>    ______________________________________________________________________
> 
>    This document is available from:
>    http://www.cert.org/advisories/CA-2003-20.html
>    ______________________________________________________________________
> 
> CERT/CC Contact Information
> 
>    Email: cert@cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
> 
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> 
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
> 
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
> 
> Getting security information
> 
>    CERT  publications  and  other security information are available from
>    our web site
>    http://www.cert.org/
> 
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo@cert.org. Please include in the body of your
>    message
> 
>    subscribe cert-advisory
> 
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
> 
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>    ______________________________________________________________________
> 
>    Conditions for use, disclaimers, and sponsorship information
> 
>    Copyright 2003 Carnegie Mellon University.
> 
>    Revision History
> 
>    August 11, 2003: Initial release
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> 
> iQCVAwUBPzhJFGjtSoHZUTs5AQEO6wP5AZuyr1OG/U9RjZDAAatFmJUuTO8SFhtd
> R+nfZ54ylZPGE8ewMiS0hiuKaaXsOyk46R+zcwuPfoKffaaQX7SvwkS5uVzRBU+E
> PEnECSv6O8qL0uGR6BO8zmDncOhd8YouyXWGwMCRqpvH4rMHLRB8CIgKHyEoqBpl
> r69lGr8lqtE=
> =3GAW
> -----END PGP SIGNATURE-----
> 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH