__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Blaster Worm (aka: W32.Blaster, MSBlast, Lovsan, Win32.Poza)
[CERTŪ Advisory CA-2003-20]
August 12, 2003 14:00 GMT Number N-133
______________________________________________________________________________
PROBLEM: The Blaster worm exploits the Microsoft RPC DCOM vulnerability
to propagate as described in CIAC Bulletin N-117. The purpose
of this malicious code is to infect as many computers as
possible to carry out a Distributed Denial of Service Attack
against the web site www.windowsupdate.com, which has been
coded in this worm to take place on August 16, 2003.
PLATFORM: Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
DAMAGE: Once installed on a machine, Blaster scans random IP ranges,
with the aim of finding more PCs to infect. In addition, it
creates a file in the system called msblast.exe which contains
the code of the worm. It creates a registry key to ensure it
is started when the operating system is restarted.
SOLUTION: Apply Microsoft patches as described in CIAC Bulletin N-117.
Keep anti-virus definition files updated.
______________________________________________________________________________
VULNERABILITY The risk is HIGH. Blaster is a high-profile and fast-spreading
ASSESSMENT: worm. A remote attacker could exploit the RPC/DCOM
vulnerability to execute arbitrary code with Local System
privileges or to cause a denial-of-service condition.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-133.shtml
ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2003-20.html
ADDITIONAL MONITOR THE SITES BELOW FOR UPDATES
INFORMATION: - Microsoft MS03-026:
http://www.microsoft.com/technet/treeview/default.asp?url
=/technet/security/bulletin/MS03-026.asp
- Microsoft Knowledge Base article 823980
http://support.microsoft.com?kbid=823980
- DHS/FedCIRC Advisory FA-2003-20
http://www2.fedcirc.gov/advisories/FA-2003-20.html
- Computer Associates - Win32.Poza worm
http://www3.ca.com/solutions/collateral.asp?CT=27081&CID
=48952
- F-Secure Lovsan, MSBlast, Blaster worm
http://www.europe.f-secure.com/v-descs/msblast.shtml
- ISS Xforce MSRPC DCOM Worm Propagation
http://xforce.iss.net/xforce/alerts/id/150
- Network Associates - W32/Lovsan.worm
http://vil.nai.com/vil/content/v_100547.htm
- Panda Software's Virus Encyclopedia
http://www.pandasoftware.com/virus_info/encyclopedia/
- Sophos - W32/Blaster-A worm
http://www.sophos.com/support/disinfection/blastera.html
- Symantec - W32.Blaster.Worm
http://securityresponse.symantec.com/avcenter/venc/data/
w32.blaster.worm.html
- Trend Micro - WORM_MSBLAST.A
http://www.trendmicro.com/vinfo/virusencyclo/
default5.asp?VName=WORM_MSBLAST.A
______________________________________________________________________________
[***** Start CERTŪ Advisory CA-2003-20 *****]
CERTŪ Advisory CA-2003-20 W32/Blaster worm
Original issue date: August 11, 2003
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Overview
The CERT/CC is receiving reports of widespread activity related to a new
piece of malicious code known as W32/Blaster. This worm appears to exploit
known vulnerabilities in the Microsoft Remote Procedure Call (RPC)
Interface.
I. Description
The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
interface as described in VU#568148 and CA-2003-16. Upon successful
execution, the worm attempts to retrieve a copy of the file msblast.exe
from the compromising host. Once this file is retrieved, the compromised
system then runs it and begins scanning for other vulnerable systems to
compromise in the same manner. In the course of propagation, a TCP session
to port 135 is used to execute the attack. However, access to TCP ports
139 and 445 may also provide attack vectors and should be considered when
applying mitigation strategies. Microsoft has published information about
this vulnerability in Microsoft Security Bulletin MS03-026.
Lab testing has confirmed that the worm includes the ability to launch
a TCP SYN flood denial-of-service attack against windowsupdate.com. We
are investigating the conditions under which this attack might manifest
itself. Unusual or unexpected traffic to windowsupdate.com may indicate
an infection on your network, so you may wish to monitor network traffic.
Sites that do not use windowsupdate.com to manage patches may wish to
block outbound traffic to windowsupdate.com. In practice, this may be
difficult to achieve, since windowsupdate.com may not resolve to the
same address every time. Correctly blocking traffic to windowsupdate.com
will require detailed understanding of your network routing architecture,
system management needs, and name resolution environment. You should not
block traffic to windowsupdate.com without a thorough understanding of
your operational needs.
We have been in contact with Microsoft regarding this possibility of this
denial-of-service attack.
II. Impact
A remote attacker could exploit these vulnerabilities to execute arbitrary
code with Local System privileges or to cause a denial-of-service condition.
III. Solutions
Apply patches
All users are encouraged to apply the patches referred to in Microsoft
Security Bulletin MS03-026 as soon as possible in order to mitigate the
vulnerability described in VU#568148. These patches are also available via
Microsoft's Windows Update service.
Systems running Windows 2000 may still be vulnerable to at least a
denial-of-service attack via VU#326746 if their DCOM RPC service is
available via the network. Therefore, sites are encouraged to use the
packet filtering tips below in addition to applying the patches supplied
in MS03-026.
It has been reported that some affected machines are not able to stay
connected to the network long enough to download patches from Microsoft.
For hosts in this situation, the CERT/CC recommends the following:
1.Physically disconnecting the system from the network
2.Check the system for signs of compromise.
In most cases, an infection will be indicated by the presence of the
registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows
auto update" with a value of msblast.exe. If this key is present, remove
it using a registry editor.
3.If you're infected, terminate the running copy of msblast.exe using
the Task Manager.
4.Take one of the following steps to protect against the compromise
prior to installing the Microsoft patch:
Disable DCOM as described below
Enabling Microsoft's Internet Connection Filter (ICF), or another
host-level packet filtering program to block incoming connections for
135/tcp
5.Reconnect the system to the network and apply the patches in the
recommended manner
Trend Micro, Inc. has published a set of steps to accomplish these goals.
Symantec has also published a set of steps to accomplish these goals.
Disable DCOM
Depending on site requirements, you may wish to disable DCOM as
described in MS03-026. Disabling DCOM will help protect against this
vulnerability but may also cause undesirable side effects. Additional
details on disabling DCOM and possible side effects are available in
Microsoft Knowledge Base Article 825750.
Filter network traffic
Sites are encouraged to block network access to the following relevant
ports at network borders. This can minimize the potential of
denial-of-service attacks originating from outside the perimeter. The
specific services that should be blocked include
69/UDP
135/TCP
135/UDP
139/TCP
139/UDP
445/TCP
445/UDP
4444/TCP
Sites should consider blocking both inbound and outbound traffic to these
ports, depending on network requirements, at the host and network level.
Microsoft's Internet Connection Firewall can be used to accomplish
these goals.
If access cannot be blocked for all external hosts, the CERT/CC
recommends limiting access to only those hosts that require it for
normal operation. As a general rule, the CERT/CC recommends filtering
all types of network traffic that are not required for normal operation.
Because current exploits for VU#568148 create a backdoor, which is in
some cases 4444/TCP, blocking inbound TCP sessions to ports on which no
legitimate services are provided may limit intruder access to compromised
hosts.
Recovering from a system compromise
If you believe a system under your administrative control has been
compromised, please follow the steps outlined in
Steps for Recovering from a UNIX or NT System Compromise
Reporting
The CERT/CC is tracking activity related to this worm as CERT#30479.
Relevant artifacts or activity can be sent to cert@cert.org with the
appropriate CERT# in the subject line.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.
Microsoft
Please see Microsoft Security Bulletin MS03-026.
Appendix B. References
CERT/CC Advisory CA-2003-19 - http://www.cert.org/advisories/CA-2003-19.html
CERT/CC Vulnerability Note VU#561284 - http://www.kb.cert.org/vuls/id/561284
CERT/CC Vulnerability Note VU#326746 - http://www.kb.cert.org/vuls/id/326746
Microsoft Security Bulletin MS03-026
- http://microsoft.com/technet/security/bulletin/MS03-026.asp
Microsoft Knowledge Base article 823980
- http://support.microsoft.com?kbid=823980
Thanks
Our thanks to Microsoft Corporation for their review of and input to
this advisory.
Authors: Chad Dougherty, Jeffrey Havrilla, Shawn Hernan, and Marty Lindner
This document is available from:
http://www.cert.org/advisories/CA-2003-20.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline
08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are
on call for emergencies during other hours, on U.S. holidays, and on
weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
August 11, 2003: Initial release
[***** End CERTŪ Advisory CA-2003-20 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of CERT for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-123: SGI Login Vulnerabilities
N-124: Sun Solaris 8 LDAP Clients May Log the Proxy Agent User's Password as Clear Text
N-125: Cumulative Patch for Microsoft SQL Server
N-126: Microsoft Unchecked Buffer in DirectX Could Enable System Compromise
N-127: Buffer Overflows in EXTPROC of Oracle Database Server
N-128: Oracle Buffer Overflow in E-Business Suite
N-129: Oracle Unauthorized Disclosure of Information in E-Business Suite
N-130: SGI IRIX nsd Server AUTH_UNIX gid list Vulnerability
N-131: Sun Solaris Runtime Linker ld.so.1(1) Vulnerability
N-132: Red Hat wu-ftpd Buffer Overflow Vulnerability
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
