
August 20, 2003
11:30
MSBlaster Update
Bob McCoy
bobmccoy@microsoft.com
Technical Account Manager
Premier Support
Microsoft Corporation
Names

- W32.Blaster.Worm (Symantec)
- W32/Lovsan.worm (McAfee)
- WORM_MSBLAST.A (Trendmicro)
- Win32.Posa.Worm (Computer Associates)
Symptoms

- Computer reboots every few minutes without user input
- Computers become unresponsive
Who is Vulnerable?

- Microsoft Windows NT 4.0 (affected)
- Microsoft Windows 2000 (infected)
- Microsoft Windows XP (infected)
- Microsoft Windows Server 2003 (affected)
Infection Evidence

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = "msblast.exe"
- msblast.exe in the Windows System32 directory
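As an added illustration (not from the original presentation), a small Python check that looks for the two indicators above in a "reg export" of the Run key and in a System32 directory listing. The export text and the listing are constructed for the example.

```python
import re

# Constructed sample of a 'reg export' of the Run key (not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"
"""

# Constructed sample directory listing of %SystemRoot%\System32.
SAMPLE_SYSTEM32 = ["kernel32.dll", "MSBLAST.EXE", "tftp.exe", "svchost.exe"]

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')  # "name"="string data"


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def blaster_indicators(reg_text, system32_listing):
    """Return a list of findings matching the two infection indicators on the slide."""
    findings = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    for name, data in run_values.items():
        # Flag the documented value name, and any Run entry that launches msblast.exe
        if name.lower() == "windows auto update" or "msblast.exe" in data.lower():
            findings.append(f'Run value "{name}" = "{data}"')
    for fname in system32_listing:
        if fname.lower() == "msblast.exe":  # filenames are case-insensitive on Windows
            findings.append(f"{fname} present in System32")
    return findings


if __name__ == "__main__":
    for finding in blaster_indicators(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM32):
        print("INDICATOR:", finding)
```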
Vulnerability Details

- The vulnerability is in the part of RPC that deals with message exchange over TCP/IP
- It occurs because of incorrect handling of malformed messages
- This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports
- An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system
- To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports (port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine)
What's the Fix?

- The patch corrects the vulnerability by altering the DCOM interface to properly check the information passed to it.
Anatomy of an Attack (1 of 3)

Attacker:
- Scan an IP address range looking for a target with port 135 listening
- Select which exploit code to send: Windows 2000 (20%) or Windows XP (80%)
- Send exploit code to the target via TCP port 135

Anatomy of an Attack (2 of 3)

Target:
- If target is unpatched, and exploit code matches system type: open remote command shell listening on TCP port 4444
- If exploit code does not match system type: RPC subsystem fails
Attacker:
- Start TFTP server listening on UDP port 69
- Send a command to the target via port 4444 directing target to download MSBlast.exe from the infector
Target:
- Issue a TFTP "Get" command to the infector via port 69

Anatomy of an Attack (3 of 3)

Attacker:
- Send command via port 4444 to execute MSBlast.exe
- Disconnect from port 4444
- Close the TFTP server
Target:
- Run MSBlast.exe, which creates registry entries that will cause it to be run again when a user subsequently logs onto the system
- Close the command shell
- Begin DDoS (SYN flood) attack after 8/16 00:00
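An added example, not part of the original presentation: detection logic that applies the three-stage sequence above (TCP/135 from a host, then TCP/4444 from the same host, then a TFTP request on UDP/69 from the target back to that host) to connection records such as a firewall or flow log would provide. The records and the five-minute window are constructed assumptions.

```python
from collections import defaultdict

# Constructed connection records: (timestamp, proto, src, sport, dst, dport).
# Not real capture data; they model one infection plus unrelated RPC traffic.
SAMPLE_CONNECTIONS = [
    (100.0, "tcp", "10.0.0.5", 3201, "10.0.0.9", 135),   # exploit sent to RPC on the target
    (100.4, "tcp", "10.0.0.5", 3202, "10.0.0.9", 4444),  # attacker connects to the shell the exploit opened
    (101.0, "udp", "10.0.0.9", 1029, "10.0.0.5", 69),    # target issues TFTP Get to the infector
    (130.0, "tcp", "10.0.0.7", 3300, "10.0.0.9", 135),   # ordinary RPC traffic, no follow-up
    (200.0, "tcp", "10.0.0.5", 3203, "10.0.0.9", 135),   # later probe from the same host, no shell
]

WINDOW_SECONDS = 300  # assumed: the whole sequence completes within five minutes


def find_blaster_infections(records, window=WINDOW_SECONDS):
    """Return (attacker, target) pairs whose traffic shows the Blaster sequence:
    TCP/135 from attacker, then TCP/4444 from attacker, then UDP/69 from the
    target back to the attacker, all within `window` seconds of the first step."""
    events = defaultdict(list)  # (attacker, target) -> [(stage_name, ts), ...]
    for ts, proto, src, _sport, dst, dport in sorted(records, key=lambda r: r[0]):
        if proto == "tcp" and dport == 135:
            events[(src, dst)].append(("rpc", ts))
        elif proto == "tcp" and dport == 4444:
            events[(src, dst)].append(("shell", ts))
        elif proto == "udp" and dport == 69:
            events[(dst, src)].append(("tftp", ts))  # reversed: target -> attacker
    hits = []
    for pair, seq in events.items():
        stage, start = 0, None
        for kind, ts in seq:
            if kind == "rpc":  # every RPC contact (re)starts a candidate sequence
                stage, start = 1, ts
            elif kind == "shell" and stage == 1:
                stage = 2
            elif kind == "tftp" and stage == 2 and ts - start <= window:
                hits.append(pair)
                break
    return hits


if __name__ == "__main__":
    for attacker, target in find_blaster_infections(SAMPLE_CONNECTIONS):
        print(f"likely Blaster infection: {attacker} -> {target}")
```

A lone TCP/135 connection is not flagged, which keeps normal RPC traffic out of the results; the TFTP step is what distinguishes an infection from a failed exploit attempt.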
4 Steps for Home Users

1. Install/Enable a Firewall
2. Update Windows
3. Use Antivirus Software
4. Remove the Worm

Protect Your PC: http://www.microsoft.com/security/protect/ (went live Aug 18th)
Firewalls

- Windows XP and Windows Server 2003 include Internet Connection Firewall
- Windows 2000 can use IPSec filtering: http://support.microsoft.com/?id=309798

  ipseccmd -f 0+*:69:UDP *+0:69:UDP -n BLOCK -w REG -p "Block TFTP" -r "Block client/server TFTP" -x

  - PXE, RIS and ADS use TFTP
  - Specific port filtering only buys you some time due to variants
- Third party software firewalls
- External firewalls
The Internal Threat

- VPN port filtering
- Quarantine / Sandbox
- Network scan and shut off ports
- Client logon scripts
- Partners and trust: filtering at the edge
Group Policy

- Set IPSec filter
- Restrict execution of msblast.exe
  - Watch out for variants
- Custom scripts
- Only works on Windows 2000 and later
  - XP Home ineligible for domain policy
Good Worm, Bad Worm

- Latest variant looks for vulnerable computers, patches & reboots them
- Names: Nachi, Blaster-D, Welchia
- http://www.microsoft.com/technet/security/virus/alerts/nachi.asp
- Increased network traffic (ICMP)
- Scanning continues until 1/1/2004
- It's still a worm, with all the legal issues associated with unauthorized access
- Exploits RPC (MS03-026) and WebDAV (MS03-007) vulnerabilities
Removal Tools

- Network Associates: http://www.nai.com/us/promos/nai_lovsan.htm
- Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
- Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
- Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265
- Sophos: http://www.sophos.com/support/disinfection/blastera.html#2
Stop the Rebooting

"Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly." (unrepentantly)

Start | Run | Services.msc | Remote Procedure Call (RPC) | Recovery | Change recovery option
Stop the Timer

Start | Run (R)

shutdown -a
Deployment Technologies

- SMS with Feature Pack
- Software Update Services (uses the Automatic Update component)
- Login script
- Third party tools (St Bernard, Tivoli, et al)
- VBScript: http://support.microsoft.com/default.aspx?kbid=827227
- SneakerNet
Software Update Services Cryptographic Error

- Cryptographic Services may not be started
- Database corruption in catroot2
- Windows Update 643 Error and the Catalog Database: http://support.microsoft.com/default.aspx?scid=kb;ENUS;817287

net stop cryptsvc
ren %systemroot%\system32\catroot2 oldcatroot2
net start cryptsvc
Installer Convergence

- Many product teams ► many installer technologies
- Historically driven by architectural differences
- Two standards
  - Windows Installer (MSI)
  - Update.exe
- Most will migrate after MSI 3.0 is released
Patch Verification

- SMS
- Scan with MS Baseline Security Analyzer
- MS03-036 Scanner: http://www.microsoft.com/downloads/details.aspx?familyid=c8f04c6c-b71b-4992-91f1-aaa785e709da
  - May give false positives on Win9x machines that have DCOM98 installed
Support

- NT 4.0 Server SP 6a
- Win2000 SP 3 & 4
- Workstation was not initially supported
- Will not install with previous SPs
- Will install on Win2000 SP 2, however, it's not supported
- Hot fix support for DEC Alpha ended December 31, 2001
- Support Lifecycle: http://support.microsoft.com/lifecycle
System Confidence

"But the infection period = full access by bad guys to your PC. How can you 100% know you have caught + reversed every possible malicious action? For 100% confidence you must flatten & reinstall."

Root compromise: http://www.cert.org/tech_tips/root_compromise.html
It Really Hurts
My customer has no less than 7
separate production configurations
(just for workstations), more than 1,000
applications in use (in multiple
languages), and machines located in
more than 135 countries, some of which
have total in-country bandwidths as low
as 32K total.
Windowsupdate.com

- DDoS target of the worm (SYN flood)
- Attacks scheduled to begin 8/16/03 at 00:00 local
- "A" records for windowsupdate.com now point to 127.0.0.1
- It was an easy redirect to the real update site

"One strategy for cushioning the blow was to extinguish the Windowsupdate.com site," said Microsoft spokesman Sean Sundwall. "We have no plans to ever restore that to be an active site."
DDoS Schedule

[Chart: calendar grid with days 1 through 31 across and months Jan through Dec down, shaded to distinguish days with no DDoS attacks from days with DDoS attacks.]
Did we get lucky?

- Hard coded URL to expendable domain
- No intelligence about what client was being attacked
- Worm had to drag the payload in behind it
- Payload was fairly benign
- Patch was available
- Power failure in the NE US
Resources

- Main MSBlast Page: http://www.microsoft.com/security/incident/blast.asp
- Knowledge Base Article 823980: http://support.microsoft.com/default.aspx?scid=kb;enus;823980
- PSS Security Response Team Alert: http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp
- Microsoft Security Bulletin MS03-026: http://www.microsoft.com/technet/security/bulletin/ms03026.asp
More Info

- Patch Management Whitepaper: http://www.microsoft.com/security/whitepapers/patch_management.asp
- ISA Server helps block Blaster traffic: http://www.microsoft.com/isaserver/techinfo/prevent/blasterworm.asp
- Microsoft DCOM RPC Worm Alert: https://tms.symantec.com/members/AnalystReports/030811Alert-DCOMworm.pdf
- Stanford report on RPC Exploits: http://securecomputing.stanford.edu/win-rpc.html
- ISP White paper: http://www.microsoft.com/serviceproviders/security/isp_blaster.asp
TechNet Webcasts

- What Network Administrators Should Know About The Blaster Worm
  Live Event: August 21, 2003 - 11:00am to 12:30am Central Time
  http://www.microsoft.com/usa/webcasts/upcoming/2342.asp
- How To Recover Your Home Computer From The Blaster Worm
  Live Event: August 20, 2003 - 2:30pm to 4:00pm Central Time
  http://www.microsoft.com/usa/webcasts/upcoming/2343.asp
- How To Recover Your Home Computer From The Blaster Worm
  Live Event: August 21, 2003 - 2:30pm to 4:00pm
  http://www.microsoft.com/usa/webcasts/upcoming/2344.asp
© 2002 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.