August 20, 2003 11:30 MSBlaster Update Bob McCoy bobmccoy@microsoft.com Technical Account Manager Premier Support Microsoft Corporation Names W32.Blaster.Worm (Symantec) W32/Lovsan.worm (McAfee) WORM_MSBLAST.A (Trendmicro) Win32.Posa.Worm (Computer Associates) Symptoms Computer reboots every few minutes without user input Computers become unresponsive Who is Vulnerable? Microsoft Windows NT 4.0 (affected) Microsoft Windows 2000 (infected) Microsoft Windows XP (infected) Microsoft Windows Server 2003 (affected) Infection Evidence HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "windows auto update" = “msblast.exe” msblast.exe in the Windows System32 directory Vulnerability Details The vulnerability is in the part of RPC that deals with message exchange over TCP/IP It occurs because of incorrect handling of malformed messages This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports Vulnerability Details An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports (port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine) What’s the Fix? The patch corrects the vulnerability by altering the DCOM interface to properly check the information passed to it. Anatomy of an Attack Attacker Target Scan an IP address range looking for a target with port 135 listening Select which exploit code to send: Windows 2000 (20%) Windows XP (80%) Send exploit code to the target via TCP port 135 1 of 3 Anatomy of an Attack Attacker Target If target is unpatched, and … Exploit code matches system type: open remote command shell listening on TCP port 4444 Exploit code does not match system type: RPC subsystem fails Start TFTP server listening on UDP port 69 Send a command to the target via port 4444 directing target to download MSBlast.exe from the infector Issue a TFTP “Get” command to the infector via port 69 2 of 3 Anatomy of an Attack Attacker Send command via port 4444 to execute MSBlast.exe Disconnect from port 4444 Close the TFTP server Target Run MSBlast.exe which creates registry entries that will cause it to be run again when a user subsequently logs onto the system Close the command shell Begin DDoS (syn flood) attack after 8/16 00:00 3 of 3 4 Steps for Home Users Install/Enable a Firewall Update Windows Use Antivirus Software Remove the Worm Protect Your PC http://www.microsoft.com/security/protect/ Went live Aug 18th Firewalls Windows XP and Windows Server 2003 include Internet Connection Firewall Windows 2000 can use IPSec filtering http://support.microsoft.com/?id=309798 ipseccmd -f 0+*:69:UDP *+0:69:UDP -n BLOCK -w REG -p "Block TFTP" -r "Block client/server TFTP" -x PXE RIS and ADS use TFTP Specific port filtering only buys you some time due to variants Third party software firewalls External firewalls The Internal Threat VPN port filtering Quarantine / Sandbox Network scan and shut off ports Client logon scripts Partners and trust – filtering at the edge Group Policy Set IPSec filter Restrict execution of msblast.exe Watch out for variants Custom scripts Only works on Windows 2000 and later XP Home ineligible for domain policy Good Worm, Bad Worm Latest variant looks for vulnerable computers, patches & reboots them Names: Nachi, Blaster-D, Welchia http://www.microsoft.com/technet/security/virus/alerts/nachi.as p Increased network traffic (ICMP) Scanning continues until 1/1/2004 It’s still a worm, and all the legal issues associated with unauthorized access Exploits RPC (MS03-026) and WebDAV (MS03-007) vulnerabilities Removal Tools Network Associates http://www.nai.com/us/promos/nai_lovsan.htm Trend Micro http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VN ame=WORM_MSBLAST.A Symantec http://securityresponse.symantec.com/avcenter/venc/data/w32. blaster.worm.html Computer Associates http://www3.ca.com/virusinfo/virus.aspx?ID=36265 Sophos http://www.sophos.com/support/disinfection/blastera.html#2 Stop the Rebooting Windows must now restrart because the Remote Procedure Call (RPC) service terminated unexpectantly. (unrepentantly) Start | Run | Services.msc | Remote Procedure Call (RPC) | Recovery Change recovery option Stop the Timer Start | Run (R) shutdown -a Deployment Technologies SMS with Feature Pack Software Update Services (uses the Automatic Update component) Login script Third party tools (St Bernard, Tivoli, et al) VBScript http://support.microsoft.com/default.aspx?kbid=827227 SneakerNet Software Update Services Cryptographic Error Cryptographic Services may not be started Database corruption in catroot2 Windows Update 643 Error and the Catalog Database http://support.microsoft.com/default.aspx?scid=kb;ENUS;817287 net stop cryptsvc ren %systemroot%\system32\catroot2 oldcatroot2 net start cryptsvc Installer Convergence Many product teams ► many installer technologies Historically driven by architectural differences Two standards Windows Installer (MSI) Update.exe Most will migrate after MSI 3.0 is released Patch Verification SMS Scan with MS Baseline Security Analyzer MS03-036 Scanner http://www.microsoft.com/downloads/details.aspx?familyid=c8 f04c6c-b71b-4992-91f1-aaa785e709da May give false positives on Win9x machines that have DCOM98 installed Support NT 4.0 Server SP 6a Win2000 SP 3 & 4 Workstation was not initially supported Will not install with previous SPs Will install on Win2000 SP 2, however, it’s not supported Hot fix support for DEC Alpha ended December 31, 2001 Support Lifecycle http://support.microsoft.com/lifecycle System Confidence “But the infection period = full access by bad guys to your PC. How can you 100% know you have caught + reversed every possible malicious action? For 100% confidence you must flatten & reinstall.” Root compromise http://www.cert.org/tech_tips/root_compromise.html It Really Hurts My customer has no less than 7 separate production configurations (just for workstations), more than 1,000 applications in use (in multiple languages), and machines located in more than 135 countries, some of which have total in-country bandwidths as low as 32K total. Windowsupdate.com DDoS target of the worm (syn flood) Attacks scheduled to begin 8/16/03 at 00:00 local “A” records for windowsupdate.com now point to 127.0.0.1 It was an easy redirect to the real update site "One strategy for cushioning the blow was to extinguish the Windowsupdate.com" site, said Microsoft spokesman Sean Sundwall. "We have no plans to ever restore that to be an active site." DDoS Schedule 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Jan Feb Mar Apr May June July Aug Sept Oct Nov Dec No DDOS attacks DDOS attacks Did we get lucky? Hard coded URL to expendable domain No intelligence about what client was being attacked Worm had to drag the payload in behind it Payload was fairly benign Patch was available Power failure in the NE US Resources Main MSBlast Page http://www.microsoft.com/security/incident/blast.asp Knowledge Base Article 823980 http://support.microsoft.com/default.aspx?scid=kb;enus;823980 PSS Security Response Team Alert http://www.microsoft.com/technet/security/virus/alerts/msblast er.asp Microsoft Security Bulletin MS03-026 http://www.microsoft.com/technet/security/bulletin/ms03026.asp More Info Patch Management Whitepaper http://www.microsoft.com/security/whitepapers/patch_manage ment.asp ISA Server helps block Blaster traffic http://www.microsoft.com/isaserver/techinfo/prevent/blasterwo rm.asp Microsoft DCOM RPC Worm Alert https://tms.symantec.com/members/AnalystReports/030811Alert-DCOMworm.pdf Stanford report on RPC Exploits http://securecomputing.stanford.edu/win-rpc.html ISP White paper http://www.microsoft.com/serviceproviders/security/isp_blaste r.asp TechNet Webcasts What Network Administrators Should Know About The Blaster Worm Live Event: August 21, 2003 - 11:00am to 12:30am Central Time http://www.microsoft.com/usa/webcasts/upcoming/2342.asp How To Recover Your Home Computer From The Blaster Worm Live Event: August 20, 2003 - 2:30pm to 4:00pm Central Time http://www.microsoft.com/usa/webcasts/upcoming/2343.asp How To Recover Your Home Computer From The Blaster Worm Live Event: August 21, 2003 - 2:30pm to 4:00pm http://www.microsoft.com/usa/webcasts/upcoming/2344.asp © 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
© Copyright 2024