Date: 18 August 2003
References: ESB-2003.0561 ESB-2003.0567 ESB-2003.0572 ESB-2003.0579 ESB-2003.0580 ESB-2003.0590 ESB-2003.0612 ESB-2003.0632 ESB-2003.0636 ESB-2003.0799
-----BEGIN PGP SIGNED MESSAGE-----
AusCERT Update AU-2003.011 - Worm (MSBLASTER) propagation for recent
Microsoft RPC vulnerability
First released 12 August 2003
Revised 18 August 2003
AusCERT has received reports of the propagation of a new worm. This worm
exploits the Microsoft Windows DCOM RPC vulnerability announced on July 16,
2003. Details of the underlying vulnerability can be obtained via [1] and
[4] (see the REFERENCES below).
The new worm propagates by first gaining access to the target machine via
TCP port 135. After infection, the machine downloads the viral binary,
msblast.exe and begins scanning for vulnerable targets to repeat the
process. Additionally, an infected machine will listen for tftp connections
from other infected hosts and provide a hidden backdoor process for remote
command connections. On or after August 15, the infected machine will
attempt to conduct a DoS (denial of service) attack against Microsoft's
"Windows Update" site. Due to the combined impact of this DoS attack and
increased, legitimate attempts to contact http://www.windowsupdate.com,
network administrators should be aware that the outbound connections
generated at this time have the potential to cause local network
congestion.
If your machine is not currently infected, the patch available at [4]
should be applied and network filtering applied at both the network
perimeter and on vulnerable hosts (where possible) as follows:
Block all unnecessary traffic for the following ports (as per [1], [2] and
[3]):
* 135/TCP
* 135/UDP
* 139/TCP
* 139/UDP
* 445/TCP
* 445/UDP
* 593/TCP
An infected machine may also listen on the following ports, which at a
minimum should also be blocked for inbound connections and, in the case of
69/UDP, for outbound connections as well:
* 69/UDP
* 4444/TCP
A default network policy of denying inbound network connections to ports
on which no service should be available can prevent other connections to
machines infected with this or possible future variants of this worm.
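The propagation behaviour and the port list above translate directly into
a network-side check. The following Python script is an added example, not
part of the AusCERT advisory: it encodes the advisory's blocking policy as a
function and runs a simple detector over firewall-style log lines, flagging
hosts that scan many destinations on 135/TCP, make outbound tftp (69/UDP)
requests, or receive inbound connections on 4444/TCP. The log format, the
sample lines and the scan threshold are all constructed for this example.

```python
"""Detect MSBlaster-like traffic patterns in firewall log lines and apply
the advisory's port-blocking policy.  Added example; the log format,
sample data and SCAN_THRESHOLD are assumptions, not from the advisory."""
from collections import defaultdict

# Ports the advisory says to block at the perimeter and on vulnerable hosts.
BLOCK_PORTS = {
    ("tcp", 135), ("udp", 135), ("tcp", 139), ("udp", 139),
    ("tcp", 445), ("udp", 445), ("tcp", 593),
}

# Distinct 135/TCP destinations from one source before it is called a scan
# (assumed threshold; tune to the size of the monitored network).
SCAN_THRESHOLD = 20


def advisory_blocks(direction, proto, port):
    """True if the advisory's policy says to drop this connection.
    direction is 'in' or 'out' relative to the protected network."""
    key = (proto.lower(), int(port))
    if key in BLOCK_PORTS:
        return True                       # blocked in both directions
    if key == ("udp", 69):
        return True                       # tftp: inbound and outbound
    if key == ("tcp", 4444):
        return direction == "in"          # backdoor port: inbound at minimum
    return False


def parse_line(line):
    """Parse one line of the constructed log format:
    <epoch> <in|out> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
    Returns a dict, or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        src_ip, src_port = parts[3].rsplit(":", 1)
        dst_ip, dst_port = parts[5].rsplit(":", 1)
        return {"ts": int(parts[0]), "direction": parts[1],
                "proto": parts[2].lower(),
                "src": src_ip, "sport": int(src_port),
                "dst": dst_ip, "dport": int(dst_port)}
    except ValueError:
        return None


def analyse(lines):
    """Return (sorted suspect hosts, list of (host, reason) findings)."""
    scan_targets = defaultdict(set)   # source -> distinct 135/TCP destinations
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip malformed lines rather than crash
        key = (rec["proto"], rec["dport"])
        if key == ("tcp", 135):
            scan_targets[rec["src"]].add(rec["dst"])
        if rec["direction"] == "out" and key == ("udp", 69):
            findings.append((rec["src"],
                             "outbound tftp (69/UDP): possible fetch of worm binary"))
        if rec["direction"] == "in" and key == ("tcp", 4444):
            findings.append((rec["dst"],
                             "inbound 4444/TCP: connection to worm backdoor port"))
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append((src, f"135/TCP scanning: {len(targets)} distinct destinations"))
    suspects = sorted({host for host, _ in findings})
    return suspects, findings


# Constructed sample log: one host sweeping 25 addresses on 135/TCP, one host
# fetching via tftp and then receiving a backdoor connection, normal web
# traffic, and one malformed line.
SAMPLE_LOG = [
    f"{1060992000 + i} out tcp 10.0.0.5:{1100 + i} -> 10.0.1.{i + 1}:135"
    for i in range(25)
] + [
    "1060992030 out udp 10.0.0.7:1035 -> 203.0.113.9:69",
    "1060992031 in tcp 198.51.100.4:3201 -> 10.0.0.7:4444",
    "1060992032 out tcp 10.0.0.8:1200 -> 203.0.113.20:80",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    hosts, found = analyse(SAMPLE_LOG)
    for host, reason in found:
        print(f"{host}: {reason}")
    print("suspect hosts:", hosts)
```

Running the script lists 10.0.0.5 (scanning) and 10.0.0.7 (tftp fetch and
backdoor connection) as suspects; the ordinary web connection from 10.0.0.8
is not flagged. In practice the same three signals are what to look for in
perimeter firewall or flow logs when triaging the local network during an
outbreak.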
If your machine becomes infected:
o Disconnect the machine from any network
o Apply the patch [4]
o Remove the worm [6], either manually or with a tool
o Ensure that anti-virus software is up to date
o Ensure that your firewall is enabled or install a personal firewall
If your machine is infected, the worm may shut down your computer and
prevent you from downloading the patch. In many cases, one or more of these
steps may help:
o enable the Internet Connection Firewall (ICF) on Windows XP, or install
a personal firewall such as Kerio, Tiny or ZoneAlarm - see [11] for help
enabling ICF or for links to personal firewall vendors.
o change the settings for the RPC service, detailed in [6] under the
"Important Notes" section.
This worm also has the aliases W32.Blaster.Worm (Symantec),
W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm
(CA), Lovsan (F-Secure), MSBLASTER and Win32.Poza.
See the REFERENCES ([5] to [10]) or contact your anti-virus vendor for a
detailed description of this worm.
REFERENCES:
[1] AL-2003.11 -- Buffer Overrun In RPC Interface Could Allow Code Execution
(Q823980)
http://www.auscert.org.au/render.html?it=3260
[2] ESB-2003.0525 -- CERT Advisory CA-2003-19 -- Exploitation of
Vulnerabilities in the Microsoft RPC Interface
http://www.auscert.org.au/render.html?it=3299
[3] AU-2003.010 -- AusCERT Update - Exploit Code Publicly Available For Recent
Microsoft RPC Vulnerability
http://www.auscert.org.au/render.html?it=3291
[4] Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
[5] F-Secure Virus Descriptions
http://www.datafellows.com/v-descs/msblast.shtml
[6] Symantec Security Response - W32.Blaster.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
[7] Computer Associates Virus - Win32.Poza
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
[8] McAfee Security
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
[9] Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
[10] Sophos virus analysis: W32/Blaster-A
http://www.sophos.com/virusinfo/analyses/w32blastera.html
[11] What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp
Regards,
The AusCERT Team
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBP0BxLSh9+71yA2DNAQFZ2AP/WtfrcwgzGflR06t8OCq+cKE/80hpPAkT
QiSFrBccbkbgz//9yQpBwC7RJyqB1mxHbb99r58SkhDNK4CpM9Daa4MPfe4jMobI
rLlczWP++V0cZqkAmRXkB0NV/TjT6Hnna2qQe6rDhRcLJZT3hsrujVt7SfsPsi0F
LrTH6gJvITs=
=7KMU
-----END PGP SIGNATURE-----