AU-2003.011 -- AusCERT Update - Worm (MSBLASTER) propagation for recent Microsoft RPC vulnerability
Date: 18 August 2003

References: ESB-2003.0561, ESB-2003.0567, ESB-2003.0572, ESB-2003.0579, ESB-2003.0580, ESB-2003.0590, ESB-2003.0612, ESB-2003.0632, ESB-2003.0636, ESB-2003.0799
-----BEGIN PGP SIGNED MESSAGE-----

                            AusCERT Update
                              AU-2003.011
    Worm (MSBLASTER) propagation for recent Microsoft RPC vulnerability
                             12 August 2003

First released 12 August 2003
Revised       18 August 2003

AusCERT has received reports of the propagation of a new worm. This worm
exploits the Microsoft Windows DCOM RPC vulnerability announced July 16,
2003. Details of the original can be obtained via [1] and [4] (see the
REFERENCES below).

The new worm propagates by first gaining access to the target machine via
TCP port 135. After infection, the machine downloads the viral binary,
msblast.exe, and begins scanning for vulnerable targets to repeat the
process. Additionally, an infected machine will listen for tftp connections
from other infected hosts and provide a hidden backdoor process for remote
command connections.

On or after August 15, the infected machine will attempt to conduct a DoS
(denial of service) attack against Microsoft's "Windows Update" site. Due to
the combined impact of this DoS attack and increased, legitimate attempts to
contact http://www.windowsupdate.com, network administrators should be aware
that the outbound connections generated at this time have the potential to
cause local network congestion.

If your machine is not currently infected, the patch available at [4] should
be applied and network filtering applied at both the network perimeter and
on vulnerable hosts (where possible) as follows:

Block all unnecessary traffic for the following ports (as per [1], [2] and
[3]):

  * 135/TCP
  * 135/UDP
  * 139/TCP
  * 139/UDP
  * 445/TCP
  * 445/UDP
  * 593/TCP

An infected machine may also listen on the following ports, which at a
minimum should also be blocked for inbound and, for 69/UDP, outbound
connections:

  * 69/UDP
  * 4444/TCP

A default network policy of denying inbound network connections to ports on
which no service should be available can prevent other connections to
machines infected with this or possible future variants of this worm.
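The propagation pattern and port list above translate directly into something a network administrator can check against firewall logs: a host contacting many distinct peers on 135/TCP, any traffic on the tftp (69/UDP) and backdoor (4444/TCP) ports, and whether the RPC-related ports the advisory says to block are still being permitted. The script below is an added example, not AusCERT's tooling or part of the original advisory; it assumes a simple, constructed log line format ("<time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>") and the sample lines in SAMPLE_LOG are constructed for illustration. The scanning threshold is an assumed value, not something the advisory specifies.

```python
import re
from collections import defaultdict

# Ports the advisory says to block at the perimeter and on vulnerable hosts.
RPC_PORTS = {("tcp", 135), ("udp", 135), ("tcp", 139), ("udp", 139),
             ("tcp", 445), ("udp", 445), ("tcp", 593)}
# Ports an infected machine listens on (tftp transfer and remote command backdoor).
WORM_PORTS = {("udp", 69), ("tcp", 4444)}

# Assumed (constructed) log format, one connection per line:
#   "<time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(records, threshold=10):
    """Sources that reached `threshold` or more distinct hosts on 135/TCP.

    A single host touching many peers on the RPC port is the scanning
    behaviour the advisory describes; `threshold` is an assumed tuning value.
    """
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 135:
            targets[r["src"]].add(r["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


def find_worm_port_traffic(records):
    """Any connection to the tftp or backdoor ports, regardless of firewall action."""
    return [r for r in records if (r["proto"], r["dport"]) in WORM_PORTS]


def rpc_ports_still_allowed(records):
    """RPC-related ports from the advisory's block list that the firewall still permitted."""
    return {(r["proto"], r["dport"]) for r in records
            if r["action"] == "ALLOW" and (r["proto"], r["dport"]) in RPC_PORTS}


def analyse(lines):
    """Run all three checks over raw log lines and return a report dict."""
    records = [r for r in map(parse_line, lines) if r]
    return {
        "scanners": find_scanners(records),
        "worm_port_traffic": find_worm_port_traffic(records),
        "rpc_ports_allowed": rpc_ports_still_allowed(records),
    }


# Constructed sample log: 10.0.0.5 touches twelve distinct hosts on 135/TCP,
# then tftp and 4444/TCP traffic appears between it and 10.0.1.3; the rest is
# ordinary traffic, including one 139/TCP attempt the firewall already denies.
SAMPLE_LOG = [
    f"2003-08-12T10:00:{i:02d} ALLOW tcp 10.0.0.5:1{i:03d} -> 10.0.1.{i}:135"
    for i in range(1, 13)
] + [
    "2003-08-12T10:01:00 ALLOW tcp 10.0.0.5:2001 -> 10.0.1.3:4444",
    "2003-08-12T10:01:05 ALLOW udp 10.0.1.3:1025 -> 10.0.0.5:69",
    "2003-08-12T10:02:00 ALLOW tcp 10.0.0.8:3000 -> 10.0.0.9:445",
    "2003-08-12T10:02:10 DENY tcp 10.0.0.8:3001 -> 10.0.0.9:139",
    "2003-08-12T10:03:00 ALLOW tcp 10.0.0.8:3002 -> 192.0.2.10:443",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("hosts scanning 135/TCP:", sorted(report["scanners"]))
    for r in report["worm_port_traffic"]:
        print(f"worm-port traffic: {r['src']} -> {r['dst']}:{r['dport']}/{r['proto']}")
    print("advisory ports still ALLOWed:", sorted(report["rpc_ports_allowed"]))
```

Running it on the constructed sample reports 10.0.0.5 as a 135/TCP scanner, lists the two connections on 4444/TCP and 69/UDP, and shows that 135/TCP and 445/TCP were still being allowed while 139/TCP was already denied. On real logs the parser and threshold would be adapted to the firewall's own format and to the size of the network.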
If your machine becomes infected:

  o Disconnect the machine from any network
  o Apply the patch [4]
  o Remove the worm [6], either manually or with a tool
  o Ensure that anti-virus software is up to date
  o Ensure that your firewall is enabled or install a personal firewall

If your machine is infected, the worm may shut down your computer and
prevent you from downloading the patch. In many cases, one or more of these
steps may help:

  o enable the Internet Connection Firewall (ICF) on Windows XP, or install
    a personal firewall such as Kerio, Tiny or ZoneAlarm - see [11] for help
    enabling ICF or for links to personal firewall vendors.
  o change the settings for the RPC service, detailed in [6] under the
    "Important Notes" section.

This worm also has the aliases W32.Blaster.Worm (Symantec), W32/Lovsan.worm
(McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (CA), Lovsan
(F-Secure), MSBLASTER and Win32.Poza. See the REFERENCES ([5] to [10]) or
contact your anti-virus vendor for a detailed description of this worm.
REFERENCES:

[1] AL-2003.11 -- Buffer Overrun In RPC Interface Could Allow Code
    Execution (Q823980)
    http://www.auscert.org.au/render.html?it=3260

[2] ESB-2003.0525 -- CERT Advisory CA-2003-19 -- Exploitation of
    Vulnerabilities in the Microsoft RPC Interface
    http://www.auscert.org.au/render.html?it=3299

[3] AU-2003.010 -- AusCERT Update - Exploit Code Publicly Available For
    Recent Microsoft RPC Vulnerability
    http://www.auscert.org.au/render.html?it=3291

[4] Microsoft Security Bulletin MS03-026
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

[5] F-Secure Virus Descriptions
    http://www.datafellows.com/v-descs/msblast.shtml

[6] Symantec Security Response - W32.Blaster.Worm
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

[7] Computer Associates Virus - Win32.Poza
    http://www3.ca.com/virusinfo/virus.aspx?ID=36265

[8] McAfee Security
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

[9] Trend Micro
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

[10] Sophos virus analysis: W32/Blaster-A
     http://www.sophos.com/virusinfo/analyses/w32blastera.html

[11] What You Should Know About the Blaster Worm
     http://www.microsoft.com/security/incident/blast.asp

Regards,
The AusCERT Team

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP0BxLSh9+71yA2DNAQFZ2AP/WtfrcwgzGflR06t8OCq+cKE/80hpPAkT
QiSFrBccbkbgz//9yQpBwC7RJyqB1mxHbb99r58SkhDNK4CpM9Daa4MPfe4jMobI
rLlczWP++V0cZqkAmRXkB0NV/TjT6Hnna2qQe6rDhRcLJZT3hsrujVt7SfsPsi0F
LrTH6gJvITs=
=7KMU
-----END PGP SIGNATURE-----