Date: 25 June 2004
===========================================================================
A U S C E R T A L E R T
AL-2004.17 -- AUSCERT ALERT
Korgo Worm Variants Exploiting LSASS Vulnerability
24 June 2004
===========================================================================
PROBLEM:
New variants of a worm named Korgo, aka Padobot, are currently being
created and detected in the wild on a daily basis. AusCERT has
received reports that new variants are not being detected by some
anti-virus software with previous Korgo signatures. Reports to
AusCERT detail network traffic congestion, in addition to the potential
compromise of data through the creation of a backdoor on infected
computers.
The Korgo worm spreads through the LSASS vulnerability in the
Windows operating system, as detailed in the Microsoft Security
Bulletin MS04-011[1]. This is the same vulnerability which was
exploited by the Sasser, Bobax and Cycle worms.
PLATFORM:
Korgo variants spread through the remote exploitation of computers
running Windows 2000 and Windows XP, which have not been patched
as per directions from Microsoft Security Bulletin MS04-011[1].
IMPACT:
While it is possible for new variants of the worm to change behaviour
and for the worm to update itself with new functionality, the basic
modes of propagation and infection are similar.
Once a computer is infected with the worm, a connection is made from
the worm to one of several web sites which allow for the following:
- Download and execute files from the web site
- Download and execute files from another URL
- Send information to the web site regarding the infection
The worm will also perform the following:
- Open port 113/TCP and a random TCP port to allow a copy of the
worm to be downloaded as part of the propagation routine
- Create a copy of itself in the %System% directory with a random
filename of 5 to 8 characters in length
- Create/modify a registry entry with one of several names in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
pointing to the worm executable "%System%\<random filename>.exe"
- Delete several registry "Run" keys, including those named:
* Windows Security Manager
* Disk Defragmenter
* System Restore Service
* Bot Loader
* WinUpdate
* Windows Update Service
* avserve.exe
* avserve2.exe
* Update Service
- Inject a function of the worm code into the Explorer.exe process
- Scan random IP addresses on port 445/TCP, attempting to exploit the
LSASS vulnerability and propagate further
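The host indicators listed above (a Run entry pointing at a short random-named executable in %System%, and a listener on 113/TCP) can be checked offline against exported data. The following Python is an added example, not part of the AusCERT alert; the Run-key entries and netstat lines it uses are constructed, and the ctfmon.exe allowlist entry is an assumption a site would extend.

```python
import re

# Indicators from the alert: a Run entry whose command points at
# %System%\<5-8 character random name>.exe, and a listener on 113/TCP.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RANDOM_EXE = re.compile(r'^"?(?:%system%|[a-z]:\\(?:windows|winnt)\\system32)'
                        r'\\([a-z0-9]{5,8})\.exe"?$', re.IGNORECASE)
# Run-entry names the alert lists as deleted by the worm; one of them being
# present points at an earlier Korgo or Sasser-family entry.
FAMILY_NAMES = {"Windows Security Manager", "Disk Defragmenter",
                "System Restore Service", "Bot Loader", "WinUpdate",
                "Windows Update Service", "avserve.exe", "avserve2.exe",
                "Update Service"}
# The length rule alone cannot tell a random name from a legitimate short
# system32 autostart such as ctfmon.exe (assumed allowlist), so callers
# pass an allowlist and treat hits as items to review, not verdicts.
DEFAULT_ALLOW = {"ctfmon.exe"}

def suspicious_run_entries(entries, allow=DEFAULT_ALLOW):
    """entries: (value_name, command) pairs read from RUN_KEY.
    Returns (value_name, command, reason) triples worth investigating."""
    allowed = {a.lower() for a in allow}
    findings = []
    for name, command in entries:
        if name in FAMILY_NAMES:
            findings.append((name, command, "Korgo/Sasser-family entry name"))
            continue
        m = RANDOM_EXE.match(command.strip())
        if m and m.group(1).lower() + ".exe" not in allowed:
            findings.append((name, command, "5-8 char executable in %System%"))
    return findings

def ident_listeners(netstat_lines):
    """Parse 'netstat -an' lines; return local endpoints listening on 113/TCP,
    the port the alert names as the worm's download listener."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if (len(parts) >= 4 and parts[0].upper() == "TCP"
                and parts[3].upper() == "LISTENING"
                and parts[1].rsplit(":", 1)[-1] == "113"):
            hits.append(parts[1])
    return hits

# Constructed sample data (not captured from a real host).
SAMPLE_RUN = [("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
              ("Vendor Updater", r'"C:\Program Files\Vendor\updater.exe" /quiet'),
              ("WinUpdate", r"%System%\xkqzt.exe"),
              ("Sys", r"C:\WINNT\system32\ghtrwqa.exe")]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:113    0.0.0.0:0    LISTENING",
                  "  TCP    192.168.1.5:1057    10.0.0.9:80    ESTABLISHED"]
```

Run `suspicious_run_entries(SAMPLE_RUN)` and `ident_listeners(SAMPLE_NETSTAT)` against a `reg export` of the Run key and a `netstat -an` capture from the host under review.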
MITIGATION:
Administrators are urged to test and deploy patches detailed in the
Microsoft Security Bulletin MS04-011[1], in addition to ensuring
anti-virus software is installed and regularly updated on all
computers and servers.
To assist in ensuring Windows computers are appropriately patched,
administrators may wish to use the Microsoft Baseline Security
Analyzer (MBSA)[2] or Software Update Services (SUS)[3]. For more
details, see the AusCERT paper "Protecting your computer from
malicious code."[4]
Ingress and egress filtering on port 445/TCP, where possible, will
also provide another layer of defence against this and similar
malicious activity.
Removal tools for some variants of the Korgo worm are available
from anti-virus vendors; however, it is recommended that only the
tool for the specific variant detected be used. AusCERT encourages
administrators to visit their appropriate anti-virus web site for
additional information and updates on Korgo variants, and other virus
related information.
REFERENCES:
1 - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
2 - http://www.microsoft.com/technet/security/tools/mbsahome.mspx
3 - http://www.microsoft.com/windowsserversystem/sus/default.mspx
4 - http://www.auscert.org.au/3352
---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================