Courtesy of Symantec for providing this information.
The following
recommendations are for use by network
administrators. They can be used to mitigate the
Denial of Service payload which is set to activate on
August 16, 2003.
- Remove the A record on
the internal DNS for windowsupdate.com. This also
requires that the DNS cache be updated.
- Reroute windowsupdate.com
to a special internal IP address. This will alert
you to infected machines if you have a "listening
server" catching the syn flood.
- Reroute windowsupdate.com
to 127.0.0.1.
- If your DNS server
allows, reroute windowsupdate.com to the IP
0.0.0.0.
- Configure anti-spoofing
rules on routers if not already implemented. This
will prevent a high percentage of packets from
leaving the network. Using uRPF or egress ACLs
would be effective.
Based on the number of submissions received from
customers and based on information from Symantec's
DeepSight Threat Management System, Symantec Security
Response has upgraded this threat to a Category 4
from a Category 3 threat.
W32.Blaster.Worm is a worm that exploits the DCOM RPC
vulnerability (described in
Microsoft Security Bulletin MS03-026) using TCP
port 135. The worm targets only Windows 2000 and
Windows XP machines. While Windows NT and Windows
2003 Server machines are vulnerable to the
aforementioned exploit (if not properly patched), the
worm is not coded to replicate to those systems. This
worm attempts to download the msblast.exe file to the
%WinDir%\system32 directory and then execute it. The
worm has no mass-mailing functionality.
Additional information, and an alternate site from
which to download the Microsoft patch, are available in
the Microsoft article
What You Should Know About the Blaster Worm and Its
Variants.
Users are recommended to block access to TCP port
4444 at the firewall level, and then block the
following ports, if they do not use the applications
listed:
- TCP Port 135, "DCOM RPC"
- UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service
(DoS) on the Microsoft Windows Update Web server
(windowsupdate.com). This is an attempt to prevent
you from applying a patch on your computer against
the DCOM RPC vulnerability.
Click
here for more information on the vulnerability
that this worm exploits, and to find out which
Symantec products can help mitigate risks from this
vulnerability.
NOTE: This threat will be detected by virus
definitions having:
- Defs Version: 50811s
- Sequence Number: 24254
- Extended Version: 8/11/2003, rev. 19
Symantec Security Response has developed a removal
tool to clean infections of W32.Blaster.Worm.
W32.Blaster.Worm Webcast
The following webcast has been provided which details
mitigation and remediation strategies as well as a
detailed description of the DoS attack.
http://enterprisesecurity.symantec.com/content/webcastinfo.cfm?webcastid=63
The worm is...
Also Known As: W32/Lovsan.worm.a [McAfee], Win32.Poza.A [CA],
Lovsan [F-Secure], WORM_MSBLAST.A [Trend],
W32/Blaster-A [Sophos], W32/Blaster [Panda],
Worm.Win32.Lovesan [KAV]
Type: Worm
Infection Length: 6,176 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98,
Windows Me, Windows NT
CVE References: CAN-2003-0352
Damage
- Payload Trigger: the 16th through the end of the
month for the months before August, and every day
from August 16 until December 31.
- Payload: Performs Denial of Service against
windowsupdate.com
Distribution
When W32.Blaster.Worm is executed, it does the
following:
- Creates a Mutex named "BILLY." If the mutex
exists, the worm will exit.
- Adds the value:
"windows auto update"="msblast.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
- Generates an IP address and attempts to infect
the computer that has that address. The IP address
is generated according to the following algorithms:
- For 40% of the time, the generated IP address
is of the form A.B.C.0, where A and B are equal
to the first two parts of the infected computer's
IP address.
C is also derived from the third part of the
infected system's IP address; however, for 40% of
the time the worm checks whether C is greater
than 20 and, if so, subtracts a random value less
than 20 from C. Once the IP address is
calculated, the worm attempts to find and
exploit a computer with the IP address A.B.C.0.
The worm then increments the last part of the IP
address by 1, attempting to find and exploit
other computers at each new address,
until it reaches 254.
- With a probability of 60%, the generated IP
address is completely random.
- Sends data on TCP port 135 that may exploit the
DCOM RPC vulnerability. The worm sends one of two
types of data: either to exploit Windows XP or
Windows 2000. For 80% of the time, Windows XP data
will be sent; and for 20% of the time, the Windows
2000 data will be sent.
NOTES:
- The local subnet will become saturated with
port 135 requests.
- Due to the random nature of how the worm
constructs the exploit data, this may cause
computers to crash if it sends incorrect data.
This may manifest as svchost.exe generating
errors as a result of the incorrect data.
- While W32.Blaster.Worm cannot spread to the
Windows NT or Windows 2003 server, unpatched
computers running these operating systems may
crash as a result of the worm's attempts to
exploit them. However, if the worm is manually
placed and executed on a computer running these
operating systems, it can run and spread.
- Uses Cmd.exe to create a hidden remote shell
process that will listen on TCP port 4444, allowing
an attacker to issue remote commands on an infected
system.
- Listens on UDP port 69. When the worm receives
a request from a computer to which it was able to
connect using the DCOM RPC exploit, it will send
msblast.exe to that computer and tell it to execute
the worm.
- If the current date is the 16th through the end
of the month for the months of January to August,
or if the current month is September through
December, the worm will attempt to perform a DoS on
Windows Update. However, the attempt to perform the
DoS will succeed only if one of the following
conditions is true:
- The worm runs on a Windows XP computer that
was either infected or rebooted during the
payload period.
- The worm runs on a Windows 2000 computer that
was infected during the payload period and has
not been restarted since it was infected.
- The worm runs on a Windows 2000 computer that
has been restarted since it was infected, during
the payload period, and the currently logged in
user is Administrator.
- The DoS traffic has the following
characteristics:
- Is a SYN flood on port 80 of
windowsupdate.com.
- Tries to send 50 HTTP packets every second.
- Each packet is 40 bytes in length.
- If it can't find a DNS entry for
windowsupdate.com the worm uses a destination
address of 255.255.255.255.
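As an added example (not part of the Symantec write-up), the following Python flags hosts whose traffic matches the behaviour just described: a tcp/135 sweep across a /24, a connection to the hidden shell on tcp/4444, a TFTP pull on udp/69, and 40-byte SYNs to the DoS fallback address. The flow records, field layout and thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample flow records (not real captures): "src dst proto dport bytes".
# 10.1.5.23 plays an infected host: it sweeps its /24 on tcp/135, commands the newly
# exploited 10.1.5.2 over tcp/4444, hands it msblast.exe over udp/69, and SYN-floods
# 255.255.255.255:80 because windowsupdate.com did not resolve. 10.1.5.9 is benign.
SAMPLE_FLOWS = """\
10.1.5.23 10.1.5.0 tcp 135 72
10.1.5.23 10.1.5.1 tcp 135 72
10.1.5.23 10.1.5.2 tcp 135 72
10.1.5.23 10.1.5.3 tcp 135 72
10.1.5.23 10.1.5.2 tcp 4444 60
10.1.5.2 10.1.5.23 udp 69 60
10.1.5.23 255.255.255.255 tcp 80 40
10.1.5.23 255.255.255.255 tcp 80 40
10.1.5.9 10.1.7.4 tcp 80 40
"""
# 255.255.255.255 is the worm's fallback target; add the internal sinkhole address
# you rerouted windowsupdate.com to, if you followed the recommendation above.
DOS_TARGETS = {"255.255.255.255"}
SWEEP_THRESHOLD, FLOOD_THRESHOLD = 4, 2   # constructed values; the real flood is 50/s

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            src, dst, proto, dport, size = line.split()
            flows.append((src, dst, proto, int(dport), int(size)))
    return flows

def classify(flows):
    """Map each host to the sorted list of Blaster indicators its traffic matches."""
    findings, sweeps, floods = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, proto, dport, size in flows:
        if proto == "tcp" and dport == 135:
            net = ip_network(dst + "/24", strict=False)   # the worm walks A.B.C.0-254
            sweeps[(src, net)].add(dst)
        elif proto == "tcp" and dport == 4444:
            findings[dst].add("tcp4444-shell")   # dst runs the hidden cmd.exe shell
        elif proto == "udp" and dport == 69:
            findings[dst].add("udp69-tftp")      # dst is handing out msblast.exe
        elif proto == "tcp" and dport == 80 and size == 40 and dst in DOS_TARGETS:
            floods[src] += 1
    for (src, _net), targets in sweeps.items():
        if len(targets) >= SWEEP_THRESHOLD:
            findings[src].add("tcp135-sweep")
    for src, count in floods.items():
        if count >= FLOOD_THRESHOLD:
            findings[src].add("dos-syn-flood")
    return {host: sorted(tags) for host, tags in findings.items()}
```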
The worm contains the following text, which is never
displayed:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop
making money and fix your software!!
Symantec Gateway Security
- On August 12, 2003, Symantec released an update
for Symantec Gateway Security 1.0.
- Symantec's full application inspection firewall
technology protects against this Microsoft
vulnerability, blocking all the above listed TCP
ports by default. For maximum security, 3rd
generation full application inspection technology
intelligently blocks tunneling of DCOM traffic over
HTTP channels thus providing an extra layer of
protection not readily available on most common
network filtering firewalls.
Symantec Host IDS
On August 12, 2003, Symantec released an update for
Symantec Host IDS 4.1.
Intruder Alert
On August 12, 2003, Symantec released
Intruder Alert 3.6 W32_Blaster_Worm Policy.
Symantec Enterprise Firewall
Symantec's full application inspection firewall
technology protects against the W32.Blaster.worm,
blocking all the above listed TCP ports by default.
Symantec ManHunt
- Symantec ManHunt Protocol Anomaly Detection
technology detects the activity associated with
this exploit as "Portsweep." Although ManHunt can
detect activity associated with this exploit with
the Protocol Anomaly Detection technology, you can
use the "Microsoft DCOM RPC Buffer Overflow" custom
signature, released in
Security Update 4, to precisely identify the
exploit being sent.
- Security Update 5 has been released to provide
signatures specific to W32.Blaster.Worm, including
detection of more of the worm's attributes.
- Symantec ManHunt Protocol Anomaly Detection
technology detects the activity associated with the
Denial of Service SYN flood. Security Response has
created a custom signature for ManHunt 3.0,
released in
Security Update 6, to detect this attack
specifically as a Blaster DoS Request.
Enterprise Security Manager
Symantec Security Response posted a
Response Policy for this vulnerability on July
17, 2003.
Symantec Vulnerability Assessment
Symantec Security Response posted a release that
detects and reports the vulnerability on July 17,
2003. Click
here for more details.
Symantec NetRecon
Symantec NetRecon can identify machines that are
susceptible to the W32.Blaster.Worm by identifying
the "Microsoft DCOM RPC Buffer Overflow"
vulnerability. Refer to Symantec NetRecon
SU6 for more details.
Symantec Security Response offers these
suggestions on how to configure Symantec products in
order to minimize your exposure to this threat:
- Symantec Enterprise Firewall
Symantec Security Response encourages all users
and administrators to adhere to the following basic
security "best practices":
- Turn off and remove unneeded services. By
default, many operating systems install auxiliary
services that are not critical, such as an FTP
server, telnet, and a Web server. These services
are avenues of attack. If they are removed, blended
threats have fewer avenues of attack and you have
fewer services to maintain through patch updates.
- If a blended threat exploits one or more network
services, disable, or block access to, those
services until a patch is applied.
- Always keep your patch levels up-to-date,
especially on computers that host public services
and are accessible through the firewall, such as
HTTP, FTP, mail, and DNS services.
- Enforce a password policy. Complex passwords
make it difficult to crack password files on
compromised computers. This helps to prevent or
limit damage when a computer is compromised.
- Configure your email server to block or remove
email that contains file attachments that are
commonly used to spread viruses, such as .vbs,
.bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent
further compromising your organization. Perform a
forensic analysis and restore the computers using
trusted media.
- Train employees not to open attachments unless
they are expecting them. Also, do not execute
software that is downloaded from the Internet
unless it has been scanned for viruses. Simply
visiting a compromised Web site can cause infection
if certain browser vulnerabilities are not patched.
Removal using the W32.Blaster.Worm Removal Tool
Symantec Security Response has developed a removal
tool to clean infections of W32.Blaster.Worm.
This is the easiest way to remove this threat and
should be tried first. To obtain the W32.Blaster.Worm
removal tool please see the following KB:
W32.Blaster.Worm Removal Tool
Manual Removal
As an alternative to using the removal tool, you can
manually remove this threat. The following
instructions pertain to all current and recent
Symantec antivirus products, including the Symantec
AntiVirus and Norton AntiVirus product lines.
- Restore Internet connectivity.
- End the worm process.
- Obtain the latest virus definitions.
- Scan for and delete the infected files.
- Reverse the changes made to the registry.
- Obtain the Microsoft HotFix to correct the DCOM
RPC vulnerability.
For specific details, refer to the following
instructions:
1. Restoring Internet connectivity
In many cases, on both Windows 2000 and XP, changing
the settings for the Remote Procedure Call (RPC)
service may allow you to connect to the Internet
without the computer shutting down. To restore
Internet connectivity to your PC please follow these
steps:
- Click Start > Run. The Run dialog box
appears.
- Type:
SERVICES.MSC /S
in the open line, and then click OK. The Services
window opens.
- In the right pane, locate the Remote
Procedure Call (RPC) service.
CAUTION:
There is also a service named Remote
Procedure Call (RPC) Locator. Do not confuse the
two.
- Right-click the Remote Procedure Call (RPC)
service, and then click Properties.
- Click the Recovery tab.
- Using the drop-down lists, change First
failure, Second failure, and Subsequent failures
to "Restart the Service."
- Click Apply, and then OK.
CAUTION:
Make sure that you change these settings
back once you have removed the worm.
2. Ending the Worm process
- Press Ctrl+Alt+Delete once.
- Click Task Manager.
- Click the Processes tab.
- Double-click the Image Name column header to
alphabetically sort the processes.
- Scroll through the list and look for
Msblast.exe.
- If you find the file, click it, and then click
End Process.
- Exit the Task Manager.
3. Obtaining the latest virus definitions
Symantec Security Response fully tests all the virus
definitions for quality assurance before they are
posted to our servers. There are two ways to obtain
the most recent virus definitions:
For newer computer users
Running LiveUpdate, which is the easiest way to
obtain virus definitions: Virus definitions for
W32.Blaster.worm have been made available via the
LiveUpdate server since August 11th, 2003. To
obtain the latest virus definitions, click the
LiveUpdate button from within the main user
interface of your Symantec product. When running
LiveUpdate, ensure that only "Norton AntiVirus
Virus Definitions" are checked. Product updates can
be obtained at a later time.
For system administrators and advanced users
Downloading the definitions using the Intelligent
Updater: The Intelligent Updater virus definitions
are posted on U.S. business days (Monday through
Friday). You should download the definitions from
the Symantec Security Response Web site and
manually install them. To determine whether
definitions for this threat are available by the
Intelligent Updater, refer to the
Virus Definitions
(Intelligent Updater).
The Intelligent Updater virus definitions are
available; read "How to update virus definition
files using the Intelligent Updater" for detailed
instructions.
4. Scanning for and deleting the infected files
- Start your Symantec antivirus program and make
sure that it is configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with
W32.Blaster.Worm, click Delete.
5. Reversing the changes made to the registry
CAUTION:
Symantec strongly recommends that you back up
the registry before making any changes to it.
Incorrect changes to the registry can result in
permanent data loss or corrupted files. Modify the
specified keys only. Read the document, "How
to make a backup of the Windows registry,"
for instructions.
- Click Start, and then click Run. (The Run
dialog box appears.)
- Type regedit
Then click OK. (The Registry Editor opens.)
- Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the value:
windows auto update
- Exit the Registry Editor.
6. Obtaining the Microsoft HotFix to correct the
DCOM RPC vulnerability
W32.Blaster.Worm is a worm that exploits the DCOM RPC
vulnerability using TCP port 135 to infect your PC.
The W32.Blaster.Worm also attempts to perform a DoS
on the Microsoft Windows Update Web server
(windowsupdate.com) using your PC. To fix this, it is
important to obtain the Microsoft Hotfix at:
Microsoft Security Bulletin
MS03-026.
Additional information:
Additional information, and an alternate site from
which to download the Microsoft patch, are available in
the Microsoft article
What You Should Know About the Blaster Worm and Its
Variants.
Revision History:
August 15, 2003:
- Added additional recommendation pertaining to
mitigating the DoS attack.
- Added reference to updates for Symantec
NetRecon and Symantec Vulnerability Assessment.
- Added link to Symantec webcast.
- Additional information about Symantec ManHunt
updates.
August 14, 2003:
- Provided recommendations for mitigating the DoS
attack.
- Updated DoS payload information.
- Added information about the DoS traffic.
August 13, 2003:
- Re-ordered major steps in removal instructions.
- Added the download location.
- Minor formatting updates.
- Removed Windows system restore instructions
from removal
August 12, 2003:
- Upgraded to Category 4 from Category 3, based
on increased rate of submissions.
- Added additional aliases.
- Updated the Technical Description section.
- Added information to the Removal on changing
the settings for RPC.
Write-up by: Douglas Knowles