Blaster worm updates

Looks like a worm based on the recent Windows RPC exploit is slowly infecting the Windows hosts on the net. In the past hour there has been a lot of traffic and random machine reboots (even on machines that are not connected directly to the net but sit inside a LAN, a sure sign of a worm). If you are a sysadmin, please block ports 135/139/445 and 4444 (the worm executes commands remotely via this port) at your router. I suspect it won't take down the net like Slammer did, but it will cause a lot of frustration to Windows users.

Updates (last update: Sun Aug 17 14:19:00 EDT 2003)

- A new variant of the worm called "Nachi" is doing its rounds today. It seems to be flooding a lot of networks with ping (ICMP) packets. More info here. This worm exploits the same RPC vulnerability.
- www.windowsupdates.com is up and running (which is the URL that is used by Windows Update); windowsupdates.com has been removed (the URL that the worm was supposed to attack).
- Even though the attack on Microsoft has been disabled, the worm continues to spread slowly.

[updated: Sat Aug 16 09:25:10 EDT 2003]

- So far none of the infected machines have started a DDoS attack. Looks like Microsoft's move paid off.
- Microsoft removed the DNS entry for windowsupdates.com, and hence all the infected machines, which are designed to attack this site, will fail on Aug 16th.

[updated: Wed Aug 13 16:40:47 EDT 2003]

- Many offices were shut down around the globe because of this worm. Reports here and here.
- Looks like there are many variants of the worm going around. A few of them just make your Windows act weird.
- A worm removal tool is available. You can get it from here or here.
- Nice summary by Symantec here.
- McAfee, Symantec and other anti-virus companies have issued alerts and updates. Don't bother with them. Just install the MS patch and remove the file and you are done.
- To fix the RPC bug on your machine, install this Microsoft patch: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
- It's officially called the "MSBLASTER" worm.
- The scanning algorithm of the worm seems to be weak and pretty inefficient.
- Removing the file msblast.exe prevents your machine from rebooting, but it can easily be infected again.
- The worm seems to fire off several concurrent TCP 135 scan threads.
- The worm survives a reboot, so it has to be removed manually.
- Most people are getting the following error on their Windows machines: "Windows must now restart because the remote procedure call RPC service terminated unexpectedly NT Authority System has initiated the shutdown since the RPC service terminated unexpectedly."
- This worm might SYN-flood windowsupdates.com on the 16th.
- A lot of people are complaining about their machine rebooting randomly. Watch out, coz you are next ;)
- Apparently it's named the BILLY worm.
- Once it finds a vulnerable system, it will spawn a shell and use it to download the actual worm via TFTP.
- The name of the binary is msblast.exe.

So far it exhibits the following properties:

- Scans sequentially for machines with open port 135, starting at a presumably random IP address.
- Uses multiple TFTP servers to pull the binary.
- Adds a registry key to start itself after reboot (reg key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update').

Strings of interest:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
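As an added defender's example (not code from the original post), here is a small Python script that turns the traffic pattern described above into a log check: a sequential TCP/135 sweep from one host, followed by a TCP/4444 connection to a host it probed, and that host pulling a file back over TFTP (UDP/69). The log line format, the addresses and the sample log are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
# Assumed log format (constructed for this example): "HH:MM:SS src:sport -> dst:dport proto"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")
def parse(log_text):
    """Yield (src, dst, dport, proto) for every well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, src, _, dst, dport, proto = m.groups()
            yield src, dst, int(dport), proto
def sequential_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses among the targets."""
    nums = sorted({int(ip_address(a)) for a in addrs})
    best = run = 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best
def detect_blaster(log_text, min_targets=8):
    """Return {src: [findings]} for hosts whose traffic matches the worm's pattern."""
    targets = defaultdict(set)   # src -> hosts it probed on TCP/135
    shell = set()                # (src, dst) pairs seen connecting to TCP/4444
    tftp = set()                 # (server, client) pairs seen on UDP/69
    for src, dst, dport, proto in parse(log_text):
        if proto == "tcp" and dport == 135:
            targets[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            shell.add((src, dst))
        elif proto == "udp" and dport == 69:
            tftp.add((dst, src))
    findings = defaultdict(list)
    for src, hosts in targets.items():   # a sweep of consecutive addresses, not a few RPC calls
        if len(hosts) >= min_targets and sequential_run(hosts) >= min_targets:
            findings[src].append(f"sequential TCP/135 sweep of {len(hosts)} hosts")
    for src, dst in sorted(shell):        # shell port reached on a host this source probed first
        if dst in targets.get(src, ()):
            findings[src].append(f"TCP/4444 connection to {dst} after a 135 probe")
            if (src, dst) in tftp:        # victim pulled the binary back from the infecting host
                findings[src].append(f"{dst} fetched a file from {src} over TFTP (UDP/69)")
    return dict(findings)

# Constructed sample: one host sweeps 10.0.1.1-10, then hits 4444 on one of them, which TFTPs back.
SAMPLE_LOG = "\n".join(
    [f"12:00:{i:02d} 10.0.0.7:{1025 + i} -> 10.0.1.{i + 1}:135 tcp" for i in range(10)]
    + ["12:00:11 10.0.0.7:1041 -> 10.0.1.9:4444 tcp",
       "12:00:12 10.0.1.9:1042 -> 10.0.0.7:69 udp",
       "12:00:20 10.0.0.5:3320 -> 10.0.1.1:135 tcp"])   # a single RPC connection, not flagged
```

Running `detect_blaster(SAMPLE_LOG)` reports only 10.0.0.7; the host that opened a single RPC connection to port 135 is left alone, since the sweep test needs a run of consecutive targets.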