August 17, 2003
Will More Blasted Worms Make Site-specific Viruses The Norm?
The past week has seen lots of hoo-hah (sorry, media frenzy) about the Blaster worm and its deleterious effects on 32-bit Windows versions. And in a very Klez-like move, it rejuvenates itself. Of course, Blaster tries to be more cunning: after August 16 it can re-attack on any day of September through December. Come January 2004, Blaster will remain dormant until the 16th of that month before coming back to life. This post-16th-day danger remains until August, whereupon the cycle repeats itself.
I foresee repeat outbreaks right through the rest of 2003 and well into 2004, just like Nimda/Code Red. There are lots of unpatched computer systems, including those recently connected to the Internet and belonging to users unaware that viruses strike anywhere, anytime, as well as recent re-installs after a system crash has taken down a previously fully updated and secured Windows computer.
Stay alert for Troj/Backdoor-ARR (Troj/GrayBird.A), a new Trojan pretending to be a Blaster worm patch from Microsoft! It arrives as an email attachment and enables infected computers to be accessed and controlled remotely via the Internet. This access includes stealing passwords, sending emails and recording keystrokes.
The infected message, titled "updated", is supposedly sent from 'webmaster@microsoft.com'; its message body is quoted at the end of this post.
As for the infamous Blaster itself, Worm_MSblast.A (W32/Lovsan.worm, W32/Blaster-A, W32.Blaster.Worm, Worm.Win32.Lovesan) specifically targets Windows NT, 2000, XP and 2003/.Net Server. It exploits the RPC DCOM buffer overflow vulnerability, which allows a remote attacker to gain Administrative access (full control) to an infected computer and execute any and all executable code on the target computer. The worm continually scans IP addresses to seek out vulnerable computers running either Windows 2000 or XP with an open Port 135 to self-propagate. Blaster then attempts to create a remote shell on TCP Port 4444 and, if successful, instructs the infected computer to begin downloading code through UDP Port 69. Infected computers are used to launch a DDoS (Distributed Denial Of Service) attack against windowsupdate.com, a URL used by Microsoft to release system updates and patches, between the 16th and 31st of each month from January to August, and at any time from September through December. For the moment, the effect of MSBlast.A has been nullified since this specific URL has been suspended by Microsoft. But it's just a matter of time before an enterprising hacker modifies the worm's code to launch a DDoS against another URL, or worse, against a range of IP addresses!
Installing the RPC update is just one of the many steps you can take. I also recommend installing Microsoft's Service Pack 4 for Windows 2000 or Windows XP Service Pack 1. If you are running a not-so-legal copy of either, search the Net for instructions on how to 'slipstream windows 2000 xp install'. You should use a firewall, even if you are part of an office network. Nobody is safe anymore. Even if your company has specific restrictions on installing software, get yourself some protection. Make sure your firewall blocks access to Port 135. This is the same port used by the Windows Messenger service to send messages to another Windows computer.
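As an added example (not from the original post), here is a small Python detector for the propagation sequence described above, run over constructed firewall log lines in an assumed "time proto src:port -> dst:port action" format: it flags an attacker that hits Port 135 and then TCP 4444 on a victim which in turn pulls code back from it over UDP 69, and separately any host sweeping many machines on Port 135.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original post). Assumed format:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>".
# 10.0.0.7 sweeps port 135, opens a 4444 shell on 10.0.0.22, which then fetches code back over UDP 69.
SAMPLE_LOG = """\
10:01:02 TCP 10.0.0.7:1337 -> 10.0.0.20:135 ALLOW
10:01:02 TCP 10.0.0.7:1338 -> 10.0.0.21:135 ALLOW
10:01:03 TCP 10.0.0.7:1339 -> 10.0.0.22:135 ALLOW
10:01:04 TCP 10.0.0.7:1340 -> 10.0.0.22:4444 ALLOW
10:01:05 UDP 10.0.0.22:1025 -> 10.0.0.7:69 ALLOW
10:02:00 TCP 10.0.0.9:2000 -> 10.0.0.20:80 ALLOW
"""

LINE = re.compile(r"(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (\w+)")

def parse(log):
    """Return (time, proto, src_ip, dst_ip, dst_port) tuples in log order."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            t, proto, src, _sport, dst, dport, _action = m.groups()
            events.append((t, proto, src, dst, int(dport)))
    return events

def blaster_chains(events):
    """Map attacker -> victims showing, in order: TCP/135, TCP/4444, then UDP/69 back to attacker."""
    stages = defaultdict(set)  # (attacker, victim) -> stages seen so far
    for _, proto, src, dst, dport in events:
        if proto == "TCP" and dport == 135:
            stages[(src, dst)].add("rpc135")
        elif proto == "TCP" and dport == 4444 and "rpc135" in stages[(src, dst)]:
            stages[(src, dst)].add("shell4444")
        elif proto == "UDP" and dport == 69 and "shell4444" in stages[(dst, src)]:
            stages[(dst, src)].add("tftp69")  # victim (src) pulls code from attacker (dst)
    hits = defaultdict(set)
    for (attacker, victim), seen in stages.items():
        if seen >= {"rpc135", "shell4444", "tftp69"}:
            hits[attacker].add(victim)
    return dict(hits)

def port135_scanners(events, threshold=3):
    """Hosts that probed at least `threshold` distinct destinations on TCP/135."""
    targets = defaultdict(set)
    for _, proto, src, dst, dport in events:
        if proto == "TCP" and dport == 135:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}
```

A firewall that blocks inbound Port 135, as recommended above, stops the chain at its first stage, so the sweep on 135 is the earliest signal worth alerting on.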
Do note that this Messenger service is different from the instant-messaging (MSN/Exchange/.Net) Messenger service. Also limit sharing of your computer's drives and other resources, even when on a network. Implement a 30-day password policy (i.e. change passwords every 30 days). And make sure that even read-only access to your shared drives requires a password.
Do regularly check your computer for MSBLAST.EXE (check Task Manager's running processes: Ctrl+Alt+Del, or right-click on the System Tray). Each anti-virus vendor also has a system scanner; I, once again, believe in Trend Micro's version. Begin by bringing up Task Manager and locating MSBLAST.EXE in the list of running processes. Select it, then click the End Process button. Refresh (View > Refresh Now) to make sure that the process has indeed been stopped. As an extra layer of security, close Task Manager, wait at least 5 minutes, then re-open it and recheck.
You will need to steel yourself for some Registry editing to remove the worm's auto-start capability. Open Registry Editor (Start > Run, type Regedit and press Enter). In the left panel locate HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and in the right panel find and remove the value "windows auto update" = MSBLAST.EXE. Then close the Registry Editor and restart your computer.
The firewall and open-port scanning abilities of Steve Gibson's ShieldsUp service have been greatly enhanced. I recommend visiting this site weekly to (re)check that your firewall is working as it should and that your data and computer are blocked from known threats. Ideally, you should get an all-green result, signifying complete stealth (no computer present), as opposed to spots of blue (port found) or red (port open and responding to pings). The service is extremely popular, with over 20 million visits! However, do be careful with the results. Avoid blindly blocking everything that the site finds is open in a knee-jerk reaction.
Windows 2000/XP need several ports to remain open if you connect to the Internet via cable Ethernet or a shared LAN proxy server.
G Menon
The body of the Trojan's message, as received:
[...] Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). A new worm commonly known as W32.Blaster.Worm has been identified that exploits the vulnerability that was addressed by Microsoft Security Bulletin MS03-026.
Download the attached update program. [...]
Attachment: 03-26updated.exe (319,670 bytes)