Last revised: August 14, 2003
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Overview
The CERT/CC is receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface.
I. Description
The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.
Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. We are investigating the conditions under which this attack might manifest itself. Unusual or unexpected traffic to windowsupdate.com may indicate an infection on your network, so you may wish to monitor network traffic.
Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. In practice, this may be difficult to achieve, since windowsupdate.com may not resolve to the same address every time. Correctly blocking traffic to windowsupdate.com will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to windowsupdate.com without a thorough understanding of your operational needs.
We have been in contact with Microsoft regarding this possibility of this denial-of-service attack.
II. Impact
A remote attacker could exploit these vulnerabilities to execute
arbitrary code with Local System privileges or to cause a
denial-of-service condition.
(NOTE: Detailed instructions for recovering Windows XP systems from the W32/Blaster worm can be found in the W32/Blaster Recovery Tech Tip)
All users are encouraged to apply the patches referred to in
Microsoft Security Bulletin MS03-026
as soon as possible in order to mitigate the vulnerability described
in VU#568148.
These patches are also available via Microsoft's Windows Update service.
Systems running Windows 2000 may still be vulnerable to at least a
denial-of-service attack via VU#326746 if their
DCOM RPC service is available via the network. Therefore, sites are
encouraged to use the packet filtering tips below in addition to
applying the patches supplied in MS03-026.
It has been reported that some affected machines are not able to stay connected to the network long enough to download patches from Microsoft. For hosts in this situation, the CERT/CC recommends the following:
Trend Micro, Inc. has published
a set of steps to accomplish these goals. Symantec has also published
a set of steps to accomplish these goals.
Depending on site requirements, you may wish to disable DCOM as
described in MS03-026. Disabling
DCOM will help protect against this vulnerability but may also cause
undesirable side effects. Additional details on disabling DCOM and
possible side effects are available in Microsoft Knowledge Base
Article 825750.
Sites are encouraged to block network access to the following
relevant ports at network borders. This can minimize the potential of
denial-of-service attacks originating from outside the perimeter. The
specific services that should be blocked include
Sites should consider blocking both inbound and outbound
traffic to these ports, depending on network requirements, at the host
and network level. Microsoft's Internet
Connection Firewall can be used to accomplish these goals.
If access cannot be blocked for all external hosts, the CERT/CC
recommends limiting access to only those hosts that require it for
normal operation. As a general rule, the CERT/CC recommends filtering
all types of network traffic that are not required for normal
operation.
Because current exploits for VU#568148 create a
backdoor, which is in some cases 4444/TCP, blocking inbound TCP
sessions to ports on which no legitimate services are provided may
limit intruder access to compromised hosts.
If you believe a system under your administrative control has been
compromised, please follow the steps outlined in The CERT/CC is tracking activity related to this worm as
CERT#30479. Relevant artifacts or activity can be sent to
cert@cert.org with the appropriate CERT# in the subject line.
This appendix contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.
Please see Microsoft Security Bulletin MS03-026.
Our thanks to Microsoft Corporation for their review of and input to this advisory.III. Solutions
Apply patches
Disable DCOM
Filter network traffic
Recovering from a system compromise
Reporting
Appendix A. Vendor Information
Microsoft
Appendix B. References
Thanks
Authors: Chad Dougherty, Jeffrey Havrilla, Shawn Hernan, and Marty Lindner
Copyright 2003 Carnegie Mellon University.
Revision History
August 11, 2003: Initial release
August 12, 2003: Updated recovery steps
August 12, 2003: Added link to the W32/Blaster Tech Tip
August 13, 2003: Added filenames of known variants to removal instructions
August 14, 2003: Added port to filter (593/TCP)