Original issue date: August 11, 2003<br>
Last revised: August 14, 2003<br>
Source: CERT/CC<br>

<p>
A complete revision history is at the end of this file.
</p>

<br>
<h3>Systems Affected</h3>
<ul>
<li>Microsoft Windows NT 4.0</li>
<li>Microsoft Windows 2000</li>
<li>Microsoft Windows XP</li>
<li>Microsoft Windows Server 2003</li>
</ul>

<a name="overview"></a>
<h2>Overview</h2>

<p>The CERT/CC is receiving reports of widespread activity related to
a new piece of malicious code known as W32/Blaster.  This worm exploits a
known vulnerability in the Microsoft Remote Procedure Call (RPC) DCOM
interface to spread from host to host without user interaction.
</p>
<br>
<a name="description"></a>
<h2>I. Description</h2>

<p>The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM
RPC interface as described in <a
href="http://www.kb.cert.org/vuls/id/568148">VU#568148</a> and <a
href="http://www.cert.org/advisories/CA-2003-16.html">CA-2003-16</a>.
Upon successful exploitation, the worm instructs the newly compromised
system to retrieve a copy of the file <font face="courier">msblast.exe</font>
from the compromising host (the transfer uses TFTP, 69/UDP, which is why
that port appears in the filtering list in Section III).  Once this file
is retrieved, the compromised system runs it and begins scanning for
other vulnerable systems to compromise in the same manner. In the course
of propagation, a TCP session to port 135 is used to deliver the exploit.
However, the same vulnerable RPC interface is also reachable over TCP
ports 139 and 445, so those ports may also provide attack vectors and
should be considered when applying mitigation strategies.  Microsoft has
published information about this vulnerability in Microsoft Security Bulletin
<a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">
MS03-026</a>.</p>

<p>Lab testing has confirmed that the worm includes the ability to
launch a TCP SYN flood denial-of-service attack against <a
href="http://windowsupdate.com/">windowsupdate.com</a>.  We are
investigating the conditions under which this attack might manifest
itself.  Unusual or unexpected traffic to windowsupdate.com may
indicate an infection on your network, so you may wish to monitor
network traffic.</p>

<p>Sites that do not use windowsupdate.com to manage patches may wish
to block outbound traffic to windowsupdate.com. In practice, this may
be difficult to achieve, since windowsupdate.com may not resolve to
the same address every time. Correctly blocking traffic to
windowsupdate.com will require detailed understanding of your network
routing architecture, system management needs, and name resolution
environment. You should not block traffic to windowsupdate.com without
a thorough understanding of your operational needs.</p>

<p>We have been in contact with Microsoft regarding the possibility
of this denial-of-service attack.</p>


<a name="impact"></a>
<h2>II. Impact</h2>

<p>A remote attacker could exploit these vulnerabilities to execute
arbitrary code with Local System privileges or to cause a
denial-of-service condition.</p>

<a name="solution"></a>
<h2>III. Solutions</h2>

<p>(NOTE: Detailed instructions for recovering Windows XP systems from the W32/Blaster worm can be found in the <a href="http://www.cert.org/tech_tips/w32_blaster.html">W32/Blaster Recovery</a> Tech Tip)

<a name="solution.patch"></a>
<h4>Apply patches</h4>

<p>All users are encouraged to apply the patches referred to in
Microsoft Security Bulletin <a
href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>
as soon as possible in order to mitigate the vulnerability described
in <a href="http://www.kb.cert.org/vuls/id/568148">VU#568148</a>.
These patches are also available via Microsoft's <a
href="http://windowsupdate.microsoft.com/">Windows Update</a> service.

<p>Systems running Windows 2000 may still be vulnerable to at least a
denial-of-service attack via <a
href="http://www.kb.cert.org/vuls/id/326746">VU#326746</a> if their
DCOM RPC service is available via the network. Therefore, sites are
encouraged to use the packet filtering tips below in addition to
applying the patches supplied in <a
href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>.
<p>It has been reported that some affected machines are not able to stay
connected to the network long enough to download patches from Microsoft.
For hosts in this situation, the CERT/CC recommends the following:</p>
<ol>
<li>Physically disconnect the system from the network.</li>
<li>Check the system for signs of compromise.
<ul type="disc">
<li>In most cases, an infection will be indicated by the presence of the
registry value <font face="courier">"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update"</font>
with data of <font face="courier">msblast.exe</font>. Other possible
values include <font face="courier">teekids.exe</font> and <font
face="courier">penis32.exe</font>. If this value is present, remove it
using a registry editor.</li>
</ul>
</li>
<li>If you're infected, terminate the running copy of <font face="courier">msblast.exe</font>, <font
face="courier">teekids.exe</font> or <font
face="courier">penis32.exe</font> using the Task Manager.</li>
<li>Search for and delete files named <font face="courier">msblast.exe</font>, <font
face="courier">teekids.exe</font> or <font
face="courier">penis32.exe</font>.</li>
<li>Take one of the following steps to protect against re-infection
before the Microsoft patch is installed:
<ul type="disc">
<li>Disable DCOM as described in <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a> and Microsoft Knowledge Base Article <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;825750">825750</a>.</li>
<li>Enable Microsoft's Internet Connection Firewall (<a href="http://www.microsoft.com/windowsxp/home/using/howto/homenet/icf.asp">ICF</a>) or another host-level packet filtering program to block incoming connections to port 135/TCP.  Information about ICF is available in Microsoft Knowledge Base Article <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;283673">283673</a>.</li>
</ul>
</li>
<li>Reconnect the system to the network and apply the patches referenced in <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>.</li>
</ol>
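<p>The following script is added here as a worked example; it is not part
of the CERT/CC advisory or of any vendor's removal tool. It automates
steps 2 through 4 above for an administrator who has captured the output
of <font face="courier">reg query</font> and <font face="courier">tasklist
/fo csv /nh</font> on the disconnected host: it matches the Run value and
file names the advisory lists, emits the <font face="courier">taskkill</font>,
<font face="courier">reg delete</font> and <font face="courier">del</font>
commands to run, and appends the DCOM switch-off from KB 825750 as the
step 4 option. The command output embedded in it is constructed, and the
command syntax assumes Windows XP or Server 2003, where reg.exe and
tasklist.exe are built in; on older releases use Task Manager and a
registry editor as described above.</p>

```python
r"""Host triage for the W32/Blaster indicators listed in CA-2003-20.

Added example, not part of the CERT/CC advisory. It works from the text
output of two commands run on the suspect host,

    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    tasklist /fo csv /nh

picks out the Run value and processes the advisory names, and prints the
cmd.exe commands for steps 2 to 4 of the recovery list plus the DCOM
switch-off from KB 825750. The sample command output below is constructed.
"""
import csv
import io
import ntpath
import re

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"                       # value name from the advisory
WORM_IMAGES = {"msblast.exe", "teekids.exe", "penis32.exe"}  # file names from the advisory
# Disable DCOM machine-wide as KB 825750 describes (HKLM\Software\Microsoft\OLE, EnableDCOM = N).
DISABLE_DCOM_CMD = r'reg add "HKLM\SOFTWARE\Microsoft\OLE" /v EnableDCOM /t REG_SZ /d N /f'

# A value line from reg.exe looks like "<name><ws>REG_SZ<ws><data>"; XP separates the
# fields with tabs and later releases with four spaces, so accept any run of whitespace.
_REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Map value name -> data for every value line of 'reg query' output."""
    values = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values


def parse_tasklist_csv(text):
    """Return [(image_name, pid), ...] from 'tasklist /fo csv /nh' output."""
    procs = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs.append((row[0], int(row[1])))
    return procs


def _image_of(data):
    """Reduce Run value data (bare name, or a quoted path plus arguments) to the file name."""
    data = data.strip()
    if data.startswith('"'):                       # quoted path, possibly containing spaces
        path = data[1:].split('"', 1)[0]
    else:
        path = data.split()[0] if data else ""
    return ntpath.basename(path).lower()


def find_indicators(reg_values, procs):
    """Return the Run values and running processes that match the advisory's indicators."""
    run_hits = [(name, data) for name, data in reg_values.items()
                if _image_of(data) in WORM_IMAGES or name.lower() == RUN_VALUE_NAME]
    proc_hits = [(image, pid) for image, pid in procs if image.lower() in WORM_IMAGES]
    return {"run_values": run_hits, "processes": proc_hits}


def cleanup_commands(findings):
    """cmd.exe commands for the host while it is off the network: stop the process first,
    then remove the Run value, then locate and delete every copy of the file on the
    system drive (dir /s searches all subdirectories; /a includes hidden files)."""
    cmds = [f"taskkill /F /PID {pid}" for _, pid in findings["processes"]]
    cmds += [f'reg delete "{RUN_KEY}" /v "{name}" /f' for name, _ in findings["run_values"]]
    images = {_image_of(d) for _, d in findings["run_values"]} | {i.lower() for i, _ in findings["processes"]}
    for image in sorted(images & WORM_IMAGES):
        cmds.append(f"for /f \"delims=\" %f in ('dir /s /b /a %SystemDrive%\\{image}') do del /f \"%f\"")
    return cmds


# Constructed samples of what the two commands print on an infected XP host.
SAMPLE_REG_QUERY = (
    "\n! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    SoundMan\tREG_SZ\tSOUNDMAN.EXE\n"
    "    windows auto update\tREG_SZ\tmsblast.exe\n"
)
SAMPLE_TASKLIST = (
    '"System Idle Process","0","Console","0","16 K"\n'
    '"explorer.exe","1432","Console","0","14,224 K"\n'
    '"msblast.exe","1688","Console","0","2,184 K"\n'
)


def triage(reg_text=SAMPLE_REG_QUERY, tasklist_text=SAMPLE_TASKLIST):
    """Parse both outputs and return (findings, commands). A real run passes in the
    output captured from the suspect host instead of the constructed samples."""
    findings = find_indicators(parse_reg_query(reg_text), parse_tasklist_csv(tasklist_text))
    cmds = cleanup_commands(findings)
    if findings["run_values"] or findings["processes"]:
        cmds.append(DISABLE_DCOM_CMD)   # step 4 option: keep DCOM off until the patch is on
    return findings, cmds


if __name__ == "__main__":
    found, commands = triage()
    print("indicators:", found)
    print("\n".join(commands))
```

<p>Run the script against the two captured outputs, review the printed
commands, and execute them from an elevated command prompt before
reconnecting the host to apply MS03-026; the DCOM change can be reverted
afterwards per KB 825750.</p>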
<p><a href="http://www.trendmicro.com/">Trend Micro, Inc.</a> and <a
href="http://www.symantec.com">Symantec</a> have each published removal
instructions that accomplish these steps (<a
href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A">Trend Micro</a>, <a
href="http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html">Symantec</a>).</p>

<h4>Disable DCOM</h4>
<p>
Depending on site requirements, you may wish to disable DCOM as
described in <a
href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>. Disabling
DCOM will help protect against this vulnerability but may also cause
undesirable side effects. Additional details on disabling DCOM and
possible side effects are available in Microsoft Knowledge Base
Article <a
href="http://support.microsoft.com/default.aspx?scid=kb;en-us;825750">825750</a>.
</p>

<h4>Filter network traffic</h4>

<p>Sites are encouraged to block network access to the following
relevant ports at network borders.  This can minimize the potential for
compromise and for denial-of-service attacks originating from outside
the perimeter.  The specific ports that should be blocked include</p>
<ul>
<li>69/UDP (TFTP, used by the worm to transfer <font face="courier">msblast.exe</font> to a newly compromised host)</li>
<li>135/TCP (RPC endpoint mapper; the port the worm attacks)</li>
<li>135/UDP</li>
<li>139/TCP (NetBIOS session service; also exposes the vulnerable RPC interface)</li>
<li>139/UDP</li>
<li>445/TCP (SMB over TCP; also exposes the vulnerable RPC interface)</li>
<li>445/UDP</li>
<li>593/TCP (RPC over HTTP)</li>
<li>4444/TCP (backdoor opened by the worm on compromised hosts)</li>
</ul>

<p>Sites should consider blocking both inbound <i>and</i> outbound
traffic to these ports, depending on network requirements, at the host
and network level. On Windows XP hosts, Microsoft's <a
href="http://www.microsoft.com/windowsxp/home/using/howto/homenet/icf.asp">Internet
Connection Firewall</a> can block the inbound connections; it does not
filter outbound traffic, so outbound blocking must be done at the network
level or with a third-party host firewall.</p>

<p>If access cannot be blocked for all external hosts, the CERT/CC
recommends limiting access to only those hosts that require it for
normal operation.  As a general rule, the CERT/CC recommends filtering
<b>all</b> types of network traffic that are not required for normal
operation.

<p>Because current exploits for <a
href="http://www.kb.cert.org/vuls/id/568148">VU#568148</a> open a
backdoor listener on the compromised host (4444/TCP in the case of
W32/Blaster; other exploits use other ports), blocking inbound TCP
sessions to ports on which no legitimate services are provided may
limit intruder access to compromised hosts.</p>
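<p>As an added example, not part of the CERT/CC advisory, the following
sweep implements the monitoring suggested in Section I and the port
guidance above over connection-log records. It flags hosts that probe
many neighbours on 135/TCP, sessions to the 4444/TCP backdoor, a newly
hit host fetching a file over TFTP (69/UDP) from the host that hit it,
and a burst of SYNs toward windowsupdate.com. The record format, the
thresholds and every address in it are constructed; in production,
resolve windowsupdate.com at run time, since, as noted above, it does not
always resolve to the same addresses.</p>

```python
"""Network indicator sweep for the W32/Blaster activity described in CA-2003-20.

Added example, not part of the CERT/CC advisory. Reads connection-log records
and reports: one host probing many neighbours on 135/TCP, sessions to the
4444/TCP backdoor, a victim pulling a file over TFTP (69/UDP) from the host
that exploited it, and a burst of SYNs toward windowsupdate.com. The log
format, thresholds and all addresses below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed record format: "<date> <time> <PROTO> <src>:<sport> -> <dst>:<dport> [<flags>]".
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>\S+))?$"
)
SCAN_THRESHOLD = 10        # distinct 135/TCP targets from one source; tune to local RPC usage
SYN_FLOOD_THRESHOLD = 50   # SYNs from one source toward windowsupdate.com in the log window
# Resolve windowsupdate.com at run time in real use (the advisory notes it does not always
# resolve to the same addresses); these documentation-range addresses are constructed.
WINDOWSUPDATE_ADDRS = frozenset({"198.51.100.10", "198.51.100.11"})


def parse(lines):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            r = m.groupdict()
            r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
            yield r


def sweep(lines, wu_addrs=WINDOWSUPDATE_ADDRS):
    """Classify records by the worm behaviours and return the hosts involved."""
    rpc_targets = defaultdict(set)   # src -> distinct hosts it touched on 135/TCP
    backdoor = set()                 # (client, victim) pairs with a 4444/TCP session
    tftp = set()                     # (victim, server) pairs: victim fetching over 69/UDP
    wu_syns = defaultdict(int)       # src -> SYNs toward windowsupdate.com on 80/TCP

    for r in parse(lines):
        tcp = r["proto"] == "TCP"
        if tcp and r["dport"] == 135:
            rpc_targets[r["src"]].add(r["dst"])
        elif tcp and r["dport"] == 4444:
            backdoor.add((r["src"], r["dst"]))
        elif r["proto"] == "UDP" and r["dport"] == 69:
            tftp.add((r["src"], r["dst"]))
        elif tcp and r["dport"] == 80 and r["dst"] in wu_addrs and r["flags"] == "SYN":
            wu_syns[r["src"]] += 1

    scanners = sorted(s for s, t in rpc_targets.items() if len(t) >= SCAN_THRESHOLD)
    flooders = sorted(s for s, n in wu_syns.items() if n >= SYN_FLOOD_THRESHOLD)
    # The TFTP client is the host that was just exploited; with the scanners and flooders it
    # gives the hosts to pull off the network first. Per-source SYN counting understates a
    # flood whose source addresses vary, so the total toward windowsupdate.com is reported too.
    infected = {victim for victim, _ in tftp} | set(scanners) | set(flooders)
    return {
        "scanners": scanners,
        "backdoor_sessions": sorted(backdoor),
        "tftp_fetches": sorted(tftp),
        "syn_flood_sources": flooders,
        "wu_syn_total": sum(wu_syns.values()),
        "likely_infected": sorted(infected),
    }


def constructed_log():
    """Constructed records, not captured traffic: 10.0.5.17 sweeps 10.0.7.0/24 on 135/TCP,
    shells into 10.0.7.3 on 4444/TCP, 10.0.7.3 pulls the file back over TFTP and later
    floods windowsupdate.com; 10.0.9.2 makes a single legitimate RPC call."""
    lines = [f"2003-08-11 14:02:{i:02d} TCP 10.0.5.17:{1040 + i} -> 10.0.7.{i}:135 SYN"
             for i in range(1, 16)]
    lines += [
        "2003-08-11 14:02:20 TCP 10.0.5.17:1060 -> 10.0.7.3:4444 SYN",
        "2003-08-11 14:02:21 UDP 10.0.7.3:1029 -> 10.0.5.17:69",
        "2003-08-11 14:03:00 TCP 10.0.9.2:2001 -> 10.0.7.4:135 SYN",
    ]
    lines += [f"2003-08-11 14:05:{i % 60:02d} TCP 10.0.7.3:{2000 + i} -> 198.51.100.10:80 SYN"
              for i in range(60)]
    return lines


if __name__ == "__main__":
    for key, value in sweep(constructed_log()).items():
        print(f"{key}: {value}")
```

<p>Feed the sweep the connection records from the border or host firewall
for a short window and start with the hosts in <font
face="courier">likely_infected</font>; the scan threshold should sit above
the number of distinct RPC peers a legitimate client on the network
normally touches.</p>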

<h4>Recovering from a system compromise</h4>

<p>If you believe a system under your administrative control has been
compromised, please follow the steps outlined in</p>

<dl><dd><a
href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps
for Recovering from a UNIX or NT System Compromise</a></dd></dl>

<h4>Reporting</h4>

<p>The CERT/CC is tracking activity related to this worm as
CERT#30479.  Relevant artifacts or activity can be sent to
cert@cert.org with the appropriate CERT# in the subject line.

<br>
<a name="vendors"></a>
<h2>Appendix A.  Vendor Information</h2>

<p>
This appendix contains information provided by vendors.  When vendors
report new information, this section is updated and the changes are
noted in the revision history.  If a vendor is not listed below, we
have not received their comments.
</p>

<a name="microsoft"></a>
<h4><a href="http://www.microsoft.com/">Microsoft</a></h4>
<blockquote>
<p>
Please see Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>.
</p>
</blockquote>
<!-- end vendor -->

<br>
<a name="references"></a>
<h2>Appendix B.  References</h2>
<ul>
<li>CERT/CC Advisory CA-2003-19 - <a href="http://www.cert.org/advisories/CA-2003-19.html">http://www.cert.org/advisories/CA-2003-19.html</a></li>
<li>CERT/CC Vulnerability Note VU#568148 - <a href="http://www.kb.cert.org/vuls/id/568148">http://www.kb.cert.org/vuls/id/568148</a></li>
<li>CERT/CC Vulnerability Note VU#326746 - <a href="http://www.kb.cert.org/vuls/id/326746">http://www.kb.cert.org/vuls/id/326746</a></li>
<li>Microsoft Security Bulletin MS03-026 - <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">http://microsoft.com/technet/security/bulletin/MS03-026.asp</a></li>
<li>Microsoft Knowledge Base article 823980 - <a href="http://support.microsoft.com?kbid=823980">http://support.microsoft.com?kbid=823980</a></li>
</ul>

<h4>Thanks</h4> 
<p>Our thanks to Microsoft Corporation for their review of and input to this advisory.</p>

<hr noshade width="100%">
<b>Authors</b>: <a href="mailto:cert@cert.org?subject=CA-2003-20%20Feedback">Chad Dougherty, Jeffrey Havrilla, Shawn Hernan, and Marty Lindner</a><br>



<p>Copyright 2003 Carnegie Mellon University.</p>

<p>Revision History
<p>
<small>
August 11, 2003:  Initial release<br>
August 12, 2003:  Updated recovery steps<br>
August 12, 2003:  Added link to the W32/Blaster Tech Tip<br>
August 13, 2003:  Added filenames of known variants to removal instructions<br>
August 14, 2003:  Added port to filter (593/TCP) 
</small>
</p>