[NEWS] - New virus exploiting DCOM/RPC security hole

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
First sample of the Lovsan worm was received at 19:22 GMT on 11th of August, 2003.

This 6176 byte executable "msblast.exe" contains about 11kB of uncompressed code, which apparently exploits the MS03-026 DCOM/RPC hole.


The vulnerability :

Lovsan exploits a vulnerability, "Buffer Overrun In RPC Interface" which is also known as DCOM/RPC and MS03-026. This vulnerability was discovered on July 16th, 2003. More information is available on this vulnerability at

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

News Source

Submitted by Jan Kivar
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
To ensure you're not infected: http://vil.nai.com/vil/stinger/ and Download Stinger.

Here's more from Microsoft:

PSS Security Response Team Alert - New Virus: W32.Blaster.worm Update

SEVERITY: CRITICAL

DATE: August 12, 2003

PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition

Update: PSS Security has updated the recovery procedures in this bulletin. Windows 9X operating systems are not affected by this virus.

**********************************************************************

PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition


WHAT IS IT?

The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026 should prevent infection from this worm.

Date discovered: August 11, 2003. Customers who had previously applied the security patch MS03-026 are protected. To deterimine if the virus is present on your machine see the technical details below.


IMPACT OF ATTACK:

Spread through open RPC ports. Customer's machine gets re-booted or the file "msblast.exe" exists on customer's system.


TECHNICAL DETAILS:

This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.

Once the Exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system is rebooting every few minutes without user input. Customers may also see:

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.

For additional information on recovering from this attack please contact your preferred anti-virus vendor.


RECOVERY:

Security best practices suggest that previously compromised machines be wiped and rebuilt to eliminate any undiscovered exploits that can lead to a future compromise. See Cert Advisory:

Steps for Recovering from a UNIX or NT System Compromise. http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

However, many Anti-Virus companies have written tools to remove the known exploit associated with this particular worm. To download the removal tool from your antivirus vendor follow procedures outlined below.


For Windows XP

1. First, enable the built in firewall such as Internet Connection Firewall (ICF) in Windows XP: http://support.microsoft.com/?id=283673

--In Control Panel, double-click "Networking and Internet Connections", and then click "Network Connections".
--Right-click the connection on which you would like to enable ICF, and then click "Properties".
--On the Advanced tab, click the box to select the option to “Protect my computer or network”.

2. Second, download the MS03-026 security patch from Microsoft:

Windows XP (32 bit)
http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

Windows XP (64 bit)
http://download.microsoft.com/downl...-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe

3. Third, install or update your antivirus signature software

4. Then, download the worm removal tool from your antivirus vendor.


For Windows 2000 systems, where Internet Connection Firewall (ICF) is not available, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from the article; HOW TO: Configure TCP/IP Filtering in Windows 2000. http://support.microsoft.com/?id=309798

1. Configure TCP/IP security on Windows 2000:

--Select "Network and Dial-up Connections" in the control panel.
--Right-click the interface you use to access the Internet, and then click "Properties".
--In the "Components checked are used by this connection" box, click "Internet Protocol (TCP/IP)", and then click "Properties".
--In the Internet Protocol (TCP/IP) Properties dialog box, click "Advanced".
--Click the "Options" tab.
--Click "TCP/IP filtering", and then click "Properties".
--Select the "Enable TCP/IP Filtering (All adapters)" check box.
--There are three columns with the following labels:
TCP Ports
UDP Ports
IP Protocols
--In each column, you must select the "Permit Only" option.
--Click OK.

2. Download the MS03-026 security patch for Windows 2000 from Microsoft at: http://download.microsoft.com/downl...b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

3. Install or update your antivirus signature software

4. Then, download the worm removal tool from your antivirus vendor.

For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

Network Associates: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft’s Virus Information Alliance please visit this link: http://www.microsoft.com/technet/security/virus/via.asp

As always, please make sure to use the latest Anti-Virus detection software signature from your Anti-Virus vendor to detect new viruses and their variants.


PREVENTION:

Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third party firewall to block TCP ports 135, 139, 445 and 593; UDP port 135, 137,138; also UDP 69 (TFTP) and TCP 4444 for remote command shell.

To enable the Internet Connection Firewall in Windows: http://support.microsoft.com/?id=283673

-In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
-Right-click the connection on which you would like to enable ICF, and then click Properties.
-On the Advanced tab, click the box to select the option to “Protect my computer or network”.

This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026. http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

Install the patch MS03-026 from Windows Update:

Windows NT 4 Server & Workstation http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
Windows NT 4 Terminal Server Edition http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE
Windows 2000 http://download.microsoft.com/downl...b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
Windows XP (32 bit) http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
Windows XP (64 bit) http://download.microsoft.com/downl...-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe
Windows 2003 (32 bit) http://download.microsoft.com/downl...9390b9/WindowsServer2003-KB823980-x86-ENU.exe
Windows 2003 (64 bit) http://download.microsoft.com/downl...50425/WindowsServer2003-KB823980-ia64-ENU.exe

As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.

RELATED MICROSOFT SECURITY BULLETINS: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955

This article will be available within 24 hours.

RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

PSS Security Response Team
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
i can see real reason to ignore the automatic updates... several of the updates are known to cause more problems than they fix. I, personally, would not setup auto updates on my own computer.
 

zx

Learning Storage Performance
Joined
Nov 22, 2002
Messages
287
Location
Beauport, Québec, Canada
blakerwry said:
i can see real reason to ignore the automatic updates... several of the updates are known to cause more problems than they fix. I, personally, would not setup auto updates on my own computer.

Especially true in an entreprise environnement, with mission critical servers.
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
Howell said:
What uses DCOM? If DCOM were to become corrupted what would be affected?

Any client server app that relies on a server component and a client component communicating via COM calls. I wrote one of these once. Then we realized that DCOM was way too slow for our purposes. So we rearchitected the app to compensate, removing the DCOM requirement.
For the average user there is no need to have dcom.
There may be apps that use it in a corporate environment though.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Will Rickards WT said:
There may be apps that use [DCOM] in a corporate environment though.

Would Office 97 fall into this catagory? Where I work one of the infected was having difficulty running the network installation of Office. VB modules failing to load or somesuch. Or would it be due to network ports on his machine being tied in knots.

BTW, the total infection count at my location was 5. At the IT headquarters location they were nearly completely unprotected and spent all day fighting it.
 

Jan Kivar

Learning Storage Performance
Joined
Feb 3, 2003
Messages
410
e_dawg said:
Thanks to Clocker's warning on July 31, I patched my system just in case. Good call, man!

Yes, thanks Clocker. I did say that this would do some serious damage. This variant doesn't, but the next will.

Somebody should do a "virus" which updates the unprotected systems, exploiting the same hole...

Cheers,

Jan
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
Howell said:
Will Rickards WT said:
There may be apps that use [DCOM] in a corporate environment though.

Would Office 97 fall into this catagory? Where I work one of the infected was having difficulty running the network installation of Office. VB modules failing to load or somesuch. Or would it be due to network ports on his machine being tied in knots.

BTW, the total infection count at my location was 5. At the IT headquarters location they were nearly completely unprotected and spent all day fighting it.

I don't know for sure but anything that doesn't run locally may be affected.
 

Jan Kivar

Learning Storage Performance
Joined
Feb 3, 2003
Messages
410
The ability to crash systems from network is scary. Especially in corporate networks. One instance can crash dozens of systems. And it's pretty impossible to deny the ports, as they are used in Windows' networking.

Jan
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Microsoft is continually updating this page with information on the vulnerability.
http://support.microsoft.com/default.aspx?scid=kb;en-us;823980

In addition, I have heard whispers that sometimes the xxx80 security patch may seem to install and gives many indications of being installed, but the files are not changed. Especially if the patch was located on a network resource when you started the install, but not exclusively. This may be unsubstantiated rumor but maybe we should think about running this tool against machines we think are ready.
http://www.eeye.com/html/Research/Tools/RPCDCOM.html
 

Tea

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
3,749
Location
27a No Fixed Address, Oz.
Website
www.redhill.net.au
Kudos to Microsoft for putting the patch on their front page and in red so it's easy to see. They ain't burying it somewhere on a sub-page and trying to pretend everything is normal. Good on 'em.
 

Tannin

Storage? I am Storage!
Joined
Jan 15, 2002
Messages
4,448
Location
Huon Valley, Tasmania
Website
www.redhill.net.au
This is what she calls a "credibility pozt", Merc. She figures that if she finds some small, positive thing to say about Microsoft now and then, more people will believe here when she goes off on one of her extended rants.

But yes, she's right: MS have handled this one gracefully and I respect them a little more than I did last week. (Which still doesn't add up to very much respect, of course, but 0.0002% is better than 0.0001%.)
 

zx

Learning Storage Performance
Joined
Nov 22, 2002
Messages
287
Location
Beauport, Québec, Canada
Tannin said:
But yes, she's right: MS have handled this one gracefully and I respect them a little more than I did last week. (Which still doesn't add up to very much respect, of course, but 0.0002% is better than 0.0001%.)

Double the respect! WOW!
 

zx

Learning Storage Performance
Joined
Nov 22, 2002
Messages
287
Location
Beauport, Québec, Canada
Howell said:
Will Rickards WT said:
There may be apps that use [DCOM] in a corporate environment though.

Would Office 97 fall into this catagory? Where I work one of the infected was having difficulty running the network installation of Office. VB modules failing to load or somesuch. Or would it be due to network ports on his machine being tied in knots.

Some people reported to me problems with Office 97. But, one did tell me that it was exactly after installing the patch that the problem occur. Maybe Office 97 has some problems with the new files in the patch (ole32.dll comes to mind).

They solved the problem by upgrading to Office 2000. They could not un-install or re-install Office 97.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,275
Location
I am omnipresent
"What we're finding now is that through a combination of the availability of broadband..."

What color is the sky in their world?
 

SteveC

Storage is cool
Joined
Jul 5, 2002
Messages
789
Location
NJ, USA
Will Rickards WT said:
Mercutio has to remember that he is a minority.
Most of us have broadband available to us, no?

It may be available in most areas, but most people are still on dial-up.

As of April 2003, most users in the US connect to the Internet using dial-up modems of 56Kbps or less. 51.13% use 56Kbps modems, 9.47% use 28/33.3Kbps, and 3.95% use 14.4Kbps modems. All told 64.55% of home users in the US connect to the Internet at 56Kbps or less (see Figure 1).
Source

However, by the time Longhorn comes out, well over 50% of people will be on broadband.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
SteveC said:
However, by the time Longhorn comes out, well over 50% of people will be on broadband.

And for those who still are not, it would help to use some kind of download management technology with automatic bandwidth throttling.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,927
Location
USA
There should be a recall system for serious defects like this...perhaps even a lemon law to help protect consumers and businesses from serious damage. Now that microsoft makes the user active their software, they should mail out the patch for free.
 
Top