
Blasted worm!

CIOL Bureau

The past week has seen a lot of media frenzy about the Blaster worm and its deleterious effects on 32-bit Windows versions. In a very Klez-like move, it rejuvenates itself on a calendar. The worm itself spreads all year round; what follows the calendar is its attack payload. Having first fired on August 16, the payload can strike again on any day of September through December. Come January 2004, it will remain dormant until the 16th of that month before coming back to life, and this post-16th danger repeats every month until August, whereupon the cycle shall repeat itself.

I foresee repeat outbreaks right through the rest of 2003 and well into 2004, just like Nimda/Code Red. There are lots of unpatched computer systems, including those recently connected to the Internet and belonging to users unaware that viruses strike anywhere, anytime, as well as recent re-installs after a system crash has taken down a previously fully updated and secured Windows computer.

Being Blasted

Worm_MSblast.A (W32/Lovsan.worm, W32/Blaster-A, W32.Blaster.Worm, Worm.Win32.Lovesan) exploits the RPC DCOM buffer overflow vulnerability described in Microsoft Security Bulletin MS03-026 (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp). The flaw affects Windows NT 4.0, 2000, XP and Server 2003 (formerly .Net Server), and allows a remote attacker to run code of their choosing with full administrative (SYSTEM-level) control of the target computer. The worm's exploit code, however, is only built for Windows 2000 and XP; on other affected versions, or when it guesses the wrong version, the attempt typically just crashes the RPC service, which is the source of the "RPC service terminated unexpectedly" shutdown countdown so many users have been seeing.


The worm continually scans IP addresses looking for vulnerable computers running Windows 2000 or XP with TCP port 135 reachable, and self-propagates. After the overflow, Blaster binds a remote command shell on TCP port 4444 on the victim and, if successful, uses it to instruct the newly infected computer to download the worm body (MSBLAST.EXE) from the attacking machine over TFTP, UDP port 69.

Infected computers are used to launch a DDoS (Distributed Denial of Service) attack, a SYN flood against TCP port 80, on windowsupdate.com -- a hostname used by Microsoft to release system updates and patches -- from the 16th to the end of each month from January to August, and on any day from September through December.
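As an added example (not part of the original column), the following Python script correlates the three-step infection sequence described above, TCP 135, then TCP 4444, then the TFTP fetch over UDP 69, in a handful of constructed firewall log lines, and also encodes the DDoS payload's calendar so you can check on which dates the windowsupdate.com flood would fire. The log line format, the host addresses and the 120-second correlation window are assumptions made for illustration, not the output of any real firewall product.

```python
"""Added example: spot the Blaster infection chain in firewall logs and
evaluate the worm's date-triggered DDoS payload. Not from the original
column; log format and addresses below are constructed for illustration."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log (not real captured traffic). Assumed line format:
#   <YYYY-MM-DD> <HH:MM:SS> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
# 192.0.2.10 shows the full chain from 203.0.113.7; 192.0.2.11 only receives
# a blocked port-135 probe; the last line is unrelated web traffic.
SAMPLE_LOG = """\
2003-08-12 10:01:05 ALLOW TCP 203.0.113.7:1234 -> 192.0.2.10:135
2003-08-12 10:01:06 ALLOW TCP 203.0.113.7:1235 -> 192.0.2.10:4444
2003-08-12 10:01:07 ALLOW UDP 192.0.2.10:1026 -> 203.0.113.7:69
2003-08-12 10:05:00 DENY TCP 198.51.100.9:40000 -> 192.0.2.11:135
2003-08-12 10:07:00 ALLOW TCP 192.0.2.12:3000 -> 192.0.2.50:80
"""

RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69   # exploit, shell, download


def parse_line(line):
    """Split one log line (assumed format above) into a dict of fields."""
    d, t, action, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"),
        "action": action, "proto": proto,
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
    }


def find_infections(log_text, window_seconds=120):
    """Return (victim, attacker) pairs showing the complete chain: allowed
    inbound TCP 135, then inbound TCP 4444, then the victim fetching from
    the attacker on UDP 69, in that order and within window_seconds."""
    stages = defaultdict(dict)          # (victim, attacker) -> {port: first ts}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "ALLOW":
            continue                    # blocked traffic cannot infect
        if ev["proto"] == "TCP" and ev["dport"] in (RPC_PORT, SHELL_PORT):
            stages[(ev["dst"], ev["src"])].setdefault(ev["dport"], ev["ts"])
        elif ev["proto"] == "UDP" and ev["dport"] == TFTP_PORT:
            # TFTP is initiated by the victim towards the attacker
            stages[(ev["src"], ev["dst"])].setdefault(TFTP_PORT, ev["ts"])
    hits = []
    for (victim, attacker), seen in stages.items():
        if all(p in seen for p in (RPC_PORT, SHELL_PORT, TFTP_PORT)):
            first = seen[RPC_PORT]
            in_order = first <= seen[SHELL_PORT] <= seen[TFTP_PORT]
            close = (seen[TFTP_PORT] - first).total_seconds() <= window_seconds
            if in_order and close:
                hits.append((victim, attacker))
    return hits


def blocked_rpc_probes(log_text):
    """Count denied inbound TCP 135 connections: scans the firewall stopped."""
    return sum(
        1 for line in log_text.splitlines() if line.strip()
        for ev in [parse_line(line)]
        if ev["action"] == "DENY" and ev["proto"] == "TCP" and ev["dport"] == RPC_PORT
    )


def ddos_payload_active(month, day):
    """True when Blaster's SYN flood against windowsupdate.com would fire:
    the 16th or later of any month, or any day from September to December.
    The worm spreads year-round; only this payload follows the calendar."""
    return month >= 9 or day >= 16


if __name__ == "__main__":
    print("infected (victim, attacker):", find_infections(SAMPLE_LOG))
    print("blocked port-135 probes:", blocked_rpc_probes(SAMPLE_LOG))
    for d in (date(2003, 8, 15), date(2003, 8, 16), date(2003, 10, 1), date(2004, 1, 15)):
        state = "DDoS active" if ddos_payload_active(d.month, d.day) else "payload dormant"
        print(d, state)
```

The three-stage match is deliberately stricter than alerting on every port-135 connection: on a network where RPC is legitimately used, the 135 hit alone is noise, while the ordered 135 -> 4444 -> 69 sequence between the same two hosts within two minutes is the worm's signature.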

For the moment, the effect of MSBlast.A's payload has been nullified, since Microsoft has retired this specific hostname (the real update site is windowsupdate.microsoft.com). But it's only a matter of time before an enterprising attacker modifies the worm's code to launch a DDoS against another host, or worse, against a range of IP addresses!


Blast-Proofing..

Installing the RPC update (MS03-026) is just one of the many steps you can take. I also recommend installing Microsoft's Service Pack 4 for Windows 2000 or Service Pack 1 for Windows XP. If you are running a not-so-legal copy of either, search the Net for instructions on how to 'slipstream windows 2000 xp install'.

You should use a firewall, even if you are part of an office network; nobody is safe anymore. Even if your company has specific restrictions on installing software, get yourself some protection. Make sure your firewall blocks inbound access to TCP port 135; blocking TCP port 4444 and UDP port 69 as well cuts off the worm's remote-shell and download steps. Port 135 is also used by the Windows Messenger service to send messages to another Windows computer. Do note that this Messenger service is different from the instant-messaging (MSN/Exchange/.Net) Messenger.

Also limit sharing of your computer's drives and other resources, even when on a network. (Blaster itself spreads through RPC rather than file shares, but other worms such as Nimda do use open shares.) Implement a 30-day password policy (i.e. change passwords every 30 days), and make sure that even read-only access to your shared drives requires a password.


..On Automatic..

Do regularly check your computer for MSBLAST.EXE (check Task Manager's running processes: Ctrl+Alt+Del, or right-click on the taskbar). And each anti-virus vendor has a system scanner and removal tool. I, once again, believe in Trend Micro's version.

..And Manually

Do this with the network cable unplugged, and install the MS03-026 patch before reconnecting; a still-vulnerable machine that is cleaned while online is simply reinfected within minutes.

Begin by bringing up Task Manager and locating MSBLAST.EXE in the list of running processes. Select it, then click the End Process button. Refresh (View > Refresh Now) to make sure that the process has indeed been stopped. As an extra layer of security, close Task Manager, wait at least 5 minutes, then re-open it and recheck.

You will need to steel yourself for some Registry editing to remove the worm's auto-start capability. Open Registry Editor (Start > Run, type Regedit and press Enter). In the left panel locate HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run. In the right panel, find and remove the value "windows auto update" = MSBLAST.EXE. Close the Registry Editor, delete the MSBLAST.EXE file itself (the worm drops it in the Windows System32 folder), and restart your computer.


Just as I wrapped up this week's column, I received a mail alert from MessageLabs (http://www.messagelabs.com/) about Troj/Backdoor-ARR (Troj/GrayBird.A), a new Trojan pretending to be a Blaster worm patch from Microsoft! It arrives as an email attachment and enables infected computers to be accessed and controlled remotely via the Internet. This access includes stealing passwords, sending emails and recording keystrokes.

The infected message, titled "updated", is supposedly sent from 'webmaster@microsoft.com' and the message body reads:

"<.> Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). A new worm commonly known as W32.Blaster.Worm has been identified that exploits the vulnerability that was addressed by Microsoft Security Bulletin MS03-026. Download the attached update program. <.>"

Attachment: 03-26updated.exe (319,670 bytes)

Microsoft does not distribute security updates as email attachments; obtain patches only from Windows Update or from the security bulletin itself.


Final Touches

The firewall and open-port scanning abilities of Steve Gibson's ShieldsUp service (https://grc.com/x/ne.dll?bh0bkyd2) have been greatly enhanced. I recommend visiting this site weekly to (re)check that your firewall is working as it should and that your data and computer are shielded from known threats. Ideally, you should get an all-green result, signifying complete stealth (no computer present), as opposed to spots of blue (port closed, but the computer answers and so reveals its presence) or red (port open and accepting connections). The service is extremely popular, with over 20 million visits!


However, do be careful with the results. Avoid blindly blocking everything that the site finds open in a knee-jerk reaction. Windows 2000/XP need several ports to remain open on the local network if you connect to the Internet via cable Ethernet or a shared LAN proxy server; block them on the Internet-facing side, not between your own machines.

G Menon (seeolfreeloader@Phreaker.net)

Disclaimer: Govind Menon's views are his own and do not necessarily reflect the views of CIOL.
