The past week has seen lots of media frenzy about the Blaster worm and its
deleterious effects upon 32-bit Windows versions. In a very Klez-like move, it
rejuvenates itself. Of course, Blaster tries to be more cunning: past August 16,
it can re-attack on any day of September through December. Come January 2004,
Blaster will remain dormant until the 16th of that month before coming back to
life, and this post-16th-day danger remains until August. Whereupon the cycle
shall repeat itself.
I foresee repeat outbreaks right through the rest of 2003 and well into 2004,
just like Nimda/Code Red. There are lots of unpatched computer systems,
including those recently connected to the Internet by users unaware that
viruses strike anywhere, anytime, as well as recent re-installs after a system
crash has taken down a previously fully updated and secured Windows computer.
Being Blasted
Worm_MSblast.A (W32/Lovsan.worm, W32/Blaster-A, W32.Blaster.Worm,
Worm.Win32.Lovesan) specifically targets Windows NT, 2000, XP and 2003/.Net
Server. It seeks to exploit the RPC DCOM Buffer Overflow vulnerability
(Microsoft Security Bulletin MS03-026,
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp),
which allows a remote attacker to gain Administrative access (full control)
to an infected computer and execute any and all executable code on the
target computer.
The worm continually scans IP addresses to seek out vulnerable computers
running either Windows 2000 or XP with an open Port 135, through which it
self-propagates. Blaster then attempts to create a remote shell on TCP Port
4444 and, if successful, instructs the infected computer to begin downloading
code through UDP Port 69 (TFTP).
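The three-stage chain just described (probe on 135, shell on 4444, TFTP pull over UDP 69) is what a defender should look for in firewall logs. The script below is an added example, not from this column or any vendor tool; it assumes a constructed log format of one connection per line (date, time, action, protocol, source, destination, source port, destination port) and flags both mass probing of TCP/135 and any attacker/victim pair showing at least two of the three stages.

```python
from collections import defaultdict

RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69
SCAN_THRESHOLD = 3  # distinct hosts probed on TCP/135 before calling it a scan

# Constructed sample, not a real capture: 10.0.0.5 probes three hosts on 135,
# gets a shell on 10.0.0.9 over 4444, and 10.0.0.9 pulls the worm back from
# 10.0.0.5 over TFTP (UDP 69). The last line is ordinary web traffic.
SAMPLE_LOG = """\
2003-08-12 10:01:02 ALLOW TCP 10.0.0.5 10.0.0.9 3321 135
2003-08-12 10:01:02 ALLOW TCP 10.0.0.5 10.0.0.10 3322 135
2003-08-12 10:01:03 DROP TCP 10.0.0.5 10.0.0.11 3323 135
2003-08-12 10:01:04 ALLOW TCP 10.0.0.5 10.0.0.9 3324 4444
2003-08-12 10:01:05 ALLOW UDP 10.0.0.9 10.0.0.5 1025 69
2003-08-12 10:02:00 ALLOW TCP 10.0.0.7 10.0.0.20 1200 80
"""

def parse_line(line):
    """Fields: date time action proto src dst sport dport (constructed format)."""
    _date, _time, action, proto, src, dst, sport, dport = line.split()
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport)}

def analyse(log_text):
    """Return (scanners, chains): scanners = {src: distinct hosts probed on 135};
    chains = {(attacker, victim): stages seen} for pairs with >= 2 stages."""
    probed = defaultdict(set)
    stages = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        tcp = ev["proto"] == "TCP"
        allowed = ev["action"] == "ALLOW"
        if tcp and ev["dport"] == RPC_PORT:
            probed[ev["src"]].add(ev["dst"])  # dropped probes still count as scanning
            if allowed:
                stages[(ev["src"], ev["dst"])].add("rpc135")
        elif tcp and allowed and ev["dport"] == SHELL_PORT:
            stages[(ev["src"], ev["dst"])].add("shell4444")
        elif allowed and ev["proto"] == "UDP" and ev["dport"] == TFTP_PORT:
            # the victim fetches the worm FROM the attacker, so the pair is reversed
            stages[(ev["dst"], ev["src"])].add("tftp69")
    scanners = {s: len(t) for s, t in probed.items() if len(t) >= SCAN_THRESHOLD}
    chains = {pair: st for pair, st in stages.items() if len(st) >= 2}
    return scanners, chains

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A single probe on 135 that was dropped produces no chain; only the source that fans out across several hosts, or a pair that progresses to the shell or TFTP stage, is reported.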
Infected computers are used to launch a DDoS (Distributed Denial of Service)
attack against windowsupdate.com -- a URL used by Microsoft to release
system updates and patches -- on the 16th to 31st of each month from January
to August, and at any time from September through December.
For the moment, the effect of MSBlast.A has been nullified, since this
specific URL has been suspended by Microsoft. But it's just a matter of time
before an enterprising hacker modifies the worm's code to launch a DDoS
against another URL, or worse, against a range of IP addresses!
Blast-Proofing..
Installing the RPC update is just one of the many steps you can take. I also
recommend installing Microsoft's Service Pack 4 for Windows 2000 or Service
Pack 1 for Windows XP. If you are running a not-so-legal copy of either, search
the Net for instructions on how to 'slipstream windows 2000 xp install'.
You should use a firewall, even if you are part of an office network; nobody
is safe anymore. Even if your company has specific restrictions on
installing software, get yourself some protection. Make sure your firewall
blocks access to Port 135. This is the same port used by the Windows Messenger
service to send messages to another Windows computer. Do note that this
Messenger service is different from the instant messaging
(MSN/Exchange/.Net) Messenger service.
Also limit sharing of your computer's drives and other resources, even when
on a network. Implement a 30-day password policy (i.e. change passwords
every 30 days), and make sure that even read-only access to your shared
drives requires a password.
..On Automatic..
Do regularly check your computer for MSBLAST.EXE (check Task Manager's
running processes: Ctrl+Alt+Del, or right-click on the System Tray). Each
anti-virus vendor has a system scanner; I, once again, believe in Trend
Micro's version.
..And Manually
Begin by bringing up Task Manager and locating MSBLAST.EXE in the list of
running processes. Select it, then click the End Process button. Refresh
(View > Refresh Now) to make sure that the process has indeed been stopped. As
an extra layer of security, close Task Manager, wait at least 5 minutes,
then re-open it and recheck.
You will need to steel yourself for some Registry editing to remove the
worm's auto-start capability. Open Registry Editor (Start > Run, type Regedit
and press Enter). In the left panel locate
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run,
and in the right panel find and remove the value "windows auto update" =
MSBLAST.EXE. Then close the Registry Editor and restart your computer.
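The Run-key check above can be scripted so it is repeatable across many machines. This is an added example, not code from this column: the matching function works on a plain list of (value name, data) pairs, the winreg reader is a hypothetical helper that only works on Windows, and the sample entries are constructed.

```python
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "windows auto update"  # value name the column says Blaster adds
WORM_BINARY = "msblast.exe"              # what the value's data points at

# Constructed sample of what an infected Run key might list
SAMPLE_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("windows auto update", "msblast.exe"),
]

def suspicious_run_entries(entries):
    """Return the (name, data) pairs that match Blaster's auto-start entry,
    by value name or by the executable the data ends with (case-insensitive)."""
    hits = []
    for name, data in entries:
        if not isinstance(data, str):
            continue  # REG_DWORD etc. cannot be a program path
        exe = data.strip().strip('"').lower()
        if name.strip().lower() == WORM_VALUE_NAME or exe.endswith(WORM_BINARY):
            hits.append((name, data))
    return hits

def read_run_key():
    """Enumerate HKLM\\...\\Run with winreg (Windows only; hypothetical helper)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised once we run past the last value
                break
            entries.append((name, data))
            index += 1
    return entries

if __name__ == "__main__":
    entries = read_run_key() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, data in suspicious_run_entries(entries):
        print(f"Remove '{name}' = {data} from HKLM\\{RUN_KEY}, then restart")
```

The script only reports; removing the value and rebooting remain the manual steps described above.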
Just as I wrapped this week's column, I received a mail alert from
Message Labs (http://www.messagelabs.com/) about
Troj/Backdoor-ARR (Troj/GrayBird.A), a new Trojan pretending to be a Blaster
worm patch from Microsoft! It arrives as an email attachment and enables
infected computers to be accessed and controlled remotely via the Internet.
This access includes stealing passwords, sending emails and recording
keystrokes.
The infected message, titled "updated", is supposedly sent from
'webmaster@microsoft.com' and the message body reads:
"[...] Microsoft began investigating a worm reported by Microsoft
Product Support Services (PSS). A new worm commonly known as
W32.Blaster.Worm has been identified that exploits the vulnerability that
was addressed by Microsoft Security Bulletin MS03-026. Download the
attached update program. [...]"
Attachment: 03-26updated.exe (319,670 bytes)
Final Touches
The firewall and open-port scanning abilities of Steve Gibson's ShieldsUp
service (https://grc.com/x/ne.dll?bh0bkyd2) have been greatly enhanced. I
recommend visiting this site weekly to (re)check that your firewall is working
as it should and that your data and computer are blocked from known threats.
Ideally, you should get an all-green result signifying complete stealth (no
computer present), as opposed to spots of blue (port found) or red (port open
and responding to pings). The service is extremely popular, with over 20
million visits!
However, do be careful with the results. Avoid blindly blocking everything
that the site finds open in a knee-jerk reaction. Windows 2000/XP need
several ports to remain open if you connect to the Internet via cable
Ethernet or a shared LAN proxy server.
G Menon (seeolfreeloader@Phreaker.net)
Disclaimer: Govind Menon's views are his own and do not necessarily reflect the views of CIOL.