RPC/DCOM/mblast.exe thread discussions/notices

Well hell.....Murphy's law has struck again.

I just got my computer hooked back up and running again....unfortunately that included reformatting my hard-drive and reinstalling Windows XP Home.
I use a free dial-up ISP that is scanned like crazy all the time, and now here I am with non of my updates and patches.

I've managed to get the 60 second shutdown to stop through services.msc, but am still having trouble staying connected to windows update. I havn't managed to download any of my updates.
I did download the patch mentioned above, I am wondering about the prerequisites.

I'm sure if I search posts I could find these answers already posted somewhere...but I'm trying to limit the time I spend online until I figure out what to do with this.

One last problem....I can't get a connection established from behind a firewall...I've tried with the xp firewall, as well as Nortons Firewall...both of those end up giving me "username or password is invalid on the domain" messages.


This is very irritating! (lol)

Just as a heads up, one of our hony pots just caught a version of this worm that isn't picked up by the latest AV's (they are still picking up other versions.). So eather some jerk recompiled it, or its automorphic..I hope its the first....otherwise this is very bad news for people not behind firewalls(most home users.)

Howdy,

We all know that this thing is opening a listener on 4444. I have some administrators reporting that when they nmap for 4444 on their networks, they'll see several open, then on a second scan, they're all closed. "Like it's trying to hide from us..."

Couple that with the postings here about people have a hard time removing it, make me wonder if the two aren't related.

Has anyone seen signs that this is listening, then if it receives a "bad" tickle, it hides itself away for a while? Could this be using some kind of port knocking?

Myk

Yeah, the worm listens on port 4444, i scanned myself and i found that i to had port 4444 open.

Quote:

---

Originally posted here by Maverick811




Anyone feel free to correct me if I am wrong, but Windows Update doesn't really have anything to do with this worm - however, I'd advise against disabling Windows Update - ideally you are going to want to stay fully patched with updates as Microsoft releases them, using Windows Update. Microsoft has released a patch for this vulnerability and I would advise you strongly to apply it. The patch is available here: http://support.microsoft.com/?kbid=823980

---

I have to disagree with one point here. I have had many systems broken by indows updates, so Iwould never tell anyone to have that auto update crap turned on...good patch managment and installing the patches you need is what is needed here. For this one I noted that family members didn't use any remote administration on their win2k/XP boxes so I disabled RPC months ago.(work is a difernt issue,we are hideing behind the firewall while the QA guys finish patch testing agenst our in house apps.)

Quote:

---

Originally posted here by Mykol
Howdy,

We all know that this thing is opening a listener on 4444. I have some administrators reporting that when they nmap for 4444 on their networks, they'll see several open, then on a second scan, they're all closed. "Like it's trying to hide from us..."

Couple that with the postings here about people have a hard time removing it, make me wonder if the two aren't related.

Has anyone seen signs that this is listening, then if it receives a "bad" tickle, it hides itself away for a while? Could this be using some kind of port knocking?

Myk

---

IMHO the scans are enough to cause the port to break - nessus found on the scan but then reported the port closed. Subsequent checking later (~1-2 hours) showed no signs of port 4444 reactivating (it only did after a reboot).

What I think is more interesting are the ports open 2500 or therabouts

WTF are they doing? - You can telnet to them but they seem to do nothing.

<paranoid>Perhaps typing the correct sting in there will activate the DOS on windows update earlier</paranoid>

Anyone know how M$ are going to protect themselves on Sunday?

I think this behaviour is more due to the worm exiting the shell. When the worm uses the dcom/rpc exploit and creates a shell on the remote system. It then tftp's a file down to the system, installs it in the registry, and starts it. It then exits the shell. This is all done pretty quickly.

When the worm uses the exploit, RPC crashes and subsequent exploits to port 135 on that machine will not work till you reboot the pc.

What you are seeing is most likely the port being opened and the worm doing its thing and then shutting the shell. When the worm opens the shell, its only open for the duration of it spreading. After the worm does it thing, you would not be able to connect to port 4444 and get a command prompt as if it was a listening port. When the worm shuts the shell, the port is subsequently closed.

Quote:

---

Originally posted here by Grinler
What you are seeing is most likely the port being opened and the worm doing its thing and then shutting the shell. When the worm opens the shell, its only open for the duration of it spreading. After the worm does it thing, you would not be able to connect to port 4444 and get a command prompt as if it was a listening port. When the worm shuts the shell, the port is subsequently closed.

---

My observations do not support this theory. From what I have observed port 4444 stays open after the tftp attemp until an attempt to connect is made

In an effort to "streamline" the discussion, some of the threads on the RPC/DCOM/mblast (whatever it's called today) will be merged here. :D

Steve,

I have not seen that here in my lab nor have I heard anyone able to get into a shell on the exploits coat tails. Maybe im missing something.

Are you saying after a machine that you know of gets infected, you can portscan and see the port 4444 still open, and when you portscan again its gone? Is it possible you portscanned the host as it was being exploited thus, the port was open?

Anyone seeing any variations to the w32.Blaster.worm? I think I was the victim last week (very similar symptoms) but the filenames (along with sizes and hash sigs) are different.

" Infected machines will begin a concerted distributed denial of service attack (DDoS) on the domain "windowsupdate.com" this coming Saturday the 16th. However, since the correct domain name used by Windows systems is "windowsupdate.microsoft.com", Microsoft will be able to dodge this bullet simply by changing the IP address for "windowsupdate.com" to "127.0.0.1". Since this IP is a non-routable alias for each system's own local network interface, the DDoS attack won't go anywhere. "

oooh.. that's interesting, I didn't know that. whoever programmed it is retarded then, if they got the most crucial part of the DDoS attack wrong, haha

Hi Guys..
As per my usual Heads up.. only Higher risk Threats are listed here.. ie Symantec's Cat 2 or higher.. This is also a member of the RPC/DCOM Family
Symantec Info Page

W32.Randex.E , W32/Spybot.worm.lz

This ones entry is due to its Distribution Capability. And relationship to MsBlaster..

Threat Assesment

Quote:

---

Wild:- Low
Damage:- Low (well there is some damage)
Distribution:- Medium

Payload:
Compromises security settings: Opens a hidden remote cmd.exe shell.
Distribution

Ports: TCP 113, TCP 4444, UDP 69
Target of infection: Machines with vulnerable DCOM RPC Services running

---

Summary of Threat

Quote:

---

W32.Randex.E is an Internet Relay Chat (IRC) Trojan Horse that allows its creator to control a computer by using IRC. It is also a worm that can use the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to spread itself

---

I Do recomend following through to the link from McAfee for more details..

Technical Details

Quote:

---

The worm contains its own IRC client, allowing it to connect to specified IRC servers and join a channel to listen for the commands from the worm's creator.

One such command is to exploit the DCOM RPC vulnerability: The worm generates random IP addresses. Once the IP address is generated, it pings the IP addresses to find whether the computer is active. Then, it sends data on TCP port 113, which may exploit the DCOM RPC vulnerability.

---

Read each of the info pages from Symantec, McAfee and Trend Micro for a good grounding in this one..

This threat is listed on the other AV Sites as:-
Sophos
McAfee
Trend-Micro Rated damage as High and distribution high
Sophos
Grisoft (not much info here - but just for you AVG Fans

Cheers

Quote:

---

Originally posted here by Plastic
oooh.. that's interesting, I didn't know that. whoever programmed it is retarded then, if they got the most crucial part of the DDoS attack wrong, haha

---

It's not incorrect. Windowsupdate.com is a redirect to the real site when the worm was created. There will still be huge slowdowns as people still clamour to get the patch. If admins of networks are smart, they download the patch to a central location and distribute it from there.

Plus, I'm sure that a variant is in the works that would go to both. The more they close, the more ideas will crop up. The big thing is for people to stay aware.

In fact, if you look at the fact that they give about a week from release to the target date it makes one wonder if the worm was done to a) encourage admins to patch ASAP (so we don't see repeats of Sapphire -- 6 month old hole that no one patched for SQL) b) to see how the industry/MS would react to this situation. Nothing like prodding something to see the effect.

Well this is great, windows update was down for at least two hours last night (whent to technet for the patch but had fun watching windows update) , people scrambleing for the patch did this worms jod for it. So I guess Mblaster was a sucess as it launched a sucessfull DDOS on windows update.

Well, it was bound to happen. I just got this from the Full Disclosure mailing list:

Quote:

---

http://www.theinquirer.net/?article=11018

KASPERSKY LABS claimed this afternoon that there's already a new version of the Blaster/Lovesan worm on the loose.

And it says that's likely to mean a repeat of the outbreak we've seen during this week. The new variety of Lovesan/Blaster exploits the same vulnerability.

Kaspersky says that the number of infected systems is around the 300,000 mark, and the new variety may double this number.

"In the worst case, the world community can face a global Internet slow down and regional disruption... to the World Wide Web," said Eugene Kaspersky, head of the labs.

The new variety uses the name TEEKIDS.EXE instead of MSBLAST.EXE, different code compression, and different signatures in the body of the worm.

---

Information regarding and removal instructions for the 'b' version of MSBlast
http://www.sarc.com/avcenter/venc/da...er.b.worm.html

I have been following the discussion both here, on the news sites and on the mailing lists (allthough it is not fun to read a zillion messages a day) and it seems to me like the author of msblast.exe just released his worm because he wanted to be the first one with the worm. It was bad coded, highly inefficient.
But with all the different versions of the original exploit (dcom.c) it looks like we have not seen the last of this.

So my advice to everybody is to install a firewall/anti-virus combination on EVERY computer you have access to (offcourse ask for permissions of the owner) and educate the users. If people would be properly firewalled this would not be on the news right now.

Furthermore I read that some ISP's are temporarely blocking/filtering the affected ports. Allthough I dont think ISP's should filter/block ports in this case I say 'KUDDOS'

Quote:

---

Originally posted here by Cerveza


Furthermore I read that some ISP's are temporarely blocking/filtering the affected ports. Allthough I dont think ISP's should filter/block ports in this case I say 'KUDDOS'

---

Yupe, some of ISP's over here already blocked/filtered ports 135, it means if "kiddies" have their dcom.c exploits in their box.. "they" cannot run it to scan other hosts or vice versa.

That sounds..very bad to me...maybe "they" will have bigger attack real worm coming up.

Quote:

---

Yupe, some of ISP's over here already blocked/filtered ports 135, it means if "kiddies" have their dcom.c exploits in their box.. "they" cannot run it to scan other hosts or vice versa.

---

Exactly.
Allthough I normally dont agree with ISP's blockinf/filtering ports (I could be running irc on port 12345 or http on 37337) in this case I think it is a good (temporary) solution.
I don't think it is the ISP's responsibility to block certain ports because I think people should be able to run whatever they want (within law restrictions that is) even RPC UPnP or whatever on their computers.
I even know of some people that used SubSeven as a Remote Administration Tool on their own machines (/me scratches head).
But in this case it could be a good thing to prevent the worms from further spreading and eventually DoSsing windowsupdate.com (which has been down all day AFAIK BTW).

This worm is a big slap in the face of the thrusthworthy computing initiative imo, even the 'delayed because of security' Windows 2003 is vulnarable.

If you ask me (you dont but anyway) ports like this (and netbios UPnP etc) should not be open by default. People that want to use the service should start the service manually. But 'that is just my opinion. I could be wrong'.

Hi, yesterday I was able to repair several infected computers now I can't seem to get any fixed.
the computers give an error message and freeze
symantec repair stops at file "kelt b", then windows want to send an error message and shut down the repair program

Blaster B & C have been identified..

The symantec Security response Site has the details.. It looks like the Symantec removal tool info state removal of A & B..

oh the link http://securityresponse.symantec.com/

With removal .. I have a couple of the tools.. If one don't work , I use the other....

Funny thing getting a lot of win 9x machines .. ppl spooked by the news.. Spybot fixes these..lol

Noticed an increase in scans on the netbios ports, 137 in particular, as well almost matching the 135? coincidence?


Cheers

Here is another version of the DCOM shizzle that I could not find information for on any AV sites.
http://www.securityfocus.com/archive...9/2003-08-15/0
It looks like some sort of autorooter but not like a worm.
And it open port 666 not 4444

So, how much port 135 traffic is everyone seeing at their firewall?
At work, in 24 hours (starting tuesday 11:00 (GMT-5)), we've had just about 23000 hits on a /26 ip block!

Ammo

Cerveza,

Yeah that is Kaht2 which is the autor00ter/scanner for the dcom exploit. Its basically useless now for the script kiddings, thankfully, due to most ISP intelligently blocking port 135.

Kaht1 was a autor00ter for Webdav exploit.

i go to school this morning and over the intercome i hear "please dont go on the internet on any of the balck computers (we just got about 100 of these new dell comps with win xp pro on them) there is a virus on them" well pretty much all of are computers are the "black" ones so yeah i though that was kinda funny.

This sorta has to do with this virus.....I wasn't sure what to do about the virus so I disable the RPC in services. Now I can't get into properties to reenable the RPC. Then whenever I try to install the patch to get rid of the worm it says I need the cryptography working, and I can't figure out what that is. So...if you have any advice, its greatly needed. Thank you.




Jaimie

Quote:

---

You can enable RPC by using the sp_serveroption system stored procedure. To enable RPC from the ProductSQL server, you can use the following:

USE master
EXEC sp_serveroption 'ProductSQL', 'rpc', 'true'




To enable RPC to the ProductSQL server, you can use the following:

USE master
EXEC sp_serveroption 'ProductSQL', 'rpc out', 'true'

---

Quote:

---

Go to the following site and download the removal tool for the worm.
http://www.sarc.com/avcenter/venc/da...ster.worm.html
After you remove it, reboot and then click on start/run and type in sfc /scannow.
This will repair all of the original files and you will be back in order.
I had to do it tonight myself, and it fixed everything.

---

http://www.computing.net/windowsxp/w...rum/73906.html

I'm not sure if anyone has run across this yet but even if they have, I think it is worth repeating:

* If you apply SP4 or any other SP to a box, you must re-install the RPC patch afterwards and then reboot even though the damn thing doesn't tell you to do so (the RPC patch that is).

What we have seen is people trying to be diligent by applying service packs and afterwards, they have shown up as vulnerable again. Yes, we reported this to MS but hae heard nothing back yet.

Anyway, just an FYI for those who are in the trenches trying to remediate this garbage.

Quote:

---

Originally posted here by ammo
So, how much port 135 traffic is everyone seeing at their firewall?
At work, in 24 hours (starting tuesday 11:00 (GMT-5)), we've had just about 23000 hits on a /26 ip block!

Ammo

---

Most certainly an increase on my end here. I'd say that I'm averaging about 8 attempts to connect on port 135 every 3/4 minutes (all blocked of course).

That's a pretty good number of hits there, Ammo!

Quote:

---

What we have seen is people trying to be diligent by applying service packs and afterwards, they have shown up as vulnerable again.

---

I guess better late than never, right? Seriously though, just another example of the need to patch...

That's good info to know, thehorse13 - I appreciate it....

Anyone with access to BBC 1, looks like they are going to do a peice on msblast in a few mins on the news

Quote:

---

Anyone with access to BBC 1, looks like they are going to do a peice on msblast in a few mins on the news

---

bugger... missed it...!!!

Checking my firewall logs this morning.. yeh it is 8am here.. absolutly no hits on port 135, 69, 137 in the last 2.5 hrs.. get the feeling the ISP is blocking those ports.. I wonder how many others are doing the same..

Cheers

I use two ISPs...............as of 06.00GMT today (14 August) FreeUK appeared to be doing this. My other one (Tiscali) was not, and I was getting a lot of hits up until about 2 hours ago (21.30Hrs GMT).

I did post (and got told off for!) the info that lavasoft have an update for Ad-aware that detects this malware..............also found a couple of other bad guys on my box, so it is worth the effort.........

This is newer than my last Ad-aware update post BTW

Cheers

Johnno

What I've done is (for windows machines that don't need to use RPC, like my own machines at home) route port 135 through my router to an internal IP address that doesn't exist. In the VERY unlikely event that I got this thing, it wouldn't be able to communicate to the outside because the port it's trying to come back through would go to a null destination. Of course, mandatory updates on antivirus is already done as is updating Microsoft's OS line.

If anyone out there needs to automate the patching for a lot of windows machines, you can do this:

1: Download the Windows 2000 patch or the Windows XP patch. Save it to the desktop.

2: Rename said patch to patch.exe or something similar. It will make the next step easier.

3: Create a new file on the desktop called autorun.inf. Open it in notepad and put the following lines in:

Code:

---

[autorun]
open=patch.exe -o -f -u

---

4: Burn these two files to a cd. Because of the autorun.inf and Window's inherent autoplay feature, the patch will automatically run. The -o means it will overwrite existing files, the -f means it will force all processes to die upon reboot signal, and the -u means it will be in unattended mode which makes life a lot easier for administrators running around trying to automate this process on dozens or more workstations.

Problem: it has to be run as administrator (or power users that can add patches to the system) so it's only a little better if you have dozens of regular standard user workstations.

Just got my hands on the source code for the Blaster worm now.
Got it by a good friend in my mail some hours ago, so soon I gonna have some fun with examining it and see how it's made :)

Grinler..anyone

I am trying to find a binary or source code source for the W32/Blaster to put it into our lab for testing. Unfortunatly the gov. agency we support will not allow the Ops support staff change any machine untill in-house testing for effect is compleated. Buearocracy ya gotta love it.

I got the binary but unfortunately do not have access to the computer its stored on due to the power outage.

Zrekam, Mind sharing the source? Would love to take a look at it.

here is a snippet of the worms exploit code:
<Snippet>
loc_4AF: ; CODE XREF: seg000:000004A8j

sub esp, 34h

mov esi, esp

call GetKernel32BaseAddy

mov [esi], eax ; EAX is the base address of kernel32.dll

push dword ptr [esi]

push 0EC0E4E8Eh ; corresponds to LoadLibraryA

call ScanForAPI

mov [esi+8], eax

push dword ptr [esi]

push 0CE05D9ADh ; WaitForSingleObject

call ScanForAPI

mov [esi+0Ch], eax

push 6C6Ch

push 642E3233h

push 5F327377h ; ws32_2.dll

push esp

call dword ptr [esi+8]

mov [esi+4], eax ; esi + 4 = HModule of ws32_2.dll

push dword ptr [esi]

push 16B3FE72h ; CreateProcessA

call ScanForAPI

mov [esi+10h], eax

push dword ptr [esi]

push 73E2D87Eh ; ExitProcess

call ScanForAPI

mov [esi+14h], eax

push dword ptr [esi+4]

push 3BFCEDCBh ; WSAStartup

call ScanForAPI

mov [esi+18h], eax

push dword ptr [esi+4]

push 0ADF509D9h ; WSASocketA

call ScanForAPI

mov [esi+1Ch], eax

push dword ptr [esi+4]

push 0C7701AA4h ; bind

call ScanForAPI

mov [esi+20h], eax

push dword ptr [esi+4]

push 0E92EADA4h ; listen

call ScanForAPI

mov [esi+24h], eax

push dword ptr [esi+4]

push 498649E5h ; accept

call ScanForAPI

mov [esi+28h], eax

push dword ptr [esi+4]

push 79C679E7h ; closesocket

call ScanForAPI

mov [esi+2Ch], eax

xor edi, edi

sub esp, 190h

push esp

push 101h

call dword ptr [esi+18h] ; WSAStartup returns 0 if successful

push eax

push eax

push eax

push eax

inc eax

push eax

inc eax

push eax ; call wsasocketa
</snippet>

This is just a little bit of the blaster worm, the rest of the code I am not allowed to reveal.

Quote:

---

Originally posted here by Und3ertak3r
Noticed an increase in scans on the netbios ports, 137 in particular, as well almost matching the 135? coincidence?

Cheers

---

I've started getting hits, just like blaster on port 137 at around 8.00pm UTC last night & at the rate of every 10/15 mins.

Anyone know what this is?

<edit>

Actually the starting time may be wrong, but I'd still like to know what this is

</edit>

My ISP has decided to UN-Block Port 135..
My firewall log is full of "Block TCP packet on port 135" .. this restarted sometime yesterday (local time) and the Port 135 probes here are as bad as during the 11th and 12th.. I don't want to exagerate.. it seems at the moment to be worse.. but.. I didnt run my system 24/7 at thate time..

I have taken the steps of advising the ISP, and asking why they removed the block, also asking that it may be prudent to re-block port 135..
and just for their records I supplied a short extract from my logs (about 5k).. that should give them enough food for thought.. or atleast some emailing to the users of those systems "You are infected" warnings.. Most of the ip's are from within their domains.. ie 144.134.XXX.XXX

I wonder howmany other ISP's have decided to unblock that port.. certainly shows (from here) the infection is still rampent..

Cheers