Anyone seeing any variations to the w32.Blaster.worm? I think I was the victim last week (very similar symptoms) but the filenames (along with sizes and hash sigs) are different.
"Infected machines will begin a concerted distributed denial of service attack (DDoS) on the domain "windowsupdate.com" this coming Saturday the 16th. However, since the correct domain name used by Windows systems is "windowsupdate.microsoft.com", Microsoft will be able to dodge this bullet simply by changing the IP address for "windowsupdate.com" to "127.0.0.1". Since this IP is a non-routable alias for each system's own local network interface, the DDoS attack won't go anywhere."
oooh.. that's interesting, I didn't know that. whoever programmed it is retarded then, if they got the most crucial part of the DDoS attack wrong, haha
Hi Guys..
As per my usual heads-up, only higher-risk threats are listed here, i.e. Symantec's Cat 2 or higher. This one is also a member of the RPC/DCOM family.
Symantec Info Page
W32.Randex.E, W32/Spybot.worm.lz
This one's entry is due to its distribution capability and its relationship to MSBlaster.
Threat Assessment
Summary of Threat
Quote:
Wild:- Low
Damage:- Low (well there is some damage)
Distribution:- Medium
Payload:
Compromises security settings: Opens a hidden remote cmd.exe shell.
Distribution
Ports: TCP 113, TCP 4444, UDP 69
Target of infection: Machines with vulnerable DCOM RPC Services running
I do recommend following through to the link from McAfee for more details.
Quote:
W32.Randex.E is an Internet Relay Chat (IRC) Trojan Horse that allows its creator to control a computer by using IRC. It is also a worm that can use the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to spread itself.
Technical Details
Read each of the info pages from Symantec, McAfee and Trend Micro for a good grounding in this one.
Quote:
The worm contains its own IRC client, allowing it to connect to specified IRC servers and join a channel to listen for the commands from the worm's creator.
One such command is to exploit the DCOM RPC vulnerability: The worm generates random IP addresses. Once the IP address is generated, it pings the IP addresses to find whether the computer is active. Then, it sends data on TCP port 113, which may exploit the DCOM RPC vulnerability.
This threat is listed on the other AV Sites as:-
Sophos
McAfee
Trend-Micro Rated damage as High and distribution high
Sophos
Grisoft (not much info here, but just for you AVG fans)
Cheers
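As an added example (not code from this thread or from any of the AV write-ups linked above), here is a small Python detector that correlates the ports named in the heads-up: an RPC/ident contact (TCP 135 or 113), the hidden cmd.exe shell on TCP 4444, and the new victim pulling the worm body back over UDP 69 (TFTP). The firewall log format and the sample lines are constructed for this example; adapt the regex to whatever your firewall actually writes.

```python
import re
from collections import defaultdict

# Ports named in the thread: TCP 135 (DCOM RPC), TCP 113 (Randex.E),
# TCP 4444 (hidden remote cmd.exe shell), UDP 69 (TFTP fetch of the worm).
RPC_PORTS = {135, 113}
SHELL_PORT = 4444
TFTP_PORT = 69

# Hypothetical firewall log format, constructed for this example:
#   <date> <time> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one full infection chain (10.0.0.5 -> 10.0.0.9),
# one unrelated web hit, and one lone RPC contact that should not be flagged.
SAMPLE_LOG = """\
2003-08-13 10:01:02 ALLOW TCP 10.0.0.5:1034 -> 10.0.0.9:135
2003-08-13 10:01:03 ALLOW TCP 10.0.0.5:1035 -> 10.0.0.9:4444
2003-08-13 10:01:04 ALLOW UDP 10.0.0.9:1036 -> 10.0.0.5:69
2003-08-13 10:02:10 ALLOW TCP 10.0.0.7:1200 -> 10.0.0.9:80
2003-08-13 10:02:11 ALLOW TCP 10.0.0.8:1201 -> 10.0.0.9:135
""".splitlines()

def parse(lines):
    """Yield (proto, src_ip, dst_ip, dst_port) for every line matching the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def find_infection_chains(lines):
    """Return {(attacker, victim): [stages]} for pairs showing at least the
    RPC contact followed by a 4444 shell; 'tftp' is added when the victim
    is also seen pulling a file from the attacker over UDP 69."""
    stages = defaultdict(set)
    for proto, src, dst, dport in parse(lines):
        if proto == "TCP" and dport in RPC_PORTS:
            stages[(src, dst)].add("rpc")
        elif proto == "TCP" and dport == SHELL_PORT:
            stages[(src, dst)].add("shell")
        elif proto == "UDP" and dport == TFTP_PORT:
            stages[(dst, src)].add("tftp")  # reversed: victim connects back to attacker
    return {pair: sorted(s) for pair, s in stages.items() if {"rpc", "shell"} <= s}

if __name__ == "__main__":
    for (attacker, victim), seen in find_infection_chains(SAMPLE_LOG).items():
        print(f"possible DCOM worm spread {attacker} -> {victim}: {', '.join(seen)}")
```

A lone 4444 connection is not flagged on its own, so legitimate use of that port does not trip the rule; only the RPC-then-shell sequence between the same two hosts does.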
It's not incorrect. Windowsupdate.com was a redirect to the real site when the worm was created. There will still be huge slowdowns as people still clamour to get the patch. If admins of networks are smart, they download the patch to a central location and distribute it from there.
Quote:
Originally posted here by Plastic
oooh.. that's interesting, I didn't know that. whoever programmed it is retarded then, if they got the most crucial part of the DDoS attack wrong, haha
Plus, I'm sure that a variant is in the works that would go to both. The more they close, the more ideas will crop up. The big thing is for people to stay aware.
In fact, if you look at the fact that they give about a week from release to the target date it makes one wonder if the worm was done to a) encourage admins to patch ASAP (so we don't see repeats of Sapphire -- 6 month old hole that no one patched for SQL) b) to see how the industry/MS would react to this situation. Nothing like prodding something to see the effect.
Well this is great, Windows Update was down for at least two hours last night (went to TechNet for the patch but had fun watching Windows Update); people scrambling for the patch did this worm's job for it. So I guess MSBlaster was a success as it launched a successful DDoS on Windows Update.
Well, it was bound to happen. I just got this from the Full Disclosure mailing list:
Quote:
http://www.theinquirer.net/?article=11018
KASPERSKY LABS claimed this afternoon that there's already a new version of the Blaster/Lovesan worm on the loose.
And it says that's likely to mean a repeat of the outbreak we've seen during this week. The new variety of Lovesan/Blaster exploits the same vulnerability.
Kaspersky says that the number of infected systems is around the 300,000 mark, and the new variety may double this number.
"In the worst case, the world community can face a global Internet slow down and regional disruption... to the World Wide Web," said Eugene Kaspersky, head of the labs.
The new variety uses the name TEEKIDS.EXE instead of MSBLAST.EXE, different code compression, and different signatures in the body of the worm.
Information regarding and removal instructions for the 'b' version of MSBlast
http://www.sarc.com/avcenter/venc/da...er.b.worm.html
I have been following the discussion both here, on the news sites and on the mailing lists (although it is not fun to read a zillion messages a day) and it seems to me like the author of msblast.exe just released his worm because he wanted to be the first one with the worm. It was badly coded, highly inefficient.
But with all the different versions of the original exploit (dcom.c) it looks like we have not seen the last of this.
So my advice to everybody is to install a firewall/anti-virus combination on EVERY computer you have access to (of course, ask for permission from the owner) and educate the users. If people were properly firewalled this would not be on the news right now.
Furthermore I read that some ISPs are temporarily blocking/filtering the affected ports. Although I don't think ISPs should filter/block ports, in this case I say 'KUDOS'.
Quote:
Originally posted here by Cerveza
Furthermore I read that some ISPs are temporarily blocking/filtering the affected ports. Although I don't think ISPs should filter/block ports, in this case I say 'KUDOS'.
Yup, some ISPs over here have already blocked/filtered port 135; it means if "kiddies" have their dcom.c exploits on their box, "they" cannot run it to scan other hosts, or vice versa.
That sounds very bad to me... maybe "they" will have a bigger attack, a real worm, coming up.
Exactly.
Quote:
Yup, some ISPs over here have already blocked/filtered port 135; it means if "kiddies" have their dcom.c exploits on their box, "they" cannot run it to scan other hosts, or vice versa.
Although I normally don't agree with ISPs blocking/filtering ports (I could be running IRC on port 12345 or HTTP on 37337), in this case I think it is a good (temporary) solution.
I don't think it is the ISP's responsibility to block certain ports because I think people should be able to run whatever they want (within law restrictions that is) even RPC UPnP or whatever on their computers.
I even know of some people that used SubSeven as a Remote Administration Tool on their own machines (/me scratches head).
But in this case it could be a good thing to prevent the worms from further spreading and eventually DoSsing windowsupdate.com (which has been down all day AFAIK BTW).
This worm is a big slap in the face of the Trustworthy Computing initiative IMO; even the 'delayed because of security' Windows 2003 is vulnerable.
If you ask me (you don't, but anyway) ports like this (and NetBIOS, UPnP etc.) should not be open by default. People that want to use the service should start the service manually. But 'that is just my opinion. I could be wrong'.