
MSBlaster Update






Presentation Transcript


  1. MSBlaster Update
     August 20, 2003, 11:30
     Bob McCoy, bobmccoy@microsoft.com
     Technical Account Manager, Premier Support, Microsoft Corporation

  2. Names
     • W32.Blaster.Worm (Symantec)
     • W32/Lovsan.worm (McAfee)
     • WORM_MSBLAST.A (Trendmicro)
     • Win32.Posa.Worm (Computer Associates)

  3. Symptoms
     • Computer reboots every few minutes without user input
     • Computers become unresponsive

  4. Who is Vulnerable?
     • Microsoft Windows NT 4.0 (affected)
     • Microsoft Windows 2000 (infected)
     • Microsoft Windows XP (infected)
     • Microsoft Windows Server 2003 (affected)

  5. Infection Evidence
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = "msblast.exe"
     • msblast.exe in the Windows System32 directory
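As an added example (not from the deck; PowerShell did not exist in 2003, so this is a present-day re-expression of the check a logon script would then have done in batch or VBScript), a read-only script that looks for the two indicators above. The value name, data and path are taken from the slide; nothing else is assumed.

```powershell
# Added example, not from the deck: read-only check for the two Blaster
# indicators listed on slide 5. It changes nothing, so it is safe to run
# from a logon script or a deployment tool that acts on the exit code.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'                        # value name the worm writes
$wormFile  = Join-Path $env:SystemRoot 'System32\msblast.exe'

$findings = @()

# 1. Persistence: the exact Run value the slide gives.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $data = [string]$run.$valueName
    # The exact filename is what the deck describes; the same value name
    # pointing elsewhere still deserves a look because of variants.
    $severity = if ($data -match '(?i)msblast\.exe') { 'High' } else { 'Review' }
    $findings += [pscustomobject]@{
        Indicator = 'Run key'
        Detail    = "$valueName = $data"
        Severity  = $severity
    }
}

# 2. Dropped binary in System32.
if (Test-Path -LiteralPath $wormFile -PathType Leaf) {
    $f = Get-Item -LiteralPath $wormFile
    $findings += [pscustomobject]@{
        Indicator = 'File'
        Detail    = "$wormFile ($($f.Length) bytes, last written $($f.LastWriteTime))"
        Severity  = 'High'
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so the caller can quarantine the host or schedule removal
}
Write-Output "No Blaster indicators found on $env:COMPUTERNAME"
exit 0
```

Run it elevated so the HKLM read and the System32 listing are not silently denied; the exit code is what a logon script or deployment tool should key on, not the table.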

  6. Vulnerability Details
     • The vulnerability is in the part of RPC that deals with message exchange over TCP/IP
     • It occurs because of incorrect handling of malformed messages
     • This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC-enabled ports

  7. Vulnerability Details
     • An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system
     • To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports (port 135, 139, 445 or 593, or any other specifically configured RPC port on the remote machine)

  8. What's the Fix?
     • The patch corrects the vulnerability by altering the DCOM interface to properly check the information passed to it.

  9. Anatomy of an Attack 1 of 3

  10. Anatomy of an Attack 2 of 3

  11. Anatomy of an Attack 3 of 3

  12. 4 Steps for Home Users
     • Install/Enable a Firewall
     • Update Windows
     • Use Antivirus Software
     • Remove the Worm

  13. Protect Your PC
     • http://www.microsoft.com/security/protect/
     • Went live Aug 18th

  14. Firewalls
     • Windows XP and Windows Server 2003 include Internet Connection Firewall
     • Windows 2000 can use IPSec filtering: http://support.microsoft.com/?id=309798
       ipseccmd -f 0+*:69:UDP *+0:69:UDP -n BLOCK -w REG -p "Block TFTP" -r "Block client/server TFTP" -x
       (blocks UDP port 69, TFTP, in both directions and writes the policy to the registry so it persists; the worm uses TFTP to fetch msblast.exe)
     • PXE, RIS and ADS use TFTP
     • Specific port filtering only buys you some time due to variants
     • Third party software firewalls
     • External firewalls

  15. The Internal Threat
     • VPN port filtering
     • Quarantine / Sandbox
     • Network scan and shut off ports
     • Client logon scripts
     • Partners and trust – filtering at the edge

  16. Group Policy
     • Set IPSec filter
     • Restrict execution of msblast.exe
     • Watch out for variants
     • Custom scripts
     • Only works on Windows 2000 and later
     • XP Home ineligible for domain policy

  17. Good Worm, Bad Worm
     • Latest variant looks for vulnerable computers, patches & reboots them
     • Names: Nachi, Blaster-D, Welchia
       http://www.microsoft.com/technet/security/virus/alerts/nachi.asp
     • Increased network traffic (ICMP)
     • Scanning continues until 1/1/2004
     • It's still a worm, with all the legal issues associated with unauthorized access
     • Exploits RPC (MS03-026) and WebDAV (MS03-007) vulnerabilities

  18. Removal Tools
     • Network Associates: http://www.nai.com/us/promos/nai_lovsan.htm
     • Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
     • Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
     • Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265
     • Sophos: http://www.sophos.com/support/disinfection/blastera.html#2

  19. Stop the Rebooting
     "Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly." (unrepentantly)
     Start | Run | Services.msc | Remote Procedure Call (RPC) | Recovery
     Change recovery option

  20. Stop the Timer
     • Start | Run (R)
       shutdown -a

  21. Deployment Technologies
     • SMS with Feature Pack
     • Software Update Services (uses the Automatic Update component)
     • Login script
     • Third party tools (St Bernard, Tivoli, et al)
     • VBScript: http://support.microsoft.com/default.aspx?kbid=827227
     • SneakerNet

  22. Software Update Services

  23. Cryptographic Error
     • Cryptographic Services may not be started
     • Database corruption in catroot2
     • Windows Update 643 Error and the Catalog Database
       http://support.microsoft.com/default.aspx?scid=kb;EN-US;817287
       net stop cryptsvc
       ren %systemroot%\system32\catroot2 oldcatroot2
       net start cryptsvc

  24. Installer Convergence
     • Many product teams ► many installer technologies
     • Historically driven by architectural differences
     • Two standards
       • Windows Installer (MSI)
       • Update.exe
     • Most will migrate after MSI 3.0 is released

  25. Patch Verification
     • SMS
     • Scan with MS Baseline Security Analyzer
     • MS03-036 Scanner: http://www.microsoft.com/downloads/details.aspx?familyid=c8f04c6c-b71b-4992-91f1-aaa785e709da
       • May give false positives on Win9x machines that have DCOM98 installed

  26. Support
     • NT 4.0 Server SP 6a
       • Workstation was not initially supported
       • Will not install with previous SPs
     • Win2000 SP 3 & 4
       • Will install on Win2000 SP 2, however it's not supported
     • Hot fix support for DEC Alpha ended December 31, 2001
     • Support Lifecycle: http://support.microsoft.com/lifecycle

  27. System Confidence
     • "But the infection period = full access by bad guys to your PC. How can you 100% know you have caught + reversed every possible malicious action? For 100% confidence you must flatten & reinstall."
     • Root compromise: http://www.cert.org/tech_tips/root_compromise.html

  28. It Really Hurts
     My customer has no less than 7 separate production configurations (just for workstations), more than 1,000 applications in use (in multiple languages), and machines located in more than 135 countries, some of which have total in-country bandwidths as low as 32K total.

  29. Windowsupdate.com
     • DDoS target of the worm (SYN flood)
     • Attacks scheduled to begin 8/16/03 at 00:00 local
     • "A" records for windowsupdate.com now point to 127.0.0.1
     • It was an easy redirect to the real update site
     "One strategy for cushioning the blow was to extinguish the Windowsupdate.com site," said Microsoft spokesman Sean Sundwall. "We have no plans to ever restore that to be an active site."

  30. DDoS Schedule

  31. Did we get lucky?
     • Hard coded URL to expendable domain
     • No intelligence about what client was being attacked
     • Worm had to drag the payload in behind it
     • Payload was fairly benign
     • Patch was available
     • Power failure in the NE US

  32. Resources
     • Main MSBlast Page: http://www.microsoft.com/security/incident/blast.asp
     • Knowledge Base Article 823980: http://support.microsoft.com/default.aspx?scid=kb;en-us;823980
     • PSS Security Response Team Alert: http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp
     • Microsoft Security Bulletin MS03-026: http://www.microsoft.com/technet/security/bulletin/ms03-026.asp

  33. More Info
     • Patch Management Whitepaper: http://www.microsoft.com/security/whitepapers/patch_management.asp
     • ISA Server helps block Blaster traffic: http://www.microsoft.com/isaserver/techinfo/prevent/blasterworm.asp
     • Microsoft DCOM RPC Worm Alert: https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
     • Stanford report on RPC Exploits: http://securecomputing.stanford.edu/win-rpc.html
     • ISP White paper: http://www.microsoft.com/serviceproviders/security/isp_blaster.asp

  34. TechNet Webcasts
     • What Network Administrators Should Know About The Blaster Worm
       Live Event: August 21, 2003 - 11:00am to 12:30am Central Time
       http://www.microsoft.com/usa/webcasts/upcoming/2342.asp
     • How To Recover Your Home Computer From The Blaster Worm
       Live Event: August 20, 2003 - 2:30pm to 4:00pm Central Time
       http://www.microsoft.com/usa/webcasts/upcoming/2343.asp
     • How To Recover Your Home Computer From The Blaster Worm
       Live Event: August 21, 2003 - 2:30pm to 4:00pm
       http://www.microsoft.com/usa/webcasts/upcoming/2344.asp

  35. © 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
