MSBlaster Update
August 20, 2003 11:30
Bob McCoy, bobmccoy@microsoft.com
Technical Account Manager, Premier Support, Microsoft Corporation
Names
• W32.Blaster.Worm (Symantec)
• W32/Lovsan.worm (McAfee)
• WORM_MSBLAST.A (Trendmicro)
• Win32.Posa.Worm (Computer Associates)
Symptoms
• Computer reboots every few minutes without user input
• Computers become unresponsive
Who is Vulnerable?
• Microsoft Windows NT 4.0 (affected)
• Microsoft Windows 2000 (infected)
• Microsoft Windows XP (infected)
• Microsoft Windows Server 2003 (affected)
Infection Evidence
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = "msblast.exe"
• msblast.exe in the Windows System32 directory
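The two indicators on this slide can be checked without touching a live machine. The script below is an added example, not part of the original deck: it parses a .reg export of the Run key and a System32 directory listing (both constructed here for illustration) and reports whether either indicator is present. The indicator values themselves are the ones the slide lists; the sample data, the `ExampleTray` entry and the function names are assumptions.

```python
"""Added example, not from the original deck: check exported host data for the
two Blaster indicators the deck lists (the Run value and msblast.exe in
System32). Inputs are constructed so the check runs offline on any platform."""
import re

# Indicators from the deck (registry paths compare case-insensitively).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
RUN_VALUE_NAME = "windows auto update"
WORM_FILE = "msblast.exe"

# Constructed .reg export of the Run key from an infected host.
SAMPLE_REG_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe /background"
"windows auto update"="msblast.exe"
'''

# Constructed export of the same key from a clean host.
SAMPLE_REG_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe /background"
'''

# Constructed System32 directory listings (file names only).
SAMPLE_SYSTEM32_INFECTED = ["kernel32.dll", "MSBLAST.EXE", "ntdll.dll"]
SAMPLE_SYSTEM32_CLEAN = ["kernel32.dll", "ntdll.dll"]

_VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"$')


def parse_reg_export(text):
    """Parse string values from a .reg export into {key_lower: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                # .reg files escape a backslash as "\\"; undo that for path data.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def executable_name(data):
    """Lower-cased file name of the program a Run value launches (arguments dropped)."""
    m = re.match(r'\s*"?(.*?\.exe)', data, re.IGNORECASE)
    program = m.group(1) if m else data.strip()
    return re.split(r"[\\/]", program)[-1].lower()


def run_key_hits(keys):
    """Run values matching the deck's indicator, as (value_name, data) pairs."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME or executable_name(data) == WORM_FILE:
            hits.append((name, data))
    return hits


def system32_hit(listing):
    """True if msblast.exe is present in the System32 listing (case-insensitive)."""
    return any(f.lower() == WORM_FILE for f in listing)


def assess(reg_text, system32_listing):
    """Combine both indicators into one verdict for the host."""
    hits = run_key_hits(parse_reg_export(reg_text))
    file_present = system32_hit(system32_listing)
    return {"run_hits": hits, "file_hit": file_present,
            "infected": bool(hits) or file_present}


if __name__ == "__main__":
    for label, reg, listing in [("infected host", SAMPLE_REG_INFECTED, SAMPLE_SYSTEM32_INFECTED),
                                ("clean host", SAMPLE_REG_CLEAN, SAMPLE_SYSTEM32_CLEAN)]:
        print(label, assess(reg, listing))
```

The Run value is matched on either half of the indicator (the value name or the launched file name) so that a renamed value or a full path to the same file still triggers; a clean host with only its ordinary Run entries produces no hits.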
Vulnerability Details
• The vulnerability is in the part of RPC that deals with message exchange over TCP/IP
• It occurs because of incorrect handling of malformed messages
• This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports
Vulnerability Details
• An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system
• To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports (port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine)
What's the Fix?
• The patch corrects the vulnerability by altering the DCOM interface to properly check the information passed to it.
Anatomy of an Attack 1 of 3
Anatomy of an Attack 2 of 3
Anatomy of an Attack 3 of 3
4 Steps for Home Users
• Install/Enable a Firewall
• Update Windows
• Use Antivirus Software
• Remove the Worm
Protect Your PC
• http://www.microsoft.com/security/protect/
• Went live Aug 18th
Firewalls
• Windows XP and Windows Server 2003 include Internet Connection Firewall
• Windows 2000 can use IPSec filtering: http://support.microsoft.com/?id=309798
  ipseccmd -f 0+*:69:UDP *+0:69:UDP -n BLOCK -w REG -p "Block TFTP" -r "Block client/server TFTP" -x
• PXE, RIS and ADS use TFTP
• Specific port filtering only buys you some time due to variants
• Third party software firewalls
• External firewalls
The Internal Threat
• VPN port filtering
• Quarantine / Sandbox
• Network scan and shut off ports
• Client logon scripts
• Partners and trust – filtering at the edge
Group Policy
• Set IPSec filter
• Restrict execution of msblast.exe
• Watch out for variants
• Custom scripts
• Only works on Windows 2000 and later
• XP Home ineligible for domain policy
Good Worm, Bad Worm
• Latest variant looks for vulnerable computers, patches & reboots them
• Names: Nachi, Blaster-D, Welchia: http://www.microsoft.com/technet/security/virus/alerts/nachi.asp
• Increased network traffic (ICMP)
• Scanning continues until 1/1/2004
• It's still a worm, with all the legal issues associated with unauthorized access
• Exploits RPC (MS03-026) and WebDAV (MS03-007) vulnerabilities
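The slide's "increased network traffic (ICMP)" is the observable a network team can key on: a host that echo-requests a whole address range in sequence stands out from ordinary ping use. The script below is an added example and not part of the original deck; it runs over constructed flow records (source, destination, protocol, ICMP type) and reports sources whose echo-request fan-out exceeds a threshold, together with how sequential the targeted addresses are. The threshold of 50 distinct hosts, the sample addresses and the function names are assumptions.

```python
"""Added example, not from the original deck: flag hosts whose ICMP echo
behaviour looks like the address sweeping the deck attributes to the Nachi
variant. Flow records and the threshold are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (src, dst, proto, icmp_type); ICMP type 8 = echo request.
SAMPLE_FLOWS = (
    [("10.1.1.50", f"10.1.2.{i}", "ICMP", 8) for i in range(1, 121)]          # one host sweeping a /24
    + [("10.1.1.7", "10.1.1.1", "ICMP", 8), ("10.1.1.7", "10.1.1.2", "ICMP", 8)]  # ordinary pings
    + [("10.1.1.7", "10.1.1.9", "TCP", None)]                                   # unrelated TCP flow
)


def echo_request_targets(flows):
    """Map each source to the set of distinct hosts it sent echo requests to."""
    targets = defaultdict(set)
    for src, dst, proto, icmp_type in flows:
        if proto == "ICMP" and icmp_type == 8:
            targets[src].add(dst)
    return targets


def sequential_ratio(addresses):
    """Fraction of sorted neighbouring address pairs that differ by exactly 1.

    A sweep of a contiguous range scores near 1.0; scattered ordinary pings score low.
    """
    ints = sorted(int(ipaddress.ip_address(a)) for a in addresses)
    if len(ints) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return steps / (len(ints) - 1)


def suspected_sweepers(flows, threshold=50):
    """Sources pinging at least `threshold` distinct hosts (threshold is an assumption)."""
    report = {}
    for src, dsts in echo_request_targets(flows).items():
        if len(dsts) >= threshold:
            report[src] = {"targets": len(dsts), "sequential": sequential_ratio(dsts)}
    return report


if __name__ == "__main__":
    for src, info in suspected_sweepers(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} hosts pinged, "
              f"{info['sequential']:.0%} of them consecutive addresses")
```

Fan-out alone would also catch a monitoring box that pings every server, which is why the sequential ratio is reported alongside it: a legitimate poller hits a scattered inventory, while a sweeping worm walks the address space in order.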
Removal Tools
• Network Associates: http://www.nai.com/us/promos/nai_lovsan.htm
• Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
• Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
• Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265
• Sophos: http://www.sophos.com/support/disinfection/blastera.html#2
Stop the Rebooting
"Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly." (unrepentantly)
Start | Run | Services.msc | Remote Procedure Call (RPC) | Recovery
Change recovery option
Stop the Timer
• Start | Run (R)
  shutdown -a
Deployment Technologies
• SMS with Feature Pack
• Software Update Services (uses the Automatic Update component)
• Login script
• Third party tools (St Bernard, Tivoli, et al)
• VBScript: http://support.microsoft.com/default.aspx?kbid=827227
• SneakerNet
Cryptographic Error
• Cryptographic Services may not be started
• Database corruption in catroot2
• Windows Update 643 Error and the Catalog Database: http://support.microsoft.com/default.aspx?scid=kb;EN-US;817287
  net stop cryptsvc
  ren %systemroot%\system32\catroot2 oldcatroot2
  net start cryptsvc
Installer Convergence
• Many product teams ► many installer technologies
• Historically driven by architectural differences
• Two standards
  • Windows Installer (MSI)
  • Update.exe
• Most will migrate after MSI 3.0 is released
Patch Verification
• SMS
• Scan with MS Baseline Security Analyzer
• MS03-036 Scanner: http://www.microsoft.com/downloads/details.aspx?familyid=c8f04c6c-b71b-4992-91f1-aaa785e709da
  • May give false positives on Win9x machines that have DCOM98 installed
Support
• NT 4.0 Server SP 6a
  • Workstation was not initially supported
  • Will not install with previous SPs
• Win2000 SP 3 & 4
  • Will install on Win2000 SP 2, however, it's not supported
• Hot fix support for DEC Alpha ended December 31, 2001
• Support Lifecycle: http://support.microsoft.com/lifecycle
System Confidence
• "But the infection period = full access by bad guys to your PC. How can you 100% know you have caught + reversed every possible malicious action? For 100% confidence you must flatten & reinstall."
• Root compromise: http://www.cert.org/tech_tips/root_compromise.html
It Really Hurts
My customer has no less than 7 separate production configurations (just for workstations), more than 1,000 applications in use (in multiple languages), and machines located in more than 135 countries, some of which have total in-country bandwidths as low as 32K total.
Windowsupdate.com
• DDoS target of the worm (SYN flood)
• Attacks scheduled to begin 8/16/03 at 00:00 local
• "A" records for windowsupdate.com now point to 127.0.0.1
• It was an easy redirect to the real update site
"One strategy for cushioning the blow was to extinguish the Windowsupdate.com site," said Microsoft spokesman Sean Sundwall. "We have no plans to ever restore that to be an active site."
Did we get lucky?
• Hard coded URL to expendable domain
• No intelligence about what client was being attacked
• Worm had to drag the payload in behind it
• Payload was fairly benign
• Patch was available
• Power failure in the NE US
Resources
• Main MSBlast Page: http://www.microsoft.com/security/incident/blast.asp
• Knowledge Base Article 823980: http://support.microsoft.com/default.aspx?scid=kb;en-us;823980
• PSS Security Response Team Alert: http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp
• Microsoft Security Bulletin MS03-026: http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
More Info
• Patch Management Whitepaper: http://www.microsoft.com/security/whitepapers/patch_management.asp
• ISA Server helps block Blaster traffic: http://www.microsoft.com/isaserver/techinfo/prevent/blasterworm.asp
• Microsoft DCOM RPC Worm Alert: https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
• Stanford report on RPC Exploits: http://securecomputing.stanford.edu/win-rpc.html
• ISP White paper: http://www.microsoft.com/serviceproviders/security/isp_blaster.asp
TechNet Webcasts
• What Network Administrators Should Know About The Blaster Worm. Live Event: August 21, 2003 - 11:00am to 12:30am Central Time. http://www.microsoft.com/usa/webcasts/upcoming/2342.asp
• How To Recover Your Home Computer From The Blaster Worm. Live Event: August 20, 2003 - 2:30pm to 4:00pm Central Time. http://www.microsoft.com/usa/webcasts/upcoming/2343.asp
• How To Recover Your Home Computer From The Blaster Worm. Live Event: August 21, 2003 - 2:30pm to 4:00pm. http://www.microsoft.com/usa/webcasts/upcoming/2344.asp
© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.