Slashdot Mirror


RPC DCOM Worm On The Loose

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

20 of 604 comments

  1. users being hit hard by towaz · · Score: 5, Informative

    the call centre here is off the scale with people ringing in with rpc problems...
    all xp users though

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
  2. Credit... by chill · · Score: 5, Informative

    At least Microsoft was nice enough to credit LSD in the tech note.

    --
    Learning HOW to think is more important than learning WHAT to think.
  3. Security Advisory by Blangopolis · · Score: 5, Informative
    The security advisory can be found here.

    After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)

  4. Effects by Papa+Legba · · Score: 5, Informative

    This worm is bugged it seems. From XP systems I have seen it throws an error to the screen about RPC services and reboots the system. On Windows 2000 Pro it crashes the svchost and a lot of stuff stops working. Just an FYI for those trying to diagnose systems right this minute.

    Cagliostro

    --
    Papa Legba come and open the gate
    1. Re:Effects by gclef · · Score: 4, Informative
      So how do you fix an infected machine?

      1) Delete msblast.exe (usually found at: winnt\system32\msblast.exe)
      2) Delete the Registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update". That key should contain the "msblast.exe" process, and is what starts it up again on reboot.
      3) Patch DCOM, or you'll just get this again.

  5. UNC-Chapel Hill South Campus Hit Hard by Anonymous Coward · · Score: 3, Informative

    UNC-Chapel Hill South Campus [Medicine, Pharmacy, Nursing, etc] has been slammed by this thing.

    The tragic part is that Microsoft posted the patch almost a month ago:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-026.asp
  6. Increase in TCP 135 Activity by Anonymous Coward · · Score: 5, Informative

    This is our number of dropped TCP 135 requests at our border since noon today, per 30 mins, seen on our 2 Class Bs:

    57,003 1200 to 1230
    75,317 1230
    59,321 1300
    52,642 1330
    130,932 1400
    202,996 1430
    277,183 1500
    247,682 1530
    320,919 1600
    361,504 1630 to 1700

    milspec

  7. Re:Port 4444 by venom600 · · Score: 3, Informative

    Both. It is opening a shell on port 4444 and contacting a tftp server (using the shell) to download a file which is the worm code itself.

  8. Erkk by Anonymous Coward · · Score: 3, Informative

    Got hit by this earlier today. I'm not normally a slouch with these things, but this one really hit me hard; took me 4 restarts to find out what was going on. (As every time I connected to the net I was immediately given 60 seconds before another auto restart.) I can see how non-techies are gonna be totally screwed by this.

    All I can say is change the properties of your RPC service repair functions. Start -> Administrative Tools -> Component Services -> Services (local). This will at least give you time to go online and download the MS patch, which we should have done weeks ago, I know :)

  9. Not quite safe: by Telastyn · · Score: 4, Informative

    http://www.kb.cert.org/vuls/id/326746

    win2k machines are still vulnerable to a dos; even patched.

    Thanks microsoft...

  10. Re:Port 4444 by Anonymous Coward · · Score: 5, Informative

    Shell is on 4444. TFTP is on standard port. Random scanner? SHA-1 of packed worm is BED8E439F28A1A0D3876366CBD76A43CDCCF60FA. It'll look up windowsupdate.com and flood on the 16th. Filename is msblast.exe, length 6176 bytes. Partial string "to say LOVE YOU SAN!!" appears even in the packed version (UPX 1.22). More detailed stuff to follow...

  11. Where was this story 3 hours ago? by Speed+Racer · · Score: 3, Informative

    A friend of mine called me about 3 hours ago saying that her brand new Windows XP notebook kept rebooting with some strange message about RPC. I had her download the free version of ZoneAlarm and that blocked the worm and let her stay online long enough to download the patch. If you know somebody that's getting hammered, have them give ZoneAlarm a shot.

    --
    Free Mac Mini. Yes, I'm
  12. More diagnoses info by Papa+Legba · · Score: 4, Informative

    On XP you are getting two error codes.
    The first is a system shutdown window telling you that the RPC service must be restarted. This gives you 30 seconds before reboot. Initiated by NT Authority\system. This is a successful XP infection.

    The other is Windows cannot open this file:

    File: TFTp784

    This appears to be an unsuccessful try.

    For windows 2000 it crashes svchost trying to get in it appears. Just apply the patch to stop the crashes. It does not appear to get into the system in this case

    Hope this helps everyone

    Cagliostro

    --
    Papa Legba come and open the gate
  13. I was *nailed* by this thing over the weekend by drgroove · · Score: 5, Informative

    At first, I couldn't figure out why Task Manager suddenly stopped working. Launching TaskMan.exe resulted in an error message "Task Manager has been disabled by the Administrator".

    Odd, I thought. I *am* the administrator.

    I realized I had been hit by a virus or worm when I rebooted and the autoexec.bat file opened up during my login. Not good.

    Norton didn't pick up on this one at all; furthermore, McAfee's online virus/worm searching tool found a related virus, but not the actual baddie.

    The virus that McAfee located - which probably came in after the worm opened up all those ports in my firewall - was in \WINNT\msagent\intl. Basically, anything in that directory that *isn't* a .dll file, delete it.

    The worm itself is in \WINNT\system32\, and is called 'msconfig[nn].exe', where [nn] is interchangeable with two numbers. Mine was 'msconfig35.exe', I've read reports on various forums of others w/ '32' and '33' after the 'msconfig'.

    Be careful here, as this app will spawn identical, hidden copies of itself with random names (like 'dwigjenjig.exe' or 'zajdfanltef.exe'). The easiest way I found to discern between real MS files and the worm was by looking at the last modified date displayed by Explorer, vs the last modified date that pops up when you mouse over the file name. All of the worm files had discrepancies between the two.

    Hope that helps someone out there!

  14. Stanford and Cal hit hard by RPC exploit! by Anonymous Coward · · Score: 4, Informative
    Stanford has been hit pretty hard by this. 2,400 of their 20,000 machines compromised!

    And Cal(Berkeley) is blocking their network from outside access starting today for four days. Makes me wonder how many other large networks have been compromised, but don't know it.

    I'm glad I don't work at Stanford.....don't envy them having to wipe 2,400 machines and sort through files that need to be replaced.....trying to avoid trojans, etc

  15. Quick-Fix by Chaymus · · Score: 4, Informative

    So I load up my /. as my homepage, take a look at the first headline, RP-What? Read up a bit, go: "Huh, that's interesting" and head off to my email site. Bam! I get pegged with this worm and my computer shuts down. For anyone else in the same boat as me, you can still download the patch using the infected computer by typing: services.msc. There will be two services listed that are directly linked to this worm under the Remote Procedure Call heading; just look through the list in the standard tab. You can bypass it by going into the properties and changing the crash executions to "Do nothing" instead of restarting your computer. I was able to download the patch via the website and am now looking for a way to rid myself of this worm. Firewalls eh? I've heard of them, but then what else am I going to do in my spare time?

  16. ISC Advisory by Dynamoo · · Score: 4, Informative

    Internet Storm Center is getting hammered, so I attach their analysis.

    NOTE: the scanning is being done Code Red style, so it is concentrating on the class B pseudo-subnet, e.g. 123.123.x.x. If this gets inside your corporate firewall then you are screwed.

    I count about 1 scan every 10 seconds at present.

    --x8 Cut here ----

    This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

    **********
    NOTE: PRELIMINARY. Do not base your incident response solely on this writeup.
    **********

    Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

    The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.

    The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

    Infection sequence:
    1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
    2. This causes a remote shell on port 4444 at the TARGET
    3. The SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444
    4. The TARGET will now connect to the tftp server at the SOURCE

    The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

    MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

    So far we found the following properties:

    - Scans sequentially for machines with open port 135, starting at a presumably random IP address
    - uses multiple TFTP servers to pull the binary
    - adds a registry key to start itself after reboot

    Name of registry key:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

    Strings of interest:

    msblast.exe
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    windowsupdate.com
    start %s
    tftp -i %s GET %s
    %d.%d.%d.%d
    %i.%i.%i.%i
    BILLY
    windows auto update
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c

    --
    Never email donotemail@WeAreSpammers.com
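
As an added example (not part of the thread or of ISC's writeup), a small Python correlator that flags the three-step infection sequence from the advisory in connection records: SOURCE to TARGET on 135/tcp, SOURCE to TARGET on 4444/tcp, then TARGET back to SOURCE on 69/udp. The log format, addresses and timestamps are constructed for the example; only the ports and step order come from the writeup.

```python
"""Correlate connection records into the RPC DCOM worm's infection sequence
(from the ISC writeup above): SOURCE -> TARGET:135/tcp (exploit),
SOURCE -> TARGET:4444/tcp (shell), TARGET -> SOURCE:69/udp (tftp get).
The log lines below are constructed for this example, not real captures."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "date time proto src:port -> dst:port"
SAMPLE_LOG = """\
2003-08-11 14:02:01 tcp 192.0.2.10:1034 -> 198.51.100.7:135
2003-08-11 14:02:03 tcp 192.0.2.10:1035 -> 198.51.100.7:4444
2003-08-11 14:02:04 udp 198.51.100.7:1040 -> 192.0.2.10:69
2003-08-11 14:02:05 tcp 192.0.2.10:1036 -> 198.51.100.8:135
2003-08-11 14:02:06 tcp 192.0.2.10:1037 -> 198.51.100.9:135
2003-08-11 14:02:09 tcp 203.0.113.5:2001 -> 198.51.100.20:135
2003-08-11 14:02:10 tcp 203.0.113.5:2002 -> 198.51.100.20:4444
"""
STAGE_NAMES = {1: "135/tcp probe", 2: "shell on 4444/tcp", 3: "tftp pull (infected)"}

def parse(line):
    date, clock, proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(f"{date} {clock}"), proto, src_ip, dst_ip, int(dst_port)

def correlate(log_text, window=timedelta(seconds=60)):
    """Map (source, target) -> highest stage reached, in order, within the window."""
    stage, first_seen = {}, {}
    for line in log_text.splitlines():
        ts, proto, s, d, dport = parse(line)
        if proto == "tcp" and dport == 135:          # stage 1: exploit delivery
            stage.setdefault((s, d), 1)
            first_seen.setdefault((s, d), ts)
        elif proto == "tcp" and dport == 4444:       # stage 2: shell must follow a probe
            if stage.get((s, d)) == 1 and ts - first_seen[(s, d)] <= window:
                stage[(s, d)] = 2
        elif proto == "udp" and dport == 69:         # stage 3: victim fetches from attacker
            key = (d, s)                             # reversed: the target connects back
            if stage.get(key) == 2 and ts - first_seen[key] <= window:
                stage[key] = 3
    return stage

def report(log_text, scan_threshold=3):
    """Findings per pair, plus a note for sources probing many hosts on 135/tcp."""
    stage = correlate(log_text)
    probed = defaultdict(set)
    for s, d in stage:
        probed[s].add(d)
    findings = [f"{s} -> {d}: {STAGE_NAMES[st]}" for (s, d), st in sorted(stage.items())]
    findings += [f"{s}: probed {len(t)} hosts on 135/tcp (sequential scanner)"
                 for s, t in sorted(probed.items()) if len(t) >= scan_threshold]
    return findings
```

A 4444/tcp connection that is not preceded by a 135/tcp probe from the same source is deliberately ignored, so ordinary traffic to that port does not fire the rule.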
  17. Re:This is just sick. by red+floyd · · Score: 3, Informative

    They *DID* put it on Windows Update. On 16 July.

    --
    The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
  18. Re:On the way? by jafiwam · · Score: 4, Informative

    While it is true that people should be patched; this worm can still damage stuff on patched servers.

    If the server is not firewalled, but it is patched, the msblast.exe worm probing can crash the RPC service, which then crashes Exchange, some AD stuff, some Windows Explorer stuff, and other things (including Windows Update). It can still bring the DMZ servers to their knees EVEN IF THEY ARE PATCHED.

    You are only fully protected if you are both patched AND the 135/445 ports are shut off from the internet. (No naked DMZ stuff.)

    I personally patched all the DMZ servers with the hotfix the day it came out, then some other servers with SP4 that included the exploit fix. Only the SP4 ones are unaffected.

    Note, I am talking about services available, none of the boxes in question actually got infected. The infection attempt caused the problem.

    Naked un-firewalled computers are going to get this thing, and get it bad.

    It will be interesting to see if that August 16th date pans out to be a DDoS or what...

    [Note, auto update is fine for PCs, but is fucking dangerous for production servers. Sometimes the updates do not play nice with whatever is there, if it happens when so-and-so is on vacation there could be real trouble. Do what you gotta do, but I am never going to let MS put anything on my stuff. You'll probably see when someone figures out how to spoof that and gets all 375 of your boxes rooted due to Windows Update.]

  19. Re: To Delete msblast: 1st End Process "msblast" by CFrankBernard · · Score: 3, Informative

    To delete the msblast file, you may have to first open Task Manager, click the Processes tab, highlight the "msblast" process and hit the "End Process" button...then try to delete the file.