Slashdot Mirror


Lessons Learned From Blaster

CowboyRobot writes "It's been nearly a year since Blaster struck, causing hundreds of millions of dollars in fixes and lost revenue. Jim Morrison of Symantec goes step-by-step in looking at how the Blaster worm got out of control so quickly, and what lessons can be learned from that event, by studying how one utility company dealt with it." The story is written as a fun, technothriller narrative; here's a snippet: "The laptops, usually out in the field, were always a hit-and-miss proposition to find on the network and deliver a patch or to have the user take the machine to a field office. That meant that on the 16th they could see a flood of traffic launched against Microsoft. The second phase of Blaster, launching a DoS (denial of service) attack against windowsupdate.com, was imminent."

17 of 312 comments

  1. Re:How many times do people have to be told by benna · · Score: 4, Informative

    Blaster didn't spread through email. It used a DCOM exploit if I remember correctly.

    --
    "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
  2. Re:Sadly OSX is Next by MBCook · · Score: 4, Informative
    Well, I think that OS X is inherently safer than Windows for various reasons including the Unix core and not being made by Microsoft. That said, if you take the standard precautions, you'll be fine.

    Don't open attachments that you weren't expecting. Get a firewall. A REAL firewall, a HARDWARE firewall. It doesn't have to be expensive, just a little Linksys box or something else designed to act as a router between your PCs and your cable/xDSL modem. Keep your systems patched. Do these things and you'll be just fine.

    But, it's the lowest hanging fruit that gets eaten first. As long as Windows is popular and there are people running the systems unpatched and doing stupid stuff like executing the newest screensaver they got in an e-mail, Windows will be THE target for viruses. OS X and Linux won't become popular targets for viruses until they are more common, Microsoft does a better job, and the people who use them are less technical (this applies to Linux more than OS X). This paragraph is my speculation, of course.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  3. Re:Transactions? by EdMcMan · · Score: 5, Informative

    There are even ATMs that run on Windows.

  4. DCOMbobulator by Kris_J · · Score: 3, Informative

    The first thing I did when Blaster started doing the rounds was put DCOMbobulator in the login script -- bought me more than enough time to get patches in place.

  5. 2nd article today, and is just M$ bashing by warren69 · · Score: 3, Informative

    OK, so M$ has designed a bad OS. But nobody that I know who has Windows XP and knows how to use it ever got infected with a virus.
    Simple rules:

    1. firewall software (e.g. Norton) before connecting
    2. You don't use Outlook/Outlook Express and preferably not MSN
    3. Preferably don't use IE
    4. Windows Updates
    5. update your Norton firewall/antivirus

    Don't get me wrong, I'm an OS X and Debian user, but come on, all I can say is if it wasn't for all the dumb people out there who don't get what I call the essentials I would be unemployed.

    Oh crap, I just spilled the beans.

    Warren Peace

    --
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    Daniel
    http://people.cinn.ca/daniel/
  6. Blaster's effect on Cisco by JRHelgeson · · Score: 5, Informative

    Blaster was a worm, and of worms in general I would say that there is little new to be learned from them. I did learn something new with blaster though.

    I was doing some security work for an ISP at the time of Blaster. They have a number of Cisco 12000 series GSR routers as well as Foundry BigIron switches. For those who are not familiar with the Cisco 12000 series routers, suffice it to say that it is Cisco's biggest, baddest router that stands up to 6 feet tall and comes from the factory with a 4 barrel carburetor, dual testosterone modules and a custom paint job with flames painted on the side (pin stripes are optional). These switches are designed to handle hundreds of gigs of traffic across their backplane and through their interfaces. If the ISP were forewarned that they would be seeing 300 Mbps of traffic coming from the MS Blaster worm, they would have said "Bring it on!"

    For those of us that aren't CCIEs, Cisco routers and Layer 3 switches have a function called CEF, or Cisco Express Forwarding. CEF is a technology that by its simplest definition caches routes.

    If a packet from my computer is destined for yahoo.com, it will first hit the DNS server to resolve the host name to its IP address. My computer will then send packets to my ISP with the destination IP of yahoo.com (66.218.71.198). My ISP's router, presuming it's a Cisco router with CEF enabled, will look at its internet BGP tables and determine the optimal route my packet should take on the internet to arrive at that destination. Once the router has processed the route, it caches it so that all future packets coming from my home IP address, destined for yahoo.com will automatically be routed using the cached route. This takes a tremendous load off the router CPU as each packet no longer needs to be processed by the CPU, hence the term "Express Forwarding".

    What the Blaster worm did was send out hundreds of thousands of ICMP pings per second. This usually wouldn't be a problem for the router, except that each packet was destined for a unique IP address. What started happening is that each route was looked up, routed, and stored in its cache for future packets - only there weren't any future packets. What happened next was the memory space allocated for caching CEF routes filled up, and once full, the router simply purged its cache so that every packet had to then go to the CPU to be routed. Once this happened, all hell broke loose.

    CPU utilization on the routers jumped to 100%, which should never happen under normal conditions, but this was clearly not a normal condition, and the internet came to a crawl.

    There we were, with a router that should handle hundreds of gigs across the backplane without breaking a sweat being brought to its knees by 100 Mb of traffic... it was incredible.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
    1. Re:Blaster's effect on Cisco by Anonymous Coward · · Score: 1, Informative

      Yea, since many Cisco products handle ICMP in software (instead of the hardware they save for flow-based routing), I've seen even a few Nachi machines bring down an entire 100MB/s link. Just 2-3 machines, and the Cisco drops layer 2. That's what you get for building a DDoS-able component into a high end switch.

    2. Re:Blaster's effect on Cisco by eazy · · Score: 3, Informative

      I work on a network where we deployed Cisco 3550 layer 3 switches as routers to all our 2000+ sites. Each site only had a 2 Mb link, and they were all rate limited to ensure the router didn't try to go over that speed.

      Part of the process for implementing each router was to configure and test each unit before we shipped them to site. The bad thing about this was that the way we did it left the default route out the WAN interface, and not to the next-hop IP.

      Once Blaster hit it took down more routers than I want to think about. We had CEF do the same thing as the parent's GSRs. Also any new routers put on the network would die within 2 minutes of being connected to the network.

      The only way to fix the problem was to go through all the sites, have the LAN disconnected from the router and then fix the default route to the next-hop IP and add ACLs to block all blaster related traffic.

      We love CEF here, it introduces the MS fix to Cisco gear - a reboot will fix it!
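
The cache behaviour described in comment 6 and in the reply above (a forwarding table keyed on destination address that fills up under a sweep of never-repeated destinations, with every miss punted to the CPU) can be reproduced in a few lines. The simulation below is an added example and is not code from the original page or from Cisco; it assumes a deliberately simplified model in which each destination costs one table entry and a miss costs a full CPU lookup, and it models two eviction policies: ordinary LRU and the wholesale purge the comment attributes to the routers it saw. The traffic streams are constructed here, not captured.

```python
"""Simulate a destination-keyed forwarding cache under a scanning worm.

Added example, not from the original page or from any vendor. Model assumptions:
one cache entry per destination address, a fixed number of entries, and a miss
costs a full ("process switched") lookup on the CPU.
"""
import random
from collections import OrderedDict


class RouteCache:
    """Bounded destination cache with two eviction policies.

    'lru'   : evict the least recently used entry when the table is full.
    'purge' : throw the whole table away when it fills (the behaviour the
              comment above attributes to the routers it saw).
    """

    def __init__(self, capacity, policy="lru"):
        if policy not in ("lru", "purge"):
            raise ValueError("policy must be 'lru' or 'purge'")
        self.capacity = capacity
        self.policy = policy
        self.table = OrderedDict()

    def forward(self, dst):
        """Forward one packet; return 'fast' (cache hit) or 'slow' (CPU lookup)."""
        if dst in self.table:
            self.table.move_to_end(dst)
            return "fast"
        if len(self.table) >= self.capacity:
            if self.policy == "purge":
                self.table.clear()
            else:
                self.table.popitem(last=False)
        self.table[dst] = True
        return "slow"


def normal_stream(n, hosts=200, seed=1):
    """Constructed 'legitimate' traffic: n packets to a small set of repeat destinations."""
    rng = random.Random(seed)
    return [("normal", rng.randrange(hosts)) for _ in range(n)]


def scan_stream(n, start=1_000_000):
    """Constructed worm sweep: n packets, each to a destination never seen again."""
    return [("scan", start + i) for i in range(n)]


def interleave(normal, scan, ratio):
    """Mix `ratio` scan packets after every normal packet."""
    if len(scan) < ratio * len(normal):
        raise ValueError("scan stream too short for requested ratio")
    mixed = []
    for i, pkt in enumerate(normal):
        mixed.append(pkt)
        mixed.extend(scan[i * ratio:(i + 1) * ratio])
    return mixed


def run(stream, capacity, policy):
    """Return, per traffic class, the fraction of packets that missed the cache."""
    cache = RouteCache(capacity, policy)
    seen = {}
    slow = {}
    for kind, dst in stream:
        seen[kind] = seen.get(kind, 0) + 1
        if cache.forward(dst) == "slow":
            slow[kind] = slow.get(kind, 0) + 1
    return {k: slow.get(k, 0) / seen[k] for k in seen}


if __name__ == "__main__":
    CAP = 1000
    print("normal only :", run(normal_stream(10_000), CAP, "lru"))
    print("scan only   :", run(scan_stream(10_000), CAP, "lru"))
    mixed = interleave(normal_stream(2_000), scan_stream(20_000), ratio=10)
    for policy in ("lru", "purge"):
        print(f"10:1 mix, {policy:5}:", run(mixed, CAP, policy))
```

Run on its own, the normal stream misses only on first contact with each of its 200 destinations (a miss ratio of about 2%), while the sweep misses on every single packet because no destination ever repeats. Once the sweep is mixed in at ten packets to one, the legitimate flows also miss most of the time under either policy, because their entries are pushed out (or purged) before they are reused. The damage is a function of destination cardinality, not bit rate, which is the point both comments make: a box rated for far more bandwidth was floored by a modest stream of packets that each demanded a fresh lookup.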

  7. Re:Auto Patching Worms by keefey · · Score: 2, Informative

    There was one, and it caused a mass of problems itself. It was called Welchia, and you can read The Register article here.

  8. Why were they running kiosk systems on XP? by Animats · · Score: 2, Informative
    Kiosk systems should be running on something like QNX, not a desktop OS. People who insist on running kiosk systems on Microsoft software should use the Windows XP Embedded toolkit to build a minimal system.

    They're lucky that Blaster was removable by remote control. A more effective virus would lock out any attempt to change system files.

  9. Re:Contractor Laptop by Endareth · · Score: 3, Informative

    The point is to allow specific MAC addresses rather than deny them. So if someone who should be in the network changes his MAC, he deserves what he gets and has to go petition the sysadmin to be re-added to the network. And someone trying to get onto the network by guessing a valid MAC address is going to be at it quite some time...

    --
    Disclaimer: The above comment was made while under the influence of too much coding and not enough sleep.
  10. Re:Sadly OSX is Next by RollingThunder · · Score: 1, Informative

    When people say "hardware firewall" they don't mean that the entire thing runs on custom-burned chips.

    They mean a device intended to be a firewall first and foremost, where some other bit of software, like the operating system, can't end up with its ass hanging out because it runs before/beside/around the firewall. That's all.

  11. Suggestions for Microsoft and other OS vendors by dinodrac · · Score: 3, Informative

    1) On home machines, *all* network accessible services should default off. In most cases, this will mean that remote exploits aren't going to happen - kernel level remote exploits are fairly rare. This means that if I port scan a machine out of the box, I should find 65535 closed TCP ports, and 65535 closed UDP ports.
    2) On business workstations, all network accessible services should also default off, but the administrator should be able to provide a configuration to enable services needed for remote management.
    3) Unneeded use of privileged accounts should be actively discouraged. M$ - consider defaulting to popping up "don't do anything stupid" reminders to users running with administrator rights under "end-user" versions of Windows. Make it easier to obtain administrator rights when needed without having to log off and log back on. Educate users about the "Run As User" facility.
    4) Operating systems designed for end users should have a facility to lock down the system temporarily while doing emergency maintenance, a "No services" mode if you will, which allows the user to obtain updates without being exposed while doing so.
    5) While it can be argued that automatic updates are themselves a security risk, in practice, lack of updates is a far bigger risk. Anything that's remotely exploitable should be updated frequently and automatically by default.
    6) Reboots are absolutely unacceptable to many users. Microsoft needs to work harder to eliminate unneeded reboots, *including* making changes to the way file locking works so that a reboot isn't needed to replace a file that's in use, or so that the affected subsystems can be stopped and restarted without restarting the entire system.
    7) While Blaster didn't use ActiveX, quite a bit of spyware and other ratware does. Fully executable web pages without any kind of sandboxing is a bad idea. Please, Microsoft, *disable* ActiveX out of the box, or require controls to be manually authorized by the administrator by adding them to an "Allowed controls" list in the Tools -> Internet Options dialog - NOT as a pop up "Do you want to install and run" box.
    8) Expand user education campaigns. Encourage users to obtain basic computer training, and a basic understanding of computer security.
    9) Provide readily accessible documentation that addresses security concerns. Warning labels get old, but perhaps a big red "STOP: Please review this security information" is appropriate.
    10) Discourage software developers from enabling network-accessible services automatically. (Hopefully the "new" Windows Firewall in SP2 will go a long way towards making users aware of what they are running, but time will tell.)
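
The out-of-the-box check in point 1 above (port scan a fresh machine and expect nothing to answer) is easy to automate. What follows is an added example, not code from the original page or from Microsoft: a plain TCP connect() scan in Python that lists what actually accepts a connection, plus a `demo_local()` helper that opens one throwaway listener on the loopback interface so the scanner can be exercised offline. It covers TCP only; a closed UDP port normally answers with an ICMP port-unreachable rather than a reset, so a UDP sweep needs a different approach.

```python
"""Enumerate reachable TCP listeners on a host with a connect() scan.

Added example, not from the original page. A completed TCP handshake means a
service is listening; a refusal or timeout is reported as closed/filtered.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_port_open(host, port, timeout=0.5):
    """Return True if a full TCP handshake completes on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, unreachable, or timed out
            return False
        return True


def scan_tcp(host, ports, timeout=0.5, workers=64):
    """Connect-scan every port in `ports`; return the sorted list that accepted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: tcp_port_open(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)


def demo_local(span=20):
    """Open one listener on 127.0.0.1 (ephemeral port) and scan the ports around it.

    Returns (listener_port, open_ports). On a machine with nothing else
    listening in that range, open_ports == [listener_port].
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    srv.listen(16)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def drain():
        # accept and drop connections so the scanner's handshakes complete cleanly
        srv.settimeout(0.1)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                pass

    worker = threading.Thread(target=drain, daemon=True)
    worker.start()
    try:
        low = max(1, port - span)
        found = scan_tcp("127.0.0.1", range(low, port + span + 1))
    finally:
        stop.set()
        worker.join()
        srv.close()
    return port, found


if __name__ == "__main__":
    listener, open_ports = demo_local()
    print(f"listener on {listener}, scan found: {open_ports}")
    # Against a real host the full range is: scan_tcp(host, range(1, 65536), timeout=0.3)
```

Against a freshly installed machine, `scan_tcp(host, range(1, 65536))` returning an empty list is what the commenter is asking for; anything it returns is a service that was enabled for you, and on a Windows box of the Blaster era the answer included 135/tcp, which is exactly the exposure the worm used.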

  12. Re:Strange... [slightly OT] by toddestan · · Score: 2, Informative

    The power meter at my house recently got replaced with a digital one not too long ago. Instead of analog gauges, it has LCD readouts - stuff like that. While I don't know its capabilities, it wouldn't surprise me at all if the power company is now able to kill my power remotely with a few keystrokes. So I find the story believable.

  13. What we do by Oriumpor · · Score: 2, Informative

    Well, let's see. Basic measures are necessary for us, since people tend to not follow security policies, and our Tech:PC ratio is so damn high we have had to be pretty ... well, creative I guess is the word. Since we haven't the funding, manpower, or infrastructure to deploy anything that would require client reconfiguration 100% we have resorted to the following:
    1. DHCP access listing. (Indexed systems get ips, others don't)
    2. Router Access lists (in non-cisco language port filtering)
    3. Heavily restricted nat firewalls (ipcop+snort)
    4. NAV/Deep Freeze (www.faronics.com... if you can use it, do... no spyware, no viruses, no deliberate destruction of the local system, reboot and it's all fixed.)
    5. Software Update Services (Deepfreeze plays nice if you schedule it right)

    So obviously we use Windows... and obviously we have a relatively secure setup (at least from the current and past virus/worm attacks).

    About 95-99% of the systems on a campus are frozen. In the case of an outbreak we can shutdown all systems (removing the obviously infected systems from the DHCP access list) and booting the frozen systems back up. This is assuming the virus is 0 day, and it hits us before the SUS updates...

    Still, there are horrible gaping holes... for instance, a virus that spreads quickly, before a patch is released, and happens to still be spreading during the SUS thaw could result in a complete infection... but the odds there are pretty slim. And really, it puts us in a better position for 23 hours a day... and on par with most companies for 1 hour a day.

  14. Re:Sadly OSX is Next by noewun · · Score: 2, Informative
    ipfw.

    Type "man ipfw" in the Terminal, or get Brickhouse and use its wizard.

    --
    I am a believer of momentum and curves.
  15. Re:Sadly OSX is Next by timbos · · Score: 2, Informative

    I don't know if Apple has a GUI config tool for any of them, but they are all very good, once you have them configured.
    There is some control over ipfw in the Sharing preferences pane, but it doesn't allow much more than opening ports for specific services.
    You can however download an application called Brickhouse that allows a much greater range of control, and will even show you the firewall rules that ticking a load of checkboxes generates.