Slashdot Mirror


MS05-039 Worm in the Wild

An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.


  1. ClamAV by slavemowgli · · Score: 5, Informative

    And it's detected by ClamAV already, too.

    --
    quidquid latine dictum sit altum videtur.
    1. Re:ClamAV by nametaken · · Score: 2, Informative

      And it was already mentioned in a /. article today.

  2. Vulnerability by Tiberius_Fel · · Score: 4, Informative

    From TFA:

    "Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon."

    I think a lot of people were relieved to read this. :)

    --
    Join the Empire! http://www.empirereborn.net/
    1. Re:Vulnerability by louarnkoz · · Score: 5, Informative

      The "valid logon" comment is misleading. On XP/SP2 and Windows 2003, the remote function can only be exploited by a logon with administrative privilege, the equivalent of root access. SP2 does not correct all bugs in Windows XP, but it includes a lot a system hardening. The guiding idea was "defense in depth", i.e. don't assume that the software is perfect, add multiple layers of protection. One of these defenses was requiring authentication for all RPC access. This "defense in depth" seems to be working, at least in this case.

    2. Re:Vulnerability by grennis · · Score: 1, Informative

      Blank passwords are not allowed for remote logins. But I'm sure you knew that, right? Because you know SO much about Windows, huh... just don't let the facts get in the way of a "me too" rant.

  3. crappy summary by smoondog · · Score: 5, Informative

    What a crappy summary, it doesn't even mention what operating system this affects (or how to patch for that matter). "Important facts" from the article:

    - Patch MS05-039 will protect you
    - Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
    - Blocking port 445 will protect you (but watch for internal infected systems)
    - The FTP server does not run on port 21. It appears to pick a random high port.

    1. Re:crappy summary by sucker_muts · · Score: 4, Informative

      Another useful article from eweek with even more info:

      http://www.eweek.com/article2/0,1759,1847756,00.asp?kc=EWRSS03119TX1K0000594

      --
      Dependency hell? => /bin/there/done/that
    2. Re:crappy summary by StarHeart · · Score: 2, Informative

      The patch fixes the vulnerability that XP SP2/2003 still has. This worm depends on more than just the vulnerability. It also needs a valid login, which it won't have in the case of XP SP2/2003.

      It wouldn't surprise me to see a second revision of this worm that fixes this limitation in some way.

      --
      Havoc Penington, the bane of my Linux desktop.
    3. Re:crappy summary by numbski · · Score: 4, Informative
      Blocking port 445 will protect you (but watch for internal infected systems)

      Yeah, and for grins, why is it you can't use a software firewall within Windows to block 445?

      Hmmm...lessee here...
      [erwin:~] numbski% cat /etc/services | grep 445
      microsoft-ds 445/udp # Microsoft-DS
      microsoft-ds 445/tcp # Microsoft-DS
      Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up. w00t! :\
      --
      Karma: Chameleon (mostly due to the fact that you come and go).

    4. Re:crappy summary by totallygeek · · Score: 3, Informative
      Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up.


      Just so you know, Windows domain and directory authentication is over tcp 389. As for 445, that is for file sharing via CIFS. CIFS is the next gen past SMB (which used 137, 138 and 139).

  4. More Detail by Tiberius_Fel · · Score: 4, Informative

    Even though it's linked to in the article, the bit by F-Secure is a bit better written (and more informative):
    http://www.f-secure.com/weblog/

    --
    Join the Empire! http://www.empirereborn.net/
  5. Better analysis by Barny · · Score: 4, Informative
    --
    ...
    /me sighs
  6. You've already patched this, right? by Anonymous Coward · · Score: 2, Informative

    If you haven't patched yet, the update for this vuln is at http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx.

  7. Snort by cyberkahn · · Score: 2, Informative
    All note the free IDS snort detects this worm.

    alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)

    alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)

    alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132; rev:1;)

    What about all the other mega bucks IDS systems?
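To show how the content/offset/depth/nocase modifiers in the first rule above (sid 1000130) are evaluated, here is an added example that re-implements just that subset of Snort's matching in Python and runs it over a constructed payload. It is illustrative code written for this page, not Snort's engine and not from the original thread; the test payloads are constructed, not captured traffic.

```python
# Minimal re-implementation of Snort content/offset/depth/nocase semantics,
# applied to the content checks of sid 1000130 (illustration only).

def parse_content(text: str) -> bytes:
    """Decode Snort content syntax: literal text with |hex bytes| sections."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 1:                       # odd parts sit between pipes: hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                # even parts are literal text
            out += part.encode("latin-1")
    return bytes(out)

def content_matches(payload: bytes, pattern: bytes, offset=0, depth=None, nocase=False) -> bool:
    """Snort semantics: the search starts at payload[offset] and covers `depth`
    bytes from there (the whole remainder when depth is None)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return window.find(pattern) != -1

# The three content checks of sid 1000130, in rule order. With a 4-byte NetBIOS
# session header in front, the SMB header starts at payload offset 4, so
# "offset:4; depth:5" pins |FF|SMB% to bytes 4..8 exactly.
SID_1000130 = [
    ("|FF|SMB%",   dict(offset=4, depth=5, nocase=True)),  # SMB magic + command 0x25 (SMB_COM_TRANSACTION)
    ("|2600|",     dict(offset=65, depth=2)),               # two bytes pinned at offset 65
    ("|67157a76|", {}),                                     # no modifiers: anywhere in the payload
]

def rule_matches(payload: bytes, contents=SID_1000130) -> bool:
    """All content checks must succeed, as in a Snort rule."""
    return all(content_matches(payload, parse_content(c), **mods) for c, mods in contents)

# Constructed payloads (not real traffic): one that satisfies every check,
# one with a different SMB command byte (0x72, Negotiate) that must not fire.
_hit = bytearray(120)
_hit[4:9] = b"\xffSMB%"
_hit[65:67] = b"\x26\x00"
_hit[100:104] = b"\x67\x15\x7a\x76"
HIT = bytes(_hit)
_miss = bytearray(HIT)
_miss[4:9] = b"\xffSMB\x72"
MISS = bytes(_miss)

if __name__ == "__main__":
    print("HIT matches:", rule_matches(HIT), "| MISS matches:", rule_matches(MISS))
```

Truncating HIT before byte 100 also stops it matching, which shows the unanchored third content check scanning the full remainder of the payload.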

  8. Re:I don't have $100 for an XP upgrade by dhasenan · · Score: 2, Informative

    Stiffu.

    Windows 98 still works. You can use it for Internet browsing, email, and word processing. You can run older games on it, too--there are even a fair number of recent games that will run on it--but if you have the money for the appropriate hardware, you'll upgrade Windows.

    The point is, not everyone can afford $100 for a software upgrade that's not really necessary, especially if it will probably significantly decrease the speed of their computer.

    The grandparent's argument was more like "My 1989 Buick gets me around, but doesn't have side airbags. I can't afford a new car, so I won't." If you had two neurons to rub together, you'd realize that.

  9. Re:What drives people to do this... by Metasquares · · Score: 2, Informative

    Nachia did this during the peak of the LovSan virus. I remember hearing that it DDoSed Windows update or something of that nature because it was trying to download patches on all machines that it infected.

    Come to think of it, what it should have done was set up a BitTorrent-like environment and downloaded the patches via that :)

    But as the poster who was (wrongly, IMO) modded down to -1 said, it's still illegal.

  10. Re:Any logic in the nomenclature? by jayloden · · Score: 2, Informative

    The naming scheme was designed by CARO (Computer Antivirus Researchers Organization). The naming convention is documented on the caro website:
    http://www.caro.org/tiki-index.php?page=CaroNamingScheme/

    and the original conference paper for the naming scheme:
    http://www.caro.org/tiki-read_article.php?articleId=1/

    and there is a new naming convention being proposed as well, see:
    http://www.caro.org/tiki-read_article.php?articleId=2/

    It's actually really complicated, and pretty much none of the antivirus companies use more than one or two parts of it, but if you're really interested in digging up more info, those links should be more than adequate :)