MS05-039 Worm in the Wild

An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.

ClamAV

[slavemowgli]

And it's detected by ClamAV already, too.

Vulnerability

[Tiberius_Fel]

From TFA:

"Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon."

I think a lot of people were relieved to read this. :)

Re:Vulnerability

[louarnkoz]

The "valid logon" comment is misleading. On XP/SP2 and Windows 2003, the remote function can only be exploited by a logon with administrative privilege, the equivalent of root access. SP2 does not correct all bugs in Windows XP, but it includes a lot a system hardening. The guiding idea was "defense in depth", i.e. don't assume that the software is perfect, add multiple layers of protection. One of these defenses was requiring authentication for all RPC access. This "defense in depth" seems to be working, at least in this case.

crappy summary

[smoondog]

What a crappy summary, it doesn't even mention what operating system this effects (or how to patch for that matter). "Important facts" from the article:

- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.

Re:crappy summary

[sucker_muts]

Another usefull article from eweek with even more info:

http://www.eweek.com/article2/0,1759,1847756,00.as p?kc=EWRSS03119TX1K0000594

Re:crappy summary

[numbski]

Blocking port 445 will protect you (but watch for internal infected systems)

Yeah, and for grins, why is it you can't use a software firewall within Windows to block 445?

Hmmm...lessee here...

[erwin:~] numbski% cat /etc/services | grep 445
microsoft-ds 445/udp # Microsoft-DS
microsoft-ds 445/tcp # Microsoft-DS

Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up. w00t! :\

Re:crappy summary

[totallygeek]

Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up.

Just so you know, Windows domain and directory authentication is over tcp 389. As for 445, that is for file sharing via CIFS. CIFS is the next gen past SMB (which used 137, 138 and 139).

More Detail

[Tiberius_Fel]

Even though it's linked to in the article, the bit by F-Secure is a bit better written (and more informative):
http://www.f-secure.com/weblog/

Better analasys

[Barny]

As usual, trend have thier info strait about this exploit, and good ways to prevent it...
http://www.trendmicro.com/vinfo/secadvisories/defa ult6.asp?VNAME=(MS05-039)+Vulnerability+in+Plug+an d+Play+Could+Allow+Remote+Code+Execution+and+Eleva tion+of+Privilege+(899588)&Page=