Slashdot Mirror


MS05-039 Worm in the Wild

An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.

47 of 252 comments

  1. ClamAV by slavemowgli · · Score: 5, Informative

    And it's detected by ClamAV already, too.

    --
    quidquid latine dictum sit altum videtur.
    1. Re:ClamAV by nametaken · · Score: 2, Informative

      And it was already mentioned in a /. article today.

  2. Vulnerability by Tiberius_Fel · · Score: 4, Informative

    From TFA:

    "Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon."

    I think a lot of people were relieved to read this. :)

    --
    Join the Empire! http://www.empirereborn.net/
    1. Re:Vulnerability by louarnkoz · · Score: 5, Informative

      The "valid logon" comment is misleading. On XP/SP2 and Windows 2003, the remote function can only be exploited by a logon with administrative privilege, the equivalent of root access. SP2 does not correct all bugs in Windows XP, but it includes a lot a system hardening. The guiding idea was "defense in depth", i.e. don't assume that the software is perfect, add multiple layers of protection. One of these defenses was requiring authentication for all RPC access. This "defense in depth" seems to be working, at least in this case.

    2. Re:Vulnerability by Anonymous Coward · · Score: 2, Insightful

      One of these defenses was requiring authentication for all RPC access

      That's... not really "defense in depth". That's the kind of basic, rudimentary security that no sane company would have ever released a product without in the first place.

  3. crappy summary by smoondog · · Score: 5, Informative

    What a crappy summary, it doesn't even mention what operating system this effects (or how to patch for that matter). "Important facts" from the article:

    - Patch MS05-039 will protect you
    - Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
    - Blocking port 445 will protect you (but watch for internal infected systems)
    - The FTP server does not run on port 21. It appears to pick a random high port.

    1. Re:crappy summary by sucker_muts · · Score: 4, Informative

      Another useful article from eweek with even more info:

      http://www.eweek.com/article2/0,1759,1847756,00.asp?kc=EWRSS03119TX1K0000594

      --
      Dependency hell? => /bin/there/done/that
    2. Re:crappy summary by caluml · · Score: 2, Funny
      what operating system this effects

      Affects. What operating system this affects.

    3. Re:crappy summary by StarHeart · · Score: 2, Informative

      The patch fixes the vulnerability that XP SP2/2003 still has. This worm depends on more than just the vulnerability. It also needs a valid login, which it won't have in the case of XP SP2/2003.

      It wouldn't surprise me to see a second revision of this worm that fixes this limitation in some way.

      --
      Havoc Penington, the bane of my Linux desktop.
    4. Re:crappy summary by numbski · · Score: 4, Informative
      Blocking port 445 will protect you (but watch for internal infected systems)

      Yeah, and for grins, why is it you can't use a software firewall within Windows to block 445?

      Hmmm...lessee here...
      [erwin:~] numbski% cat /etc/services | grep 445
      microsoft-ds 445/udp # Microsoft-DS
      microsoft-ds 445/tcp # Microsoft-DS
      Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up. w00t! :\
      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    5. Re:crappy summary by totallygeek · · Score: 3, Informative
      Microsoft-ds? No kids, that's not the Double Screen version, that's probably "Directory Services". LDAP. Your authentication. Block that internally and you're SOL. So if it gets into your internal LAN, you're powerless to block it off, other than to shut down the entire LAN, clean all of the systems without plugging back into the LAN, and bring the whole thing back up.

      Just so you know, Windows domain and directory authentication is over tcp 389. As for 445, that is for file sharing via CIFS. CIFS is the next gen past SMB (which used 137, 138 and 139).

  4. What drives people to do this... by cameronk · · Score: 3, Insightful

    Every time some new worm is released onto the Internet, I ask myself what drives the sick people who create such things. What can we do to provide more disincentives to keep them from being jerks?

    --
    "...What is good for General Motors is good for America." -Charles Wilson, Secretary of Defense and fmr President of GM
    1. Re:What drives people to do this... by RAMMS+EIN · · Score: 5, Interesting

      What drives them is probably a sense of achievement. By creating a working worm they can prove something to themselves, their friends, and/or the world. And it seems to work, some people got security jobs because of the exploits they made.

      As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here. Things that probably help:

        - give more publicity to when these guys are caught and what they are sentenced to, rather than to how much damage they did
        - make it harder to write worms in the first place. Many worm writers aren't extremely brilliant programmers, so chances are this would cause more worms to fail
        - don't give them jobs after they are caught, unless they really deserve them! Just because they can write and release a worm, doesn't mean nobody else can. Better reward the people who can but don't, right?
        - maybe apply the same punishment to minors that is applied to adults. If you're smart enough to put together a worm, you're smart enough to know you shouldn't release it.

      --
      Please correct me if I got my facts wrong.
    2. Re:What drives people to do this... by a_n_d_e_r_s · · Score: 3, Insightful

      Mostly money.

      Worms are used to get zombies, who are used to send spam, who are used to lure suckers to spend money on junk.

      --
      Just saying it like it are.
    3. Re:What drives people to do this... by Waffle+Iron · · Score: 3, Insightful
      I ask myself what drives the sick people who create such things. What can we do to provide more disincentives to keep them from being jerks?

      There are 6 billion people on this planet, and it only takes one of them to launch a worm. With a sample that large, there's no way that a worm won't get written if a vulnerability exists and is generally known. There's always going to be at least one crazy who'll do it regardless of any disincentives. Peoples' energy is better directed at eliminating the vulnerabilities in the first place.

    4. Re:What drives people to do this... by Gorath99 · · Score: 4, Interesting

      Indeed, money is a motivation, but it's not the only one. It's also an intellectual challenge.

      Back when I had learned to program in my early teens, I myself was quite fascinated by virii/trojans/etc. and wondered if I could create one. I probably could have written a moderately "successful" trojan by the standards of the time. It's not that hard.

      Thankfully, I was responsible enough not to, but not everybody is. All it takes is one bad apple...

    5. Re:What drives people to do this... by fermion · · Score: 2, Insightful

      Another issue is that it is often not that hard. The current situation is that a security risk for a given bug does not exist unless there is working code to exploit the bug. Therefore one has to supply code that exploits the bug if one expects the bug to be fixed. This leads to the zero day exploit in which some kid uses that code, combines it with other code from old exploits, and generates a new problem. It would be better if the powers that be did not require exploit code, but were able to work from the theoretical, but that is not the way it is. This situation leads to the MS nightmare of zero day exploits, which is really the issue that makes MS Windows such a headache, as all systems have security issues, but just not so easy to exploit.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    6. Re:What drives people to do this... by BoomerSooner · · Score: 2, Insightful

      Boredom. Plus sticking it to MS. Just think if someone could easily hack all the bsd/linux servers in the wild, they would cause much more havoc. However it is non-trivial to hack compared to reverse engineering the MS patches and comparing the old and new code.

    7. Re:What drives people to do this... by Metasquares · · Score: 2, Informative

      Nachia did this during the peak of the LovSan virus. I remember hearing that it DDoSed Windows update or something of that nature because it was trying to download patches on all machines that it infected.

      Come to think of it, what it should have done was set up a BitTorrent-like environment and downloaded the patches via that :)

      But as the poster who was (wrongly, IMO) modded down to -1 said, it's still illegal.

    8. Re:What drives people to do this... by ThaFooz · · Score: 2, Interesting
      I ask myself what drives the sick people who create such things

      That can be said of any (non-victimless) crime really, and just about every crime out there is committed for money and/or passion (revenge, political/religious ideals, whatever). For the past couple years in the US, times have not been good for software engineers - the fortunate ones with jobs are often underpaid and overworked and considered dispensable. In Russia, where the mob has a rather large influence, there is money to be made from creating & selling zombie networks. To top it off, the largest software maker on the planet isn't exactly well liked to say the least. Sounds like an awful lot of educated people with awful good motives.

      What can we do to provide more disincentives to keep them from being jerks?

      Well, I would argue that alternate approach of fixing the problems I mentioned would be more productive. But, unless I'm missing something, the only possible disincentives are:
      • Appeal to the ethics of said would-be criminals
      • Tougher laws & punishments
      • Improve computer literacy & demand better security from vendors

      Given that the first is unlikely and the second is moot when the problem frequently originates in places outside of your country's jurisdiction, it seems like there is only one thing you can do. I'd like to avoid the (very) tired Linux/Apple-vs-MS security debate here, because I think that user ignorance is by far the biggest problem (I'm well aware MS's *default* settings are inadequate - but that doesn't mean securing the box is impossible).

      Unfortunately though, despite all of the worms/viruses we've seen and the amount of $ they've cost everybody, and despite how easy it is to properly secure a PC - the end user remains largely apathetic. I wonder, at what point can we hold software makers or even the end users responsible? I would argue that after a point, the ignorance could constitute negligence or even an accessory to the crime. I don't mean to blame the victim or sound like big brother here - but think about your car for a moment - you need inspection, registration, a license, and insurance just to run the damn thing. And if something on the vehicle breaks and causes an accident - a poorly maintained or defective part could hold you or the manufacturer responsible, respectively.
    9. Re:What drives people to do this... by lgw · · Score: 4, Insightful

      What scares me is it's only a matter of time and technology until we have this same situation with biological viruses.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    10. Re:What drives people to do this... by theendlessnow · · Score: 2, Insightful
      Money? Probably not.

      Intellectual challenge? Yes. Somewhat.

      However, most viruses/worms and such are created merely for an emotional high. When you have a company like Microsoft that believes there is no bug or hole until it's made public... there's a natural desire to rip through their "perfect" OS (perfection depending upon whether or not there is a KNOWN exploit out there today).

      It's no different from the high that some get by building explosive devices or setting fire to things. There's a high in taking down that which some feel is indestructible.

      Microsoft is NOT a company that is known for giving out "pats on the back" to people outside of their own private paradise....

      Many times these folks simply want a bit of attention and recognition that they are important.... maybe having a "Don't tell = no bug" and "We know it all" philosophy breeds a spirit of targeted attention getting terrorism..... just a thought.

    11. Re:What drives people to do this... by Eivind+Eklund · · Score: 4, Interesting
      Making it harder could work.

      The rest of these are irrelevant, because they do not expect to get caught. Really. Even if the people around them are going down in flames, they don't expect to get caught.

      About 15 years ago I was in the "hacker" scene (the ones breaking into computers, not the ones creating brilliant software). Getting caught never felt real, and never seemed to feel real for anybody else, either. My friends got busted left and right, yet - they'd always been careless about something, and I felt that *I* wouldn't be careless about that.

      There's one other thing that could work: Break up the scene. The people need to be shown as ridiculous. And it needs to seem ridiculous to the people close to the scene.

      For the tagging (graffiti) scene, it seems to have worked somewhat well here in Norway to use advertising to give them a new, ridiculous name and image.

      I therefore humbly suggest we from now on call those that break into computers "Computer wankers".

      Eivind.

      --
      Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
    12. Re:What drives people to do this... by thrillseeker · · Score: 4, Funny
      Personally my hobbies include martial arts and power lifting. Another good systems guy I know is an expert martial artist. I say we get five minutes locked in a small concrete room with Mr. Worm Creator and see how much fucking fun he has while he's getting an ass beating.

      Having some difficulties understanding the self-control aspects of the martial arts, are you?

    13. Re:What drives people to do this... by ThaFooz · · Score: 2, Insightful

      Honestly, I think they are heroes. Worms can do truly hideous things, the worms going around don't do anything that harmful. They are warnings that our infrastructure is unsafe

      I don't buy that argument simply because the vast majority of these worms hitting MS machines come out after MS identifies or fixes the hole. They're letting MS tell them which piece of code is vulnerable, and they're banking on the fact that so many Windows users don't bother to patch regularly. I fail to see the heroism in that.

      If you think that they "aren't doing anything that harmful", you're mistaken. The reason they don't trash the machine is simple - there is nothing to gain from doing so, and a dead machine can't propagate a worm. The point of infecting a home user's PC isn't to disrupt or steal from that user (it's unlikely that there is anything more valuable on the machine than a low-limit CC#, if that), it's in having said PC's resources at your disposal. With a sufficiently large zombie network you can go after something that actually matters.

    14. Re:What drives people to do this... by Gorath99 · · Score: 2, Interesting

      The spreading was indeed what I found so fascinating. You write a clever bit of software, release it, and if you've been clever enough, your bit of code will take on a life of its own. In time it could be all over the world, perhaps even mutating if you write it that way, all by itself.

      Unsurprisingly, I decided to get a master's degree in AI :-)

  5. miscategorised by hungrygrue · · Score: 3, Insightful

    Why is this under "worms" and "security" but not under "Windows" and "Microsoft".

    1. Re:miscategorised by rel4x · · Score: 3, Funny

      Because it would be horribly redundant?

      --

      Before you mod me funny, think, perhaps I was insightfully funny?
    2. Re:miscategorised by suitepotato · · Score: 4, Insightful

      It is only horribly redundant because the average malware scumbag writer is taking the easy way out and going after Windows machines, taking advantage of end-user naivete and Windows' openness to infection. If they had any guts and were truly 1337, they'd try to get into a source repository on sourceforge and slip their own modded source in to get Linux people to infect their machines or something equally hard and nasty.

      Come to think of it, what do we know of the server security at any of the big name OSS-hosting sites and does anyone really peruse the source anymore? Given the difference between being C++ proficient and merely being able to administer a Linux system is like the difference between the average Windows user and a Windows programmer, I'm guessing not too many.

      --
      If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
    3. Re:miscategorised by discogravy · · Score: 2, Funny

      don't worry, the repost will be.

  6. More Detail by Tiberius_Fel · · Score: 4, Informative

    Even though it's linked to in the article, the bit by F-Secure is a bit better written (and more informative):
    http://www.f-secure.com/weblog/

    --
    Join the Empire! http://www.empirereborn.net/
  7. Re:While drives software companies to do this... by SoloFlyer2 · · Score: 3, Funny

    We could tell them to write it in java instead of C/Assembly, that way it will propagate slower as the files will be larger, the code will use more memory and there will be more processing overhead... :)

    --
    "I reject your reality, and substitute my own" - Adam Savage
  8. Better analysis by Barny · · Score: 4, Informative
    --
    ...
    /me sighs
  9. You've already patched this, right? by Anonymous Coward · · Score: 2, Informative

    If you haven't patched yet, the update for this vuln is at http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx.

  10. Snort by cyberkahn · · Score: 2, Informative

    All note the free IDS snort detects this worm.

    alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)

    alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)

    alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132; rev:1;)

    What about all the other mega bucks IDS systems?
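To show what the three rules in the comment above actually test, here is an added example (not code from the thread, and not Snort's own engine) that re-implements the content/offset/depth/within/nocase options and runs the rules over constructed SMB-shaped payloads. The payloads are made up for the demonstration; `within` without a preceding match is simplified to a window starting at `offset`, and `flow:` is assumed satisfied.

```python
"""Toy Snort content matcher for the three MS05-039 rules quoted above.
Added example, not Snort and not from the thread; payloads are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# The rules from the comment, with extraction line-wrap spaces removed.
RULE_TEXT = [
    'alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play '
    'Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; '
    'content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com'
    '/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)',
    'alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; '
    'flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; '
    'depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:'
    'url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; '
    'sid:1000131; rev:1;)',
    'alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; '
    'flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; '
    'depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:'
    'url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; '
    'sid:1000132; rev:1;)',
]

def parse_content(token: str) -> bytes:
    """Decode a Snort content string: text between | | is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(token.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

@dataclass
class ContentMatch:
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None   # bytes to search from offset; None = to end of payload
    within: Optional[int] = None  # simplification: used like depth when depth is absent
    nocase: bool = False

    def find(self, payload: bytes) -> Optional[int]:
        """Index of the pattern inside its search window, or None if absent."""
        span = self.depth if self.depth is not None else self.within
        end = len(payload) if span is None else self.offset + span
        hay, needle = payload[self.offset:end], self.pattern
        if self.nocase:  # Snort nocase is ASCII-only, as is bytes.lower()
            hay, needle = hay.lower(), needle.lower()
        idx = hay.find(needle)
        return None if idx < 0 else self.offset + idx

@dataclass
class Rule:
    sid: str
    dst_port: int
    contents: List[ContentMatch]

def parse_rule(text: str) -> Rule:
    """Parse the header port and the option subset this matcher understands."""
    header, _, options = text.partition("(")
    dst_port = int(header.split()[6])             # alert tcp any any -> any <port>
    contents: List[ContentMatch] = []
    sid = ""
    for raw in options.rstrip().rstrip(")").split(";"):
        key, _, val = raw.strip().partition(":")
        val = val.strip()
        if key == "content":
            contents.append(ContentMatch(parse_content(val.strip('"'))))
        elif key in ("offset", "depth", "within"):
            setattr(contents[-1], key, int(val))  # modifiers bind to the last content
        elif key == "nocase":
            contents[-1].nocase = True
        elif key == "sid":
            sid = val
    return Rule(sid, dst_port, contents)

RULES = [parse_rule(t) for t in RULE_TEXT]

def alerts_for(dst_port: int, payload: bytes) -> List[str]:
    """SIDs whose port matches and whose content checks all hit (Snort ANDs them)."""
    return [r.sid for r in RULES
            if r.dst_port == dst_port and all(c.find(payload) is not None for c in r.contents)]

def build_payload(command: bytes, marker65: bytes, tail: bytes) -> bytes:
    """Constructed SMB-shaped payload (not a capture): NetBIOS header, then
    \\xffSMB + command byte at offset 4, then bytes placed where the rules look."""
    buf = bytearray(128)
    buf[0:4] = (124).to_bytes(4, "big")   # NetBIOS session message, length 124
    buf[4:9] = b"\xffSMB" + command       # SMB magic followed by the command byte
    buf[65:67] = marker65                 # checked at offset 65 by all three rules
    buf[110:112] = b"\x36\x00"            # checked at offset 110 by sids 1000131/1000132
    buf[116:120] = tail                   # 4-byte marker the rules search for anywhere
    return bytes(buf)

# "%" (0x25, SMB_COM_TRANSACTION) is the command byte the rules anchor on;
# "r" (0x72, SMB_COM_NEGOTIATE) stands in for ordinary SMB traffic.
EXPLOIT_A = build_payload(b"%", b"\x26\x00", bytes.fromhex("67157a76"))
EXPLOIT_B = build_payload(b"%", b"\x26\x00", bytes.fromhex("f6387a76"))
BENIGN = build_payload(b"r", b"\x00\x00", b"\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, port, pkt in [("A->445", 445, EXPLOIT_A), ("B->445", 445, EXPLOIT_B),
                            ("B->139", 139, EXPLOIT_B), ("benign", 445, BENIGN)]:
        print(f"{name}: {alerts_for(port, pkt) or 'no alert'}")
```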

  11. Re:I don't have $100 for an XP upgrade by dhasenan · · Score: 2, Informative

    Stiffu.

    Windows 98 still works. You can use it for Internet browsing, email, and word processing. You can run older games on it, too--there are even a fair number of recent games that will run on it--but if you have the money for the appropriate hardware, you'll upgrade Windows.

    The point is, not everyone can afford $100 for a software upgrade that's not really necessary, especially if it will probably significantly decrease the speed of their computer.

    The grandparent's argument was more like "My 1989 Buick gets me around, but doesn't have side airbags. I can't afford a new car, so I won't." If you had two neurons to rub together, you'd realize that.

  12. Firewalls offer limited protection only by Dynamoo · · Score: 5, Insightful
    Remember folks - if you work for any large organisation, your external firewall will ONLY protect you as long as some freaking idiot doesn't bring an infected laptop in. From my experience a perimeter firewall will maybe buy you 1-2 days MAXIMUM in this situation if you have a large number of mobile users. In our case, we do not allow users to connect laptops to non-company networks at all.. but they still do.

    What's worse is that today is Sunday, so there's a greater chance of those laptops being used on an unprotected internet connection.

    Shucks, the patch for this is only four days old. There goes my Sunday afternoon!

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Firewalls offer limited protection only by Alejo · · Score: 2, Insightful

      And home users getting in through a VPN. Of course they want all Microsoft services working too. And it still is your fault, not theirs.

    2. Re:Firewalls offer limited protection only by johu · · Score: 5, Interesting

      We have all workstations configured with local firewall rules that prohibit most outbound traffic unless the IP address is from our intranet address range. If it's not, only DHCP client, DNS client, AV updates and VPN to the corporate network are allowed. Inbound traffic is completely blocked when plugged into a foreign network. Even within our network there are strict rules blocking everything by default and only allowing a limited set of ports if traffic is coming from the subnet used by helpdesk.

      Visitors used to plug their laptops into our internal net, but we implemented 802.1x and it's no longer a problem. Locations that couldn't be updated to it due to various reasons are routed to a separate firewall interface (VLAN) and can access the corporate net (and internet) only thru VPN.

      Printers and other devices that don't speak 802.1x are on separate VLANs that have no access to corporate net or internet.

      This is all very basic stuff that any decent admin should be able to implement easily. Everything can be done in a typical Active Directory + Win2000/XP/2003 environment without third-party software. Therefore implementing infrastructure like this is even cheap.

      Since someone is going to ask how to limit outbound traffic with Win2k/XP built-in firewall here's answer: Use either RAS filtering (per machine VBS) or IPSEC group-policies.

      Because all internet traffic is forced thru proxies doing antivirus checks at HQ those blocking rules aren't problem. Users simply access net using our main connection and their own is only used to tunnel everything via VPN. Users don't have local admin rights so they can't disable firewall to bypass security.

      Biggest drawback with this kind of implementation is WLAN access. Since many WLANs require login using a web browser and net access is denied unless VPN is active, they're unusable. There's no easy solution to this. The only good solution would be some very restricted and secure browser that's allowed to access ports 80/443. Preferably running in its own virtual machine/sandbox to protect the computer itself.

  13. Re:no subject really by JamesTRexx · · Score: 4, Funny

    Which is why we're at this moment here at work patching all servers manually. Good thing it also means a Sunday bonus. :-)

    --
    home
  14. Windows 98 is still supported by thechink · · Score: 2, Interesting
  15. Re: :) by tveidt · · Score: 2, Funny

    > What a crappy summary

    Get a browser with support for hyperlinks. Cool stuff.

  16. Re:Any logic in the nomenclature? by jayloden · · Score: 2, Informative

    The naming scheme was designed by CARO (Computer Antivirus Researchers Organization). The naming convention is documented on the CARO website:
    http://www.caro.org/tiki-index.php?page=CaroNamingScheme/

    and the original conference paper for the naming scheme:
    http://www.caro.org/tiki-read_article.php?articleId=1/

    and there is a new naming convention being proposed as well, see:
    http://www.caro.org/tiki-read_article.php?articleId=2/

    It's actually really complicated, and pretty much none of the antivirus companies use more than one or two parts of it, but if you're really interested in digging up more info, those links should be more than adequate :)

  17. Re:Must everything be handed to you? by Bald+Wookie · · Score: 3, Insightful

    Why should you have to do a Google search? The patch/exploit is the entire basis for the article. I know the quality of journalism at /. is mediocre at best, but expecting readers to search for the most relevant piece of information is asinine.

  18. An attack on Win2000? by nurb432 · · Score: 4, Insightful

    I bet microsoft secretly loves this, to get at all those people that wont upgrade to XP/2003.

    "See, you have to upgrade to be safe, send us money"

    --
    ---- Booth was a patriot ----
  19. In particular by foreverdisillusioned · · Score: 3, Interesting

    The original poster was talking about "just for the hell of it"-worm authors. I should point out that these blackhats in particular should NEVER get caught unless they are extremely prideful and/or stupid. Worms that "call home" can obviously be traced, but proof of concept and cause-a-lot-of-chaos worms are only ever connected to their author for one brief instant--when they are uploaded. This instant can be when they are connected at a coffee shop from several blocks away during rush hour. Wash, rinse, repeat for all of the popular public hotspots in the area, over the course of a week to ensure that your worm is seeded in multiple locations. Then, after a week (or after your virus is identified in the wild) halt all distribution and watch the chaos unfold. Unless you suffer from supremely bad luck (i.e. hidden camera in the area FIVE BLOCKS AWAY from the actual hotspot manages to catch you in the act and the FBI agents actually check the camera and they actually manage to spot your woktenna through your tinted car windows) there is no way you will ever be caught. You can even be stupid and brag about it on IRC to all your buddies and even if the FBI arrests you, you can just say you were being a lying little prick and as long as you've wiped your HD, they won't have enough evidence to indict you (what are they gonna do, arrest every script kiddie on IRC that claims they wrote the worm? heh.)

    Actually, just-for-the-hell-of-it random crime in general is a lot harder to trace than motivated crime. Nothing short of Orwellian-level surveillance can reliably solve random, profit-less crime committed by smart criminals. Fortunately, these two things--random, profit-less crime and smart criminals--are very rarely connected.

  20. Re:They were careless by Eivind+Eklund · · Score: 2, Insightful
    It's always been the truth that any computer wanker that has been caught has been careless. It's just that almost all criminals are sometimes careless.

    The question is where people get recruited to be computer wankers. A large amount of these are from the "scene", starting out with just doing it for fun and becoming more criminal with time. By removing the false glamour of the scene, fewer kids will start out as computer wankers, and there will overall be fewer wankers.

    Of course there will be some left. However, that will happen no matter what we do. The money spent on securing computer systems is an insurance policy against the costs of a security break. At each point, the question is how this money can be most effectively spent - on social engineering (propaganda, routines, company morale), on technical engineering, or on actual insurance policies from Lloyds or similar.

    Spending it all on the technical side would be wasteful.

    Eivind.

    --
    Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.