The MS Blaster worm Presented by: Zhi-Wen Ouyang.


1 The MS Blaster worm Presented by: Zhi-Wen Ouyang

2 Outline
- General Overview
- The DCOM RPC Vulnerability
- How it spreads
- Other attacks
- Flaws of MS Blaster
- A Variant of MS Blaster
- Removal Instructions
- Conclusion

3 General Overview
- Also known as Lovsan, Poza, Blaster.
- First detected on August 11, 2003.
- Exploits the most widespread Windows flaw ever: a vulnerability in the Distributed Component Object Model (DCOM), which handles communication using the Remote Procedure Call (RPC) protocol.
- Affects Windows 2000 and Windows XP.
- Two messages in the code:
  1. “I just want to say LOVE YOU SAN!”
  2. “billy gates why do you make this possible? Stop making money and fix your software!!”
- Infected more than 100,000 computers in 24 hours.

4 The DCOM RPC Vulnerability
- Detected in mid-July 2003.
- The RPC protocol allows a program to run code on a remote machine.
- Windows incorrectly handles malformed messages on RPC ports 135, 139, 445 and 593.
- An attacker sends a specially crafted message to the remote host.
- Result: local privileges on the target, and the ability to run malicious code.

5 How it spreads
- Checks whether the computer is already infected.
- Adds the registry value "windows auto update"="msblast.exe" to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so the worm starts at boot.
- 60% of the time, generates a target IP address at random.
- 40% of the time, generates target addresses of the form A.B.C.0 and increments the last octet by 1 each time.
- Uses Cmd.exe to create a hidden shell that listens on TCP port 4444.

6 How it spreads (cont.)
- Sends the exploit data to the target on TCP port 135.
- Two types of exploit data are sent:
  1. data that exploits Windows XP
  2. data that exploits Windows 2000
- Listens on UDP port 69 (TFTP), serves msblast.exe to the newly compromised computer and executes it there.
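The propagation steps on slides 5 and 6 leave a recognisable footprint in network flow data: a host walking a /24 on TCP/135 in increasing order, then reaching one of those targets on TCP/4444, followed by that target pulling a file back from it over UDP/69. The detector below, an added example and not part of the original presentation, flags that sequence over a constructed set of flow records (the `SAMPLE_FLOWS` format and the `SWEEP_MIN` threshold are assumptions, not anything from a real sensor).

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records (hypothetical sensor export): src, dst, proto, dport
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.1.1", "tcp", 135),
    ("10.0.0.5", "192.168.1.2", "tcp", 135),
    ("10.0.0.5", "192.168.1.3", "tcp", 135),
    ("10.0.0.5", "192.168.1.4", "tcp", 135),
    ("10.0.0.5", "192.168.1.3", "tcp", 4444),  # shell on the exploited host
    ("192.168.1.3", "10.0.0.5", "udp", 69),    # victim fetches msblast.exe
    ("10.0.0.9", "192.168.1.21", "tcp", 135),  # single RPC contact: benign
]
SWEEP_MIN = 4  # consecutive TCP/135 targets before a host counts as sweeping

def sequential_135_sweep(targets):
    """True if SWEEP_MIN+ TCP/135 targets are consecutive addresses in one /24."""
    addrs = sorted(int(ip_address(t)) for t in set(targets))
    run = 1
    for prev, cur in zip(addrs, addrs[1:]):
        run = run + 1 if cur == prev + 1 and cur >> 8 == prev >> 8 else 1
        if run >= SWEEP_MIN:
            return True
    return False

def detect_blaster_activity(flows):
    """Return {host: [reasons]} for hosts showing Blaster-like behaviour."""
    rpc_targets = defaultdict(list)  # src -> hosts it contacted on TCP/135
    shell_hits = defaultdict(set)    # src -> hosts it contacted on TCP/4444
    tftp_clients = defaultdict(set)  # server -> hosts that pulled from it on UDP/69
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            rpc_targets[src].append(dst)
        elif proto == "tcp" and dport == 4444:
            shell_hits[src].add(dst)
        elif proto == "udp" and dport == 69:
            tftp_clients[dst].add(src)
    findings = {}
    for host, targets in rpc_targets.items():
        reasons = []
        if sequential_135_sweep(targets):
            reasons.append("sequential TCP/135 sweep")
        if shell_hits[host] & set(targets):
            reasons.append("TCP/4444 to a swept host")
        if tftp_clients[host] & shell_hits[host]:
            reasons.append("UDP/69 pull by a host it reached on 4444")
        if reasons:
            findings[host] = reasons
    return findings
```

The 60% random-target mode does not produce consecutive addresses, so the first rule alone misses it; the 4444 and 69 follow-up rules are what catch a host regardless of how it picked its victims.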

7 Other Attacks
- Launches a DoS attack on windowsupdate.com:
  - from the 16th through the end of the month, if the current month is Jan. – Aug.
  - every day, if the current month is Sept. – Dec.
- Floods the website over port 80.
- 50 HTTP packets every second, each packet 40 bytes.

8 Flaws of MS Blaster
- Slowed down the next day.
- Poorly programmed worm.
- Inefficient method for downloading the code file.
- Infects the same machine more than once.

9 A Variant of MS Blaster
- MS Blaster-B exploits the same vulnerability.
- Minor changes to escape detection:
  - a different file name
  - a different registry entry
  - more graphic messages
- Writer was an 18-year-old, Jeffrey Lee Parson, a novice code writer who made too many mistakes.

10 Variants of MS Blaster (cont.)
- 70% of machines were still unpatched at the time MS Blaster-B was discovered.
- More variants exploit the same vulnerability: W32.Blaster.C, W32.Blaster.D, W32.Blaster.E, W32.Blaster.F.

11 Removal Instructions
- A removal tool is available for download from Symantec Security Response.
- The tool:
  1. terminates the MS Blaster worm process
  2. deletes the worm files (“msblast.exe”, “teekids.exe”, “penis32.exe”)
  3. deletes dropped files
  4. deletes the registry values
- The worm can also be removed manually by following the same steps.

12 Conclusion
- Exploits the most widespread Windows flaw ever.
- Software available today is vulnerable to attacks.
- No significant damage, but it could have been far more effective.
- Better-engineered worms could infect millions of machines in a matter of seconds.
- Worms are a serious threat to the safety of the Internet.

13 Thank you
Questions?

