The MS Blaster worm Presented by: Zhi-Wen Ouyang
Outline General Overview The DCOM RPC Vulnerability How it spreads Other attacks Flaws of MS Blaster A Variant of MS Blaster Removing Instructions Conclusion
General Overview Also known as Lovsan, Poza, Blaster. First detected on August 11, 2003 Exploits the most widespread Windows flaw ever A vulnerability in Distributed Component Object Model (DCOM) that handles communication using Remote Procedure Call (RPC) protocol Affects Windows 2000 and Windows XP Two messages in the code: 1. “I just want to say LOVE YOU SAN!”” 2. “billy gates why do you make this possible? Stop making money and fix your software!!” Infected more than 100,000 computers in 24 hours
The DCOM RPC Vulnerability Detected in mid-July 2003 RPC protocol allow a program to run code on a remote machine Incorrectly handles malformed messages on RPC port 135, 139, 445, 593 Attackers send special message to remote host Gain local privilege, run malicious code
How it spreads Check if computer is already infected Add registry value "windows auto update"="msblast.exe“ to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 60% of the time, generate IP address at random 40% of the time, generates IP addresses of the form A.B.C.0 Increments the last part by 1 each time Use Cmd.exe to create a hidden shell that listens on TCP port 4444
How it spreads (con’t) Send out data on TCP port 135. Send out two types of data 1. data that exploits Windows XP 2. data that exploits Windows 2000 Listen on UDP port 69, send out msblast.exe and execute it on infected computer
Other Attacks Launches DoS on windowsupdate.com 16 th through end of the month of Jan. – Aug. Current month is Sept. – Dec. Flood the website using port HTTP packet every second Each packet is 40 bytes
Flaws of MS Blaster Slowed down the next day Poor programming of the worm Inefficient method to download the code file Infects machines more than once
A Variant of MS Blaster MS Blaster-B Exploits the same vulnerability Minor changes to escape detection A Different file name A Different registry entry More graphic messages Writer is a 18-year-old teenager, Jeffrey Lee Parson, novice code writer, made too many mistakes
Variants of MS Blaster (con’t) 70% unpatched machines since discovery of MS Blaster-B More variants that exploit the same vulnerability: W32.Blaster.C, W32.Blaster.D, W32.Blaster.E, W32.Blaster.F
Removing Instructions Removing tool available for download from Symantec Security Response Instructions 1. terminates MS Blaster worm process 2. delete worm files (“msblast.exe”, “teekids.exe”, “penis32.exe”) 3. deletes dropped files 4. deletes registry values Could manually remove the worm in the same manner
Conclusion Exploits a widespread windows flaw ever Software available today is vulnerable to attacks No significant damages Could have been more effective Better-engineered worms could infected millions of machines in matters of seconds Worms are a serious threat to the safety of the Internet
Thank you Questions?