psloss Premium join:2002-02-24 Alpharetta, GA
More RPC/TFTP malware, this time local
My Class B (66.75.xxx.xxx) now has yet another XFocus/Metasploit-derived RPC program...this one is different, in that it may propagate itself; it's still using TFTP, but more in the way that Nimda did. Since the "infection" is more local, there's more activity here on tcp/135 and tcp/4444; about 1 event per minute right now.
I'm still looking at the binary to see what it does, but it does have these strings:
"I just want to say LOVE YOU SAN!!" (this appears in the startup command -- it goes to the HKLM...Run key)
"billy gates why do you make this possible ? Stop making money and fix your software!!"
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

psloss Premium join:2002-02-24 Alpharetta, GA
Re: possible worm
This may be a worm, although I haven't seen any confirmation of it yet. At startup, it scans a random IP range on tcp/135; not sure yet whether the "local" scanning that would be necessary
The file name is msblast.exe, is 6176 bytes, and is packed with UPX.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

John2g Qui Tacet Consentit Premium join:2001-08-10 England
reply to psloss Re: More RPC/TFTP malware, this time local
If you had written the above in Sanskrit, it would have made as much sense to me
Oh to be young again and learn all these things. I'm afraid you can't teach this old dog many new tricks. -- Better to remain silent and be thought a fool, than to speak and remove all doubt.

psloss Premium join:2002-02-24 Alpharetta, GA
said by John2g : Oh to be young again and learn all these things. I'm afraid you can't teach this old dog many new tricks.
Sorry; it's all "shorthand" right now -- things have got a little busy. There are a lot of little subplots to the recent activity on tcp/135, too many to go through quickly and also succinctly.
Make sure you have a firewall today, because if this is a worm, it may not be detected by anti-virus software -- Kaspersky's online scanner didn't identify it, and they usually have these things pretty quickly. I'm sure there will be signatures forthcoming, but perhaps not for the next few hours.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

Mark Premium join:2001-11-15 Mesa, AZ
reply to psloss
Approx. 2:08 this system was infected with 'msblast', seems to propagate through an rpc exploit. File is named msblast.exe, located in C:\windows\system32. Creates a registry key 'windows auto update' in HKLM\Software\Microsoft\Windows\Run pointing to the above file.
First suspected an infection when I returned home and the kids were complaining about random shutdowns, seems this worm can cause RPC crashes, it also generates a lot of outbound traffic.
When I checked netstat, it seemed to be attempting to propagate further by connecting to port 135 on sequential ip addresses. (in my case, 45.1.1.1 .. 45.1.1.2 .. etc)
Closed instance of file in task manager, deleted registry key, and quarantined file. Seemed to do the trick. Could not find any reference to it as of yet.
Looks like a new and nasty worm. If anyone wants to see it, I have a copy I can provide you with. [text was edited by author 2003-08-11 15:07:42]

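The netstat observation above (outbound connections walking port 135 on consecutive addresses, plus a listener on tcp/4444 and the TFTP port) is easy to turn into a triage check. The following is an added example, not code from any poster in this thread; the netstat text it parses is constructed to look like `netstat -an` output on Windows XP and is not a real capture, and the address run 45.1.1.1 onward simply mirrors what Mark reported.

```python
import ipaddress
import re

# Constructed sample in the layout of `netstat -an` on Windows XP (not a real
# capture): listeners on tcp/135 and tcp/4444, a UDP listener on 69 (TFTP), and
# outbound attempts walking 45.1.1.1, 45.1.1.2, ... on port 135.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      45.1.1.1:135           SYN_SENT
  TCP    192.168.1.10:1044      45.1.1.2:135           SYN_SENT
  TCP    192.168.1.10:1045      45.1.1.3:135           SYN_SENT
  TCP    192.168.1.10:1046      45.1.1.4:135           SYN_SENT
  TCP    192.168.1.10:1047      45.1.1.5:135           SYN_SENT
  TCP    192.168.1.10:1050      10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

# proto, local endpoint, foreign endpoint, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse netstat rows into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append({"proto": proto, "local": local,
                         "foreign": foreign, "state": state or ""})
    return rows


def split_endpoint(endpoint):
    """'45.1.1.1:135' -> ('45.1.1.1', '135'); also copes with '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def longest_sequential_run(rows, port="135", min_run=4):
    """Longest run of consecutive IPv4 addresses among outbound TCP attempts
    to `port`. Sequential targets are the scanning pattern the thread
    describes; a run shorter than `min_run` is reported as no finding."""
    targets = set()
    for row in rows:
        host, rport = split_endpoint(row["foreign"])
        if row["proto"] != "TCP" or rport != port:
            continue
        if row["state"] not in ("SYN_SENT", "ESTABLISHED"):
            continue
        try:
            targets.add(int(ipaddress.IPv4Address(host)))
        except ipaddress.AddressValueError:
            continue
    best, run = [], []
    for n in sorted(targets):
        run = run + [n] if run and n == run[-1] + 1 else [n]
        if len(run) > len(best):
            best = run
    addrs = [str(ipaddress.IPv4Address(n)) for n in best]
    return addrs if len(addrs) >= min_run else []


def listening_ports(rows, proto):
    """Local ports with a listener for the given protocol."""
    ports = set()
    for row in rows:
        if row["proto"] != proto:
            continue
        if proto == "TCP" and row["state"] != "LISTENING":
            continue
        ports.add(split_endpoint(row["local"])[1])
    return ports


def triage(text):
    """Summarise the network indicators the thread describes from one dump."""
    rows = parse_netstat(text)
    tcp, udp = listening_ports(rows, "TCP"), listening_ports(rows, "UDP")
    return {
        "scan_run_135": longest_sequential_run(rows),
        "backdoor_4444_listening": "4444" in tcp,
        "tftp_69_listening": "69" in udp,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT))
```

A listener on 4444 or 69 on a workstation that has no business serving anything is worth a look on its own; combined with a sequential run on port 135 it is the whole picture Mark saw. On a live host, feed the output of `netstat -an` to `triage` instead of the constructed sample.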
psloss Premium join:2002-02-24 Alpharetta, GA
said by Mark : Looks like a new and nasty worm. If anyone wants to see it, I have a copy I can provide you with.
It appears to be mostly concentrating on scanning/propagating...I didn't notice it changing any files on the system or doing anything with the Registry except the HKLM AutoRun key.
Watch out for that file to be copied over and over unless you can block tcp/135 with a firewall...the exploit opens a backdoor on tcp/4444, although this backdoor may end up terminating quickly...some proof of concept code behaved this way and some didn't...
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

Mark Premium join:2001-11-15 Mesa, AZ
reply to psloss
It seems we have the same file (size: 6.03 KB (6,176 bytes))
As far as I know, it only added the key and the file, and continued propagating. It did cause a lot of rpc shutdowns, but that may have been a side effect of the mass propagation it was attempting.

psloss Premium join:2002-02-24 Alpharetta, GA
said by Mark : It seems we have the same file (size: 6.03 KB (6,176 bytes))
As far as I know, it only added the key and the file, and continued propagating. It did cause a lot of rpc shutdowns, but that may have been a side effect of the mass propagation it was attempting.
What version of Windows and service pack are you running?
Thanks,
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
reply to psloss said by psloss : unless you can block tcp/135 with a firewall
Are you saying this is something for which there is no patch?

psloss Premium join:2002-02-24 Alpharetta, GA
said by Marilla : said by psloss : unless you can block tcp/135 with a firewall
Are you saying this is something for which there is no patch?
Good point. The patch is at least better than nothing: »www.microsoft.com/technet/securi···-026.asp
However, I believe the XFocus/Metasploit code works on a separate unchecked buffer.
The patch may result in a crash instead of a remote exploit. Still not good, but not as bad.
Haven't had time to test here yet, but it shouldn't be too difficult...
Thanks for pointing that out and sorry for not bringing it up!
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

Mark Premium join:2001-11-15 Mesa, AZ
reply to psloss
psloss is correct in recommending a block of port 135 (at least temporarily). There is no end-all patch for this rpc vuln as of now.
This system is running Windows XP SP1, and your copy (psloss) is exactly the same as mine, so it seems this worm is spreading fairly quickly. [text was edited by author 2003-08-11 15:24:59]

John2g Qui Tacet Consentit Premium join:2001-08-10 England
reply to psloss said by psloss :
Make sure you have a firewall today,
I have
If only the people who write in this forum "1. I don't need a firewall because..." or "2. What do I need a firewall for?" would read and take action, not just for themselves, but to prevent propagation of these nasties.
I know I have written it before, but it was a hard lesson to be infected with a virus, which resulted in the purchase of a new computer. -- Better to remain silent and be thought a fool, than to speak and remove all doubt.

akristov join:2001-01-31 Tampa, FL
reply to Marilla
Has anyone noticed svchost error messages with this worm?

Mark Premium join:2001-11-15 Mesa, AZ
said by akristov : Has anyone noticed svchost error messages with this worm?
Yes (see above posts; svchost is the RPC service) [text was edited by author 2003-08-11 15:30:56]

Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
reply to psloss said by psloss : Thanks for pointing that out and sorry for not bringing it up!
Quite alright... as you said, you're just typing as you go, and things are coming out in 'shorthand'. I don't have any clue myself about what's really going on here with this, because all the systems I control are both patched and firewalled, but I thought I'd just ask that question to clear it up there some... I had thought I'd heard that all the issues here weren't resolved, but hadn't had an opportunity to ask!
Thank you!

Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
reply to John2g said by John2g : If only the people who write ... I don't need a firewall ... would read and take action, not just for themselves, but to prevent propagation of these nasties.
Yeah... this might turn out to be a wake-up call for such people. Those of us who talk about 'layered security' might sometimes seem to be a little paranoid, but the fact of the matter is at any given time, any single layer of your security might fail you.
In this case, we're talking about a vulnerability that doesn't seem to be completely patched yet... meaning only two possible ways to prevent this: Ideally, a firewall simply blocking the ports in question... and then a good, updated anti-virus. Problem is, relying on the anti-virus only would mean that your system has already been compromised - the AV simply stopped a single piece of malware from being run... but what's to prevent the worm-makers from getting lucky and using malware which aren't yet detected, or using already-trusted applications to perform otherwise malicious actions on your computer?

catseyenu Ack Pfft Premium join:2001-11-17 Fix East
reply to psloss
My provider has claimed to have shut down TCP 135 incoming but my logs are filling up as we speak. Quick scan of source shows the 4444 propagation has begun. :/

goudaboy join:2002-07-25 Saint Charles, IL
reply to psloss
Hi folks, my manager just passed along this tidbit to me regarding the rpc exploit possible worm:
check out this link »isc.sans.org/diary.html?date=2003-08-11
A remote user of mine called complaining her laptop was shutting down on her; a window pops up with an RPC error and then gives 60 seconds to reboot. She runs XP Pro, SP1, and is currently on broadband without firewall protection. Yes yes I know, not good. I figured it might be related as it started today. I sent her a link for that patch. The Event Viewer error only shows event ID 7031, which in itself is pretty vague. -- »www.dvd-dweeb.com

psloss Premium join:2002-02-24 Alpharetta, GA
reply to Mark said by Mark : psloss is correct in recommending a block of port 135 (at least temporarily). There is no end all patch for this rpc vuln as of now.
Hey Mark,
Just want to be clear, since this is important: you are saying that you have installed the Microsoft patch prior to being infected?
Thanks,
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

psloss Premium join:2002-02-24 Alpharetta, GA
reply to psloss Re: possible worm
FYI, I compared the exploit packet (RPC request on the ISystemActivator interface) against packets generated in testing source code from two of the "proof of concept" programs I've seen -- the "old" XFocus/Metasploit demo and the "universal offset" demo. The packet size is the same (1704 bytes) and only 4 bytes are different -- those happen to be the return address...
This malware is using a return address of 0x0018759F, which was what the copy of the "universal" code I saw used for Win2k. That code had only two offsets -- one for Win2K and one for XP.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

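The comparison psloss describes (two 1704-byte requests that agree everywhere except a 4-byte return address) is a routine step when matching a captured sample against known proof-of-concept code, and it also tells a signature writer which bytes are safe to key on. The following is an added example, not the poster's tooling: the two "captures" are constructed filler of the reported length with a little-endian DWORD at an assumed offset (1000; the real offset is not given in the thread), and only the 1704-byte length and the 0x0018759F value come from the post.

```python
import struct

PACKET_LEN = 1704  # request size reported in the post for both PoCs and the malware


def make_sample(ret_addr, offset=1000):
    """Constructed stand-in for one captured request: deterministic filler
    with a little-endian DWORD written at `offset`. Not a real packet; only
    the length and the 'differs in one DWORD' property are modelled."""
    body = bytearray((i * 7) & 0xFF for i in range(PACKET_LEN))
    body[offset:offset + 4] = struct.pack("<I", ret_addr)
    return bytes(body)


def diff_offsets(a, b):
    """Offsets at which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("captures differ in length: %d vs %d" % (len(a), len(b)))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def identical_spans(a, b):
    """Byte ranges [start, end) where the two captures agree. A detection
    signature built on these ranges is unaffected by a changed return address."""
    spans, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y and start is None:
            start = i
        elif x != y and start is not None:
            spans.append((start, i))
            start = None
    if start is not None:
        spans.append((start, len(a)))
    return spans


def compare_captures(a, b):
    """Diff two captures; when exactly one contiguous 4-byte span differs,
    decode it on each side as a little-endian DWORD (how x86 stores an
    address), which is what distinguished the variants in the post."""
    offs = diff_offsets(a, b)
    result = {
        "length": len(a),
        "differing_bytes": len(offs),
        "offsets": offs,
        "identical_spans": identical_spans(a, b),
        "dword_a": None,
        "dword_b": None,
    }
    if len(offs) == 4 and offs == list(range(offs[0], offs[0] + 4)):
        start = offs[0]
        result["dword_a"] = struct.unpack("<I", a[start:start + 4])[0]
        result["dword_b"] = struct.unpack("<I", b[start:start + 4])[0]
    return result


if __name__ == "__main__":
    # 0x0018759F is the value reported in the post; 0x01020304 is a made-up
    # second value standing in for the other PoC's offset.
    seen = make_sample(0x0018759F)
    reference = make_sample(0x01020304)
    report = compare_captures(seen, reference)
    print("length=%d differing=%d offsets=%s" % (
        report["length"], report["differing_bytes"], report["offsets"]))
    print("dword in sample: 0x%08X" % report["dword_a"])
    print("invariant spans:", report["identical_spans"])
```

The useful output for a defender is `identical_spans`: with real captures it shows the part of the request that every variant shares, which is where an IDS rule should match rather than on the return address, since that is the one field an author changes between targets.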