foxsteve (Premium Member, joined 2001-12-28, Campbell, CA)
2003-Aug-21 2:10 pm
Stop thief! (MSBlast.exe)

I have tried to ask the respected Security Forum members about the MSBlast.exe source, but have not received a comprehensible answer yet, so I am posting this question for discussion.
We have the firewall log files and can look at which ISP is the leader in pinging, as a result of the infection of its machines and the change to the dllhost.exe file. I think these statistics may be used for searching for the MSBlast.exe source machine. Please add your information.
I am not sure that you have a similar focus in your firewall log files, but I'd like to draw your attention to the following three points:
- > 65% of all pings are from IPs 209.206.X.X. This IP range belongs to the ISP Centurytel.net
- pinging began 8/18/03 at 7:11:41 -7:00 GMT from IP 209.206.212.232
- the next ping from this IP came one time only: 8/18/03 at 10:52:00 -7:00 GMT
IamZed (Premium Member, joined 2001-01-10, Dayton, OH)
2003-Aug-21 2:31 pm
As there is nothing legal you can do if you find whose machine Blast came from, I think you may be asking for something this forum ain't going to help with. If that was not your query, please recompose your question more clearly, as it is very confusing what you are saying.
stevelee0
to foxsteve
First, the ICMPs are related to the Welchia/Nachi worm, not MSBlast per se:
» securityresponse.symante ··· orm.html

Second, it appears that the ICMPs are generally related to the network space that your ISP has provided you. So while you'd like to finger that particular 209.206.x.x IP address as the source, it's not likely that that IP in particular was "The Source" of the worm. Those with Comcast (old ATTBI, for example) will likely see more pings from 12.x.x.x.

Third, some of my firewall logs show the first ICMP activity hitting around 8/17/2003 22:19 PDT (8/18/2003 05:19 GMT). The ping wasn't from 209.206.x.x.

HTH,
Steve
Name Game (Premium Member, joined 2002-07-07, Grand Rapids, MI)
to foxsteve
You want to find the first machine ever infected in the world???... or are you looking for all the machines that are infected at this point?

*************************

MSBlast installs the Trivial File Transfer Protocol (TFTP) server, and runs the program to download its program code to the compromised server. It will also add a registry key to ensure that the worm is restarted when the host computer is rebooted.

The worm attacks Windows computers via a hole in the operating system, an issue Microsoft on July 16 had warned about. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted a program to several security lists designed to allow an intruder to break in to Windows computers.

The Windows flaw has been characterized by some security experts as the most widespread ever found in Microsoft's operating system. The flaw is in a component of the OS that lets other computers request that the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.

The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program.

» zdnet.com.com/2100-1105- ··· l?tag=nl  Attack bot strikes Windows flaw
» zdnet.com.com/2100-1105- ··· l?tag=nl  Hacker code could unleash Windows worm
» zdnet.com.com/2100-1105_ ··· 759.html

Xfocus is a non-profit and free technology organization which was founded in 1998 in China. We are devoted to research and demonstration of weaknesses related to network services and communication security. We hope that we can use new technical tools to achieve our goal, and to broaden our outlook. We also hope we can communicate and help each other through this amazing Internet. This site is created for publishing some documents, code and utilities of our research work. Any suggestions are welcome, please contact us at webmaster_at_xfocus.org. From the Internet. For the Internet. Have fun!
» www.xfocus.org/

Waiting for the worm to turn up
By Robert Lemos
CNET News.com
August 1, 2003, 4:21 PM PT

The black clothes go with the security territory at the Black Hat Security Briefings; the fatalism comes from waiting for a worm writer to take advantage of a widespread Windows vulnerability. The vulnerability, in a component of Microsoft's operating system that allows people to remotely access certain functions on a computer--such as printing and file sharing--was made public by the software giant on July 16. Nine days later, a hacking group in China and an American security researcher released code that exploits the flaw.
» zdnet.com.com/2100-1105_ ··· 198.html
foxsteve (Premium Member, joined 2001-12-28, Campbell, CA)
to IamZed
Thank you for your advice. Can you add the information that I asked for?
foxsteve
to stevelee0
You are right about the worm name. Can you add information on the three points?
ITGeekMonkey (Orbis Hirsutis, Premium Member, joined 2001-11-06, Wylie, TX)
to foxsteve
Time Out is right on the ball. There is not much you can do at this point to make these issues go away. So many people are unaware of the infections on their machines. I have done the following so I won't have to worry about it: I have blocked all traffic in and out on UDP & TCP ports 135, 139 & 445. I have also blocked all ICMP requests.
This makes me feel better when the wife is at the computer and the firewall asks for her approval to receive traffic. I tried to explain but, well, you can imagine how that conversation went.
I have a feeling things are going to get even tighter on my end before it's all over with. Most of the folks in here are far more up to speed on the current security focus but, in my humble opinion, I don't think we'll see an end to this anytime soon.
foxsteve (Premium Member, joined 2001-12-28, Campbell, CA)
to Name Game
Thank you, John, for the links, but I'd like to look at information on the three points.
sig (Premium Member, joined 2001-05-05)
to foxsteve
What specific information do you want? Are you asking that people post the IPs they first and/or mostly got msblaster scans from? (And as noted, most may likely be from within their same ISP netblock.) If so, how do you expect (from the relatively small sample you'd get here) that information would be useful?
More likely LinkLogger and MyNetWatchman would have better cumulative info, but even then.....
foxsteve (Premium Member, joined 2001-12-28, Campbell, CA)
to ITGeekMonkey
Thank you, jabbawest. Why did I start this thread? I am not 100% sure that we will catch the worm designer immediately, but we will have statistics. With statistics we can extract interesting data...
foxsteve
to sig
Which ISP is the ping leader? What was the "start" IP and the time of the first ping? Did the "start" IP repeat the pinging, and when?
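The three figures asked for above (leader netblock and its share, first source and time, repeats from that source) are the kind of thing a short script over the firewall log answers directly. The following Python is an added example, not code from the original thread or any of its posters. The log format, the addresses and the timestamps in SAMPLE_LOG are constructed to resemble the figures in the first post and are not real traffic; LINE_RE, RPC_PORTS and the 92-byte size check are assumptions of this example, to be adapted to your own firewall's export format.

```python
"""Reduce a firewall log to the three figures asked for in this thread:
which /16 netblock is the "ping leader", which source pinged first and
when, and whether that source pinged again. Also counts the TCP
135/139/445 probes that the RPC worms themselves generate.

Added example; the log format is constructed to resemble a generic
personal-firewall export. Adapt LINE_RE to your own firewall's format.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# One dropped packet per line: date time utcoffset action proto src -> dst key=value...
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<tz>[+-]\d{4}) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)(?P<extra>.*)$"
)

# Ports the RPC/DCOM worms probe (the ones ITGeekMonkey blocks later in the thread).
RPC_PORTS = {"135", "139", "445"}

# Constructed sample traffic (NOT real log data); local time is UTC-7.
SAMPLE_LOG = """\
2003-08-18 07:11:41 -0700 DROP ICMP 209.206.212.232 -> 209.206.215.17 type=8 len=92
2003-08-18 07:12:03 -0700 DROP TCP 209.206.212.232 -> 209.206.215.17 dport=135 flags=S
2003-08-18 07:15:22 -0700 DROP ICMP 209.206.201.44 -> 209.206.215.17 type=8 len=92
2003-08-18 07:15:23 -0700 DROP ICMP 12.231.8.9 -> 209.206.215.17 type=8 len=92
2003-08-18 07:40:10 -0700 DROP ICMP 209.206.180.3 -> 209.206.215.17 type=8 len=92
2003-08-18 08:02:55 -0700 DROP ICMP 209.206.199.120 -> 209.206.215.17 type=8 len=92
2003-08-18 08:30:00 -0700 DROP ICMP 68.4.12.77 -> 209.206.215.17 type=8 len=92
2003-08-18 09:01:17 -0700 DROP ICMP 209.206.222.8 -> 209.206.215.17 type=0 len=84
2003-08-18 09:45:48 -0700 DROP ICMP 209.206.190.65 -> 209.206.215.17 type=8 len=92
2003-08-18 10:52:00 -0700 DROP ICMP 209.206.212.232 -> 209.206.215.17 type=8 len=92
2003-08-18 11:10:31 -0700 DROP ICMP 12.240.55.2 -> 209.206.215.17 type=8 len=92
2003-08-18 11:30:00 -0700 DROP ICMP 209.206.171.9 -> 209.206.215.17 type=8 len=92
"""


def parse_log(text):
    """Return one dict per parseable line (ts, proto, src, dst plus key=value extras)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        fields = dict(kv.split("=", 1) for kv in m["extra"].split() if "=" in kv)
        ts = datetime.strptime(f"{m['date']} {m['time']} {m['tz']}", "%Y-%m-%d %H:%M:%S %z")
        records.append({"ts": ts, "proto": m["proto"], "src": m["src"], "dst": m["dst"], **fields})
    return records


def echo_requests(records):
    """Only ICMP type 8 counts as a ping; echo replies (type 0) are noise here."""
    return [r for r in records if r["proto"] == "ICMP" and r.get("type") == "8"]


def rpc_probes(records):
    """TCP connection attempts to the RPC/NetBIOS/SMB ports."""
    return [r for r in records if r["proto"] == "TCP" and r.get("dport") in RPC_PORTS]


def netblock(ip, prefixlen=16):
    """Collapse a source to its /16, the granularity of '209.206.X.X' in the post."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def ping_leader(pings, prefixlen=16):
    """(netblock, share of all echo requests) for the busiest netblock."""
    if not pings:
        return None, 0.0
    counts = Counter(netblock(p["src"], prefixlen) for p in pings)
    block, n = counts.most_common(1)[0]
    return block, n / len(pings)


def first_ping(pings):
    """(timestamp, source) of the earliest echo request, or (None, None)."""
    if not pings:
        return None, None
    first = min(pings, key=lambda p: p["ts"])
    return first["ts"], first["src"]


def pings_from(pings, src):
    """Every timestamp at which `src` sent an echo request, oldest first."""
    return sorted(p["ts"] for p in pings if p["src"] == src)


def welchia_sized(pings):
    """Share of echo requests that are 92-byte IP datagrams (8-byte ICMP header
    plus 64 bytes of data), the size attributed to Welchia/Nachi probe pings.
    Assumption of this example and a size heuristic only; verify against the
    Symantec writeup linked earlier in the thread before relying on it."""
    if not pings:
        return 0.0
    return sum(1 for p in pings if p.get("len") == "92") / len(pings)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    pings = echo_requests(recs)
    block, share = ping_leader(pings)
    print(f"ping leader: {block} ({share:.0%} of {len(pings)} echo requests)")
    ts, src = first_ping(pings)
    print(f"first ping: {src} at {ts.isoformat()} = {ts.astimezone(timezone.utc):%H:%M:%S} UTC")
    print("repeats from that source:", [t.isoformat() for t in pings_from(pings, src)[1:]])
    print(f"RPC port probes: {len(rpc_probes(recs))}; 92-byte pings: {welchia_sized(pings):.0%}")
```

Feed it your own export instead of SAMPLE_LOG and the percentages are the ones the thread is asking everyone to post. Note the caveat raised by stevelee0 and sig still applies to the output: a leader netblock that matches your own ISP says more about address proximity than about where the worm started.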
Name Game (Premium Member, joined 2002-07-07, Grand Rapids, MI)
to foxsteve
First one we saw came from Asia... if that helps... but I am not going to post IPs or logs.
Name Game
to foxsteve
If you want to do some research on the North American start-up of the problem, start with this...
"Some system administrators posting to a mailing list run by the North American Network Operators' Group, a popular forum for engineers who maintain large networks, believe that as much as 10 percent of the data coming into their networks has been created by the worm."
Go to this link.
» www.merit.edu/mail.archi ··· ex3.html
sig (Premium Member, joined 2001-05-05)
to foxsteve
Again, if most people are seeing scans primarily from their own ISP netblock, as I was, that's not terribly helpful info to have.
At any rate, I rather doubt that info posted here from a handful of people will crack the case. I suspect national and international authorities, both public and private, who also can work with the ISPs and backbone providers, probably would be able to get (and perhaps already have) a better handle on it. It was a massive international event, evidently infecting millions of PCs. The search for "subject 0" is probably not going to be solved by people posting IPs in this thread.
As Name Game noted, Asia is the suspected place of origin for msblaster.
foxsteve (Premium Member, joined 2001-12-28, Campbell, CA)
2003-Aug-21 4:31 pm
Sorry that we are discussing other subjects.

said by sig:
    As Name Game noted, Asia is the suspected place of origin for msblaster.

I agree with John and you about the suspected place, but I am not sure of this.

said by sig:
    national and international authorities, both public and private, who also can work with the ISP's and backbone providers probably would be able to get (and perhaps already have) a better handle on it.

Who is the backbone provider for IP 209.206.X.X?
Name Game (Premium Member, joined 2002-07-07, Grand Rapids, MI)
to foxsteve
said by foxsteve:
    Who is backbone provider for IP 209.206.X.X?

Use this, then look them up..
» www.voodoomaniax.com/ipi ··· 206.html
foxsteve (Premium Member, joined 2001-12-28, Campbell, CA)
to Name Game
John, abnormal pinging started 8/18/03:
» isc.incidents.org/port_d ··· l?port=0
» isc.incidents.org/port_r ··· 03-08-18
jig (Member, joined 2001-01-05, Hacienda Heights, CA)
2003-Aug-22 2:24 am
The pinging I recorded first started between 7:42 and 7:45, 8/18/03, PDT, on my subnet, part of adelphia.net, southern California, Los Angeles area. Sorry, I don't have a record of where the ping came from.
-jig
foxsteve (Premium Member, joined 2001-12-28, Campbell, CA)
2003-Aug-22 10:37 am
Thank you, jig, good! Can you tell me which ISP is the ping leader and what the % is?
jig (Member, joined 2001-01-05, Hacienda Heights, CA)
2003-Aug-22 7:24 pm
No, sorry, I don't have my packet-dropping log system set up to log what address the ping came from. I would be changing this, but as of last night Adelphia is dropping almost all ICMP traffic, so I can't test any changes to that part of my firewall...
-jig