Win32 Blaster Worm is on the Rise 1251
EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and
download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.
shutdown /a (Score:5, Informative)
shutdown
That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that tries to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)
it hit me this morning! (Score:2, Informative)
Nasty little bugger (Score:5, Informative)
Something else you might want to try is booting into safe mode (F8 right when the Windows splash screen pops up), then deleting the registry entries and the virus run program (msblast.exe). Also please... PLEASE patch your computer.
When you're done, run some AV on your system. Some people had a second virus sneaking around that they didn't even know about (Spybot.worm).
-Tim
Cancelling this problem (Score:5, Informative)
C:\WINDOWS>shutdown -a now
Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.
A BBC link (Score:3, Informative)
It is not easy, one stop! (Score:5, Informative)
Read more on SecurityFocus' mailing list [securityfocus.com].
RPC? (Score:4, Informative)
After doing a bit of research I discovered that at some point, Microsoft decided that ACPI needs to behave differently, and forced all BIOSes to be upgraded to work with XP. After getting a new version of my BIOS, the problem disappeared... but the symptoms were identical to what is described with this bug... Bad timing I guess... But if you have this problem, check the event log; it may be your now non-compliant BIOS, rather than an infection/attack.
In addition... (Score:4, Informative)
also (Score:5, Informative)
Microsoft Bulletin [microsoft.com]
Note this is marked "Critical" now...
Nice touch. (Score:3, Informative)
If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."
With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?
Nahh....
A little something they left out... (Score:5, Informative)
Windows Update slashdotted? (Score:2, Informative)
Chip H.
Re:shutdown /a (Score:5, Informative)
I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.
Echoes (Score:4, Informative)
Will it halt the Internet? (Score:4, Informative)
Worm (Score:2, Informative)
Re:A little something they left out... (Score:5, Informative)
Right-click on My Computer, go to Manage; in the Services & Apps tab, go to Services, right-click Remote Procedure Call (RPC), Properties. In the Recovery tab, change all the things that say "restart the computer" to "take no action".
Re:Fscking Windows. (Score:3, Informative)
Yeah... nothing like that.
Other of course than the multitude of root kits out there, sendmail holes, bind holes, apache holes, anything else holes.
And yeah. Linux 7.2 - guess you haven't been around long enough to remember.
You got the wrong security bulletin (Score:5, Informative)
CERT advisory notice.... (Score:3, Informative)
to disable the forced shutdowns...(XP) (Score:5, Informative)
Re:Cancelling this problem (Score:2, Informative)
screenshots on msblast (Score:5, Informative)
no crash? still not safe. (Score:2, Informative)
Sad really (Score:3, Informative)
TechNet [microsoft.com]
TechNet HotFixes [microsoft.com]
And
WindowsUpdate [microsoft.com]
It's really that simple. Check daily for patches on your software, patch it, reboot, get back to work.
Linux people: Rejoice! (Score:5, Informative)
To make this smile even bigger: compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened on).
Now you can actually *see* when the worm tries its futile attack on your superior OS.
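The program the comment refers to is not on the page, so here is an added example (not the poster's program, written in Python rather than C) of the idea: a sensor that accepts connections on TCP 135, the DCOM RPC port the worm attacks, logs the peer and the first bytes it sends, and hangs up without ever answering RPC. It assumes a Linux or BSD host where the port is free and root is needed to bind it; on Windows the RPC service already owns 135, so the sensor cannot bind there.

```python
"""Connection sensor for TCP 135: log who knocks, answer nothing (added example)."""
import socket
import threading
from datetime import datetime, timezone

DEFAULT_PORT = 135  # DCOM RPC endpoint the worm targets; below 1024, so root on Linux


class ConnectionSensor:
    """Accept connections on one port, record peer and first bytes, then hang up."""

    def __init__(self, port=DEFAULT_PORT, host="0.0.0.0"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 = let the OS pick a free port (testing)
        self.sock.listen(16)
        self.sock.settimeout(0.5)             # so serve() can notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []
        self._stop = threading.Event()

    def serve(self, max_events=None):
        """Run until stop() or until max_events hits were recorded; return the log."""
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self.sock.accept()
            except socket.timeout:
                continue
            conn.settimeout(1.0)
            try:
                head = conn.recv(64)          # whatever the client sent first, if anything
            except (socket.timeout, OSError):
                head = b""
            finally:
                conn.close()                  # never speak RPC back: nothing executes here
            event = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                     "src": ip, "src_port": sport, "first_bytes": head[:16].hex()}
            self.events.append(event)
            print(f"{event['time']} connect from {ip}:{sport} "
                  f"first_bytes={event['first_bytes'] or '-'}")
            if max_events is not None and len(self.events) >= max_events:
                break
        self.sock.close()
        return self.events

    def stop(self):
        self._stop.set()


def demo(host="127.0.0.1", port=0):
    """Self-check: start a sensor on a free port, connect to it once, return its log."""
    sensor = ConnectionSensor(port=port, host=host)
    worker = threading.Thread(target=sensor.serve, kwargs={"max_events": 1})
    worker.start()
    with socket.create_connection((host, sensor.port), timeout=5) as client:
        client.sendall(b"\x05\x00\x0b")       # constructed probe: DCE/RPC v5.0 bind header bytes
    worker.join(10)
    return sensor.events


if __name__ == "__main__":
    ConnectionSensor().serve()                # run as root on port 135; Ctrl-C to stop
```

Every logged hit is a host that is probing this machine, which is the first thing the recipient of one of the infected-source notices described elsewhere in this thread would want to know.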
Removal bad! Reformat good! (Score:2, Informative)
Seriously, best current practices dictate that before a compromised machine is reconnected to the 'net you:
Getting the patches without a 'net connection is left as an exercise to the reader.
THIS IS A SUREFIRE WAY TO STOP SHUTDOWNS (Score:5, Informative)
Regards/
JP
Re:Nasty little bugger (Score:2, Informative)
However, there are a lot of nasty little payloads that spybot brings in. I'd recommend googling for msconfig35.exe for removal instructions for the spybot payload.
Proper removal instructions (Score:3, Informative)
Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool."
Not really... there have been several reports that the thing has flogged machines so badly that it might not even be possible to connect to windowsupdate/any other internet site. For proper removal instructions, take a look at CERT's advisory [cert.org] or Trend Micro's KB [trendmicro.com]
Re:Honest question (Score:2, Informative)
Re:shutdown /a (Score:3, Informative)
A common distribution, like Red Hat Linux 8/9, has a firewall on by default.
Re:Honest question (Score:2, Informative)
2. Because apt-get upgrade runs daily on my other systems and I'm just not used to _manually_ installing security updates.
3. Because the exploit existed for at least 7 years
4. Because I'm within a corporate intranet with f..scking expensive cisco switches that could easily stop the worm on the medium.
I could give you hundreds more, but it all boils down to: this shouldn't bother me - the user - at all.
RPC, NetBios etc are a menace (Score:4, Informative)
Please block TCP/UDP NetBIOS ports 135-139, as well as SMB over TCP (port 445), RPC over HTTP (port 593), and the MS-SQL port the Slammer worm used (port 1434).
And I am sure there are many, many more.
Windows 2000 Service Pack 4 has fix (Score:2, Informative)
Re:shutdown /a (Score:5, Informative)
Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunately all our laptops were either patched or left at work yesterday and patched this morning.
The other possible point of entry is VPNs, which are also notorious for letting in computers that were infected via a different net connection.
Auto Update? (Score:3, Informative)
Re:Laptops (Score:5, Informative)
Careful with Windows Update; it is notorious for falsely reporting that patches are installed properly. See this discussion [ntbugtraq.com] about this very patch (MS03-026).
Re:Admins are not lazy (Score:2, Informative)
Re:Admins are not lazy (Score:3, Informative)
T.
Re:Precisely (Score:3, Informative)
MS have released broken patches [esj.com] in the past, you moron. Hence big businesses don't usually let admins apply patches to production machines without regression testing, hence my question. That's one reason why it takes so long for patches to get applied.
Also, I wasn't comparing any OS with any other, so leave out the 'Linux is just as bad' rant. How old are you?!
J.
Nessus did this attack months ago (Score:4, Informative)
Re:Nice touch. (Score:1, Informative)
Nahh....
They did deal with this, almost a month ago. But there isn't much they can do if users don't apply the patch.
Wrong (Score:3, Informative)
writeup is bollocks (Score:3, Informative)
The only, uhm, 'interesting' aspect of this worm is that on Friday it's going to nuke WindowsUpdate. The worm will probably never go away completely, so W.U. could well be unusable for months to come. Totally predictable, of course; it's just a surprise that it lasted this long.
Re:Sad really (Score:3, Informative)
Actually, the most common cause of a 'forced reboot' on any of my Windows systems nowadays isn't an MS patch (neither of the last couple of RPC vulnerability patches required a reboot on WinXP or 2003) - it's Norton Antivirus. NAV quite often seems to download something that requires a full reboot of the machine. Quite why it's possible to patch the OS without a reboot, but an application can't restart itself cleanly without a full restart, I have no idea...
Re:shutdown /a (Score:3, Informative)
Re:Laptops (Score:2, Informative)
Re:Sad really (Score:3, Informative)
Actually, I think you're over-simplifying the process somewhat:
Re:shutdown /a (Score:1, Informative)
I believe he meant "just block the port to the WAN (internet) as opposed to the LAN", then suggested that if your LAN was large (e.g. a college campus), there would still be a risk.
Re:shutdown /a (Score:5, Informative)
Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes, as they are called, can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done that with every copy of Windows I've owned since Windows 2000.
Re:shutdown /a (Score:3, Informative)
The patch, as stated elsewhere, does not work on all machines.
I turned on the firewall hoping that will fix
Re:Just seen an ATM affected... (Score:3, Informative)
Good memory!
His name was John Munden and it was October 1992.
Some articles are here [poptel.org.uk] and here [elistx.com] about it.
Re:shutdown /a (Score:2, Informative)
In WinXP (works for Home or Pro), run "Dcomcnfg", double-click on Component Services, double-click on computer, right-click on My Computer and select Properties. Select the Default Properties tab and uncheck "Enable Distributed COM on this computer".
This'll shut down the subsystem which is vulnerable to the attack in the first place, and give you time to update patches etc. Works even if the virus is currently in place (you'll still need to remove it later).
A friend of mine got nailed with this last night; she's a mother of 3 and knows jack about computers (mind you, I know jack about raising a family, so we're even). No firewall, and she didn't even know there was a "Windows Update" option to upgrade her OS. As much as I don't like "Big Brother" type interference from Microsoft (especially them), it's situations like this which make me think that having them force updates remotely to PCs may not be a bad thing - some people just don't know, and don't want to have to worry about stuff like that.
New version of Blaster is starting to appear (Score:4, Informative)
RPCsdbot.A Information [trendmicro.com]
Ok, (Score:2, Informative)
I got the reboot, I scanned with the program... no virus... Is it possible the 'error' and timer can be from just a random problem?? Or have I got some undetectable variant?
Re:Laptops (Score:3, Informative)
Outside consultants are harder to deal with, really; this is why you use an IDS to see what's happening inside your firewall(s) and reset and shun nastiness. It also helps to stop those programming team security audits (watch a programmer when his port gets turned off for 30 minutes as he tries to portscan a box; they turn so red it's funny). Always get this in corporate documentation, preferably with a set off the IDS, and it's a terminable offence.
Re:Remote Procedure Call (Score:5, Informative)
The only real solution in this case is a good firewall and keeping up with the endless stream of security patches; unfortunately, Microsoft in their infinite wisdom have decided that users can't turn off RPC's network functionality. While turning off services you don't need is good security practice, there are some exploitable services that the system needs and you can't just turn off. RPC falls into this category, and you can't do much besides firewall and patch it.
Holes in what? (Score:3, Informative)
Windows: all-your-base-ar[Rebooting in 60 seconds]
Now go and average that out over a year. Bear in mind that MS-Windows exploits are being reported on a small software set (OS, email client, database, web server, web browser, email client) and Linux exploits are being reported on any of 4000 (Mandrake) - 8000 (Debian) packages, most of which will not be installed on your typical desktop or server. Estimate a percentage installed on each and discount appropriately.
Now assign a severity rating, maybe base=25% remote=50% privesc/root/admin/ring0=25% to each incident and see how they compare.
And so on. No sense comparing an overdecorated Niva with a Land Cruiser and complaining about the mileage, either.
Re:Sad really (Score:3, Informative)
I know that you are a troll, but I can't help it...
Gee. I seem to remember that about a year ago, Microsoft withdrew a patch because it was buggy. This means that even though I formed it as a joke, IT HAS HAPPENED. If it had NOT happened, then you could feel free to tear into me.
It has also been revealed that Micro$ sells their $190 operating system [buy.com], but could sell it for under $50 and still make a profit. They sell it for more because they CAN. The average person has no choice. Microsoft has them by the short hairs. It is called a MONOPOLY (no, not the board game). Look it up. Your best buddy, Billy G., was found to be the head of a convicted monopolist corporation. It just completely sucks that the government let them off easy (at least there is still hope for Europe).
Of course there is also the fact that the cost of Word has skyrocketed since the demise of WordPerfect.
Now, about that Kernel release which corrupts filesystems -- was that an even or an odd release? You do know that the odd ones are to be considered alpha or beta quality, don't you? (hint: this means that the software is NOT guaranteed to be stable).
Also, the number of holes last month for Linux probably includes all of the associated stuff that goes with it: various servers and applications and such. Take the Microsoft number and add in the holes for the web browser, web server, database server, office, and so on. Then, let's talk numbers.
In short, grow a clue or turn your 'puter off.
Re:shutdown /a (Score:5, Informative)
I've never trusted Windows-based firewalls, due to the fact that firewall vendors rely on the hooks that MS provides - if the hooks are not in the right place, the damage can be done before the firewall software sees it at all. In Linux / BSD, the hooks are right there in the kernel, and you can be SURE that they are in the right place, and that there is no path around them (since you can view the source).
I always recommend that Windows users use an external (non-Windows-based) firewall. There are lots of cheap ones out now. I think you can get a SOHO model for under a hundred dollars. Many SOHO "routers" have firewalls built in. Even one of my old DSL modems from 4 years ago had one (although it was really primitive). Zone Alarm is a great second level of defense, as it helps deal with rogue software like some spyware, but I would not rely on it alone to protect you.
Correct method to circumvent the virus (Score:4, Informative)
1. Unplug internet connection
2. Enable Win XP firewall on all valid connections
3. Connect internet connection
4. Download and install the patch from MS
5. Update anti-virus or download and run the removal tool
Good Luck!
Internet 2 Ops letter regarding Blaster traffic (Score:4, Informative)
Abilene Connectors and Participants,
As you're all probably painfully aware by now, a worm exploit of the Microsoft DCOM RPC vulnerability, W32/Blaster, was unleashed on Monday August 11. Details regarding the vulnerability and exploit can be found at the references provided below.
Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the network. We're performing an analysis of Abilene netflow data, and early this afternoon will provide a private communication to sites that are sourcing a large amount of worm traffic.
Recommendations for network border filtering are included in the CERT W32/Blaster advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be defined as input and output - to protect yourselves and to protect from infecting others.
Abilene Connectors, please pass this communication on to your Participants.
References:
Microsoft DCOM RPC:
http://www.cert.org/advisories/CA-2003-16.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN
W32/Blaster:
http://www.cert.org/advisories/CA-2003-20.html
Regards,
XXXX XXXXXXX
Director, REN-ISAC
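As an added example tied to the port list in the "RPC, NetBios etc are a menace" comment and to the letter's netflow analysis (not code from REN-ISAC or from any poster), this Python triage script scores constructed flow records against those ports, reports the worm-port share of all packets, and lists the sources sending the most of it. The record format, the addresses and the packet counts are all made up for the example; the comment gives no protocol for port 1434, so it is matched on both TCP and UDP.

```python
"""Flow-log triage for worm traffic on the ports named in the thread (added example)."""
from collections import defaultdict

# Ports from the thread: NetBIOS/RPC 135-139 (TCP and UDP), SMB 445/tcp,
# RPC over HTTP 593/tcp, MS-SQL 1434 (Slammer). 1434 is matched on both protocols.
WORM_PORTS = {
    "tcp": set(range(135, 140)) | {445, 593, 1434},
    "udp": set(range(135, 140)) | {1434},
}


def parse_flow(line):
    """Parse one constructed 'src dst proto dport packets' record; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, dst, proto, dport, pkts = parts
    try:
        return {"src": src, "dst": dst, "proto": proto.lower(),
                "dport": int(dport), "packets": int(pkts)}
    except ValueError:
        return None


def is_worm_port(rec):
    """True when the flow's destination port/protocol is on the block list."""
    return rec["dport"] in WORM_PORTS.get(rec["proto"], ())


def summarize(lines):
    """Total packets, worm-port packets, their share of all traffic, and per-source counts."""
    total = worm = 0
    per_src = defaultdict(int)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                      # skip junk rather than abort the whole run
        total += rec["packets"]
        if is_worm_port(rec):
            worm += rec["packets"]
            per_src[rec["src"]] += rec["packets"]
    share = worm / total if total else 0.0
    return {"total": total, "worm": worm, "share": share, "per_src": dict(per_src)}


def noisy_sources(summary, min_packets):
    """Sources that sent at least min_packets to worm ports, loudest first."""
    hits = [(s, n) for s, n in summary["per_src"].items() if n >= min_packets]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


SAMPLE_FLOWS = [  # constructed records: "src dst proto dport packets"
    "10.1.1.5 192.0.2.4 tcp 135 40",
    "10.1.1.5 192.0.2.9 tcp 135 35",
    "10.1.1.5 192.0.2.20 tcp 80 3",
    "10.1.1.7 192.0.2.4 udp 1434 10",
    "10.1.2.8 192.0.2.10 tcp 80 900",
    "10.1.2.8 192.0.2.11 tcp 443 100",
    "10.1.3.3 192.0.2.4 udp 137 5",
    "malformed record",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS)
    print(f"worm-port packets: {s['worm']}/{s['total']} ({s['share']:.1%})")
    for src, n in noisy_sources(s, min_packets=10):
        print(f"notify {src}: {n} packets to worm ports")
```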
msblast.exe available... (Score:5, Informative)
Also some cool screenshots of the beast in action here [baxter2.com], and here [baxter2.com]
Actual Removal Instructions: (Score:4, Informative)
1: Enable Internet Connection Firewall (for once, it actually has a use!)
2: Download and install MS03-026
3: Remove the following registry key:
HKey_Local_Machine\SOFTWARE\Microsoft\Windo
4: search for and remove all files beginning with msblast.exe
Turns out aside from DDOS'ing Microsoft, this worm is pretty harmless.
Maryland MVA (Score:2, Informative)
Re:Good timing... (Score:2, Informative)
Re:Auto Update? (Score:3, Informative)
When my machines applied that patch, the very next day they slowed to a crawl. Unusable crawl. Clicking Start & Run would take literally 5 minutes. It turns out that there was an incompatibility between that patch and our antivirus software. It took them a couple of days to figure that out, even though I told them that was the case as soon as we got it.
Anyway, don't automatically install updates. Stay up on the patches, sure. Deploy them in some other way (I use the domain logon scripts) when you're sure they won't screw anything up. Do your testing as quickly as possible.
Re:RPC Exploit, not virus ? (Score:3, Informative)
Win95, 98, 98SE, and ME are all based off of the same codebase. All are unaffected.
WinNT, Win2k, WinXP, and Win2k3 are all based off of the same codebase. All unpatched machines are targets.
Re:Actual Removal Instructions: (Score:4, Informative)
Actually, to be technically accurate, it is the RPC overflow that reboots your computer. The worm on your computer is actually rebooting *other people's computers* every minute.
another way... (Score:2, Informative)
Cmd line tool to scan network for vuln. computers (Score:2, Informative)
http://www.iss.net/support/product_utilities/ms03
Re:shutdown /a (Score:2, Informative)
Then, even though I had followed all the steps to clean it off, including verifying that the registry key was cleared and that msblast.exe was deleted, I was still getting the shutdowns. I'd also like to note that I was able to be online for a while without a crash if I avoided using any MS internet software. Using Opera and Mozilla I was able to stay on long enough to download the updates and cleaner tools.
Re:Honest question (Score:1, Informative)
Of course, I don't use any Micro-shaft garbage like Outlook or useless and dangerous OS services that may open port 135 (or any other Micro-shaft ports). Of course, leaving this security hole open by default is just another example of the total incompetence of Mickeysoft.
Anyway, I just noticed that the COX network has just blocked port 135.
Re:Prophylactic? (Score:3, Informative)
However, it won't stop the worm from affecting your system. This morning I found copy & paste not working right in Mozilla, and Start->Settings->Network and Dial-up Connections just brought up an empty window. But there was no msblast.exe. Apparently I had been hit by the worm, but it wasn't able to use TFTP to copy over and run the code. (FWIW, I had installed the patch but not yet restarted the machine.)
So while that cheesy mkdir will probably prevent the worm from spreading (not a bad goal in itself), it apparently won't prevent the exploit from making your system flaky.
And Zed2K really needs to calm down and stop acting like such a know-it-all.
Re:Wow (Score:3, Informative)
Re:Remote Procedure Call (Score:3, Informative)
IPC is more a problem with multiple solutions than an implementation; RPC, shared memory, BSD sockets, pipe links, and other IPC implementations are used based on what is best for the specific application.