Win32 Blaster Worm is on the Rise 1251

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.
  • Good timing... (Score:3, Interesting)

    by tbase ( 666607 ) on Tuesday August 12, 2003 @10:07AM (#6674776)
    Someone in my office just gave me a screen shot of a shutdown timer on their computer at home. Anyone used the removal tool yet and had any luck with it?
  • Re:Good timing... (Score:5, Interesting)

    by brejc8 ( 223089 ) * on Tuesday August 12, 2003 @10:11AM (#6674846) Homepage Journal
    The removal tool takes several minutes to run.
    Just apply the exact patch and remove the msblast.exe from your windows/system32 directory.
    Then run the tool afterwards to ensure it has gone.
    The exact patch needed is here:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
  • Re:Honest question (Score:2, Interesting)

    by CaptainBaz ( 621098 ) on Tuesday August 12, 2003 @10:16AM (#6674910) Homepage Journal
    Because our proxy blocks .exe downloads. Yes, even from windowsupdate. No, really...
  • Re:shutdown /a (Score:4, Interesting)

    by TedCheshireAcad ( 311748 ) <ted@fUMLAUTc.rit.edu minus punct> on Tuesday August 12, 2003 @10:17AM (#6674914) Homepage
    How creepy. I was setting up a relative's DSL modem yesterday, when I saw that the RPC service was shutting down the machine. Thought it was just Windows XP being retarded, but I guess it's time for a new visit.

    The box hadn't been on the internet for more than 15 minutes.
  • Re:Honest question (Score:2, Interesting)

    by Overly Critical Guy ( 663429 ) on Tuesday August 12, 2003 @10:25AM (#6674996)
    Because Windows bugs you to turn on Automatic Updates. You specifically have to tell it that you don't want it on. Had it been turned on, those ignorant people would still have been patched. Every action has a consequence, and this is one.
  • Comment removed (Score:2, Interesting)

    by account_deleted ( 4530225 ) on Tuesday August 12, 2003 @10:29AM (#6675042)
    Comment removed based on user account deletion
  • Another quick fix (Score:2, Interesting)

    by x.Draino.x ( 693782 ) on Tuesday August 12, 2003 @10:34AM (#6675082)
    Another quick fix if you don't have enough time to apply the patch before shutdown. Go into Administrative Tools, Services, find the RPC service. It gives you options of what to do if it unexpectedly dies. By default, it is set to shut down after 60 seconds. You can change this to "Do nothing". Make sure you set it for the 1st, 2nd, and 3rd warning. So basically now it will die, but it will go unnoticed.
  • by FunWithHeadlines ( 644929 ) on Tuesday August 12, 2003 @10:42AM (#6675180) Homepage
    I heard about this latest virus scare on the radio, and I noticed it was called a "Windows virus" this time, and not the usual "computer virus." It seems even non-techies are finally catching on that these are Windows problems being exploited, and if you run non-Windows machines you are unaffected.

    Yes, yes, I know, this is /. and we all know this. My point is that the mainstream press is starting to make the distinction now.

  • Re:shutdown /a (Score:5, Interesting)

    by Jugalator ( 259273 ) on Tuesday August 12, 2003 @10:43AM (#6675186) Journal
    Home users, maybe but businesses????

    The largest ISP in Sweden, Telia, had 40 servers collapse from this virus and in effect prevented 16,000 users from logging on to their ADSL service. That gives you a great deal of confidence in an ISP, right? ;-)
  • by Krafty Koder ( 697396 ) on Tuesday August 12, 2003 @10:43AM (#6675187)
    thanks to this worm, i've noticed a dramatic decrease in the amount of spam i'm getting - roughly 150 to 200 per day is trapped by my spamassassin install. Today, only around 10 spams.
  • by Anonymous Coward on Tuesday August 12, 2003 @10:52AM (#6675284)
    Won't print the payload, but it's an RPC call so what is the point?

    --
    iptables -I inetin 3 -i ppp0 -p tcp --dport 135 -j DROP
    iptables -I inetin 4 -i ppp0 -p tcp --dport 139 -j DROP
    iptables -I inetin 5 -i ppp0 -p tcp --dport 445 -j DROP
    --

    where inetin is your incoming rule chain, 3 is the position to insert it, ppp0 is your Internet facing interface.

    Then zero your chain counters

    --
    iptables -Z inetin
    --

    And then watch them go up using

    --
    iptables -L inetin -v
    --

    P.S. It's not really a good idea to cut and paste, then compile and execute as root, code from a Slashdot post, unless you understand exactly what it is doing.
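The post above drops inbound TCP 135/139/445 on the Internet-facing interface and then watches the chain counters climb. An added example, not part of the post: if a `-j LOG` rule is placed in front of those DROP rules (an assumption; the post itself only uses DROP), the kernel log then shows every probe, and a small parser can count probes per source and flag hosts sweeping the RPC ports. The log lines below are constructed in the style of iptables' LOG target output; nothing here was captured from a real gateway.

```python
import re
from collections import defaultdict

# Ports the post blocks at the border: MS-RPC endpoint mapper (135),
# NetBIOS session (139) and SMB over TCP (445).
WATCHED_PORTS = {135, 139, 445}

# Constructed sample lines in the style of iptables' LOG target output
# (assumed format; not captured from a real gateway).
SAMPLE_LOG = """\
Aug 12 10:52:01 gw kernel: INETIN: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=1120 DPT=135 SYN
Aug 12 10:52:01 gw kernel: INETIN: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=1121 DPT=135 SYN
Aug 12 10:52:03 gw kernel: INETIN: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=1122 DPT=445 SYN
Aug 12 10:52:05 gw kernel: INETIN: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=80 SYN
Aug 12 10:52:09 gw kernel: INETIN: IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=3011 DPT=139 SYN
Aug 12 10:52:10 gw kernel: INETIN: IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=UDP SPT=3012 DPT=137
"""

# KEY=VALUE pairs; an empty value (e.g. "OUT=") is allowed.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def count_rpc_probes(log_text):
    """Count TCP connection attempts per source address to the watched ports.

    Returns {src_ip: {dport: count}}; UDP traffic and other ports are ignored.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields.get("PROTO") != "TCP" or "SRC" not in fields:
            continue
        try:
            dport = int(fields.get("DPT", ""))
        except ValueError:
            continue  # malformed or missing DPT; skip the line
        if dport in WATCHED_PORTS:
            counts[fields["SRC"]][dport] += 1
    return {src: dict(ports) for src, ports in counts.items()}


def flag_scanners(counts, threshold=2):
    """Sources with at least `threshold` probes in total, busiest first."""
    scored = [(src, sum(ports.values())) for src, ports in counts.items()]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return [src for src, total in scored if total >= threshold]


if __name__ == "__main__":
    probes = count_rpc_probes(SAMPLE_LOG)
    for src, ports in probes.items():
        print(src, ports)
    print("suspected scanners:", flag_scanners(probes))
```

On a real gateway the input would be the kernel log (or `journalctl -k`) rather than the embedded string; the threshold is deliberately low because a single SYN to 135 from a stranger is already noteworthy on a home link.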
  • Re:shutdown /a (Score:4, Interesting)

    by MSG ( 12810 ) on Tuesday August 12, 2003 @10:56AM (#6675317)
    You can also turn on the firewall in Windows XP and download the patches. That's what I did on my girlfriend's PC.

    Funny thing is I had her computer about a month ago, and I applied all of the available patches, followed the HOWTO's I could find on shutting off services to secure XP, and turned on the personal firewall on her dialup connection, and she *still* got hit. I guess RPC isn't in the list of services that you should disable... What freaks me out is that something turned off that firewall, though. I have no idea what. Does anyone know of any common Windows software that turns off XP's firewall?
  • by unfortunateson ( 527551 ) on Tuesday August 12, 2003 @11:00AM (#6675375) Journal
    Yeah, it's stupid, but there's a lot of machines that won't get patched:
    • Dialup -- those patches are big
    • FUD about Windows Update watching your machine for bootleg licenses
    • but most of all, warnings from folks such as Brian Livingston [briansbuzz.com] and Woody Leonhard about flawed patches prompt folks like me to delay installation of just about any patch for at least a week, to see if they'll patch the patches.

    Now, I didn't get hit -- between the firewall, ZoneAlarm and the patches, I think I'm Ok.
  • Honest answer (Score:5, Interesting)

    by djembe2k ( 604598 ) on Tuesday August 12, 2003 @11:02AM (#6675401)
    OK, maybe I'm not really who you are aiming this question at, but probably those folks aren't going to answer, or give the serious and honest answer you're looking for, so I'm what you are going to get.

    I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.

    My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.

    Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.

    We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.

    When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.

    At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.

    So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.

    Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.

    And we're lucky. All our boxes are at one location. I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.

    The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequate test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.

  • the best part.... (Score:2, Interesting)

    by rokzy ( 687636 ) on Tuesday August 12, 2003 @11:05AM (#6675432)
    BBC: Hidden inside the worm are two messages. One taunts Microsoft chairman Bill Gates and reads: "billy gates why do you make this possible? Stop making money and fix your software!"

    why is this message "hidden"?
    why not have the worm install a desktop wallpaper saying this? and a picture humiliating him in some way?
  • by cybercuzco ( 100904 ) on Tuesday August 12, 2003 @11:07AM (#6675461) Homepage Journal
    Actually Symantec says that the virus will also DDoS the Windows Update server if it's August OR after the 15th of the month. So since it's August, it's probably much more intense than a usual slashdotting considering the amount of people with this virus.
  • Automatic updates (Score:2, Interesting)

    by RonnyJ ( 651856 ) on Tuesday August 12, 2003 @11:08AM (#6675472)
    One of the first things I disable in Windows is 'automatic updates', and a lot of people think it's intrusive and won't use this feature. However, the patch for this exploit has been out for a month, and yet thousands of users are getting affected by this, me included. If people did allow Windows to automatically update, or even took the time to update it themselves, this problem wouldn't have been nearly as bad. Having said that, who here trusts Microsoft?
  • by WNight ( 23683 ) on Tuesday August 12, 2003 @11:08AM (#6675475) Homepage
    That's the legacy of MS policies like "DOS ain't done till Lotus don't run!"

    You just know you'll let auto-update run and one day it'll "disable" your MP3s because WMV offer so much more security, or something similar.
  • anti-virus virus (Score:3, Interesting)

    by dtfinch ( 661405 ) * on Tuesday August 12, 2003 @11:12AM (#6675531) Journal
    Perhaps this is one of those extremely rare occasions where an anti-virus virus should be released. Windows users all agree to an EULA that says Microsoft has the right to install updates on their computer. If anyone has the legal right to create and release one, it's Microsoft. As that guy mentioned, it may be hard for many people to download the patches on their own because of reboots.

    There are some legal issues associated with portscanning though.
  • by pubjames ( 468013 ) on Tuesday August 12, 2003 @11:15AM (#6675555)
    There was a trial about ten years ago. A retired policeman went on holiday and whilst he was away his money was taken from his Halifax account via an ATM. Halifax took him to court because they said that their security was infallible and the man must have given his ATM card to someone to extract money whilst he was on holiday to defraud the Halifax. The man lost.

    I actually met the person who was an expert witness on the trial for the defence. He was a specialist in IT security for banks and a good man, but he said it was impossible to get the jury to understand the complexities involved in ATM security. He was as you can imagine very sad that the man he was defending had lost.

    I can't find anything on Google about it. It must have been 1992 or '93 I guess.
  • by menscher ( 597856 ) <menscher+slashdot@u i u c . e du> on Tuesday August 12, 2003 @11:15AM (#6675557) Homepage Journal
    Micro$haft says: [microsoft.com]

    Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.

    Well, we patched what we could, and moved most critical services to Linux, but there's still one or two machines running NT. And it's only a matter of time before some luser slips a copy of this worm past our firewall....

    Considering the amount of infrastructure that depends on NT4, doesn't this intentionally put the US at greater-than-necessary risk? It'd be fun to see M$ tried under the new anti-terrorism laws.....

  • Prophylactic? (Score:3, Interesting)

    by b1t r0t ( 216468 ) on Tuesday August 12, 2003 @11:17AM (#6675580)
    Does anyone know if a simple:

    mkdir \winnt\system32\msblast.exe

    would prevent the worm from copying itself to your system?

  • Re:Precisely (Score:4, Interesting)

    by zoombat ( 513570 ) on Tuesday August 12, 2003 @11:20AM (#6675617)
    I can't think of any reason why someone shouldn't be doing the same to their Windows network

    Your point is certainly valid, but what makes this particular problem frustrating is not that it was a widely publicized hole, but that Microsoft's tools (e.g. Windows Update) for checking patch status are wholly inadequate. There has been a fair amount of discussion [ntbugtraq.com] on NTBugTraq on this point leading up to the worm discovery.

    Also, 30 days to test and implement a patch on mission-critical production systems is sometimes more difficult than it seems like it should be.

  • Re:Honest question (Score:3, Interesting)

    by jafuser ( 112236 ) on Tuesday August 12, 2003 @11:27AM (#6675703)
    I honestly begin to wonder if security is deliberately kept as a minimal concern with Windows so that people who own versions of the operating system that have fallen out of support are *forced* to upgrade.

    What recourse does a person running an older version of windows have if their "obsolete" operating system becomes completely unusable due to prominent exploits?

    This could be especially problematic if you are depending on some really complicated applications which will not run on the newer operating systems.
  • by The Raven ( 30575 ) * on Tuesday August 12, 2003 @11:40AM (#6675854) Homepage
    yesterday, regarding the worm. I was amazed how fast this virus spread... no other virus has created such a quick increase in call volume for us.

    Of course, I work at an ISP... so when their Internet flakes out, we're the first thing they call. This is one of the first viruses I've seen that seems to deliberately crash your Internet connection, so rather than calling days or weeks later with some minor odd behavior, they called right away because their net was down.

    I'm curious what will happen in a day when the timed DDOS goes off.
  • Re:shutdown /a (Score:2, Interesting)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Tuesday August 12, 2003 @11:48AM (#6675956)
    Uh... why didn't he just unplug the net cable and install the patches?

    Bravo!! I was waiting for this to come up in an interesting context, and this worm illustrates the problem perfectly.

    The reason you can no longer unplug the network cable and install patches for Microsoft products is because Microsoft (and other companies) want you to be constantly connected to the Internet. This way your computer can constantly exchange digital rights and other background data. And since everyone is running those pretty little web based installers, you have little knowledge of what's really being transferred to and from your computer.

    I run UNIX servers; when I need to install patches, I simply download them from another computer and burn them to a CD. My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

    Just wait for the chaos that will happen when we go back to centralized computing; you won't even be able to use your word processor without a network connection. And then when networks fail, nobody will be able to do any work.

    Wait a couple years and then laugh ;)
  • Re:Echoes (Score:3, Interesting)

    by AbbyNormal ( 216235 ) on Tuesday August 12, 2003 @11:49AM (#6675964) Homepage
    Isn't this a little like your electric company reminding you not to make toast while taking a bath?

    It ain't their job... it's just common sense.
  • by bushboy ( 112290 ) <lttc@lefthandedmonkeys.org> on Tuesday August 12, 2003 @11:57AM (#6676067) Homepage
    ISPs should by default install firewall services for all their clients, whether it be a software firewall or a hardware one.

    It should form part of the monthly cost and be mandatory.

    That will sort out most of the home/soho users.

    Big business should know better and already have a firewall solution in place.
  • Re:Honest question (Score:3, Interesting)

    by Anonymous Coward on Tuesday August 12, 2003 @11:59AM (#6676093)
    Anonymous for obvious reasons.

    Until the end of last week, every machine at my work except my own, and those of two others in my group, was vulnerable (tested using the eEye scanner - nice tool BTW.) Everything else, including the crappy Exchange server, our sales lead database, the NOC helpdesk database and several other useless Windows servers, and of course all the desktops and road warriors' laptops were vulnerable. I kicked up shit over it, but the tech. dept (I'm a security consultant... the employer is a managed services security corporation...) didn't seem to grasp any idea of the urgency of the problem.

    Eventually I got into trouble. My boss asked me what I was working on - I told him & added "oh, and the other non-chargeable stuff of course." "_what_ non-chargeable stuff?" "Well, for starters I'm trying to make sure we get patched against the gaping DCOM hole." (blank look, brief explanation of the problem.) "That's someone else's problem, you're not paid to worry about things like that!" I gave him a printout of the eEye tool's report, showing "VULNERABLE -VULNERABLE -VULNERABLE" all down the list. I pulled up a command prompt on the mail server. He got it. The next morning I got a call from tech asking for help with the fix, what was the problem, best fix for it, etc etc. The boss had passed the list on to tech.

    Now, I have a sudden unexpected "review meeting" scheduled with the BIG boss. Guess what's going to happen? I'm going to get a strip torn off me for (a)noticing, (b) caring and (c) doing something about this enormous problem which could conceivably have wiped out the company. Bitter? However did you get _that_ idea?

    I fuckin' HATE corporate politics. But most people just seem to go along with it as a necessary evil, and politics dictates that if you see the tech department screwing up, you LET THEM, so that your boss and their boss can score points off them in the grand willy-waving competition that passes for normal life in such places.

    This is a security company - and I've done something wrong.
    *sigh* sometimes I despair for humanity.

  • Microsoft DoSed (Score:2, Interesting)

    by ravenlock ( 693538 ) on Tuesday August 12, 2003 @12:14PM (#6676282)

    Seems to have done something though. I'm on a 512/512 dsl line and it took microsoft.com a full minute and then some to respond. The actual page load was fast enough though, so I'm guessing it's the connection limit. Only guessing though. It's hard to tell if it's the worm or the people desperately trying to get the patch, but the end result is pretty much the same.


    ... Isn't it funny that users don't patch when there's a threat that could wipe hard drives clean, but when something interrupts their daily pr0n wank with a reboot they rush at Mach 3 speed to get the fix?

  • by p00ya ( 579445 ) on Tuesday August 12, 2003 @12:23PM (#6676364) Homepage
    How many of those Linux holes were in the core operating system (i.e. kernel + GNU tools)? I'm willing to bet zero.
    I seem to be doing quite well with all the boxes I can still root using the ptrace kernel exploit. That's one ;)
  • by eggarsuit ( 691218 ) on Tuesday August 12, 2003 @01:33PM (#6677252) Homepage
    to be "SAN"? I can't think of a worse way to tell someone that you love them. Whatever happened to sending flowers?

    Which makes me wonder if this was the only way for the writer to contact SAN. Perhaps she had moved to another country or disconnected her phone and the only thing Jackass McWormerson could think of was communicating through a computer virus.

  • by kenp2002 ( 545495 ) on Tuesday August 12, 2003 @01:52PM (#6677457) Homepage Journal
    I have about 1000+ locations that are having trouble opening Excel documents and can no longer disconnect from the internet. Also in iNotes and Outlook they cannot OPEN individual emails (this is intermittent). Could these also be related to Blaster or are we looking at a different virus?
  • by Brian Stretch ( 5304 ) * on Tuesday August 12, 2003 @02:52PM (#6678123)
    as of late last night, which is when the large number of port 135 hits to my Linux server abruptly stopped. Good for Comcast!
  • Re:shutdown /a (Score:2, Interesting)

    by CMECC ( 610349 ) on Tuesday August 12, 2003 @04:00PM (#6678841)
    According to what I read, there was a preparatory worm a few weeks ago which went basically undetected, since its payload did no drastic harm except opening ports. Those newly opened ports allowed otherwise patched PCs to be affected by msblast.exe.
  • by Nintendork ( 411169 ) on Tuesday August 12, 2003 @04:12PM (#6678945) Homepage
    We can't make sure that all our home users with VPN access have a firewall. They get infected, VPN in, and infect the intranet.

    -Lucas

  • Re:Laptops (Score:3, Interesting)

    by raju1kabir ( 251972 ) on Tuesday August 12, 2003 @04:34PM (#6679281) Homepage
    He connects it to his docking station in the office effectively bringing the problem behind the firewall.

    That's one reason why desktop computers inside the office should be segmented into groups as small as practical. Put them in little subnets and don't route between them. Printers and servers should be on separate subnets that do get routed. This way people can only contaminate their own little workgroup; everything else moves through centralized servers where you do aggressive virus scanning. There's no reason in an office environment for one desktop to talk directly with another.

    This wouldn't stop a worm that messed with the subnet mask but I'm not aware of any that do.
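The post above argues for putting desktops into small, unrouted subnets with servers on a separately routed subnet so that an infected laptop docked behind the firewall can only reach its own workgroup. An added example, not from the post or any real network, that models exactly that policy with a constructed layout and compares the set of hosts one infected desktop can reach under segmentation against a flat network. It models routing reachability only, not the worm itself, and the subnets, host names and addresses are invented for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    addr: ipaddress.IPv4Address
    role: str  # "desktop" or "server"


# Constructed layout (hypothetical): two small desktop subnets that are not
# routed to each other, plus one server subnet that is routed to everyone.
DESKTOP_SUBNETS = [
    ipaddress.ip_network("10.0.1.0/27"),
    ipaddress.ip_network("10.0.1.32/27"),
]
SERVER_SUBNET = ipaddress.ip_network("10.0.100.0/24")

HOSTS = [
    Host("pc-a1", ipaddress.ip_address("10.0.1.5"), "desktop"),
    Host("pc-a2", ipaddress.ip_address("10.0.1.6"), "desktop"),
    Host("pc-b1", ipaddress.ip_address("10.0.1.40"), "desktop"),
    Host("pc-b2", ipaddress.ip_address("10.0.1.41"), "desktop"),
    Host("fileserver", ipaddress.ip_address("10.0.100.10"), "server"),
]


def subnet_of(addr):
    """Return the configured subnet containing addr, or None if unknown."""
    for net in DESKTOP_SUBNETS + [SERVER_SUBNET]:
        if addr in net:
            return net
    return None


def is_reachable(src, dst):
    """Apply the post's policy: hosts in the same subnet talk directly,
    desktop subnets are not routed to one another, and the server subnet
    is routed to (and from) every desktop subnet."""
    if src is dst:
        return False
    s_net, d_net = subnet_of(src.addr), subnet_of(dst.addr)
    if s_net is None or d_net is None:
        return False  # unplanned address: nothing routes it
    if s_net == d_net:
        return True
    return SERVER_SUBNET in (s_net, d_net)


def blast_radius(infected, hosts):
    """Names of hosts an infected machine can reach under the segmented policy."""
    return sorted(h.name for h in hosts if is_reachable(infected, h))


def flat_blast_radius(infected, hosts):
    """The same question on a single flat subnet with no segmentation."""
    return sorted(h.name for h in hosts if h is not infected)


if __name__ == "__main__":
    laptop = HOSTS[0]  # the docked, already-infected desktop in the scenario
    print("segmented:", blast_radius(laptop, HOSTS))
    print("flat:     ", flat_blast_radius(laptop, HOSTS))
```

The server subnet still sees every desktop, which is why the post pairs segmentation with aggressive scanning on the centralized servers; the policy shrinks the desktop-to-desktop path, it does not remove the server-side exposure.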

  • by metamatic ( 202216 ) on Tuesday August 12, 2003 @05:32PM (#6679969) Homepage Journal
    I think Microsoft should be required to put a notice on the box, saying "Using Windows XP for Internet access requires a broadband connection". If you've got dialup, there's just no way you're going to be downloading those 50MB service packs, and if you're not downloading them, you're a menace to the rest of the net.

    (Or at least, the rest of the net that's dumb enough to run Windows.)
  • Re:Laptops (Score:3, Interesting)

    by surprise_audit ( 575743 ) on Tuesday August 12, 2003 @06:55PM (#6680649)
    This wouldn't stop a worm that messed with the subnet mask but I'm not aware of any that do.

    You know, I often wonder how many hackers, virus writers, terrorists, etc read forums like this looking for ideas... It's kinda like a company issuing V1.0 of a piece of software, then using customer feedback to design the new features for V2.0.

  • by NeuroManson ( 214835 ) on Tuesday August 12, 2003 @07:25PM (#6680858) Homepage
    I found out about the worm on Monday, approximately 2PM PST. Did not hear any news regarding this on any of the big TV networks UNTIL 6AM (PST) the following morning.

    Rather than simply just users being clueless, there's a large number of users being kept clueless by the news media. Assuming that 100,000 users would catch an early (e.g. 2-3 hours after worm insertion) report on CNN, for example, then you would have at least 75,000-90,000 who could have patched their systems.

    But instead, the worm was given close to 20 hours to spread amongst that 100,000 users, who, not being average readers of Slashdot or what have you, never patched their systems, even up til now.

    Hell, according to a friend who works within the bowels of IBM, their R&D departments and related servers caught the worm, and everyone's scrambling like mad to fix it.

    So who, other than Microsoft (who did put a patch for just such an exploit) is to blame?

    (1) The author of the worm, naturally.

    (2) The news media, for failing to bring this to the public's attention (yeah, covering Arnold Schwarzenegger's political relevance is SO much more important than keeping people in the other 49 states informed)

    (3) Windows users, who, despite the patch being available for a month, and the security warnings for longer, still refused to install the necessary patches.

    (4) The usual braying "Hurh hurh, Windoze users are dummies!" Linux zealots. Preferring to bask in their self proscribed superiority, rather than work to change the philosophy (*) that led to the worm's creation (it takes a philosophy to justify any sociopathic behavior).

    *To use the tired car analogy, if one doesn't like Ford vehicles, does that give them the right to run around slashing the tires of, or cutting the brake lines of every Ford they see on the street (in hopes that Ford will be driven out of business for faulty brake lines)? And yet, that is what the worm and virus authors want to do. It ain't about improving Windows or changing the laws, it's about trying to topple Microsoft and ruining as many of their users' computers as possible.
