Worm Exploits RPC Flaw in Windows

 
 
By Dennis Fisher  |  Posted 2003-08-11
 
 
 
A worm that exploits the recently discovered RPC DCOM vulnerability in Windows began spreading rapidly on the Internet Monday afternoon. The worm is targeting TCP port 135 and is causing some large spikes in traffic, but has yet to cause any real latency or network outages, experts said.

The name of the binary containing the worm is "msblast.exe," and it is packed with the UPX compression utility. It is self-extracting and is 11KB once it is unpacked, according to information posted on the Dshield.org site run by the SANS Institute. Once the worm locates a vulnerable machine, it spawns a shell on TCP port 4444 and uses that to download the worm itself through TFTP.

SANS preliminary analysis of the worm, including a list of some of the TFTP servers the worm downloads from, is available here.

Once the worm is resident on a machine, it immediately begins scanning the Internet for other vulnerable targets. One post on a security mailing list said the worm begins scanning at IP address 192.168.0.1. It also dumps a key in the registry to start itself after a reboot.

A text string in the worms code reads: "I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!"

Experts who have seen copies of the worm say it works on some versions Windows 2000 and XP and that they are trying to confirm its effectiveness on other versions.

"Weve gotten a bunch of different confirmations of this worm, and weve talked to network operators who say theyve seen customer machines going up and down," said Dan Ingevaldson, engineering manager for the X-Force research team at Internet Security Systems Inc. in Atlanta. "This looks like the first attempt at automatically exploiting the DCOM problem."

Ingevaldson added that ISS has seen a 10-fold increase this afternoon in the number of scans of port 135 on the machines the company monitors for its managed security clients.

ISS officials also said that the new worm is programmed to launch a denial-of-service attack against the Windows Update Web site on the 16th of each month. Windows Update is an automated service through which Microsoft customers can automatically retrueve security patches and other software updates. A successful DoS attack against the site would not prevent users from accessing patches, however, as those files can still be downloaded manually from other Microsoft sites. Each instance of the MS Blast worm, as its being called, attacks either Windows 2000 or Windows XP machines, not both. Twenty percent of the instances will attack Windows 2000 and 80 percent will look for Windows XP boxes, ISS said.

The flaw that the worm exploits is found in a portion of the Remote Procedure Call (RPC) protocol that handles message exchanges over TCP/IP. The vulnerability, which arises because of incorrect handling of error messages, affects a particular Distributed Component Object Model interface with RPC and is found in every current version of Windows.

The best way to avoid the worm is to patch Windows. Microsoft Corp., of Redmond, Wash., issued in July a patch for the vulnerability, which exists in NT 4.0, 2000, XP and Windows Server 2003.

Rocket Fuel