How is Blaster caught?

  • Thread starter: Martin C.E.
Juergen Nieveler said:
The only way to prevent the shutdown from happening (apart from
stopping the countdown manually) is to apply the patch so that the RPC
service doesn't crash.

That's not true at all. You can easily configure the RPC service so that a
failure simply restarts the service instead of rebooting the system. This
will not keep the RPC service from crashing as the patch will, but it will
certainly keep your machine from issuing a shutdown command when the service
DOES crash.
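The recovery-action change described in the reply above, as an added example (not from the thread and not anyone's posted commands): it uses the sc.exe recovery settings that exist on Windows 2000/XP. Assumed: an Administrator command prompt, and that "RpcSs" is the short service name behind "Remote Procedure Call (RPC)", which it is on those versions.

```batch
@echo off
rem Added example, not from the thread. Run from an Administrator prompt on
rem Windows 2000/XP. "RpcSs" is the service name behind "Remote Procedure Call".

rem 1. Look at what currently happens when RpcSs dies. On XP the stock
rem    answer is "Restart the Computer", which is the 60-second countdown
rem    people in this thread are seeing.
sc qfailure RpcSs

rem 2. Change it: restart the service (after a 60 s delay) on the first,
rem    second and every later failure; reset the failure counter after a
rem    day (86400 s) without failures. Delays are in milliseconds.
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000

rem 3. Confirm the change took.
sc qfailure RpcSs

rem If a countdown is already running (XP), this cancels it:
rem   shutdown -a
```

Caveat a practitioner should keep in mind: this only changes what happens when the exploit misfires and takes the service down (Juergen's 80/20 note further down explains why it misfires on the "wrong" OS). When the guess is right there is no crash at all; the bind shell on 4444/TCP opens and msblast.exe lands, and the recovery setting never comes into play. It is a reboot suppressor, not a defence; the patch, plus blocking 135/TCP at the perimeter, is the fix.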
 
Alex said:
Juergen Nieveler said:
Ian.H said:
It exploits the RPC DCOM process.. and as stated, it catches you!

To be more precise, it works like this:

1) The attacking machine sends a packet to port 135/TCP on the victim's
PC that crashes RPC through a buffer overflow[0] that leads to a
special piece of code being executed on the victim's machine.

2) Said code will open a command shell accessible via port 4444/TCP

3) The attacking PC will send a sequence of commands to the victim:
3.1) Download msblast.exe from $attacker with TFTP and save it in
%systemdir%
3.2) Launch msblast.exe

4) msblast.exe will launch a TFTP server on the victim machine and
start sending exploit packets to random targets.

After that, everything starts over, until the built-in payload
activates itself to flood the MS server.


[0] 80% of the time this packet is designed to take out XP, 20% of the
time Win2k, according to Symantec.

So there is no concern for Windows 98 (SE)?
I saw one reference to w95/98/ME on a Symantec page about Blaster, but I
think this must have been a typo: only NT-based versions of Windows
(NT/2000/XP) have services, so there would be no RPC to exploit.
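The four-step sequence Juergen lays out is also a detection signature: one source hits 135/TCP on a host, comes back to 4444/TCP on the same host, the host then pulls a file from that source over TFTP (UDP/69), and shortly afterwards starts spraying 135/TCP at random addresses itself. The script below, an added example that is not from the thread, runs that logic over a constructed firewall-style connection log. The log format (timestamp, protocol, src:port -> dst:port, flag) and the addresses in it are assumptions made for the example.

```python
"""Spot the Blaster propagation sequence in connection-level logs.

Added example (not from the original thread). The log format below is
constructed for the example: one record per line,
"<date> <time> <TCP|UDP> <src>:<sport> -> <dst>:<dport> <flag>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: 10.0.0.5 exploits 192.168.1.20, which then starts
# hunting for new victims on 135/TCP. 10.0.0.9 only knocks on 135 once.
SAMPLE_LOG = """\
2003-08-12 10:15:01 TCP 10.0.0.5:1041 -> 192.168.1.20:135 SYN
2003-08-12 10:15:02 TCP 10.0.0.5:1042 -> 192.168.1.20:4444 SYN
2003-08-12 10:15:04 UDP 192.168.1.20:1055 -> 10.0.0.5:69 DATA
2003-08-12 10:15:05 TCP 192.168.1.20:1070 -> 192.168.1.21:135 SYN
2003-08-12 10:15:06 TCP 192.168.1.20:1071 -> 192.168.1.22:135 SYN
2003-08-12 10:15:07 TCP 192.168.1.20:1072 -> 192.168.1.23:135 SYN
2003-08-12 10:16:00 TCP 10.0.0.9:2010 -> 192.168.1.20:135 SYN
"""


def parse(log_text):
    """Turn log lines into dicts, oldest first; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_blaster_chains(events, window=timedelta(minutes=5)):
    """Map (attacker, victim) -> stages seen within `window` of the 135 hit.

    Stages follow the thread's description: 135/TCP (exploit), then 4444/TCP
    (bind shell), then the victim pulling the worm back over TFTP (UDP/69).
    Pairs that never get past the 135 hit are dropped: a lone 135 is noise.
    """
    first_hit, chains = {}, {}
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            key = (e["src"], e["dst"])
            first_hit.setdefault(key, e["ts"])
            chains.setdefault(key, ["rpc_135"])
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            key = (e["src"], e["dst"])
            if key in first_hit and e["ts"] - first_hit[key] <= window:
                chains[key].append("shell_4444")
        elif e["proto"] == "UDP" and e["dport"] == 69:
            key = (e["dst"], e["src"])  # TFTP goes victim -> attacker, so swap
            if key in first_hit and e["ts"] - first_hit[key] <= window:
                chains[key].append("tftp_fetch")
    return {k: v for k, v in chains.items() if len(v) >= 2}


def find_scanners(events, min_targets=3, window=timedelta(minutes=1)):
    """Hosts opening 135/TCP to >= min_targets distinct addresses inside `window`.

    That is step 4 of the description: an infected machine spraying random
    targets. Returns {host: distinct targets counted in the triggering window}.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = len(targets)
                break
    return scanners


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for pair, stages in find_blaster_chains(evs).items():
        print("%s -> %s: %s" % (pair[0], pair[1], " / ".join(stages)))
    for host, n in find_scanners(evs).items():
        print("%s is sweeping 135/TCP (%d targets)" % (host, n))
```

The 135 -> 4444 -> 69 chain is specific to the ports this worm chose; other code exploiting the same RPC hole need not use 4444 or TFTP at all, so the second rule (one host sweeping 135/TCP across many addresses) is the more durable signal and also catches the victim before it has finished infecting anyone. Both rules need connection logs that include blocked attempts, which is exactly the case Eds describes: the firewall stopped the download but still saw the knock on 135.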
 
This explains what's happened to me, I think. I kept getting the shutdown
window, though Outpost Firewall was running. I had disabled it briefly that
day, so I thought maybe that's when I got infected, but now I think each
time I was attacked it blocked installation of the worm, but failed to
prevent the RPC crash. I haven't been able to find any sign of the worm on
my computer in any of its known variants. The MS patch has prevented the
crash recurring. I was worried I had an unknown variant on my PC, but
maybe Outpost did part of its job?

Not completely convinced by this, but it's a bit out of my area...

Eds

I'm not necessarily saying that this happened in your case, but there
is a sleazy advertising pop-up that is doing a pretty good job of
mimicking the current 60 sec. warning.

A couple of days ago, I had a couple of pop-ups that initially started
as a small (approx 3cm x 3cm) window. Popped out of the room for a
moment and came back to a full screen, with a warning to save
everything and that I had sixty seconds to do so. It looked pretty much
like XP graphics. I'm not running XP so it aroused my suspicion.
Used the three fingers to close it down. No problems. Checked my
firewall log, which confirmed it was a sleazy pop-up, designed to give
people a heart attack.
http://ad1.zendmedia.com/ad-rpc.php?id=ad50 . This was it, but since
then it has been replaced with an ad warning of the risk of the
latest worm infection. It flashes the original ad on the top right.
-+Anna+-
 
Eds said:
Alex said:

So there is no concern for Windows 98 (SE)?
I saw one reference to w95/98/ME on a Symantec page about Blaster, but I
think this must have been a typo: only NT-based versions of Windows
(NT/2000/XP) have services, so there would be no RPC to exploit.

So does this mean that those OS versions are immune to the exploit
even if the services were added on as an aftermarket enhancement?
 
FromTheRafters said:

So does this mean that those OS versions are immune to the exploit
even if the services were added on as an aftermarket enhancement?
I'm not clear on the details, but it's no enhancement: rather an integral
part of how the OS works. NT is Unix based rather than DOS based, and I
think services are a key part of this. It's how NT manages to survive a
crash: everything is separated into independent modules. Services are
modules that control different aspects of the OS. Though they're
interdependent, they can to a certain extent be turned on and off
independently. If the worm-writer had wanted to affect the DOS based
versions of Windows (s)he would have had to find a comparable component to
exploit - presumably the malformed connection string msblaster uses has no
effect on those OS versions. Anyone know for sure?

Eds
 
close this window using ALT+F4

this is the work of zendmedia for their customer DiscountBOB selling
some AV software

you can use this link to Discount Bob and tell them you just joined the
hate club they started with this sleazy advertising they took out with
ZendMEDIA.

http://www.discountbob.com/contact.php

and spread the word
 
Eds said:
I'm not clear on the details, but it's no enhancement: rather an integral
part of how the OS works. NT is Unix based rather than DOS based, and I
think services are a key part of this. It's how NT manages to survive a
crash: everything is separated into independent modules. Services are
modules that control different aspects of the OS. Though they're
interdependent, they can to a certain extent be turned on and off
independently. If the worm-writer had wanted to affect the DOS based
versions of Windows (s)he would have had to find a comparable component to
exploit - presumably the malformed connection string msblaster uses has no
effect on those OS versions. Anyone know for sure?

Blaster uses CMD.EXE and TFTP so the *worm* won't
work on those OSes that don't have those files. What I'm
not sure about is whether or not the *vulnerability* is able
to be installed on those OSes. There are knowledge base
articles on how to install DCOM RPC services on those
OSes. Most of the "doesn't affect 98 ME" blurbs may be
referring to *default* installations of those OSes and may
be neglecting to further advise.

MS's site says "systems not affected ~ ME" but doesn't
happen to mention why ME is not affected. It would be
just like them to make such a blanket assertion without
looking into the matter.
 
I'm not clear on the details, but it's no enhancement: rather an integral
part of how the OS works. NT is Unix based rather than DOS based,

oh? I thought NT was based on Intel's RMX operating system, the first pmode
OS made by the makers of the pmode memory segment hardware itself. Unix is
based on the Motorola framework - more linear memory model.
 
I wasn't aware of that bolt-on, but then I'm not entirely clear what RPC
*does* anyway <g> If they made the buffer overrun mistake back in NT 4 or
whenever, it seems unlikely they happened to fix it when they made the win98
bolt-on, n'est-ce pas?

As has been pointed out, the bolt-on files for Win98xx (and presumably
WinME) are versioned as per NT (4.0?), suggesting the same hole is
likely. If the RPC add-on was pushed via Windows Update, it may be an
ironic case of patching yourself *into* trouble.

Precedents exist, where MS has seriously underestimated the scope of a
hole because they forgot how they pushed and dribbled functionality
outside of the obvious version lines. Remember the SQL server hole
that turned out to be relevant to many Win9x, thanks to a "lite"
version being bundled with Office's Access post-Jet database engine?

--------------- ----- ---- --- -- - - -
Error Messages Are Your Friends
 
1. Does the patch install on Win 98/ME ?
2. Since Win 98 is no longer supported will there ever be a patch?
3. Have there been any confirmed cases of Win 98/ME infections by the
current worm and its variants?


Art
http://www.epix.net/~artnpeg
 
1. Does the patch install on Win 98/ME ?

Since the patches are made available according to which affected
OS you are wanting it for, how is one to determine if a patch is
installable? I am assuming that Microsoft knows what object module
is affected, and which DCOM RPC/OS pair will install that module.
So, I assume Win9x/ME are not vulnerable, but I don't like the idea
of assuming too much where Microsoft software is concerned.
2. Since Win 98 is no longer supported will there ever be a patch?

I don't think so ~ but it would be nice to know if they are vulnerable
anyway.
3. Have there been any confirmed cases of Win 98/ME infections by the
current worm and its variants?

None that I have heard of, but the worm isn't the issue, the vulnerability is.
I wouldn't expect the worm to find cmd.exe on my Win98 machine.
 
Eds said:
I wasn't aware of that bolt-on, but then I'm not entirely clear what RPC
*does* anyway <g>

It seems to me that DCOM RPC takes the idea that was behind
the use of dynamically linked libraries (multiple programs making
use of the same code in memory so that multiple copies of that
same code need not populate that memory) and extends it into
the network environment.
If they made the buffer overrun mistake back in NT 4 or
whenever, it seems unlikely they happened to fix it when they made the win98
bolt-on, n'est-ce pas?

http://www.microsoft.com/com/dcom/dcom98/relnotes.asp#diff

Who knows, it may have been a separate team working on the
Win98 DCOM project ~ one that knows how to avoid writing
buffer overrun vulnerabilities into their code. ~ Naaa!
 
For once, I wish someone would make an MSBLASTER worm that snoops port 135
for the MSBLAST.exe worm, causing it to shut down and safely removing it.
Just an idea for you white knights out there. I'm just a tech and wish I
could write programs; that's the first program I would write. ciao
 
Jeffrey B. DiPaolo said:
For once, I wish someone would make an MSBLASTER worm that snoops port 135
for the MSBLAST.exe worm, causing it to shut down and safely removing it.
Just an idea for you white knights out there. I'm just a tech and wish I
could write programs; that's the first program I would write. ciao

It's been done. The media is calling it the "Good Worm"

Ironically, it is still illegal to go into your computer even for "GOOD"
intentions.

No, I don't agree with it. You don't want to open up the flood gates for
every Bill, Bob and Carol out there going into your computer/home in the
name of being a good samaritan:

"Oh, I have this new registry cleaner and I thought I would test it on
your machine"

"Oh, I thought you needed help with backup, so I went did it for you!!"

"Oh, don't be pissy! I was just trying to make sure I can watch you
not screw up anything"

"Hey, I heard you were an ARAB. Just want to make sure you got no AL
KAEDA stuff"

"Hey, just in case you press the OPEN attachment key, I installed an ARE
YOU SURE? popup. I hope you don't mind"

Unfortunately, Microsoft now wants to also GO into computers to fix it up
automatically. Once they are allowed to do this, all hell is going to break
loose. You think it's bad now? HA!

I have a great idea. Read this because I think I am going to get a PATENT
on that astonishing idea!

If Billy Gates gives me 1 billion dollars, hell, just 200 million will do
it, I could get a team together to do what?

Fix Windows! <g>

Isn't that a revolutionary idea?
 
I have a great idea. Read this because I think I am going to get a PATENT
on that astonishing idea!

If Billy Gates gives me 1 billion dollars, hell, just 200 million will do
it, I could get a team together to do what?

Fix Windows! <g>

Isn't that a revolutionary idea?

No. But you're naive if you believe Billy will ever do anything but
keep on making matters worse with each new OS release. What's needed
is "neutralizing" software unique to each version of Windows from '95
on up:

1. Network settings would be neutralized suitably for users of single
PCs. Bindings of network adaptors would be to TCP/IP only. No NetBios.
Windows log-on would be set. All ports would wind up closed and all
network services would be disabled. If people want risky services they
should be forced to work at it and enable them themselves. M$ has it
all backwards.

2. Both IE and OE would be eradicated and replaced with sane third
party apps.

However, I doubt there would be much of a market. Customers are just
as insane as M$ :)


Art
http://www.epix.net/~artnpeg
 
Unfortunately, Microsoft now wants to also GO into computers to fix it up
automatically. Once they are allowed to do this, all hell is going to break
loose. You think it's bad now? HA!

The difference is that MS can slip this into the EULA (user license)
and you have no say in the matter. You'd be surprised at some of the
things you agree to when you install that OS. Also note that Service
Packs have EULAs too that can add things. Check out the part about
digital media in the W2K SP4 EULA.

-Chris
 
1. Network settings would be neutralized suitably for users of single
PCs. Bindings of network adaptors would be to TCP/IP only. No NetBios.

Not even that. For example, Blaster, which hit DCOM (which sits on RPC), is
due to RPC binding on the TCP/IP layer. Microsoft could just redesign RPC
DCOM to make it optional so that it doesn't use the TCP/IP RPC protocol
(ncacn_ip_tcp) for local end-user machines. It can use the LOCAL RPC
protocol (ncalrpc).

Also, the backbone and ISPs can do wonders for us. Just turn off these
ports just like they do for SMTP, POP3, etc when they try to stop end-users
from being servers unless they pay extra $$$.
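A check for the two points made above (Art's "all ports would wind up closed" and the ncacn_ip_tcp versus ncalrpc distinction): the script below is an added example, not from the thread, that parses `netstat -an` output from a Windows 2000/XP box and lists the ports this thread is about when they are bound to something other than loopback, i.e. reachable from the network. The netstat text embedded in it is a constructed sample in that version's column layout; on a real machine you would paste the command's actual output in its place. The port-to-reason table is the example's own.

```python
"""Flag network-exposed listeners on a Windows host from `netstat -an` output.

Added example (not from the thread). The netstat text below is a constructed
sample in the Windows 2000/XP `netstat -an` layout; on a real machine you
would paste the command's actual output in its place.
"""
import re

# Ports the thread is about, and why each matters. 135/TCP is the RPC endpoint
# mapper that DCOM exposes over ncacn_ip_tcp; 4444/TCP and 69/UDP are what a
# Blaster-style compromise leaves behind (bind shell, then TFTP server).
RISKY = {
    ("TCP", 135): "RPC endpoint mapper / DCOM over ncacn_ip_tcp (MS03-026 attack surface)",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB direct hosting",
    ("TCP", 4444): "bind shell left by the RPC exploit",
    ("UDP", 69): "TFTP server (msblast.exe serves copies of itself this way)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
}

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:4444      0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1070      192.168.1.21:135       SYN_SENT
  UDP    0.0.0.0:69             *:*
  UDP    192.168.1.20:137       *:*
"""


def parse_netstat(text):
    """Return (proto, local_addr, port) for TCP listeners and all UDP sockets."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound/established connections are not exposure
        sockets.append((proto, addr, int(port)))
    return sockets


def exposed_listeners(sockets):
    """Risky ports bound to something other than loopback, i.e. reachable
    from the network. A 127.x binding is the local-only case the closing
    post argues DCOM should default to (ncalrpc rather than ncacn_ip_tcp)."""
    findings = []
    for proto, addr, port in sockets:
        if addr.startswith("127."):
            continue
        why = RISKY.get((proto, port))
        if why:
            findings.append((proto, addr, port, why))
    return sorted(findings, key=lambda f: (f[0], f[2]))


if __name__ == "__main__":
    for proto, addr, port, why in exposed_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print("%s %s:%d  %s" % (proto, addr, port, why))
```

Two readings of the output matter. 135, 139, 445 and 137 on a non-loopback address are the normal, shipped-that-way exposure Art is complaining about; on a single, unpatched PC they are reachable by anything that can route a packet to it. 4444/TCP listening or a TFTP server on UDP/69 are not normal on a workstation at all and, in this thread's context, mean the exploit already landed. On XP, `netstat -ano` adds the owning PID so the listener can be traced to its process.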
 