On Monday August 11th 2003, sometime before noon Mountain Daylight Time, the first signs of a new worm propagating through the Internet were detected by various threat monitoring systems (such as Symantec’s Threat Management System). The worm came to be called W32.Blaster and it was propagating via a known vulnerability in various versions of Microsoft Windows. In this entry I will try to explain how this worm works and the effect it had on vulnerable systems and the Internet at large. I will also provide some anecdotal evidence of just how fast and hard this worm hit vulnerable systems. But first I’ll start with some background and basic information. I should also say that I work for Symantec in the Security Response division, but nothing contained in this entry is secret or proprietary and everything can be readily found in the public domain.
Background
The vulnerability was originally found by The Last Stage of Delirium Research Group. I won’t go into much technical detail about the vulnerability except to say that it exists in the RPC (Remote Procedure Call) interface of the Windows DCOM (Distributed Component Object Model) facility. The affected systems are:
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
If you’re running Windows 95/98/Me then you’re safe, well except for the fact that you’re still running a very inferior operating system. But that’s a topic for another entry.
The key point here is that this vulnerability was reported and patched on July 16th, 2003. The first worm to exploit this vulnerability was unleashed on August 11th, 2003. The point I’m making is that consumers had almost a month to heed the warnings of security professionals who pleaded with them to patch their systems. It was not a matter of whether there would be a worm but when we would see it. And all indications are that the W32.Blaster worm was fairly impotent and not particularly malicious; however, there is a real threat we could see a more virulent variant of this worm, or even a brand new one, which won’t let us off the hook so easily. I’ll get off my soap box now, but I ask that everyone please patch their systems and make security an everyday thought in your daily computing routines.
The Worm: How it can infect you
What makes this vulnerability particularly nasty is the fact that any Windows system that is not patched has the vulnerability and is at risk by default. That is to say you don’t have to be running some special software, such as a web server, to be infected. Contrary to other vulnerabilities which require the user to open a malicious email, this vulnerability can be exploited remotely over an Internet connection. So if you’re wondering how you can get infected if you have antivirus software installed and you’re vigilant about never opening emails which contain a suspicious attachment from unknown sources, well, the answer is that you don’t need to take any action at all. Simply by connecting to the Internet and not protecting yourself with a firewall or taking steps to patch your system, you are at risk of being infected. And when a worm is propagating in the wild then most likely your system will be infected.
The exploit begins with an infected computer. That is, the computer has been compromised by the worm because it was not protected or patched. We’ll call this computer the attacking host. The worm will go through some routine to determine which computer it will attack next and then launch an attack against the victim computer or victim host.
Once Blaster has determined which computer it will attack next, the specific exploit is sent to the next potential victim machine in the hope it can be compromised. If the attack fails because the system is patched or protected then it simply moves to the next potential victim. The worm has no way of actively seeking potential victims. It simply uses an algorithm to create a list of IP numbers to attack. An IP number is the unique number which identifies your computer on the Internet. So Blaster will generate this list of IP numbers based on a few criteria, then start attacking them in the hope of infecting another system and starting all over again to spread itself. This is what makes it a worm.
If the attack succeeds then Blaster will execute some simple commands (called shellcode) to set itself up to start all over again. I won’t get into the technical details which can be found in this great document (link to be added) put together by the Symantec threat analyst team.
A few days after the outbreak I took a look at my firewall logs to see what the propagation looked like to my system. My findings were pretty interesting and summarized in the charts below.
The first chart (figure 1) shows hourly statistics for blocked port 135 TCP traffic (remember the worm required access to port 135 to infect a system). In previous days one could see a few events which can be dismissed as background noise. This background noise is likely caused by the odd rogue packet, which is of no concern since the firewall blocked it anyway. Then before noon on August 11th you can see the dramatic rise of blocked events in my firewall logs. This is when the tidal wave known as Blaster hit my system. Then for the next 24 hours you can see a gradual drop off in blocked events until it seems to go back to background noise. One important point here is that after 24 hours or so my ISP decided to shut off port 135 access at their perimeter, which is basically the equivalent of what my firewall did for me, but they’re doing it for thousands of other computers.

Figure 1: Blocked port 135 TCP events by the hour from 1am 10/08 to 12:59am 13/08
Figure 2 shows a minute by minute account of 11:00 to noon on August 11th.

Figure 2: Blocked port 135 TCP events during the hour (11am 11/08)
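As an added illustration of the hourly analysis described above (this is not the author’s own tooling, and the log format is an assumed generic one), the following Python script counts blocked TCP port 135 events per hour from a constructed sample log and flags the hour in which the count jumps well above the earlier background noise:

```python
import re
from collections import Counter

# Constructed sample lines in an assumed generic firewall log format
# (timestamp, action, protocol, source -> destination:port). Not a real log.
SAMPLE_LOG = """\
2003-08-11 09:12:41 BLOCK TCP 10.0.0.5 -> 192.0.2.10:135
2003-08-11 09:30:10 BLOCK TCP 10.0.0.6 -> 192.0.2.10:80
2003-08-11 10:40:02 BLOCK TCP 10.0.1.9 -> 192.0.2.10:135
2003-08-11 10:45:33 BLOCK UDP 10.0.1.2 -> 192.0.2.10:137
2003-08-11 11:02:15 BLOCK TCP 10.0.2.3 -> 192.0.2.10:135
2003-08-11 11:03:08 BLOCK TCP 10.0.2.4 -> 192.0.2.10:135
2003-08-11 11:03:09 ALLOW TCP 10.0.2.4 -> 192.0.2.10:135
2003-08-11 11:07:51 BLOCK TCP 10.0.3.7 -> 192.0.2.10:135
2003-08-11 11:21:44 BLOCK TCP 10.0.4.1 -> 192.0.2.10:135
2003-08-11 11:38:00 BLOCK TCP 10.0.5.2 -> 192.0.2.10:135
2003-08-11 11:59:59 BLOCK TCP 10.0.6.8 -> 192.0.2.10:135
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?P<action>BLOCK|ALLOW) (?P<proto>TCP|UDP) \S+ -> \S+:(?P<dport>\d+)$"
)


def blocked_port_per_hour(log_text, port=135, proto="TCP"):
    """Count BLOCKed attempts to the given proto/port, bucketed by hour."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "BLOCK":
            continue  # unparseable line or traffic the firewall let through
        if m["proto"] != proto or int(m["dport"]) != port:
            continue  # not the RPC/DCOM port the worm needs
        counts[f"{m['day']} {m['hour']}:00"] += 1
    return counts


def find_surge_hours(counts, min_events=5, factor=3.0):
    """Flag hours whose count is at least min_events and at least `factor`
    times the average of all earlier hours (the background-noise baseline)."""
    flagged, seen = [], []
    for hour in sorted(counts):
        n = counts[hour]
        baseline = (sum(seen) / len(seen)) if seen else 1.0
        if n >= min_events and n >= factor * baseline:
            flagged.append(hour)
        seen.append(n)
    return flagged
```

On the sample above the 11:00 hour is the only one flagged, matching the "before noon on August 11th" rise the author saw; tune `min_events` and `factor` to your own baseline.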
The Worm: I think I have it, now what?
Microsoft has assembled a nice page full of information and resources regarding Blaster: http://www.microsoft.com/security/incident/blast.asp. On that page you can find explicit steps on how to remove Blaster from your system and make sure you’re not vulnerable to Blaster or any other similar exploits yet to be released. I’ll summarize here the steps you need to take to clean or secure your system:
- Whether you think your system is infected or not (I discussed some signs of an infected system in the previous section), the first thing you need to do is mitigate the threat to make sure that once you clean up the mess you won’t get infected again. There are several steps to take in this regard:
- Enable a firewall to block all incoming TCP port 135 traffic to your computer. If you don’t know what I’m talking about then refer to the Microsoft page I linked above or your firewall software’s help file. But in most cases if you’re infected then you’re not running a firewall, so there is nothing for you to configure and you might as well go to step two.
- If you don’t have a firewall then go to step two, but don’t try to update via Windows Update. You’re better off trying to download the patch directly to your computer and, as soon as the download is finished, disconnect from the Internet completely and apply the patch. But I’m getting ahead of myself.
- Forget about the fact that the worm is sitting happily on your system and trying to infect other computers. You need to patch your system so you can’t get infected again. What’s the point of cleaning Blaster from your computer if you’ll just be infected again within minutes of cleaning it because you haven’t patched your system?
- If you have configured a firewall as in step 1 to block access to the vulnerability on your system then you can just run Windows Update and apply all the security patches available. You should be doing this once a week anyway so get in the habit.
- If you don’t have a firewall then you need to download the patch directly to your computer and run it from there. For Windows 2000 get the patch here and for Windows XP get it here. Once you’ve downloaded the patch then disconnect from the Internet. You can just unplug your Ethernet cable from the back of the computer if you have a high speed connection.
- Now you’re patched, either from Windows Update or by downloading the patch and applying it manually. Now it’s time to get rid of the worm if your system is infected. Again, you can either do this manually or by using your existing antivirus software.
- To remove the worm automatically, update your antivirus software with the latest virus definitions and do a full scan of your system. That should take care of it.
- To remove the worm semi-manually (my preferred method), visit the Symantec website and get the W32.Blaster removal tool, which will scan your system and remove the worm for you.
- To remove it totally manually you’ll have to dig through your file system and muck around in your registry. If you prefer this method then you’re more hard core than me!
- Now your system is patched and the worm has been removed if you were indeed infected. Life is good again but only until the next time a worm hits and you’ve left yourself unprotected.
Back on the Soap Box
The bottom line is that this worm didn’t need to spread at all. Theoretically, if everyone had applied the patch when it was released then this would all be academic. The reality is that many people don’t consider security an important issue in their day to day computing, and in my opinion that needs to change. Love them or not, I believe Microsoft has done everything they can to make it easy for the average user to be a security conscious user as well. It simply doesn’t get any easier than just running Windows Update once a week. Now some will say that patches have been known to cause problems of their own, but I’ve never known a Windows security patch which caused anything near the grief caused by a virus or worm. Better than running Windows Update once per week, you should configure Windows Automatic Update, which is explained quite nicely on this website.
I hope you found this article useful or at least slightly educational if you’re new to computer security issues. Feel free to leave a comment!
