The MS Blaster worm - PowerPoint PPT Presentation

Slides: 14
Provided by: zhiwen
Learn more at: http://www.cs.sjsu.edu
Transcript and Presenter's Notes

1
The MS Blaster worm
  • Presented by Zhi-Wen Ouyang

2
Outline
  • General Overview
  • The DCOM RPC Vulnerability
  • How it spreads
  • Other attacks
  • Flaws of MS Blaster
  • A Variant of MS Blaster
  • Removing Instructions
  • Conclusion

3
General Overview
  • Also known as Lovsan, Poza, Blaster.
  • First detected on August 11, 2003
  • Exploits the most widespread Windows flaw ever
  • A vulnerability in the Distributed Component Object
    Model (DCOM) interface, which handles communication
    over the Remote Procedure Call (RPC) protocol
  • Affects Windows 2000 and Windows XP
  • Two messages in the code
  • 1. I just want to say LOVE YOU SAN!
  • 2. billy gates why do you make this
    possible? Stop making money and fix your
    software!!
  • Infected more than 100,000 computers in 24 hours

4
The DCOM RPC Vulnerability
  • Detected in mid-July 2003
  • The RPC protocol allows a program to run code on a
    remote machine
  • Malformed messages are handled incorrectly on RPC
    ports 135, 139, 445 and 593
  • Attackers send a specially crafted message to the
    remote host
  • Gain local privileges, run malicious code

5
How it spreads
  • Checks if the computer is already infected
  • Adds the registry value
    "windows auto update" = "msblast.exe" to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • 60% of the time, generates an IP address at random
  • 40% of the time, generates IP addresses of the
    form A.B.C.0
  • Increments the last octet by 1 each time
  • Uses Cmd.exe to create a hidden shell that listens
    on TCP port 4444

6
How it spreads (cont)
  • Sends data to TCP port 135
  • Sends two types of data
  • 1. data that exploits Windows XP
  • 2. data that exploits Windows 2000
  • Listens on UDP port 69 (TFTP), sends msblast.exe to
    the newly infected computer and executes it there
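As an added defender-side example (not part of the original slides), the following Python flags the three-stage pattern described on slides 5 and 6 in constructed firewall log lines: a sequential TCP/135 sweep across one /24 (the A.B.C.0 pattern), the TCP/4444 shell, and the UDP/69 (TFTP) pull of msblast.exe. The log format, the sample lines and the sweep threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original slides).
SAMPLE_LOG = """\
2003-08-11T10:00:01 10.0.5.20 -> 10.0.7.1 tcp/135
2003-08-11T10:00:01 10.0.5.20 -> 10.0.7.2 tcp/135
2003-08-11T10:00:02 10.0.5.20 -> 10.0.7.3 tcp/135
2003-08-11T10:00:02 10.0.5.20 -> 10.0.7.4 tcp/135
2003-08-11T10:00:03 10.0.5.20 -> 10.0.7.5 tcp/135
2003-08-11T10:00:04 10.0.5.20 -> 10.0.7.5 tcp/4444
2003-08-11T10:00:05 10.0.7.5 -> 10.0.5.20 udp/69
2003-08-11T10:00:09 10.0.9.9 -> 10.0.7.200 tcp/135
2003-08-11T10:00:10 10.0.9.9 -> 192.0.2.14 tcp/80
"""

# Assumed log format: "<timestamp> <src> -> <dst> <proto>/<dport>"
LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+) (tcp|udp)/(\d+)$")

def longest_consecutive_run(octets):
    """Length of the longest run of consecutive integers in a non-empty set."""
    ordered, best, run = sorted(octets), 1, 1
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def blaster_indicators(log, min_run=5):
    """Per source host: longest tcp/135 sweep run inside one /24, whether it
    opened the tcp/4444 shell on a target, and whether a target fetched the
    payload back from it over udp/69. Only hosts reaching min_run are returned."""
    probed = defaultdict(set)      # (src, /24 prefix) -> last octets hit on tcp/135
    shell, tftp = set(), set()     # sources seen at the later stages
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, port = m.groups()
        if proto == "tcp" and port == "135":
            prefix, last = dst.rsplit(".", 1)
            probed[(src, prefix)].add(int(last))
        elif proto == "tcp" and port == "4444":
            shell.add(src)
        elif proto == "udp" and port == "69":
            tftp.add(dst)          # the victim pulls msblast.exe from the infector
    runs = defaultdict(int)
    for (src, _), octets in probed.items():
        runs[src] = max(runs[src], longest_consecutive_run(octets))
    return {s: {"sweep": r, "shell": s in shell, "tftp": s in tftp}
            for s, r in runs.items() if r >= min_run}
```

A host that sweeps but never reaches the 4444/69 stages is still worth a look: the slides note the worm rescans already-infected machines, so unsuccessful sweeps are the common case.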

7
Other Attacks
  • Launches a DoS attack on windowsupdate.com
  • From the 16th through the end of the month in Jan. - Aug.
  • Every day if the current month is Sept. - Dec.
  • Floods the website on port 80
  • 50 HTTP packets every second
  • Each packet is 40 bytes

8
Flaws of MS Blaster
  • Slowed down the next day
  • Poor programming of the worm
  • Inefficient method of downloading the code file
  • Infects machines more than once

9
A Variant of MS Blaster
  • MS Blaster-B
  • Exploits the same vulnerability
  • Minor changes to escape detection
  • A Different file name
  • A Different registry entry
  • More graphic messages
  • Written by an 18-year-old, Jeffrey Lee Parson, a
    novice code writer who made too many mistakes

10
Variants of MS Blaster (cont)
  • 70 unpatched machines since discovery of MS
    Blaster-B
  • More variants that exploit the same
    vulnerability W32.Blaster.C , W32.Blaster.D,
    W32.Blaster.E, W32.Blaster.F

11
Removing Instructions
  • Removal tool available for download from
    Symantec Security Response
  • Instructions
  • 1. terminate the MS Blaster worm process
  • 2. delete the worm files (msblast.exe,
    teekids.exe, penis32.exe)
  • 3. delete the dropped files
  • 4. delete the registry values
  • The worm can also be removed manually by following the same steps

12
Conclusion
  • Exploits the most widespread Windows flaw ever
  • Software available today is vulnerable to attacks
  • No significant damage
  • Could have been more effective
  • Better-engineered worms could infect millions
    of machines in a matter of seconds
  • Worms are a serious threat to the safety of the
    Internet

13
Thank you
  • Questions?