In-Depth

Worm Continues Blast Across Internet

Worm exploits RPC/DOM vulnerability; denial-of-service attacks still likely

• By Mathew Schwartz
• 08/20/2003

First the Microsoft vulnerability. Then the innumerable warnings. Then the inevitable worm, signaled by a user’s machine rebooting unexpectedly in Windows XP or Windows Server 2003, or sudden instability in Windows NT 4.0 or Windows 2000.

For the past week, users have been saying hello to Blaster (also known as LovSan and W32.Blaster.Worm). Experts say over 500,000 PCs have been affected across North America, Europe and Asia. Last week, a major bank in Finland suspended most services on account of the worm, which continues to spread.

Two additional variants of the worm will add to the chaos. “In other words all computers infected by the original ‘Lovesan’ will soon be attacked by its revamped version,” notes Eugene Kaspersky, head of anti-virus research for Kaspersky Labs. Worse, multiple versions can co-exist on the same computer, potentially tripling the worm’s efficacy.

The new versions modify Blaster only slightly, changing the name of the main worm-carrying file from msblast.exe to teekids.exe, and using a different method of code compression.

Worst case, says Kaspersky, is akin to what happened with the Slammer worm in January 2003: a global Internet slowdown, plus regional outages.

Default installations of Windows 2000, Windows XP, and Windows Server 2003 are especially at risk, since the DCOM interface to RPC is available via TCP port 135. On Windows NT 4.0, DCOM is accessible via UDP port 135.

Here’s how the worm works: after gaining access to a PC via a specially crafted RPC packet sent to port 135, the worm attempts to exploit the known Microsoft DCOM/RPC vulnerability to download the msblast.exe file and execute it.

Infected PCs also launch probes against port 135, using a semi-random list of IP addresses.

The worm also tries to swamp Windows Update via a denial-of-service attack, likely in order to prevent users patching the DCOM/RPC vulnerability.

The denial of service attack the worm was set to trigger on August 16 also failed to materialize since Microsoft deactivated the worm’s target, windowsupdate.com. Updates were still available at windowsupdate.microsoft.com, though getting there could be a challenge for users, who have to enable their PC’s firewall in order to stop the machine from rebooting every time they access the Internet.

Users’ first sign they’ve been infected may be an incessant rebooting of their computer. To help them cope, Microsoft released “What You Should Know About the Blaster Worm and Its Variants” (http://www.microsoft.com/security/incident/blast.asp). Microsoft recommends users activate the Internet Connection Firewall in Windows XP and Windows Server 2003, or install a third-party firewall for other affected systems, then update their PC, then use anti-virus software to scan the PC and verify it’s not infected.

How quickly does the worm act? Last week, F-Secure decided to test by putting an unprotected PC on the network. Early in the day, it took under six minutes for the machine to be discovered, and infected. Later that day, it took only 27 seconds.

To mitigate the effects of unpatched machines inside the corporate perimeter, Symantec outlined a number of steps IT administrators can take, including rerouting IP addresses to Windows Update, and implementing router anti-spoofing rules to help prevent inappropriate packets from leaving the network. Symantec reports that a new worm, W32.Welchia.Worm, is also making the rounds, albeit ostensibly for good. The worm looks for the Msblast.exe. If found, the worm then deletes the file and patches the system against the RPC/DCOM vulnerability.

Various vendors, including Internet Security Systems, Symantec, and Configuresoft have also updated their scanning and vulnerability remediation products to find and remove the program on an enterprise-wide level. Companies released instructions on removing the worm from individual PCs. Most involve downloading a patch utility, rebooting the computer in safe mode, then applying the patch, which will delete MSBlast.exe from the computer.

Various companies mobilized to fight the worm in advance. Dell Inc. gave help-desk callers instructions for removing the worm. Likewise, cable and broadband provider RCN Corp. sent an e-mail to customers detailing how to de-worm their systems.

The worm was set to trigger a denial of service attack on August 16. Denial-of-service attacks could continue through the week as employees return to work, especially if large swaths of the Midwest and Northeast fall into blackouts again.

The worm is now only spreading at 15 percent of its peak rate, says Symantec.

Don’t expect the worm or its variants to disappear anytime soon, however, says Steven Sundermeier, vice president of products and services at Central Command Inc. “The original author of Worm/Lovsan was successful at infecting hundreds of thousands of computers worldwide. Unfortunately, history has proven that this type of success usually generates a litter of copycat creations.”

Related Links:

ISS Alert: http://xforce.iss.net/xforce/alerts/id/147

Symantec advice for IT administrators: http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

F-Secure “eight minute method” for eliminating Blaster: http://www.f-secure.com/v-descs/msblast.shtml

Microsoft Security Bulletin outlining the RPC/DCOM vulnerability: http://info.101com.com/default.asp?id=2550