Re: Blasting Blaster.Worm (aka LovSan Virus)

From: iDaemon Security (securityat_private)
Date: Tue Aug 12 2003 - 19:30:52 PDT


    It is very well described in the Symantec Alerts we get.
    
    Here is a brief description of how it infects:
    
    1. worm finds host vulnerable to DCOM RPC exploit, attacks on 135/TCP
    (and UDP... it is safe to assume that traffic will use TCP and/or UDP,
    so please assume UDP is implied for the rest of my comments)
    2. worm causes buffer overflow, yielding a shell on 4444/TCP which
    initiates outbound tftp to the host it was infected from, downloading
    msblaster.exe and dropping it on the newly infected host which is
    rebooted so that msblaster.exe is run on startup
    3. msblaster.exe propagates outbound and listens on 69/TCP (which is
    tftp in case you don't have an /etc/services handy), infecting more
    hosts and serving out msblaster.exe via tftp
    
    Log/sniff/block 135/TCP, 4444/TCP (which is the port used by krb524, a
    Kerberos migration service), and 69/TCP.
    
    Regards,
    
    Chris
    
    On Tue, 2003-08-12 at 13:40, Alavan wrote:
    > All,
    > 
    > We're a small ISP providing T-1 access to residents of apartment 
    > communities. Several of our communities have been hit hard by this recent 
    > worm. Trying to identify who's infected is difficult. We've tried logging 
    > UDP, TCP and IP in general, but there's nothing telling getting logged. 
    > Reports indicate that the Virus will try a DDOS on Microsoft's Windows 
    > Update site on 8/16/03, but we saw 1500 small packets per second leaving a 
    > site and couldn't log them via the Cisco router using the above method. I 
    > assumed they were destined for MS. After the flood stopped (some unknown 
    > reason), we traced the flood to a customer using usage stats on our 
    > switches throughout the property.
    > 
    > Turns out that the customer was infected with Blaster.Worm (lovsan). So, it 
    > sure seems that it's doing more than initially indicated.
    > 
    > Does anyone know exactly what protocol is being used by this 
    > "msblaster.exe" or this other shell program created? Any easy way to sniff 
    > and log via our Cisco router?
    > 
    > Any advice would help. We've currently got another property with 1352 
    > packets/second leaving a T-1 serial interface that only at 128/255, or 
    > half-used. We never see that kind of pps.
    > 
    > Thanks in advance.
    > 
    > Alavan
    > 
    > 
    -- 
    iDaemon Security <securityat_private>
    Securedaemon.net
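The three-stage sequence Chris lays out (135 probe, shell on 4444/TCP, tftp back to the attacker on 69) is what a defender wants to correlate in flow or firewall logs rather than just counting packets. The following is an added example, not code from the thread or from either poster: it parses a constructed sample log in an assumed "time proto src:sport -> dst:dport" format (the IPs and the format are made up for illustration), reports every attacker/victim pair for which all three stages appeared in order, and separately lists hosts sweeping many addresses on port 135, which is the noisy propagation traffic Alavan was seeing. Port 135 is accepted over TCP or UDP and port 69 over either transport, matching the post's wording.

```python
import re
from collections import defaultdict

# Constructed sample flow log (not from the original thread). Assumed format:
#   <time> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
13:40:01 tcp 10.1.1.50:1037 -> 10.1.2.20:135
13:40:01 tcp 10.1.1.50:1038 -> 10.1.2.20:4444
13:40:02 udp 10.1.2.20:1029 -> 10.1.1.50:69
13:40:05 tcp 10.1.1.50:1040 -> 10.1.2.21:135
13:40:09 tcp 10.1.1.77:1301 -> 10.1.2.30:135
13:41:00 tcp 10.1.2.20:1050 -> 10.1.3.5:135
13:41:00 tcp 10.1.2.20:1051 -> 10.1.3.5:4444
13:41:01 udp 10.1.3.5:1030 -> 10.1.2.20:69
this line is garbage and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_lines(lines):
    """Yield one dict per well-formed line; malformed lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def find_infection_chains(lines):
    """Map attacker -> set of victims where all three stages were seen in order:
    attacker->victim:135, attacker->victim:4444, then victim->attacker:69 (tftp)."""
    stage = defaultdict(int)  # (attacker, victim) -> highest stage reached so far
    for r in parse_lines(lines):
        pair = (r["src"], r["dst"])
        if r["dport"] == 135:  # stage 1: RPC probe, TCP or UDP
            stage[pair] = max(stage[pair], 1)
        elif r["proto"] == "tcp" and r["dport"] == 4444 and stage[pair] >= 1:
            stage[pair] = max(stage[pair], 2)  # stage 2: shell on 4444/TCP
        elif r["dport"] == 69 and stage[(r["dst"], r["src"])] >= 2:
            stage[(r["dst"], r["src"])] = 3  # stage 3: victim pulls msblaster.exe back
    chains = defaultdict(set)
    for (attacker, victim), s in stage.items():
        if s == 3:
            chains[attacker].add(victim)
    return dict(chains)


def port135_scanners(lines, min_targets=2):
    """Hosts probing at least min_targets distinct destinations on port 135."""
    targets = defaultdict(set)
    for r in parse_lines(lines):
        if r["dport"] == 135:
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def infected_hosts(lines):
    """Every host on either side of a completed chain: worth isolating and patching."""
    hosts = set()
    for attacker, victims in find_infection_chains(lines).items():
        hosts.add(attacker)
        hosts |= victims
    return hosts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("completed chains:", find_infection_chains(lines))
    print("135 scanners:", port135_scanners(lines))
    print("likely infected:", sorted(infected_hosts(lines)))
```

On the sample data the scanner list catches 10.1.1.50 before the chain completes elsewhere, which is the practical point: a single host hitting many addresses on 135 is the earliest signal, and the completed 135/4444/69 sequence confirms which of its targets actually got the binary.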
    
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 22:55:14 PDT