The MS Blaster worm


Presentation Transcript


  1. The MS Blaster worm Presented by: Zhi-Wen Ouyang

  2. Outline
  • General Overview
  • The DCOM RPC Vulnerability
  • How it spreads
  • Other attacks
  • Flaws of MS Blaster
  • A Variant of MS Blaster
  • Removing Instructions
  • Conclusion

  3. General Overview
  • Also known as Lovsan, Poza, Blaster.
  • First detected on August 11, 2003
  • Exploits the most widespread Windows flaw ever
  • A vulnerability in the Distributed Component Object Model (DCOM) interface that handles communication over the Remote Procedure Call (RPC) protocol
  • Affects Windows 2000 and Windows XP
  • Two messages in the code:
    1. “I just want to say LOVE YOU SAN!”
    2. “billy gates why do you make this possible? Stop making money and fix your software!!”
  • Infected more than 100,000 computers in 24 hours

  4. The DCOM RPC Vulnerability
  • Detected in mid-July 2003
  • The RPC protocol allows a program to run code on a remote machine
  • Windows incorrectly handles malformed messages on RPC ports 135, 139, 445 and 593
  • An attacker sends a specially crafted message to the remote host
  • Gains local privileges and runs malicious code

  5. How it spreads
  • Checks whether the computer is already infected
  • Adds the registry value "windows auto update"="msblast.exe" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • 60% of the time, generates an IP address at random
  • 40% of the time, generates IP addresses of the form A.B.C.0
  • Increments the last octet by 1 each time
  • Uses Cmd.exe to create a hidden shell that listens on TCP port 4444

  6. How it spreads (cont’d)
  • Sends out data on TCP port 135
  • Sends out two types of data:
    1. data that exploits Windows XP
    2. data that exploits Windows 2000
  • Listens on UDP port 69 (TFTP), sends out msblast.exe and executes it on the newly infected computer

  7. Other Attacks
  • Launches a DoS against windowsupdate.com
  • From the 16th through the end of the month if the current month is Jan. – Aug.
  • Every day if the current month is Sept. – Dec.
  • Floods the website on port 80
  • 50 HTTP packets every second
  • Each packet is 40 bytes
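Slides 5 to 7 give enough of the worm's network behaviour to write a detection rule for it: one source probing TCP/135 on many addresses (either scattered, or walking A.B.C.0 upward one octet at a time), followed by a TCP/4444 connection to a probed host that then pulls a file back over UDP/69, plus the date rule that decides whether an infected host would also be flooding windowsupdate.com. The following Python is an added example and not code from the presentation; the flow-record format, the eight-target threshold and the sample records are assumptions constructed for it.

```python
"""
Detection helper for the propagation pattern described on slides 5-7:
a host probes TCP/135 on many addresses, delivers its payload to a victim
over TCP/4444, the victim fetches the file over UDP/69 (TFTP), and on
certain dates infected hosts flood windowsupdate.com on TCP/80.
"""
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed sample flows (not real traffic): "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
1060646400 10.1.1.50 192.168.7.0 tcp 135
1060646401 10.1.1.50 192.168.7.1 tcp 135
1060646402 10.1.1.50 192.168.7.2 tcp 135
1060646403 10.1.1.50 192.168.7.3 tcp 135
1060646404 10.1.1.50 192.168.7.4 tcp 135
1060646405 10.1.1.50 192.168.7.5 tcp 135
1060646406 10.1.1.50 192.168.7.6 tcp 135
1060646407 10.1.1.50 192.168.7.7 tcp 135
1060646410 10.1.1.50 192.168.7.3 tcp 4444
1060646412 192.168.7.3 10.1.1.50 udp 69
1060646500 10.1.1.51 203.0.113.9 tcp 443
1060646501 10.1.1.51 203.0.113.9 tcp 80
"""

SCAN_THRESHOLD = 8  # assumed: distinct TCP/135 targets before a source counts as a scanner


def parse_flows(text):
    """Parse the whitespace-separated flow format into (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return flows


def is_sequential_sweep(targets):
    """True when the targets form an ascending, gap-free run inside one /24,
    i.e. the A.B.C.0-and-increment mode described on slide 5."""
    nums = sorted(int(ipaddress.ip_address(t)) for t in targets)
    if len(nums) < 2:
        return False
    same_net = len({n >> 8 for n in nums}) == 1
    consecutive = all(b - a == 1 for a, b in zip(nums, nums[1:]))
    return same_net and consecutive


def detect_propagation(flows, threshold=SCAN_THRESHOLD):
    """Return {src: report} for every source that matches the spread pattern."""
    probes = defaultdict(list)    # src -> [dst] probed on TCP/135
    backdoor = defaultdict(set)   # src -> {dst} contacted on TCP/4444
    tftp_pull = defaultdict(set)  # victim -> {host it fetched from over UDP/69}
    for _, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            probes[src].append(dst)
        elif proto == "tcp" and dport == 4444:
            backdoor[src].add(dst)
        elif proto == "udp" and dport == 69:
            tftp_pull[src].add(dst)

    reports = {}
    for src, targets in probes.items():
        distinct = list(dict.fromkeys(targets))  # de-duplicate, keep order
        if len(distinct) < threshold:
            continue
        # A confirmed victim was probed, then reached on 4444, then pulled the file back.
        victims = sorted(v for v in backdoor[src] if src in tftp_pull.get(v, set()))
        reports[src] = {
            "probe_count": len(distinct),
            "mode": "sequential" if is_sequential_sweep(distinct) else "random",
            "payload_delivered_to": victims,
        }
    return reports


def dos_window_active(day):
    """Slide 7's trigger rule: the 16th onward in Jan-Aug, every day in Sep-Dec."""
    return day.month >= 9 or day.day >= 16


if __name__ == "__main__":
    for src, report in detect_propagation(parse_flows(SAMPLE_FLOWS)).items():
        print(src, report)
    print("DoS window on 2003-08-11:", dos_window_active(date(2003, 8, 11)))
```

On the constructed sample, 10.1.1.50 is reported as a sequential scanner with one confirmed victim, while 10.1.1.51 (ordinary web traffic) is ignored. The date check is useful when triaging: a host found infected on August 11, 2003 would not yet have been flooding windowsupdate.com, but the same host on the 16th would.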

  8. Flaws of MS Blaster
  • Slowed down the next day
  • Poor programming of the worm
  • Inefficient method to download the code file
  • Infects machines more than once

  9. A Variant of MS Blaster
  • MS Blaster-B
  • Exploits the same vulnerability
  • Minor changes to escape detection:
    • A different file name
    • A different registry entry
    • More graphic messages
  • Writer was an 18-year-old teenager, Jeffrey Lee Parson, a novice code writer who made too many mistakes

  10. Variants of MS Blaster (cont’d)
  • 70% of machines still unpatched at the time MS Blaster-B was discovered
  • More variants that exploit the same vulnerability: W32.Blaster.C, W32.Blaster.D, W32.Blaster.E, W32.Blaster.F

  11. Removing Instructions
  • Removal tool available for download from Symantec Security Response
  • What the tool does:
    1. terminates the MS Blaster worm process
    2. deletes the worm files (“msblast.exe”, “teekids.exe”, “penis32.exe”)
    3. deletes dropped files
    4. deletes the registry values
  • The worm can be removed manually in the same manner
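The removal steps on slide 11 are an ordered procedure, and the order matters: the running process has to go before its image can be deleted, and the Run value has to go or the worm returns at next logon. The Python below is an added example, not Symantec's tool or anything from the presentation; it turns a host snapshot into an ordered clean-up plan using the file names and registry value from slides 5 and 11. The snapshot layout and the sample host are assumptions constructed for the example.

```python
"""
Build an ordered clean-up plan from a host snapshot, following slide 11:
stop the worm process, delete its files, then remove the Run registry value.
Indicators (file names, Run key and value name) are taken from the slides.
"""
import ntpath

WORM_FILES = {"msblast.exe", "teekids.exe", "penis32.exe"}   # slide 11
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"                         # slide 5

# Constructed snapshot of an infected host (sample data, not a real capture).
SAMPLE_SNAPSHOT = {
    "processes": [
        {"pid": 4, "image": r"C:\WINDOWS\system32\svchost.exe"},
        {"pid": 1532, "image": r"C:\WINDOWS\system32\msblast.exe"},
    ],
    "files": [
        r"C:\WINDOWS\system32\msblast.exe",
        r"C:\WINDOWS\system32\notepad.exe",
    ],
    "run_values": {
        RUN_KEY: {
            "windows auto update": "msblast.exe",
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        }
    },
}


def _is_worm_name(path):
    """Case-insensitive match of a path's final component against the known file names."""
    return ntpath.basename(path).lower() in WORM_FILES


def build_cleanup_plan(snapshot):
    """Return an ordered list of (action, target) tuples; empty when the host looks clean."""
    plan = []
    # 1. Terminate the worm process first; Windows refuses to delete a running image.
    for proc in snapshot.get("processes", []):
        if _is_worm_name(proc["image"]):
            plan.append(("terminate_process", proc["pid"]))
    # 2. Delete the worm files (covers both the main file and the dropped copies).
    for path in snapshot.get("files", []):
        if _is_worm_name(path):
            plan.append(("delete_file", path))
    # 3. Remove the Run value, matched either by the slide's value name or by
    #    any value whose data launches a known worm file.
    for key, values in snapshot.get("run_values", {}).items():
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or _is_worm_name(data):
                plan.append(("delete_registry_value", key + "\\" + name))
    return plan


if __name__ == "__main__":
    for action, target in build_cleanup_plan(SAMPLE_SNAPSHOT):
        print(action, target)
```

Matching the Run value by its data as well as by its name is what makes the same plan usable against a variant that renamed the registry entry but kept one of the known file names; a variant that changed both (as slide 9 says MS Blaster-B did) needs its own indicators added to the sets at the top.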

  12. Conclusion
  • Exploits the most widespread Windows flaw ever
  • Software available today is vulnerable to attacks
  • No significant damage
  • Could have been more effective
  • A better-engineered worm could infect millions of machines in a matter of seconds
  • Worms are a serious threat to the safety of the Internet

  13. Thank you Questions?