Discussion:
How is Blaster caught?
Martin C.E.
2003-08-14 17:14:22 UTC
How is the Blaster worm caught?

I looked at http://vil.nai.com/vil/content/v_100547.htm
but I was no wiser.

A worm to me is something which propagates by email. But some tech
support guy I spoke to said that Blaster propagated just by the user
visiting a web page.

Can anyone advise me on the true way Blaster is caught.
Tetsuo
2003-08-14 17:15:11 UTC
Post by Martin C.E.
How is the Blaster worm caught?
I looked at http://vil.nai.com/vil/content/v_100547.htm
but I was no wiser.
A worm to me is something which propagates by email. But some tech
support guy I spoke to said that Blaster propagated just by the user
visiting a web page.
Can anyone advise me on the true way Blaster is caught.
It catches you, AFAIK..

--
Tetsuo
Ian.H [dS]
2003-08-14 17:22:55 UTC
On Thu, 14 Aug 2003 18:14:22 +0100 in
Post by Martin C.E.
How is the Blaster worm caught?
I looked at http://vil.nai.com/vil/content/v_100547.htm
but I was no wiser.
A worm to me is something which propagates by email.
Someone has seriously misinformed you =)
Post by Martin C.E.
But some tech
support guy I spoke to said that Blaster propagated just by the user
visiting a web page.
Your tech support guy needs shooting too!
Post by Martin C.E.
Can anyone advise me on the true way Blaster is caught.
Why does this post scream "I still haven't patched my box"? =\

It exploits the RPC DCOM process.. and as stated, it catches you!



Regards,

Ian
--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
Eds
2003-08-15 18:06:29 UTC
Post by Ian.H [dS]
It exploits the RPC DCOM process.. and as stated, it catches you!
1) The attacking machine sends a packet to port 135/TCP on the victim's
PC that crashes RPC through a buffer overflow[0] that leads to a
special piece of code being executed on the victim's machine.
2) Said code will open a command shell accessible via port 4444/TCP
3.1) Download msblast.exe from $attacker with TFTP and save it in
%systemdir%
3.2) Launch msblast.exe
4) msblast.exe will launch a TFTP server on the victim machine and
start sending exploit packets to random targets.
After that, everything starts over, until the built-in payload
activates itself to flood the MS server.
[0] 80% of the time this packet is designed to take out XP, 20% of the
time Win2k, according to Symantec.
Does this mean you could experience the 60 sec shutdown window, even if the
worm failed to infect your computer?
Juergen Nieveler
2003-08-15 18:37:49 UTC
Post by Eds
Does this mean you could experience the 60 sec shutdown window, even
if the worm failed to infect your computer?
Yes, the shutdown is caused by the RPC service on XP crashing after
receiving the malformed packet. MS apparently implemented this as a
feature to make sure that machines don't suffer a DoS through malformed
RPC requests.... after all, Rebooting always solves all problems on
Windows ;-)

The only way to prevent the shutdown from happening (apart from
stopping the countdown manually) is to apply the patch so that the RPC
service doesn't crash.

BTW, I've heard that a couple of "Personal Firewalls" didn't protect
against this attack - has anybody heard more about this?
--
Juergen Nieveler / ***@web.de / PGP supported!
A sadist is someone who's kind to a masochist
Eds
2003-08-15 19:43:10 UTC
This explains what's happened to me, I think. I kept getting the shutdown
window, though Outpost Firewall was running. I had disabled it briefly that
day, so I thought maybe that's when I got infected, but now I think each
time I was attacked it blocked installation of the worm, but failed to
prevent the RPC crash. I haven't been able to find any sign of the worm on
my computer in any of its known variants. The MS patch has prevented the
crash reoccurring. I was worried I had an unknown variant on my PC, but
maybe Outpost did part of its job?

Not completely convinced by this, but it's a bit out of my area...

Eds
Post by Juergen Nieveler
Post by Eds
Does this mean you could experience the 60 sec shutdown window, even
if the worm failed to infect your computer?
Yes, the shutdown is caused by the RPC service on XP crashing after
receiving the malformed packet. MS apparently implemented this as a
feature to make sure that machines don't suffer a DoS through malformed
RPC requests.... after all, Rebooting always solves all problems on
Windows ;-)
The only way to prevent the shutdown from happening (apart from
stopping the countdown manually) is to apply the patch so that the RPC
service doesn't crash.
BTW, I've heard that a couple of "Personal Firewalls" didn't protect
against this attack - has anybody heard more about this?
--
A sadist is someone who's kind to a masochist
anna keynow
2003-08-16 11:06:28 UTC
On Fri, 15 Aug 2003 19:43:10 +0000 (UTC), "Eds"
Post by Eds
This explains what's happened to me, I think. I kept getting the shutdown
window, though Outpost Firewall was running. I had disabled it briefly that
day, so I thought maybe that's when I got infected, but now i think each
time I was attacked it blocked installation of the worm, but failed to
prevent the RPC crash. I haven't been able to find any sign of the worm on
my computer in any of its known variants. The MS patch has prevented the
crash reoccurring. I was worried I had an unknown variant on my PC, but
maybe Outpost did part of its job?
Not completely convinced by this, but it's a bit out of my area...
Eds
I'm not necessarily saying that this happened in your case, but there
is a sleazy advertising pop-up that is doing a pretty good job of
mimicking the current 60 sec. warning.

A couple of days ago, I had a couple of pop-ups that initially started
as a small (approx 3cmX3cm) window. Popped out of the room for a
moment and came back to a full-screen, with a warning to save
everything and I had sixty seconds to do so. It looked pretty much
like XP graphics. I'm not running XP so it aroused my suspicion.
Used the three fingers to close it down. No problems. Checked my
firewall log, which confirmed it was a sleazy pop-up, designed to give
people a heart attack.
http://ad1.zendmedia.com/ad-rpc.php?id=ad50 . This was it but, since
then, it has been replaced with an ad warning of the risk of the
latest worm infection. It flashes the original ad on the top right.
-+Anna+-
Heather
2003-08-15 21:48:49 UTC
Post by Juergen Nieveler
Post by Eds
Does this mean you could experience the 60 sec shutdown window, even
if the worm failed to infect your computer?
Yes, the shutdown is caused by the RPC service on XP crashing after
receiving the malformed packet. MS apparently implemented this as a
feature to make sure that machines don't suffer a DoS through
malformed
Post by Juergen Nieveler
RPC requests.... after all, Rebooting always solves all problems on
Windows ;-)
The only way to prevent the shutdown from happening (apart from
stopping the countdown manually) is to apply the patch so that the RPC
service doesn't crash.
BTW, I've heard that a couple of "Personal Firewalls" didn't protect
against this attack - has anybody heard more about this?
Hi Guys.......just some confirmation from you please. My neighbour just
informed me he has Blaster........this is the same guy that sells the
huge commercial computers (grin).......he has XP and I asked him where
in hell his firewall was. He hasn't downloaded Zone Alarm or any
other......so why didn't the infamous XP firewall stop
it.......rhetorical questions I guess.

Anyway......he is crashing in about 60 seconds.......so I told him I
would download the patch and the fix to get rid of it.

Question......should I download the MS patch first and put that on?
According to Symantec, it is sometimes necessary. And as I have never
done this sort of thing on someone else's computer, I want to make sure
that I do it properly. As in......where do I direct it to go from the
floppy. Same question for the patch to get rid of Blaster. I am
woefully inadequate in the basics (G).

Plus I will no doubt be thinking "60 seconds......aarrgghh".....grin.
Shoot, I spend my time making sure I DON'T get these nasties......not
taking them off someone else's computer!!

Thanks in advance......Heather
Bit Twister
2003-08-15 21:57:38 UTC
Post by Heather
Plus I will no doubt be thinking "60 seconds......aarrgghh".....grin.
Shoot, I spend my time making sure I DON'T get these nasties......not
taking them off someone else's computer!!
I would put him in the driver's seat, pull up a chair and make him drive.
Go to www.microsoft.com and look under the top right link.
Bit Twister
2003-08-15 22:05:18 UTC
Post by Bit Twister
Post by Heather
Plus I will no doubt be thinking "60 seconds......aarrgghh".....grin.
Shoot, I spend my time making sure I DON'T get these nasties......not
taking them off someone else's computer!!
I would put him in the driver's seat, pull up a chair and make him drive.
Go to www.microsoft.com and look under the top right link.
Frap, forgot to add
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Now there appears to be a B version.
Gabriele Neukam
2003-08-15 23:01:42 UTC
Post by Heather
Hi Guys
Hi Heather. How's the power over there?
Post by Heather
Question......should I download the MS patch first and put that on?
According to Nick, you can do it that way, provided there is a reboot in
between the Patch and installing the Service Pack.
Post by Heather
According to Symantec, it is sometimes necessary. And as I have never
done this sort of thing on someone else's computer, I want to make sure
that I do it properly.
I am not XP savvy, but fixed my sister's system (well, she wasn't
infected, but needed prophylaxis) without problems.
Post by Heather
As in......where do I direct it to go from the
floppy. Same question for the patch to get rid of Blaster. I am
woefully inadequate in the basics (G).
I copied the file from floppy to the harddisk, ran it, it checked the
system, extracted some files, copied them, initiated a reboot, and that
was it.

After that, I went into the management of services and set the RPC
service to "restart service when crashed" instead of "shutdown entire
machine when crashed"
Post by Heather
Plus I will no doubt be thinking "60 seconds......aarrgghh".....grin.
Shoot, I spend my time making sure I DON'T get these nasties......not
taking them off someone else's computer!!
You can stop the shutdown in two ways:

- Open a command line window (running cmd.exe) and enter the command
shutdown -a (at least we Germans need the parameter -a) to stop it in
its tracks.

- Go to the clock in the systray, open it and set the time back a couple
of hours. The moment for shutdown isn't calculated by time passing, as
the message seems to imply, but by the absolute time Windows has decided
to be the shutdown date.

Method 1 is courtesy of Heise Verlag (www.heise.de), the other of Robin
Socha (a notorious defender of "good computing must be done with
Linux", close to the verge of a troll sometimes, but a LOT more
intelligent)


HTH


Gabriele Neukam

***@t-online.de
--
Ah, Information. A good too valuable these days to give away, just
so, at no cost.
ParrotRob
2003-08-16 06:23:14 UTC
Post by Juergen Nieveler
The only way to prevent the shutdown from happening (apart from
stopping the countdown manually) is to apply the patch so that the RPC
service doesn't crash.
That's not true at all. You can easily configure the RPC service so that a
failure simply restarts the service instead of rebooting the system. This
will not keep the RPC service from crashing as the patch will, but it will
certainly keep your machine from issuing a shutdown command when the service
DOES crash.
Alain Dénommée
2003-08-16 22:45:43 UTC
close this window using ALT+F4

this is the work of zendmedia for their customer DiscountBOB selling
some AV software

you can use this link to Discount Bob and tell them you just joined the
hate club they started with this sleazy advertising they took out with
ZendMEDIA.

http://www.discountbob.com/contact.php

and spread the word
Alex
2003-08-16 01:43:52 UTC
Post by Ian.H [dS]
It exploits the RPC DCOM process.. and as stated, it catches you!
1) The attacking machine sends a packet to port 135/TCP on the victim's
PC that crashes RPC through a buffer overflow[0] that leads to a
special piece of code being executed on the victim's machine.
2) Said code will open a command shell accessible via port 4444/TCP
3.1) Download msblast.exe from $attacker with TFTP and save it in
%systemdir%
3.2) Launch msblast.exe
4) msblast.exe will launch a TFTP server on the victim machine and
start sending exploit packets to random targets.
After that, everything starts over, until the built-in payload
activates itself to flood the MS server.
[0] 80% of the time this packet is designed to take out XP, 20% of the
time Win2k, according to Symantec.
So there is no concern for windows 98 (SE)?

Alex
Eds
2003-08-16 09:02:47 UTC
Post by Alex
Post by Ian.H [dS]
It exploits the RPC DCOM process.. and as stated, it catches you!
1) The attacking machine sends a packet to port 135/TCP on the victim's
PC that crashes RPC through a buffer overflow[0] that leads to a
special piece of code being executed on the victim's machine.
2) Said code will open a command shell accessible via port 4444/TCP
3.1) Download msblast.exe from $attacker with TFTP and save it in
%systemdir%
3.2) Launch msblast.exe
4) msblast.exe will launch a TFTP server on the victim machine and
start sending exploit packets to random targets.
After that, everything starts over, until the built-in payload
activates itself to flood the MS server.
[0] 80% of the time this packet is designed to take out XP, 20% of the
time Win2k, according to Symantec.
So there is no concern for windows 98 (SE)?
I saw one reference to w95/98/ME on a symantec page about blaster, but I
think this must have been a typo: only NT based versions of Windows
(NT/2000/XP) have services, so there would be no RPC to exploit.
FromTheRafters
2003-08-16 22:06:42 UTC
Post by Eds
Post by Alex
Post by Ian.H [dS]
It exploits the RPC DCOM process.. and as stated, it catches you!
1) The attacking machine sends a packet to port 135/TCP on the victim's
PC that crashes RPC through a buffer overflow[0] that leads to a
special piece of code being executed on the victim's machine.
2) Said code will open a command shell accessible via port 4444/TCP
3.1) Download msblast.exe from $attacker with TFTP and save it in
%systemdir%
3.2) Launch msblast.exe
4) msblast.exe will launch a TFTP server on the victim machine and
start sending exploit packets to random targets.
After that, everything starts over, until the built-in payload
activates itself to flood the MS server.
[0] 80% of the time this packet is designed to take out XP, 20% of the
time Win2k, according to Symantec.
So there is no concern for windows 98 (SE)?
I saw one reference to w95/98/ME on a symantec page about blaster, but I
think this must have been a typo: only NT based versions of Windows
(NT/2000/XP) have services, so there would be no RPC to exploit.
So does this mean that those OS versions are immune to the exploit
even if the services were added on as an aftermarket enhancement?
Eds
2003-08-16 22:43:54 UTC
Post by FromTheRafters
Post by Eds
Post by Alex
Post by Ian.H [dS]
It exploits the RPC DCOM process.. and as stated, it catches you!
1) The attacking machine sends a packet to port 135/TCP on the victim's
PC that crashes RPC through a buffer overflow[0] that leads to a
special piece of code being executed on the victim's machine.
2) Said code will open a command shell accessible via port 4444/TCP
3.1) Download msblast.exe from $attacker with TFTP and save it in
%systemdir%
3.2) Launch msblast.exe
4) msblast.exe will launch a TFTP server on the victim machine and
start sending exploit packets to random targets.
After that, everything starts over, until the built-in payload
activates itself to flood the MS server.
[0] 80% of the time this packet is designed to take out XP, 20% of the
time Win2k, according to Symantec.
So there is no concern for windows 98 (SE)?
I saw one reference to w95/98/ME on a symantec page about blaster, but I
think this must have been a typo: only NT based versions of Windows
(NT/2000/XP) have services, so there would be no RPC to exploit.
So does this mean that those OS versions are immune to the exploit
even if the services were added on as an aftermarket enhancement?
I'm not clear on the details, but it's no enhancement: rather an integral
part of how the OS works. NT is Unix based rather than DOS based, and I
think services are a key part of this. It's how NT manages to survive a
crash: everything is separated into independent modules. Services are
modules that control different aspects of the OS. Though they're
interdependent, they can to a certain extent be turned on and off
independently. If the worm-writer had wanted to affect the DOS based
versions of Windows (s)he would have had to find a comparable component to
exploit - presumably the malformed connection string msblaster uses has no
effect on those OS versions. Anyone know for sure?

Eds
FromTheRafters
2003-08-16 23:35:27 UTC
Post by FromTheRafters
Post by Eds
Post by Alex
Post by Ian.H [dS]
It exploits the RPC DCOM process.. and as stated, it catches you!
1) The attacking machine sends a packet to port 135/TCP on the victim's
PC that crashes RPC through a buffer overflow[0] that leads to a
special piece of code being executed on the victim's machine.
2) Said code will open a command shell accessible via port 4444/TCP
3.1) Download msblast.exe from $attacker with TFTP and save it in
%systemdir%
3.2) Launch msblast.exe
4) msblast.exe will launch a TFTP server on the victim machine and
start sending exploit packets to random targets.
After that, everything starts over, until the built-in payload
activates itself to flood the MS server.
[0] 80% of the time this packet is designed to take out XP, 20% of the
time Win2k, according to Symantec.
So there is no concern for windows 98 (SE)?
I saw one reference to w95/98/ME on a symantec page about blaster, but I
think this must have been a typo: only NT based versions of Windows
(NT/2000/XP) have services, so there would be no RPC to exploit.
So does this mean that those OS versions are immune to the exploit
even if the services were added on as an aftermarket enhancement?
I'm not clear on the details, but it's no enhancement: rather an integral
part of how the OS works. NT is Unix based rather than DOS based, and I
think services are a key part of this. It's how NT manages to survive a
crash: everything is separated into independent modules. Services are
modules that control different aspects of the OS. Though they're
interdependent, they can to a certain extent be turned on and off
independently. If the worm-writer had wanted to affect the DOS based
versions of Windows (s)he would have had to find a comparable component to
exploit - presumably the malformed connection string msblaster uses has no
effect on those OS versions. Anyone know for sure?
Blaster uses CMD.EXE and TFTP so the *worm* won't
work on those OSes that don't have those files. What I'm
not sure about is whether or not the *vulnerability* is able
to be installed on those OSes. There are knowledge base
articles on how to install DCOM RPC services on those
OSes. Most of the "doesn't affect 98 ME" blurbs may be
referring to *default* installations of those OSes and may
be neglecting to further advise.

MS's site says "systems not affected ~ ME" but doesn't
happen to mention why ME is not affected. It would be
just like them to make such a blanket assertion without
looking into the matter.
cquirke
2003-08-17 15:32:00 UTC
On Sun, 17 Aug 2003 10:43:44 +0000 (UTC), "Eds"
Post by FromTheRafters
Blaster uses CMD.EXE and TFTP so the *worm* won't
work on those OSes that don't have those files. What I'm
not sure about is whether or not the *vulnerability* is able
to be installed on those OSes. There are knowledge base
articles on how to install DCOM RPC services on those
OSes. Most of the "doesn't affect 98 ME" blurbs may be
referring to *default* installations of those OSes and may
be neglecting to further advise.
I wasn't aware of that bolt-on, but then I'm not entirely clear what RPC
*does* anyway <g> If they made the buffer overrun mistake back in NT 4 or
whenever, it seems unlikely they happened to fix it when they made the win98
bolt-on, n'est ce pas?
As has been pointed out, the bolt-on files for Win98xx (and presumably
WinME) are versioned as per NT (4.0?), suggesting the same hole is
likely. If the RPC add-on was pushed via Windows Update, it may be an
ironic case of patching yourself *into* trouble.

Precedents exist, where MS has seriously underestimated the scope of a
hole because they forgot how they pushed and dribbled functionality
outside of the obvious version lines. Remember the SQL server hole
that turned out to be relevant to many Win9x, thanks to a "lite"
version being bundled with Office's Access post-Jet database engine?
--------------- ----- ---- --- -- - - -
Error Messages Are Your Friends
--------------- ----- ---- --- -- - - -
n***@zilch.com
2003-08-17 15:45:25 UTC
Post by cquirke
I wasn't aware of that bolt-on, but then I'm not entirely clear what RPC
*does* anyway <g> If they made the buffer overrun mistake back in NT 4 or
whenever, it seems unlikely they happened to fix it when they made the win98
bolt-on, n'est ce pas?
As has been pointed out, the bolt-on files for Win98xx (and presumably
WinME) are versioned as per NT (4.0?), suggesting the same hole is
likely. If the RPC add-on was pushed via Windows Update, it may be an
ironic case of patching yourself *into* trouble.
Precedents exist, where MS has seriously underestimated the scope of a
hole because they forgot how they pushed and dribbled functionality
outside of the obvious version lines. Remember the SQL server hole
that turned out to be relevant to many Win9x, thanks to a "lite"
version being bundled with Office's Access post-Jet database engine?
1. Does the patch install on Win 98/ME ?
2. Since Win 98 is no longer supported will there ever be a patch?
3. Have there been any confirmed cases of Win 98/ME infections by the
current worm and its variants?


Art
http://www.epix.net/~artnpeg
FromTheRafters
2003-08-17 20:12:09 UTC
Post by n***@zilch.com
Post by cquirke
I wasn't aware of that bolt-on, but then I'm not entirely clear what RPC
*does* anyway <g> If they made the buffer overrun mistake back in NT 4 or
whenever, it seems unlikely they happened to fix it when they made the win98
bolt-on, n'est ce pas?
As has been pointed out, the bolt-on files for Win98xx (and presumably
WinME) are versioned as per NT (4.0?), suggesting the same hole is
likely. If the RPC add-on was pushed via Windows Update, it may be an
ironic case of patching yourself *into* trouble.
Precedents exist, where MS has seriously underestimated the scope of a
hole because they forgot how they pushed and dribbled functionality
outside of the obvious version lines. Remember the SQL server hole
that turned out to be relevant to many Win9x, thanks to a "lite"
version being bundled with Office's Access post-Jet database engine?
1. Does the patch install on Win 98/ME ?
Since the patches are made available according to which affected
OS you are wanting it for, how is one to determine if a patch is
installable? I am assuming that Microsoft knows what object module
is affected, and which DCOM RPC/OS pair will install that module.
So, I assume Win9x/ME are not vulnerable, but I don't like the idea
of assuming too much where Microsoft software is concerned.
Post by n***@zilch.com
2. Since Win 98 is no longer supported will there ever be a patch?
I don't think so ~ but it would be nice to know if they are vulnerable
anyway.
Post by n***@zilch.com
3. Have there been any confirmed cases of Win 98/ME infections by the
current worm and its variants?
None that I have heard of, but the worm isn't the issue, the vulnerability is.
I wouldn't expect the worm to find cmd.exe on my Win98 machine.
FromTheRafters
2003-08-18 00:03:26 UTC
Post by FromTheRafters
Post by FromTheRafters
Post by Eds
Post by Alex
Post by Ian.H [dS]
It exploits the RPC DCOM process.. and as stated, it catches you!
1) The attacking machine sends a packet to port 135/TCP on the victim's
PC that crashes RPC through a buffer overflow[0] that leads to a
special piece of code being executed on the victim's machine.
2) Said code will open a command shell accessible via port 4444/TCP
3) The attacking PC will send a sequence of commands to the
3.1) Download msblast.exe from $attacker with TFTP and save it in
%systemdir%
3.2) Launch msblast.exe
4) msblast.exe will launch a TFTP server on the victim machine and
start sending exploit packets to random targets.
After that, everything starts over, until the built-in payload
activates itself to flood the MS server.
[0] 80% of the time this packet is designed to take out XP, 20% of the
time Win2k, according to Symantec.
So there is no concern for windows 98 (SE)?
I saw one reference to w95/98/ME on a symantec page about blaster, but I
think this must have been a typo: only NT based versions of Windows
(NT/2000/XP) have services, so there would be no RPC to exploit.
So does this mean that those OS versions are immune to the exploit
even if the services were added on as an aftermarket enhancement?
I'm not clear on the details, but it's no enhancement: rather an integral
part of how the OS works. NT is Unix based rather than DOS based, and I
think services are a key part of this. It's how NT manages to survive a
crash: everything is separated into independent modules. Services are
modules that control different aspects of the OS. Though they're
interdependent, they can to a certain extent be turned on and off
independently. If the worm-writer had wanted to affect the DOS based
versions of Windows (s)he would have had to find a comparable component to
exploit - presumably the malformed connection string msblaster uses has no
effect on those OS versions. Anyone know for sure?
Blaster uses CMD.EXE and TFTP so the *worm* won't
work on those OSes that don't have those files. What I'm
not sure about is whether or not the *vulnerability* is able
to be installed on those OSes. There are knowledge base
articles on how to install DCOM RPC services on those
OSes. Most of the "doesn't affect 98 ME" blurbs may be
referring to *default* installations of those OSes and may
be neglecting to further advise.
MS's site says "systems not affected ~ ME" but doesn't
happen to mention why ME is not affected. It would be
just like them to make such a blanket assertion without
looking into the matter.
I wasn't aware of that bolt-on, but then I'm not entirely clear what RPC
*does* anyway <g>
It seems to me that DCOM RPC takes the idea that was behind
the use of dynamically linked libraries (multiple programs making
use of the same code in memory so that multiple copies of that
same code need not populate that memory) and extends it into
the network environment.
If they made the buffer overrun mistake back in NT 4 or
whenever, it seems unlikely they happened to fix it when they made the win98
bolt-on, n'est ce pas?
http://www.microsoft.com/com/dcom/dcom98/relnotes.asp#diff

Who knows, it may have been a separate team working on the
Win98 DCOM project ~ one that knows how to avoid writing
buffer overrun vulnerabilities into their code. ~ Naaa!
Pops
2003-08-17 15:19:58 UTC
Post by Eds
I'm not clear on the details, but it's no enhancement: rather an integral
part of how the OS works. NT is Unix based rather than DOS based,
oh? I thought NT was based on Intel's RMX operating system, the first pmode
OS made by makers of the pmode memory segment hardware itself. Unix is
based on the Motorola framework - more linear memory model.
Jeffrey B. DiPaolo
2003-08-20 14:56:19 UTC
For once, I wish someone would make an MSBLASTER worm that snoops port 135
for the MSBLAST.exe worm, causing it to shut down, and safely removes it.
Just an idea for you white knights out there. I'm just a tech and wish I
could write programs; that's the first program I would write. Ciao
Post by Pops
Post by Eds
I'm not clear on the details, but it's no enhancement: rather an integral
part of how the OS works. NT is Unix based rather than DOS based,
oh? I thought NT was based on Intel's RMX operating system, the first pmode
OS made by makers of the pmode memory segment hardware itself. Unix is
based on the Motorola framework - more linear memory model.
Hector Santos
2003-08-21 07:32:17 UTC
Post by Jeffrey B. DiPaolo
For once, I wish someone would make an MSBLASTER worm that snoops port 135
for the MSBLAST.exe worm, causing it to shut down, and safely removes it.
Just an idea for you white knights out there. I'm just a tech and wish I
could write programs; that's the first program I would write. Ciao
It's been done. The media is calling it the "Good Worm"

Ironically, it is still illegal to go into your computer even for "GOOD"
intentions.

No, I don't agree with it. You don't want to open up the flood gates for
every Bill, Bob and Carol out there going into your computer/home in the
name of being a good samaritan:

"Oh, I have this new registry cleaner and I thought I would test it on
your machine"

"Oh, I thought you needed help with backup, so I went and did it for you!!"

"Oh, don't be pissy! I was just trying to make sure I can watch you
not screw up anything"

"Hey, I heard you were an ARAB. Just want to make sure you got no AL
KAEDA stuff"

"Hey, just in case you press the OPEN attachment key, I installed an ARE
YOU SURE? popup. I hope you don't mind"

Unfortunately, Microsoft now wants to also GO into computers to fix it up
automatically. Once they are allowed to do this, all hell is going to break
loose. You think it's bad now? HA!

I have a great idea. Read this because I think I am going to get a PATENT
on that astonishing idea!

If Billy Gates gives me 1 billion dollars, hell, just 200 million will do
it, I could put a team together to do what?

Fix Windows! <g>

Isn't that a revolutionary idea?
n***@zilch.com
2003-08-21 12:01:44 UTC
On Thu, 21 Aug 2003 03:32:17 -0400, "Hector Santos"
Post by Hector Santos
I have a great idea. Read this because I think I am going to get a PATENT
on that astonishing idea!
If Billy Gates gives me 1 billion dollars, hell, just 200 million will do
it, I could put a team together to do what?
Fix Windows! <g>
Isn't that a revolutionary idea?
No. But you're naive if you believe Billy will ever do anything but
keep on making matters worse with each new OS release. What's needed
is "neutralizing" software unique to each version of Windows from '95
on up:

1. Network settings would be neutralized suitably for users of single
PCs. Bindings of network adaptors would be to TCP/IP only. No NetBios.
Windows log-on would be set. All ports would wind up closed and all
network services would be disabled. If people want risky services they
should be forced to work at it and enable them themselves. M$ has it
all backwards.

2. Both IE and OE would be eradicated and replaced with sane third
party apps.

However, I doubt there would be much of a market. Customers are just
as insane as M$ :)


Art
http://www.epix.net/~artnpeg
Hector Santos
2003-08-22 11:04:26 UTC
Post by n***@zilch.com
1. Network settings would be neutralized suitably for users of single
PCs. Bindings of network adaptors would be to TCP/IP only. No NetBios.
Not even that. For example, Blaster, which hit DCOM (which sits on RPC), is
due to RPC binding on the TCP/IP layer. Microsoft could just redesign RPC
DCOM to make it optional so that it doesn't use the TCP/IP RPC protocol
(ncacn_ip_tcp) for local end-user machines. It can use the LOCAL RPC
protocol (ncalrpc).

Also, the backbone and ISPs can do wonders for us. Just turn off these
ports just like they do for SMTP, POP3, etc when they try to stop end-users
from being servers unless they pay extra $$$.
--
Hector Santos
WINSERVER "Wildcat! Interactive Net Server"
support: http://www.winserver.com
sales: http://www.santronics.com
c***@nospam.com
2003-08-21 19:45:31 UTC
Post by Hector Santos
Unfortunately, Microsoft now wants to also GO into computers to fix it up
automatically. Once they are allowed to do this, all hell is going to break
loose. You think it's bad now? HA!
The difference is that MS can slip this into the EULA (user license)
and you have no say in the matter. You'd be surprised at some of the
things you agree to when you install that OS. Also note that Service
Packs have EULAs too that can add things. Check out the part about
digital media in the W2K SP4 EULA.

-Chris
Tim H.
2003-08-14 17:23:15 UTC
Post by Martin C.E.
How is the Blaster worm caught?
I looked at http://vil.nai.com/vil/content/v_100547.htm
but I was no wiser.
A worm to me is something which propagates by email. But some tech
support guy I spoke to said that Blaster propagated just by the user
visiting a web page.
I hope he wasn't Tech. Support for a major anti-virus company!

As someone else said, it catches you. If your system is unpatched, another
PC on the network infected with the virus will scan random IP addresses
looking for its next victim. If your system happens to be unpatched and
responds to DCOM RPC requests, it'll send its packet to effectively change
the operation of DCOM RPC to serve another function: listen for remote
connections.

When this remote connection comes in, it essentially commands your PC to
download and run a file. From there it continues (scanning, infecting,
executing).

-Tim
Post by Martin C.E.
Can anyone advise me on the true way Blaster is caught.
Sheldon
2003-08-14 23:52:31 UTC
Post by Tim H.
As someone else said, it catches you. If your system is unpatched, another
PC on the network infected with the virus will scan random IP addresses
looking for its next victim...
So, if the PC is scanning for IP addresses, and if your broadband connection
is running through a router, the virus will only see the router and your
computer won't be affected? (That's a question.)

Thanks.

Sheldon
***@sopris.net
Robert R Kircher, Jr.
2003-08-14 23:56:24 UTC
Post by Sheldon
Post by Tim H.
As someone else said, it catches you. If your system is unpatched, another
PC on the network infected with the virus will scan random IP addresses
looking for its next victim...
So, if the PC is scanning for IP addresses, and if your broadband connection
is running through a router, the virus will only see the router and your
computer won't be affected? (That's a question.)
This is correct unless your router is configured to forward the offending
ports to a PC within your network.

It is best to go ahead and patch your PCs.
--
Rob
Sheldon
2003-08-15 00:08:41 UTC
As I said in a previous post, none of my clients with a router called me,
but I am patching computers as I go. Also, the only time I open access is
when an IT person I'm working with needs to get through, and then we always
close it when finished.

BTW, you might want to check out my FYI post. First official word from
Microsoft to its partners.

Thanks for the info.

Sheldon
says...
Post by Sheldon
Post by Tim H.
As someone else said, it catches you. If your system is unpatched, another
PC on the network infected with the virus will scan random IP addresses
looking for its next victim...
So, if the PC is scanning for IP addresses, and if your broadband connection
is running through a router, the virus will only see the router and your
computer won't be affected? (That's a question.)
If the router is blocking direct access to your computers behind it,
then you can't get it through direct connection to the internet. Routers
block unsolicited INBOUND, so you should be safe.
--
(Remove 999 to reply to me)
n***@zilch.com
2003-08-14 17:23:24 UTC
On Thu, 14 Aug 2003 18:14:22 +0100, "Martin C.E."
Post by Martin C.E.
How is the Blaster worm caught?
I looked at http://vil.nai.com/vil/content/v_100547.htm
but I was no wiser.
That description has your answer.
Post by Martin C.E.
A worm to me is something which propagates by email.
No. Not just email.
Post by Martin C.E.
But some tech
support guy I spoke to said that Blaster propagated just by the user
visiting a web page.
The support guy is wrong.
Post by Martin C.E.
Can anyone advise me on the true way Blaster is caught.
You have the answer in your post. You need more descriptions? Google
them up.

Art
http://www.epix.net/~artnpeg
kurt wismer
2003-08-14 17:48:43 UTC
Post by Martin C.E.
How is the Blaster worm caught?
computer A executes the worm... the worm sends specially crafted
traffic to computer B to exploit a buffer overrun vulnerability in the
DCOM RPC interface on computer B in order to execute a command shell (a
dos window) to launch an ftp utility to download the worm and then
execute the worm on computer B... at this point you can think of
computer B as being computer A...
Post by Martin C.E.
I looked at http://vil.nai.com/vil/content/v_100547.htm
but I was no wiser.
well it looks like all the info is there...
Post by Martin C.E.
A worm to me is something which propagates by email. But some tech
support guy I spoke to said that Blaster propagated just by the user
visiting a web page.
i would suggest you don't listen to virus information from this person
again...

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"
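Tim H.'s and kurt wismer's replies describe the same first step: an already infected machine sweeps one address after another looking for an exposed DCOM RPC endpoint (135/TCP). From the defender's side that sweep is visible in perimeter or host firewall logs as one source touching many distinct hosts on 135/TCP in a short span. The detector below is an added example, not code from anyone in this thread; the log format, hosts and addresses are constructed for it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Hypothetical firewall log format (constructed for this example, not any real product's):
#   <ISO timestamp> <ACTION> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Constructed sample: 192.168.1.23 behaves like an infected host sweeping
# consecutive addresses on 135/TCP; 192.168.1.5 makes a few ordinary DCOM calls.
SAMPLE_LOG = "\n".join(
    [f"2003-08-14T17:20:{i:02d} DENY TCP 192.168.1.23:{1030 + i} -> 10.0.0.{i + 1}:135"
     for i in range(12)]
    + ["2003-08-14T17:20:05 ALLOW TCP 192.168.1.5:1100 -> 10.0.0.50:135",
       "2003-08-14T17:25:05 ALLOW TCP 192.168.1.5:1101 -> 10.0.0.51:135",
       "2003-08-14T17:20:07 ALLOW TCP 192.168.1.5:1102 -> 10.0.0.52:80",
       "malformed line that the parser must skip"])

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec

def find_scanners(log_text, port=135, window_s=60, threshold=10):
    """Return {src: peak} for sources that reached >= threshold distinct hosts
    on port/TCP inside any window_s-second span (peak = most hosts in one span)."""
    window = timedelta(seconds=window_s)
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:  # drop events older than the window
                in_window[evs[start][1]] -= 1
                start += 1
            peak = max(peak, len(+in_window))  # +Counter keeps only positive counts
        if peak >= threshold:
            hits[src] = peak
    return hits
```

With the sample data only 192.168.1.23 is reported (12 distinct hosts within the 60 s window); the host making two DCOM calls five minutes apart is not, which is the point of keying on distinct destinations per window rather than on any single 135/TCP connection.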
elio
2003-08-14 20:55:49 UTC
Post by Martin C.E.
Can anyone advise me on the true way Blaster is caught.
Look at this url
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A&VSect=T
(one of the best descriptions, IMHO)
The author of the Blaster worm tells the truth:
"billy gates why do you make this possible ?
Stop making money and fix your software!!"
FromTheRafters
2003-08-15 00:19:10 UTC
Post by Martin C.E.
How is the Blaster worm caught?
I looked at http://vil.nai.com/vil/content/v_100547.htm
but I was no wiser.
It makes more sense if you have some background information
on how things work normally, like networks, computers, you
know ~ that sort of thing.
Post by Martin C.E.
A worm to me is something which propagates by email.
Some do, some don't. Some use other communications channels.
Post by Martin C.E.
But some tech
support guy I spoke to said that Blaster propagated just by the user
visiting a web page.
That's pretty sad ~ I'm glad he's not *my* tech support guy. :O)
...and he should be glad I'm not one of his customers too.
Post by Martin C.E.
Can anyone advise me on the true way Blaster is caught.
Blaster is "caught" by a computer continuing to have a vulnerability
(written by Microsoft) exposed to the network, despite the fact
that a patch for that vulnerability (also written by Microsoft) was
made available some weeks ago, and soon after the vulnerability
was first brought to their attention.

In addition to the vulnerability, some other things must be in
place (or *not* in place) for the worm to be successful in
any particular instance.