CERT Advisory CA-2003-20 W32/Blaster worm

[Dave Farber <dave () farber net>]

> Reply-To: "monty solomon" <monty () roscom com>
> From: "monty solomon" <monty () roscom com>
> To: "list" <list () roscom com>
> Subject: CERT Advisory CA-2003-20 W32/Blaster worm
> Date: Tue, 12 Aug 2003 15:05:56 -0400
> X-Mailer: Microsoft Outlook Express 5.50.4922.1500
> X-MIME-Autoconverted: from quoted-printable to 8bit by linc.cis.upenn.edu 
> id h7CJBIpQ022038
>
> CERT® Advisory CA-2003-20 W32/Blaster worm
>
> Original issue date: August 11, 2003
> Last revised: August 12, 2003
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
> Systems Affected
> * Microsoft Windows NT 4.0
> * Microsoft Windows 2000
> * Microsoft Windows XP
> * Microsoft Windows Server 2003
>
> Overview
>
> The CERT/CC is receiving reports of widespread activity related to a new
> piece of malicious code known as W32/Blaster.  This worm appears to
> exploit known vulnerabilities in the Microsoft Remote Procedure Call
> (RPC) Interface.
>
>
> I. Description
>
> The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
> interface as described in VU#568148 and CA-2003-16.  Upon successful
> execution, the worm attempts to retrieve a copy of the file msblast.exe
> from the compromising host.  Once this file is retrieved, the
> compromised system then runs it and begins scanning for other vulnerable
> systems to compromise in the same manner.  In the course of propagation,
> a TCP session to port 135 is used to execute the attack.  However,
> access to TCP ports 139 and 445 may also provide attack vectors and
> should be considered when applying mitigation strategies.  Microsoft has
> published information about this vulnerability in Microsoft Security
> Bulletin MS03-026.
>
> Lab testing has confirmed that the worm includes the ability to launch a
> TCP SYN flood denial-of-service attack against windowsupdate.com.  We
> are investigating the conditions under which this attack might manifest
> itself.  Unusual or unexpected traffic to windowsupdate.com may indicate
> an infection on your network, so you may wish to monitor network
> traffic.
>
> Sites that do not use windowsupdate.com to manage patches may wish to
> block outbound traffic to windowsupdate.com.  In practice, this may be
> difficult to achieve, since windowsupdate.com may not resolve to the
> same address every time.  Correctly blocking traffic to
> windowsupdate.com will require detailed understanding of your network
> routing architecture, system management needs, and name resolution
> environment.  You should not block traffic to windowsupdate.com without
> a thorough understanding of your operational needs.
>
> We have been in contact with Microsoft regarding this possibility of
> this denial-of-service attack.
>
> ...
>
> http://www.cert.org/advisories/CA-2003-20.html

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/