Interesting People mailing list archives
CERT Advisory CA-2003-20 W32/Blaster worm
From: Dave Farber <dave () farber net>
Date: Tue, 12 Aug 2003 17:00:10 -0400
Reply-To: "monty solomon" <monty () roscom com>
From: "monty solomon" <monty () roscom com>
To: "list" <list () roscom com>
Subject: CERT Advisory CA-2003-20 W32/Blaster worm
Date: Tue, 12 Aug 2003 15:05:56 -0400

CERT® Advisory CA-2003-20 W32/Blaster worm

Original issue date: August 11, 2003
Last revised: August 12, 2003
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Microsoft Windows NT 4.0
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Overview

The CERT/CC is receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface.

I. Description

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner.

In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.

Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. We are investigating the conditions under which this attack might manifest itself. Unusual or unexpected traffic to windowsupdate.com may indicate an infection on your network, so you may wish to monitor network traffic.

Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. In practice, this may be difficult to achieve, since windowsupdate.com may not resolve to the same address every time. Correctly blocking traffic to windowsupdate.com will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to windowsupdate.com without a thorough understanding of your operational needs. We have been in contact with Microsoft regarding the possibility of this denial-of-service attack.

...

http://www.cert.org/advisories/CA-2003-20.html