Educause Security Discussion mailing list archives

[REN-ISAC] MS06-040 status


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Mon, 14 Aug 2006 11:41:34 -0400

Apologies if you're receiving duplicates... this message was originally posted to the private REN-ISAC mailing list, 
but because all the information is public (including the botnet c&c names) we thought to share to this list also.

Regards,

Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac () ren-isac net
web: http://www.ren-isac.net
membership: http://www.ren-isac.net/membership.html

-----

On August 12 UTC a botnet began assembling utilizing the MS06-040 Server service vulnerability as a means of 
propagation. When the malware infects a system it downloads a botnet program, connects to botnet command and control 
hosts (c&c) utilizing IRC on port 18067, and scans for and infects additional vulnerable systems via TCP port 445.

Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx

The Microsoft Server service available at TCP/445 is responsible for file and printer sharing, remote access via Remote 
Procedure Calls (RPC), and access to computers via named pipes. An unauthenticated attacker can send a specially 
crafted message to the Server service, execute code, and take complete control of the vulnerable system.

If you've been affected, please let REN-ISAC know, as well as other steps that you may normally take.

A view to the dramatic increase of TCP/445 activity on the Internet2 Abilene network is at:
http://www.ren-isac.net/monitoring/port-costa.cgi?tcp_dst_445_packets

The c&c DNS names used by the botnet are:

  bniu.househot.com
  bbjj.househot.com   CNAME=ypgw.wallloan.com
  ypgw.wallloan.com     

Currently, those names resolve to:

  bniu.househot.com  58.81.137.157
  bniu.househot.com  202.121.199.200
  bniu.househot.com  61.163.231.115
  bniu.househot.com  210.75.211.111
  bniu.househot.com  211.154.135.30
  bniu.househot.com  61.189.243.240
  bniu.househot.com  218.61.146.86

  ypgw.wallloan.com  58.81.137.157
  ypgw.wallloan.com  211.154.135.30
  ypgw.wallloan.com  61.189.243.240
  ypgw.wallloan.com  202.121.199.200
  ypgw.wallloan.com  61.163.231.115
  ypgw.wallloan.com  218.61.146.86

Network and security admins should monitor connection attempts to those hosts from within their network in order to 
identify local compromised hosts.

Two variants of the malware have been identified:

File name: wgareg.exe
MD5:  9928a1e6601cf00d0b7826d13fb556f0
SHA1: 352a276346eabde7bfce9efee732a973e0d26baa

File name: wgavm.exe
MD5:  2bf2a4f0bdac42f4d6f8a062a7206797
SHA1: 339717f8b50580ab1af41c15436e10651382952

The malware can only spread to Windows 2000 systems. We've seen conflicting reports regarding the ability to infect XP 
SP1, but most reports say W2k-only. Note that even a failed exploit attempt against an XP system could result in a 
system crash.

Microsoft calls this:
Win32/Graweg.A and Win32/Graweg.B

Other names are:

Symantec: W32.Wargbot
http://www.symantec.com/enterprise/security_response/print_writeup.jsp?docid=2006-081312-3302-99

Trend Micro: WORM_IRCBOT.JK and JL
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FIRCBOT%2EJK
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FIRCBOT%2EJL

McAfee: IRC-Mocbot!MS06-040
http://vil.nai.com/vil/Content/v_140394.htm

F-Secure: IRCBot.st
http://www.f-secure.com/v-descs/ircbot_st.shtml

Apparently the bot code is based on year-2005 Mocbot that used the MS05-039 PNP vulnerability. LURHQ reports that 
little appears to have changed between the previous Mocbot variants and the new one, except the replacement of the 
MS05-039 exploit with that of MS06-040.

The scanning behavior is such that an infected machine starts scanning 445/TCP within its own Class B network and will 
move through its Class A network, making rare jumps (perhaps at the behest of the botherd) beyond those boundaries.

Bleeding Snort rules are available, SIDs 2003081, 2003082:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_MS06-040

eEye Digital Security has created a standalone vulnerability scanner to help identify systems vulnerable to the 
MS06-040 flaw. The scanner will identify the vulnerability on all systems with the exception of Windows NT.
http://www.eeye.com/html/resources/downloads/audits/NetApi.html

Safe networking practice calls for blocking when possible UDP ports 135, 137, 138, 445, and TCP ports 135, 139, and 445 
- at the institutional network borders and with desktop firewalls. In particular, for MS06-040, blocking TCP/139 and 
TCP/445 is a recommended mitigation.

REN-ISAC has observed 533 hosts at 28 US .edus either scanning 445 or talking to the botnet c&c's. Those hosts have 
been reported to the respective institution's incident contacts. In addition we've seen similar traffic from 400 non-US 
edu sites. That information has been shared to appropriate mitigation contacts.

It's surprising, given the history of problems centered on the Microsoft RPC and Netbios ports, that we're still seeing 
a good amount of scanning from .edu space on TCP/445. More often than not, that port should be blocked inbound AND 
outbound at an institution's border. If you're not currently filtering at the borders, and need assistance in 
considering that, please contact us at REN-ISAC.

Microsoft reports one issue involving the MS06-040 update: Programs that request lots of contiguous memory, such as one 
gigabyte or more, may fail after you install security update 921883 (MS06-040) on a 32-bit Windows Server 2003 
SP1-based computer.
http://support.microsoft.com/kb/924054/

References and additional reading:

SANS ISC: Information to Help Track Down Infections From WGAREG.EXE
http://isc.sans.org/diary.php?storyid=1594

SANS ISC: MS06-040 exploit in the wild (Initial write-up)
http://isc.sans.org/diary.php?storyid=1592

MS06-040 wgareg / wgavm update
http://isc.sans.org/diary.php?storyid=1593

LURHQ: Mocbot/MS06-040 IRC Bot Analysis
http://www.lurhq.com/mocbot-ms06040.html

MSRC Blog:
http://blogs.technet.com/msrc/

Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx

US-CERT Vulnerability Note VU#650769 Microsoft Windows Server service buffer overflow
http://www.kb.cert.org/vuls/id/650769

CVE-2006-3439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3439

Protection methods:

Host-based firewall
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

TCP/IP Filtering
http://support.microsoft.com/kb/309798

Server and Domain Isolation
http://www.microsoft.com/technet/itsolutions/network/sdiso/default.mspx


Regards,

Doug Pearson
on behalf of the REN-ISAC Team
ren-isac () ren-isac net
http://www.ren-isac.net
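The note asks admins to watch for connections to the c&c hosts and describes the worm's 445/TCP sweep of its own Class B. The script below is an added example (not REN-ISAC's code) of how to turn both into a check over flow records. The record format ("ts src dst proto dport") and the sample traffic are constructed for the example; the c&c addresses and the port numbers 18067 and 445 are the ones listed in the note.

```python
"""Flag hosts that contact the published Graweg/Mocbot C&C or that scan TCP/445.

Added example for the REN-ISAC MS06-040 note; the record format below is a
constructed one, not any vendor's flow export.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# C&C indicators as published in the note (resolution as of 14 Aug 2006).
CNC_IPS: Set[str] = {
    "58.81.137.157", "202.121.199.200", "61.163.231.115", "210.75.211.111",
    "211.154.135.30", "61.189.243.240", "218.61.146.86",
}
CNC_IRC_PORT = 18067   # the bot's IRC port, per the note
SMB_PORT = 445         # propagation port (MS06-040 Server service)


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts src dst proto dport' records (constructed format); '#' lines are comments."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def find_cnc_contacts(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each source to the reasons it looks bot-like: a flow to a listed C&C IP,
    or TCP/18067 to anywhere (catches a C&C address that is not on the list yet)."""
    reasons: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.dst in CNC_IPS:
            reasons[f.src].add(f"c&c ip {f.dst}")
        if f.dport == CNC_IRC_PORT:
            reasons[f.src].add(f"irc/{CNC_IRC_PORT} to {f.dst}")
    return {src: sorted(r) for src, r in reasons.items()}


def find_smb_scanners(flows: List[Flow], min_targets: int = 20) -> Dict[str, int]:
    """Sources with at least min_targets distinct TCP/445 destinations.
    The threshold separates a worm sweeping its /16 from a workstation that
    talks to a handful of file servers; tune it to the site."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == SMB_PORT:
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


# Constructed sample: 10.1.2.3 joins the C&C IRC channel and sweeps its own /16
# on 445; 10.1.5.5 is an ordinary workstation.
SAMPLE_FLOWS = "\n".join(
    [
        "# ts src dst proto dport   (constructed, not real traffic)",
        "2006-08-14T10:00:01 10.1.2.3 58.81.137.157 tcp 18067",
        "2006-08-14T10:00:05 10.1.5.5 10.1.0.10 tcp 445",
        "2006-08-14T10:00:06 10.1.5.5 192.0.2.80 tcp 80",
    ]
    + [f"2006-08-14T10:01:{i:02d} 10.1.2.3 10.1.{i}.{100 + i} tcp 445" for i in range(25)]
)


def report(text: str, min_targets: int = 20) -> List[str]:
    """One line per suspicious source, ready for an incident contact or a ticket."""
    flows = parse_flows(text)
    lines: List[str] = []
    for src, why in sorted(find_cnc_contacts(flows).items()):
        lines.append(f"{src}: C&C contact ({'; '.join(why)})")
    for src, n in sorted(find_smb_scanners(flows, min_targets).items()):
        lines.append(f"{src}: {n} distinct TCP/445 targets (scanning)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS)))
```

The IRC-port rule is deliberately broader than the IP list: the note says the names were resolving to a set of addresses "currently", and a bot that moves its c&c keeps using port 18067. Run the same records through a resolver log for the three DNS names if flow data is not kept at the border.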
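For the two samples listed above, an added example (again not REN-ISAC's code) of host triage: hash every file under a directory and compare against the published MD5/SHA1 values, with a weaker filename-only hit for wgareg.exe / wgavm.exe. The SHA1 given for wgavm.exe is 39 hex digits as printed in the note, so the index keeps only well-formed digests and that sample matches on MD5. The demo() directory and its files are constructed for the example.

```python
"""Hash-based triage for the wgareg.exe / wgavm.exe samples from the REN-ISAC note.

Added example; walks a directory, hashes every file with MD5 and SHA-1 and
reports matches against the published digests, plus weaker filename-only hits.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Digests as printed in the note. The wgavm.exe SHA1 is 39 hex digits as
# published, so build_index() drops it and that sample matches on MD5 only.
PUBLISHED: Dict[str, Dict[str, str]] = {
    "wgareg.exe": {"md5": "9928a1e6601cf00d0b7826d13fb556f0",
                   "sha1": "352a276346eabde7bfce9efee732a973e0d26baa"},
    "wgavm.exe": {"md5": "2bf2a4f0bdac42f4d6f8a062a7206797",
                  "sha1": "339717f8b50580ab1af41c15436e10651382952"},
}
DIGEST_LEN = {"md5": 32, "sha1": 40}


def build_index(published: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """(algo, digest) -> sample name, keeping only well-formed hex digests."""
    index: Dict[Tuple[str, str], str] = {}
    for name, digests in published.items():
        for algo, hexd in digests.items():
            hexd = hexd.lower()
            if len(hexd) == DIGEST_LEN[algo] and all(c in "0123456789abcdef" for c in hexd):
                index[(algo, hexd)] = name
    return index


def hash_file(path: str) -> Dict[str, str]:
    """MD5 and SHA-1 of a file, read in chunks so large files stay out of memory."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_tree(root: str, index: Dict[Tuple[str, str], str],
              names=frozenset(PUBLISHED)) -> List[Tuple[str, str, str]]:
    """Return (path, sample, evidence) triples. evidence is 'md5' or 'sha1' for a
    digest match, or 'name' when only the filename matches: a renamed copy or a
    new variant would not hash-match, and a benign file may share the name, so
    treat 'name' as a lead to examine rather than a confirmed infection."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                digests = hash_file(path)
            except OSError:
                continue   # locked or unreadable file; skip rather than abort the sweep
            matched = False
            for algo, hexd in digests.items():
                sample = index.get((algo, hexd))
                if sample:
                    hits.append((path, sample, algo))
                    matched = True
            if not matched and fname.lower() in names:
                hits.append((path, fname.lower(), "name"))
    return sorted(hits)


def demo() -> List[Tuple[str, str, str]]:
    """Build a throwaway directory with constructed files, index one file's own
    digests as if they were published, and scan: shows digest and name evidence."""
    root = tempfile.mkdtemp(prefix="ms06040-demo-")
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample bytes, not malware")
    decoy = os.path.join(root, "WGAREG.EXE")
    with open(decoy, "wb") as fh:
        fh.write(b"unrelated file that only shares the name")
    index = build_index(PUBLISHED)
    index.update(build_index({"constructed-sample": hash_file(sample)}))
    return scan_tree(root, index)


if __name__ == "__main__":
    for path, sample, evidence in demo():
        print(f"{evidence:5} {sample:20} {path}")
```

On a real host point scan_tree() at the system directory with build_index(PUBLISHED); a digest hit is the strong signal, and a name-only hit should be followed up by checking the c&c traffic described earlier.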
