Educause Security Discussion mailing list archives
[REN-ISAC] MS06-040 status
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Mon, 14 Aug 2006 11:41:34 -0400
Apologies if you're receiving duplicates... this message was originally posted to the private REN-ISAC mailing list, but because all the information is public (including the botnet c&c names) we thought to share it to this list also.

Regards,
Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac () ren-isac net
web: http://www.ren-isac.net
membership: http://www.ren-isac.net/membership.html

-----

On August 12 UTC a botnet began assembling, utilizing the MS06-040 Server service vulnerability as a means of propagation. When the malware infects a system it downloads a botnet program, connects to botnet command and control hosts (c&c) utilizing IRC on port 18067, and scans for and infects additional vulnerable systems via TCP port 445.

Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx

The Microsoft Server service available at TCP/445 is responsible for file and printer sharing, remote access via Remote Procedure Calls (RPC), and access to computers via named pipes. An unauthenticated attacker can send a specially crafted message to the Server service, execute code, and take complete control of the vulnerable system.

If you've been affected, please let REN-ISAC know, in addition to any other steps that you normally take.
A view of the dramatic increase in TCP/445 activity on the Internet2 Abilene network is at:
http://www.ren-isac.net/monitoring/port-costa.cgi?tcp_dst_445_packets

The c&c DNS names used by the botnet are:

  bniu.househot.com
  bbjj.househot.com  (CNAME = ypgw.wallloan.com)
  ypgw.wallloan.com

Network and security admins should monitor connection attempts to those hosts from within their network in order to identify local compromised hosts.

Two variants of the malware have been identified:

  File name: wgareg.exe
  MD5:  9928a1e6601cf00d0b7826d13fb556f0
  SHA1: 352a276346eabde7bfce9efee732a973e0d26baa

  File name: wgavm.exe
  MD5:  2bf2a4f0bdac42f4d6f8a062a7206797
  SHA1: 339717f8b50580ab1af41c15436e10651382952

The malware can only spread to Windows 2000 systems. We've seen conflicting reports regarding the ability to infect XP SP1, but most reports say W2k-only. Note that even a failed exploit attempt against an XP system could result in a system crash.
Microsoft calls this: Win32/Graweg.A and Win32/Graweg.B

Other names are:

  Symantec: W32.Wargbot
  http://www.symantec.com/enterprise/security_response/print_writeup.jsp?docid=2006-081312-3302-99

  Trend Micro: WORM_IRCBOT.JK and JL
  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FIRCBOT%2EJK
  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FIRCBOT%2EJL

  McAfee: IRC-Mocbot!MS06-040
  http://vil.nai.com/vil/Content/v_140394.htm

  F-Secure: IRCBot.st
  http://www.f-secure.com/v-descs/ircbot_st.shtml

Apparently the bot code is based on the year-2005 Mocbot that used the MS05-039 PNP vulnerability. LURHQ reports that little appears to have changed between the previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040.

The scanning behavior is such that an infected machine starts scanning 445/TCP within its own Class B network and then moves through its Class A network, making rare jumps (perhaps at the behest of the botherd) beyond those boundaries.

Bleeding Snort rules are available, SIDs 2003081, 2003082:
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/EXPLOIT/EXPLOIT_MS06-040

eEye Digital Security has created a standalone vulnerability scanner to help identify systems vulnerable to the MS06-040 flaw. The scanner will identify the vulnerability on all systems with the exception of Windows NT.
http://www.eeye.com/html/resources/downloads/audits/NetApi.html

Safe networking practice calls for blocking, when possible, UDP ports 135, 137, 138, 445, and TCP ports 135, 139, and 445 at the institutional network borders and with desktop firewalls. In particular, for MS06-040, blocking TCP/139 and TCP/445 is a recommended mitigation.

REN-ISAC has observed 533 hosts at 28 US .edus either scanning 445 or talking to the botnet c&c's. Those hosts have been reported to the respective institution's incident contacts. In addition we've seen similar traffic from 400 non-US edu sites.
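The two indicators the advisory asks admins to watch for (contact with the published c&c names or the bot's IRC port, and a host fanning out TCP/445 connections inside its own Class B) can be checked over flow records. The script below is an added example written for this post, not code from REN-ISAC or any of the vendors named; the flow record format, the sample flows and the scan threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Indicators taken from the advisory above.
CNC_NAMES = {"bniu.househot.com", "bbjj.househot.com", "ypgw.wallloan.com"}
CNC_IRC_PORT = 18067
SMB_PORT = 445
# Assumed threshold: distinct TCP/445 targets inside the source's own /16
# (Class B) before a host is flagged as a scanner.
SCAN_THRESHOLD = 20

# Constructed sample flows: (src_ip, dst, dst_port); dst is an IP literal,
# or a hostname where the flow has been joined against DNS logs.
SAMPLE_FLOWS = (
    [("10.20.5.7", "bniu.househot.com", CNC_IRC_PORT),  # bot checking in to c&c
     ("10.20.5.7", "10.20.99.1", SMB_PORT),             # a single SMB flow
     ("10.20.9.9", "10.20.1.2", SMB_PORT),              # ordinary file share use
     ("10.20.9.9", "10.21.1.2", SMB_PORT)]              # target outside its /16
    + [("10.20.8.9", f"10.20.{i}.1", SMB_PORT) for i in range(41)]  # worm fan-out
)

def in_same_slash16(src, dst):
    """True when dst is an IPv4 literal in the same /16 as src, the scope the
    worm scans first; hostnames and non-IPv4 values return False."""
    try:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    except ValueError:
        return False
    return int(s) >> 16 == int(d) >> 16

def find_cnc_talkers(flows):
    """Sources that contacted a known c&c name or anything on the bot's IRC port."""
    return {src for src, dst, port in flows
            if dst in CNC_NAMES or port == CNC_IRC_PORT}

def find_445_scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources with at least `threshold` distinct TCP/445 targets inside their
    own /16, returned as {src: distinct_target_count}."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port == SMB_PORT and in_same_slash16(src, dst):
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

if __name__ == "__main__":
    print("c&c talkers:", sorted(find_cnc_talkers(SAMPLE_FLOWS)))
    print("445 scanners:", find_445_scanners(SAMPLE_FLOWS))
```

Hosts flagged by either check are candidates for the local incident process; a single internal SMB flow, as for 10.20.9.9 in the sample, is deliberately not enough to trigger the scan rule.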
That information has been shared with appropriate mitigation contacts.

It's surprising, given the history of problems centered on the Microsoft RPC and NetBIOS ports, that we're still seeing a good amount of scanning from .edu space on TCP/445. More often than not, that port should be blocked inbound AND outbound at an institution's border. If you're not currently filtering at the borders, and need assistance in considering that, please contact us at REN-ISAC.

Microsoft reports one issue involving the MS06-040 update: Programs that request lots of contiguous memory, such as one gigabyte or more, may fail after you install security update 921883 (MS06-040) on a 32-bit Windows Server 2003 SP1-based computer.
http://support.microsoft.com/kb/924054/

References and additional reading:

  SANS ISC: Information to Help Track Down Infections From WGAREG.EXE
  http://isc.sans.org/diary.php?storyid=1594

  SANS ISC: MS06-040 exploit in the wild (Initial write-up)
  http://isc.sans.org/diary.php?storyid=1592

  SANS ISC: MS06-040 wgareg / wgavm update
  http://isc.sans.org/diary.php?storyid=1593

  LURHQ: Mocbot/MS06-040 IRC Bot Analysis
  http://www.lurhq.com/mocbot-ms06040.html

  MSRC Blog:
  http://blogs.technet.com/msrc/

  Microsoft Security Bulletin MS06-040
  Vulnerability in Server Service Could Allow Remote Code Execution (921883)
  http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx

  US-CERT Vulnerability Note VU#650769
  Microsoft Windows Server service buffer overflow
  http://www.kb.cert.org/vuls/id/650769

  CVE-2006-3439
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3439

Protection methods:

  Host-based firewall
  http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

  TCP/IP Filtering
  http://support.microsoft.com/kb/309798

  Server and Domain Isolation
  http://www.microsoft.com/technet/itsolutions/network/sdiso/default.mspx

Regards,
Doug Pearson
on behalf of the REN-ISAC Team
ren-isac () ren-isac net
http://www.ren-isac.net