Last Updated: 2006-08-14 17:48:01 UTC
by Swa Frantzen (Version: 1)
Be on the lookout for:
- laptops that may have been infected while away, returning to the inside of your perimeter.
- infected machines scanning the rest of the network
- new infections flaring up as a result of the above
- If you have not done so yet:
- Roll out the MS06-040 patches ASAP.
- Do not forget to reboot those machines after patching!
- Check that all machines have been patched and rebooted; we have confirmation that the patches are effective at stopping the initial attack.
- Update anti-virus signatures: detection for this bot might not be in the mainstream signature set yet, so check manually what your vendor has to say.
- While at it, filter ports 135-139 and 445 wherever possible. For example, enabling the personal firewall on laptops goes a long way towards future-proofing those machines against this kind of attack.
- If you have an IDS, make sure you have signatures for the MS06-040 exploit
(preferably matching the exploitation of the vulnerability itself rather than a specific payload, which changes between variants)
- For snort:
- BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)
- NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt
[Sourcefire VRT, subscription-only until the 16th]
- Check for outgoing traffic to port 18067/TCP of the command and control (C&C) centers:
- 184.108.40.206
Please note that these IP addresses can be changed quite easily by the controllers of the botnet, so checking for (or even blocking) them at your DNS servers might be much more effective.
- Check for the presence of following files:
- Check for the presence of the registry keys:
- Check for outgoing traffic scanning for other vulnerable machines on port 445/TCP
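The two network checks above (outbound connections to the C&C port, and one host sweeping many others on 445/TCP) are easy to run over exported flow or firewall logs. The script below is an added example and is not code from the ISC diary; it assumes a constructed, space-separated log format (epoch src_ip src_port dst_ip dst_port proto), assumed internal address ranges, and an assumed scan threshold of 20 distinct targets, all of which you would adapt to your own environment. Because the C&C addresses change easily, the C&C check keys on port and direction rather than on a fixed IP list.

```python
"""Flow-log triage for the MS06-040 bot behaviour listed above.

Added example, NOT code from the ISC diary.  Assumes a constructed,
space-separated flow log with the fields:
    epoch_seconds src_ip src_port dst_ip dst_port proto
Adapt parse_flow() to your firewall / NetFlow export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CNC_PORT = 18067      # C&C port named on the page
SMB_PORT = 445        # port the bot scans looking for the next victim
SCAN_THRESHOLD = 20   # assumed tuning value: distinct 445/TCP targets before we call it a scan

# Assumption: the site's internal ranges; adjust to your own addressing.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one log line; raise ValueError on malformed input rather than guessing."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, src, sport, dst, dport, proto = fields
    ip_address(src)   # validate addresses early so bad lines fail loudly
    ip_address(dst)
    return Flow(int(ts), src, int(sport), dst, int(dport), proto.lower())


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_cnc_talkers(flows):
    """Internal hosts with outbound TCP connections to the C&C port.

    The C&C IPs change easily, so we key on port and direction only,
    not on a fixed address list.  Returns a sorted list of source IPs."""
    return sorted({f.src for f in flows
                   if f.proto == "tcp" and f.dport == CNC_PORT
                   and is_internal(f.src) and not is_internal(f.dst)})


def find_smb_scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources touching many distinct hosts on 445/TCP: the propagation pattern.

    A workstation using its file server hits one or two hosts on 445;
    an infected box walks through a range.  Returns {src: distinct_targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == SMB_PORT:
            targets[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def triage(lines):
    """Run both checks over raw log lines and return the findings."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    return {"cnc_talkers": find_cnc_talkers(flows),
            "smb_scanners": find_smb_scanners(flows)}


# Constructed sample log (not real traffic): one bot talking to a C&C on
# 203.0.113.5 (documentation range), one clean workstation using its file
# server, a web client, and one infected host sweeping 10.1.3.0/24 on 445.
SAMPLE_LOG = [
    "1155570000 10.1.2.3 1043 203.0.113.5 18067 tcp",
    "1155570001 10.1.2.3 1044 203.0.113.5 18067 tcp",
    "1155570002 10.1.2.7 1050 10.1.0.5 445 tcp",
    "1155570003 10.1.2.7 1051 10.1.0.5 445 tcp",
    "1155570004 10.1.2.9 1060 198.51.100.7 80 tcp",
    "1155570005 10.1.2.9 1061 198.51.100.7 18067 udp",   # wrong protocol, must not match
] + [f"{1155570100 + i} 10.1.2.40 {2000 + i} 10.1.3.{i + 1} 445 tcp" for i in range(30)]


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Any host the script lists under either finding is a candidate for the rebuild procedure further down, not for cleaning; the scan threshold is the only knob that needs tuning, and lowering it catches slower sweeps at the cost of flagging busy file-server clients.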
- You really cannot and
- Even if you delete the keys that start the malware,
- your settings will be mangled. E.g., a test infection with wgareg.exe:
- created 17 new registry keys
- modified 77 other keys, including keys used for firewalls, file sharing, etc.
- That was just the infection itself: no follow-up, no communication with the C&C
- Like any bot, what the C&C has made it do on a given machine is unpredictable
- Wipe! (as in nuke from orbit)
- Backup data (if any) and keep these off-line
- Unplug the network
- Wipe the disk effectively (while booted from clean media)
- Reinstall software
- Install (personal) firewall, anti-virus, anti-spyware
- Apply patches & Update signatures
- Carefully restore needed data
For installing, see also our survival guide for XP
- Our initial write-up
- Update with a slight variant
- More infections
- LURHQ - Joe Stewart's analysis
- Symantec - W32.Wargbot
- TrendMicro - Worm.IRCBOT.JK and JL
- McAfee - IRC.Mocbot
- F-Secure - IRCBOT-ST
Swa Frantzen -- Section 66