
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-08-16



Blaster Worm Cleanup

Published: 2003-08-16
Last Updated: 2003-08-17 14:45:56 UTC
by Handlers (Version: 1)

Summary

The DDoS attack against windowsupdate.com has been avoided so far because
Microsoft decided to no longer resolve this particular hostname. Other
hosts within the domain are still accessible, as is 'windowsupdate.microsoft.com', the hostname actually used by Windows Update.

In the wake of this worm, at least one virus has been reported that
masquerades as a "Blaster Worm Fix". As always, do not execute attachments from unknown sources.

One popup ad has been spotted which mimics the RPC error message caused by the worm in order to trick users into purchasing a software firewall.

Scanner False Positives

Microsoft made a scanner available (KB823980Scan) which network administrators can use to verify remotely whether machines are patched for MS03-026. We have received reports that this scanner reports Windows 98 machines as vulnerable, even though Windows 98 does not run the affected DCOM RPC service and the patch does not apply to it.

At this point, we recommend a follow-up scan with nmap (OS detection, -O) to check whether a host reported as "unpatched" is actually running Windows 98, if no other means are available to determine the operating system. Keep in mind that the nmap OS guess is itself a heuristic; the output below lists several candidates, so confirm the OS by other means where possible.

Sample output from the scanner and nmap against a Windows 98 machine:

(target IP replaced with 1.2.3.4)


C:\Program Files\KB823980Scan>KB823980Scan.exe 1.2.3.4

Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86
Copyright (c) Microsoft Corporation 2003. All rights reserved.

<+> Starting scan (timeout = 5000 ms)

Checking 1.2.3.4
1.2.3.4: unpatched

<-> Scan completed

Statistics:

Patched with KB823980 = 0
Unpatched = 1
TOTAL HOSTS SCANNED = 1

Needs Investigation = 0
Connection refused = 0
Host unreachable = 0
Errors = 0
TOTAL HOSTS SKIPPED = 0

TOTAL ADDRESSES SCANNED = 1

NMAP output:

Starting nmap V. 3.00 ( www.insecure.org/nmap )
Host somehost.somedomain (1.2.3.4) appears to be up ... good.
Initiating SYN Stealth Scan against somehost.somedomain (1.2.3.4)
Adding open port 139/tcp
Adding open port 135/tcp
The SYN Stealth Scan took 17 seconds to scan 65535 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Interesting ports on somehost.somedomain (1.2.3.4):
(The 65533 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
Remote OS guesses: Turtle Beach AudioTron Firmware 3.0, Windows NT4 or 95/98/98SE
OS Fingerprint:
TSeq(Class=TD%gcd=1%SI=1%IPID=BI%TS=U)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=trivial time dependency
Difficulty=1 (Trivial joke)
TCP ISN Seq. Numbers: 19E8C4 19E933 19E9A1 19EA0F 19EA80 19EAEE
IPID Sequence Generation: Broken little-endian incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
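Doing this cross-check by hand is fine for one host, but after a large KB823980Scan sweep you want it automated. The following is an added example (not part of the original diary and not a Microsoft or nmap tool) that parses KB823980Scan verdict lines and the "Remote OS guesses:" line of nmap 3.00 output, then flags "unpatched" hosts whose OS guess is in the Windows 95/98/ME family as likely false positives. The sample input is copied from the diary's output above; the regular expressions, the verdict wording other than "unpatched", and the assumption that every host block in the nmap output contains an "Interesting ports on ... (ip):" line are assumptions of this example.

```python
"""Cross-check KB823980Scan 'unpatched' verdicts against nmap OS guesses.

Added example, not from the ISC diary or from Microsoft/nmap.  Windows 9x/ME
hosts are not affected by MS03-026, so an 'unpatched' verdict for a host whose
nmap OS fingerprint says 95/98/98SE/ME is a likely scanner false positive.
"""
import re

# Sample inputs copied from the diary's sample output (target 1.2.3.4).
SCANNER_OUTPUT = """\
<+> Starting scan (timeout = 5000 ms)

Checking 1.2.3.4
1.2.3.4: unpatched

<-> Scan completed
"""

NMAP_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Host somehost.somedomain (1.2.3.4) appears to be up ... good.
Interesting ports on somehost.somedomain (1.2.3.4):
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
Remote OS guesses: Turtle Beach AudioTron Firmware 3.0, Windows NT4 or
95/98/98SE
Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "1.2.3.4: unpatched" / "1.2.3.4: patched" (verdict wording is an assumption)
VERDICT_RE = re.compile(r"^" + IP + r":\s+(\w[\w ]*?)\s*$", re.M)
# Start of a per-host block in nmap 3.00 normal output (assumed present per host)
HOST_RE = re.compile(r"^Interesting ports on \S+ \(" + IP + r"\):")
# OS-guess continuation ends at the next section nmap prints after the guesses
SECTION_PREFIXES = ("OS Fingerprint", "TCP ", "IPID", "Uptime", "Nmap run")
# Windows 95/98/98SE/ME tokens as they appear in nmap's OS guess strings
WIN9X_RE = re.compile(r"\b(?:95|98|98SE|ME)\b")


def parse_scanner(text):
    """Return {ip: verdict} (lower-cased) from KB823980Scan output."""
    return {ip: verdict.lower() for ip, verdict in VERDICT_RE.findall(text)}


def parse_nmap_os(text):
    """Return {ip: os_guess} from nmap 3.00 output.

    nmap wraps long 'Remote OS guesses:' lines; continuation lines are joined
    until the next section header or a blank line.
    """
    results, ip, guess = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, guess = m.group(1), None
            continue
        if line.startswith(("Remote OS guesses:", "Remote operating system guess:")):
            guess = line.split(":", 1)[1].strip()
            continue
        if guess is not None:
            if not line.strip() or line.startswith(SECTION_PREFIXES):
                results[ip] = guess          # guess complete for this host
                guess = None
            else:
                guess += " " + line.strip()  # wrapped continuation line
    if guess is not None and ip is not None:
        results[ip] = guess
    return results


def triage(scanner_text, nmap_text):
    """Combine both outputs into {ip: action}.

    'unpatched' + Windows 9x/ME guess  -> likely false positive
    'unpatched' + anything else        -> treat as vulnerable
    """
    verdicts = parse_scanner(scanner_text)
    os_guesses = parse_nmap_os(nmap_text)
    report = {}
    for ip, verdict in verdicts.items():
        guess = os_guesses.get(ip, "")
        if verdict == "unpatched" and WIN9X_RE.search(guess):
            report[ip] = "likely false positive (Windows 9x/ME, MS03-026 n/a): " + guess
        elif verdict == "unpatched":
            report[ip] = "unpatched: patch or isolate; OS guess: " + (guess or "unknown")
        else:
            report[ip] = verdict
    return report


if __name__ == "__main__":
    for ip, action in sorted(triage(SCANNER_OUTPUT, NMAP_OUTPUT).items()):
        print(ip, "->", action)
```

Feed it the saved output of a sweep (KB823980Scan over a range, nmap -O over the same range) and the hosts that survive as "unpatched" are the ones worth patching or isolating first. Because the nmap guess is a heuristic (the sample above hedges between NT4 and 95/98), a "likely false positive" still deserves a manual look before it is written off.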