SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-05-05



port 135 spikes, Lovegate, Welchia.K, Mailbag, Unix Security

Published: 2004-05-05
Last Updated: 2004-05-07 12:03:48 UTC
by Johannes Ullrich (Version: 1)
Port 135 Spikes

Over the last few days, a number of networks detected a sharp, almost vertical,
rise in port 135 (tcp) traffic followed by an exponential decay. Typically,
these traffic bursts last for a few hours. From selected packet captures, it
looks like these scans attempt to exploit the RPC DCOM vulnerability. Several
possible sources have been suggested. It is likely that these scans are caused
by botnets scanning their target networks for new, vulnerable hosts.

LovGate Virus

A virus sample submitted to us on Monday is now identified as LovGate.R.
In addition to spreading via e-mail, the virus uses the RPC DCOM
vulnerability to spread and it will open file shares on infected systems.
This virus is one suspected cause of the rise in port 135 traffic.

McAfee: http://vil.nai.com/vil/content/v_101157.htm

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.lovgate.r@mm.html

Welchia.K Worm

A new version of 'welchia' (aka Nachi) has been identified. This worm, which was
first identified in the wake of Blaster last August, is most noted for the ICMP
echo requests it sends. Welchia.K includes exploits for the following vulnerabilities:

* RPC Locator

* WebDAV (you will see log entries whose request line starts with 'SEARCH' in your web log)

* RPC DCOM

* MS Workstation

Fixes for all these vulnerabilities were made available in 2003. Multiple worms and bots are currently scanning for these vulnerabilities.

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.K
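
The WebDAV indicator above (request lines beginning with 'SEARCH') is easy to pull out of an ordinary web server log. The following Python script is an added example, not part of the original diary: it parses constructed Apache/NCSA-style log lines and counts SEARCH requests per source address so that a handler can see which hosts are probing for the WebDAV vulnerability. The log lines, addresses and timestamps are made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/NCSA common log format (not real traffic).
# 192.0.2.77 issues repeated SEARCH requests; the others are normal browsing.
SAMPLE_LOG = """\
192.0.2.10 - - [05/May/2004:10:12:01 -0400] "GET /index.html HTTP/1.1" 200 1043
192.0.2.77 - - [05/May/2004:10:12:05 -0400] "SEARCH / HTTP/1.1" 411 0
192.0.2.77 - - [05/May/2004:10:12:06 -0400] "SEARCH /AAAAAAAAAAAAAAAA HTTP/1.1" 400 0
198.51.100.4 - - [05/May/2004:10:13:09 -0400] "POST /form.cgi HTTP/1.0" 302 0
this line is not a valid log entry
192.0.2.77 - - [05/May/2004:10:14:31 -0400] "SEARCH / HTTP/1.1" 404 0
"""

# Fields: client IP, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S*)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webdav_search_probes(log_text, min_hits=1):
    """Return {ip: count} for every source that sent at least min_hits
    WebDAV SEARCH requests. Unparseable lines are skipped, not fatal."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"].upper() == "SEARCH":
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in sorted(find_webdav_search_probes(SAMPLE_LOG).items()):
        print(f"{ip}: {n} SEARCH request(s)")
```

A single SEARCH request can be a legitimate WebDAV client, so raise min_hits or correlate with the port 135 traffic described above before treating a source as a scanner.
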

Mailbag: Cleanup Woes

A reader asked why we recommend a complete rebuild of systems infected with 'sasser', given that 'sasser' is rather benign and easy to clean.

The problem with 'sasser' is that it serves as an indicator of exploitation. The fact
that you are infected with 'sasser' shows that you were vulnerable to the LSASS
exploit. Before sasser, a large number of bot variants exploited this same vulnerability. We find that many systems infected with 'sasser' are infected with one or more bots in addition to 'sasser'.

Each day, we receive several distinct 'bot' samples. Antivirus signatures are typically not able to keep up with all versions, and many 'bots' include specific code to plant backdoors, disable firewalls and antivirus products, or to add additional system accounts.

Antivirus software is not able to reliably detect and clean all of these bots. As a result, it is impossible to tell if any of these bots are left on your system. Only a thorough (and costly) forensics analysis by a trained specialist will provide some assurance.

As a result, if you are infected by 'sasser', try to rebuild your system from scratch. For detailed instructions on setting up a new system safely, see
http://www.sans.org/rr/papers/index.php?id=1298 (Windows XP: Surviving the first day). If you acquire a new system, assume it is not yet patched and use
extreme care the first time you connect it to the network.

Reading Room Recommendation

Given all the Windows security news, don't neglect your UNIX / Linux systems.
You may either want to consult the Center for Internet Security's benchmarks ( http://www.cisecurity.org ) or, for a quick checkup, see fellow handler Bill Stearns' paper: http://www.sans.org/rr/special/essential_host_security.php
-------

Johannes Ullrich, jullrich_AT_sans.org