
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-08-15



Back to Green, A Word From Microsoft

Published: 2005-08-15
Last Updated: 2005-08-16 02:31:57 UTC
by Joshua Wright (Version: 1)

A word from the Microsoft Security Response Center



Mike from the MSRC sent an e-mail with a "clarification regarding changing the default setting of NULL sessions and what the impact of changing these settings does to the threat profile of the PnP vulnerability addressed in MS05-039".

The information has been published in the updated MS05-039 bulletin, released earlier today.

Take note of the section on mitigating factors.

Thanks Mike.

Back to InfoCon Green



As of Tuesday, 1:45 AM GMT (Monday 20:45 EDT), we moved back to infocon green.

We moved to 'Yellow' on Friday, after we saw a number of exploits released for last week's Microsoft Windows vulnerabilities, in particular MS05-039 (PnP), which is exploitable remotely.

As expected, we saw various bots, in particular 'Zotob', take advantage of this vulnerability. At this point, however, the situation is static. New bot variations keep getting developed, but they do not add any fundamentally new variation of the exploit. We expect that most exploitable systems have been compromised at this point.

The last week showed once more that there is no longer a patch window. Defense in depth is your only chance to survive the early release of malware. In this particular case, three distinct best practices can mitigate the vulnerability:

- close port 445, at least at the perimeter;

- patch systems quickly;

- eliminate NULL sessions.

None of these measures is perfect, and some may not be applicable to your network (e.g. you may require NULL sessions in some circumstances).
Another development this event brought to a conclusion is the declining importance of 'worms' relative to more sophisticated 'bots'. We received a number of bots using the PnP vulnerability. Antivirus scanners did not identify most of them. In many cases, the same bot was packed differently or some functions were added to evade detection.

Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground. The only way we can keep up with this development is by sharing information just as efficiently. Being able to do so openly will only make this sharing easier. Please join our effort, and share future observations with us. We will continue to turn them over quickly and make them available via our diaries for everybody to read and learn from.

I would like to thank in particular handlers Lorna and Tom for their extensive analysis of all the malware submitted.

Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow forever.

Johannes Ullrich.

McD's Bomber Message Malware



We've had several reports from folks who received messages with the subject line "McDonald's bomber jailed for life". The message includes a link to various sites under the common domain lastrez_DONOTCLICK_.com (_DONOTCLICK_ added for emphasis!).


Visiting the site redirects to a page "mc.html" on the same site that attempts to exploit the MS05-038 (Internet Explorer) bug, creating a file called w.hta. Handler David Goldsmith has asked the Yesnic registrar to stop resolving this domain, and the China Netcom ISP to stop hosting this site, but at the time of this writing the site is still operational. Organizations may want to consider blocking the site at 210.22.50.80 to prevent click-happy users from infecting their systems.



Zotob Update



New and improved Zotob(?): now with mass mailer. Our malware team (mostly Tom and Lorna) is faced with an increasing flood of PnP bots and worms. The most recent one looks like a Zotob; however, it includes a mass mailer.

This Zotob variant connects to the same IRC server as the others, but to a different channel. Strings that are likely to be used in the Subject line of e-mail sent by this variant: Warning!!, **Warning**, Hello, Confirmed..., Important!, We found a photo of you in ..., That's your photo!!?, Hey!!, OK here is it!. The attachment included in the e-mail looks like a zip file.

Other notable strings:
Botzor2 pnp+asn+mail spread. Greetz to good friend Coder. Based On HellBot3. f-secure,sophos ok wait bitchs!!!

Hostnames pointed to 127.0.0.1 via the hosts file: most AV vendors, plus paypal, moneybookers, ebay and amazon.com.
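A quick way to check a suspect machine for this kind of redirection is to parse its hosts file and list every name that has been pointed at a loopback or null address. The script below is an added example written for this edit, not code from the diary or from any AV vendor; the watchlist uses only the labels named above, the sample hosts file is constructed, and the specific hostnames in it are assumptions.

```python
"""Flag hosts-file entries that sink AV or payment sites to a loopback address.

Added example, not code from the ISC diary or any vendor. Reads hosts-file
text and reports any non-loopback name mapped to a sinkhole address,
listing watchlist matches first. Watchlist labels are the ones named on
the page; the concrete hostnames in the sample are constructed.
"""
import re

# Addresses that make a name unreachable when used in a hosts file.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names that legitimately point at loopback and must not be flagged.
BENIGN_LOCAL = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Second-level labels named on the diary page; matched label-by-label so
# both "paypal.com" and "www.paypal.com" hit.
WATCHLIST = {"f-secure", "sophos", "paypal", "moneybookers", "ebay", "amazon"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text.

    Handles '#' comments (whole-line and trailing), blank lines, tab or
    space separation, and several hostnames on one line.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def watchlist_label(hostname):
    """Return the watchlisted label found in hostname, or None."""
    for label in hostname.split("."):
        if label in WATCHLIST:
            return label
    return None


def find_sinkholed(text):
    """Return [(hostname, address, label_or_None)] for suspicious entries,
    watchlist matches first, then alphabetically."""
    findings = []
    for addr, name in parse_hosts(text):
        if addr in SINKHOLE_ADDRS and name not in BENIGN_LOCAL:
            findings.append((name, addr, watchlist_label(name)))
    findings.sort(key=lambda f: (f[2] is None, f[0]))
    return findings


# Constructed sample resembling a hosts file edited by a bot; not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.f-secure.com f-secure.com   # appended lines start here
127.0.0.1   sophos.com www.sophos.com
127.0.0.1   www.paypal.com paypal.com
0.0.0.0     www.amazon.com
127.0.0.1   update.example-av.test
10.0.0.5    intranet.example.com   # legitimate internal override, not flagged
"""

if __name__ == "__main__":
    for name, addr, label in find_sinkholed(SAMPLE_HOSTS):
        print(f"{addr:<10} {name:<26} {'watchlist:' + label if label else 'unlisted'}")
```

Run it against `%SystemRoot%\system32\drivers\etc\hosts` copied off the suspect machine; anything in the "unlisted" group still deserves a look, since the bot author decides which vendors to block and the watchlist only covers the names reported here.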

More MS05-039 fun'ness


Over the course of the day we've seen what appears to be more than a handful of new bots exploiting the PnP bug (Note: PnP is not the same as UPnP, and we wonder who thought adding network-aware capabilities to PnP was a good idea). While TCP/445 scanning hasn't increased significantly, it's always a popular target, so we assume attackers are working from pre-populated lists of TCP/445 targets now that a ready-to-run ("dot-slash") exploit is readily available and reliable.


Part of the uptick in compromises is likely due to existing bots being configured with the new PnP exploit code, highlighting the "blended threat" problem. Existing malware that has been making the rounds for a while receives a new breath of life when new exploit code becomes available, turning up lots of compromised systems.


A few salient points regarding the current PnP attack threat:


+ There are lots of additional 'bots' in addition to Zotob, directly targeting systems or making use of prepopulated target lists;

+ Ensure all systems have NULL sessions disabled to block the current threats;

+ Block TCP/445 ingress and egress whenever possible to stop incoming attacks, and to detect infected systems leaving your network;

+ Do not rely on TCP/33333 FTP service detection to identify compromised systems as this port is not used consistently in later bot variants;

+ Ensure AV signatures are up-to-date;

+ Patch!
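The egress-blocking point above has a detection side: an internal host that attempts outbound TCP/445 to many distinct external addresses in a short time is almost certainly scanning, whether or not the firewall let the packets through. The following script is an added example, not code from the diary; it works over firewall log lines in a constructed format (an assumption, not any vendor's real syntax) and, in line with the caution about TCP/33333, treats TCP/8888 and TCP/33333 contacts only as supporting hints that never drive the verdict on their own.

```python
"""Spot infected hosts by outbound TCP/445 fan-out in perimeter firewall logs.

Added example, not code from the ISC diary. Parses firewall log lines in a
constructed format (an assumption, not a vendor syntax), counts distinct
external TCP/445 targets per internal source, and flags sources at or
above a threshold. TCP/8888 and TCP/33333 contacts are attached as hints.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed format: "<Mon dd hh:mm:ss> <fw> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SECONDARY_PORTS = {8888: "Zotob command shell", 33333: "Zotob FTP, not consistent across variants"}


def is_internal(addr):
    """True if addr falls in one of the RFC 1918 ranges used as 'inside' here."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict of fields for a matching line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_scanners(lines, threshold=5):
    """Return {src: {"targets": n, "hints": [...]}} for internal sources that
    contacted at least `threshold` distinct external hosts on TCP/445.

    Internal-to-internal 445 traffic is ignored (normal file sharing), and the
    firewall's ALLOW/DENY verdict is irrelevant: the attempt is the signal.
    Hints are only reported for sources that crossed the threshold.
    """
    targets = defaultdict(set)
    hints = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]):
            continue
        if rec["dport"] == 445 and not is_internal(rec["dst"]):
            targets[rec["src"]].add(rec["dst"])
        elif rec["dport"] in SECONDARY_PORTS:
            hints[rec["src"]].append(f"{rec['dst']}:{rec['dport']} ({SECONDARY_PORTS[rec['dport']]})")
    return {
        src: {"targets": len(dsts), "hints": hints.get(src, [])}
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


# Constructed sample log; addresses are documentation/RFC 1918 ranges, not real hosts.
SAMPLE_LOG = """\
Aug 15 20:31:02 fw1 DENY TCP 10.1.2.3:1055 -> 198.51.100.7:445
Aug 15 20:31:02 fw1 DENY TCP 10.1.2.3:1056 -> 198.51.100.8:445
Aug 15 20:31:03 fw1 DENY TCP 10.1.2.3:1057 -> 198.51.100.9:445
Aug 15 20:31:03 fw1 DENY TCP 10.1.2.3:1058 -> 203.0.113.10:445
Aug 15 20:31:03 fw1 DENY TCP 10.1.2.3:1059 -> 203.0.113.11:445
Aug 15 20:31:04 fw1 DENY TCP 10.1.2.3:1060 -> 203.0.113.12:445
Aug 15 20:31:04 fw1 DENY TCP 10.1.2.3:1061 -> 203.0.113.12:445
Aug 15 20:31:05 fw1 DENY TCP 10.1.2.3:1062 -> 203.0.113.5:33333
Aug 15 20:32:10 fw1 ALLOW TCP 10.1.2.4:2001 -> 198.51.100.20:445
Aug 15 20:32:11 fw1 ALLOW TCP 10.1.2.4:2002 -> 198.51.100.21:445
Aug 15 20:32:12 fw1 ALLOW TCP 10.1.2.4:2003 -> 10.1.9.9:33333
Aug 15 20:32:13 fw1 ALLOW TCP 10.1.2.9:2100 -> 10.1.9.9:445
this line is not a firewall record
"""

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['targets']} distinct external TCP/445 targets; hints: {info['hints'] or 'none'}")
```

The threshold is the tuning knob: a fan-out of five distinct external 445 targets is far above what a workstation produces legitimately, but a file-sharing gateway or vulnerability scanner will need to be whitelisted before this runs over production logs.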




New Zotob variant (Zotob.b)


F-Secure is reporting a new variant of the Zotob worm currently exploiting the PnP vulnerability addressed in MS05-039. The Zotob.B variant uses the same ports (TCP/445 for scanning, TCP/8888 command shell on exploited systems, TCP/33333 for the FTP server) as the previous variant, but uses the executable name "csm.exe" under the value name "csm Win Updates" in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices key to load the worm when the system boots. Zotob.A uses the executable name "botzor.exe" in the same registry key. (Note that NT-based Windows, including XP and 2003, does not process the RunServices key at boot; when hunting for the persistence entry, check the Run key under the same path as well.)



It is not believed that Zotob.B worm possesses any additional characteristics that would make it more of a threat compared to Zotob.A.



Links:


http://www.f-secure.com/v-descs/zotob_a.shtml

http://www.f-secure.com/v-descs/zotob_b.shtml




Zotob affecting some XP SP2/2003?


Reader Samuli writes in (thanks Samuli!) pointing out that the houseofdabus code used in the Zotob worm to exploit the Microsoft PnP vulnerability addressed in MS05-039 relies on NULL sessions to exploit the target system. Default installations of Windows XP SP2 and Windows 2003 do not have NULL sessions enabled, and thus are not affected by the worm. However, some server roles may require administrators to enable NULL session functionality, such as legacy domain controllers, Microsoft Exchange servers, Microsoft SQL Servers, etc. If you have permitted NULL session access on your managed systems, you may be at risk of infection by one of the Zotob variants.




Administrators can check whether anonymous (NULL session) enumeration is restricted on their Windows XP SP2 systems by looking at two REG_DWORD values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The value restrictanonymoussam (default 1 on XP SP2 and Windows 2003) blocks anonymous enumeration of SAM user accounts; ensure it is enabled (1). The value restrictanonymous (default 0) is the broader setting: its policy name is "Network access: Do not allow anonymous enumeration of SAM accounts and shares", so setting it to 1 also hides the share list from anonymous callers, which restrictanonymoussam alone does not. If you're checking your systems, you may want to set both values to 1 to prevent an anonymous attacker from enumerating either accounts or shares, although this will require testing to ensure it does not break valid applications.
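Both checks in this diary, the Zotob autostart names from the Zotob.B entry above (botzor.exe, csm.exe) and the LSA values just described, can be run over the text that `reg query` prints, which makes it practical to review exports collected from many machines at once. The script below is an added example, not code from the diary or from Microsoft; the sample export is constructed, its row layout follows current reg.exe output (an assumption for older releases), and the value names in the sample other than "csm Win Updates" are made up for illustration.

```python
"""Triage 'reg query' output for Zotob autostart names and NULL-session settings.

Added example, not code from the ISC diary. Parses the text 'reg query <key>'
prints (a key-path header line followed by indented 'Name  REG_TYPE  data'
rows) and runs two checks: Run/RunServices entries naming a Zotob executable,
and LSA anonymous-access values compared against a hardened setting.
"""
import re

# "    Name    REG_TYPE    data" (name may contain spaces, data may be empty)
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

ZOTOB_NAMES = {"botzor.exe", "csm.exe"}          # executable names given on the page
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")
LSA_SUFFIX = r"\control\lsa"
# Value -> setting that blocks anonymous enumeration. RestrictAnonymousSAM=1 and
# EveryoneIncludesAnonymous=0 are the XP SP2/2003 defaults; RestrictAnonymous=1
# goes beyond the default and also hides shares from anonymous callers.
LSA_HARDENED = {"RestrictAnonymousSAM": 1, "RestrictAnonymous": 1, "EveryoneIncludesAnonymous": 0}


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg query output.
    Blank lines and non-indented banners (e.g. '! REG.EXE VERSION 3.0') are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = (m["type"], m["data"].strip())
    return keys


def dword(data):
    """Convert REG_DWORD text as printed by reg.exe ('0x1') or decimal to int."""
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def check_autostart(keys):
    """Return [(key, value_name, data)] for Run/RunServices entries whose executable
    basename is a Zotob name, ignoring quotes, directory path and arguments."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        for name, (_type, data) in values.items():
            exe = data.replace('"', "").strip().lower().split("\\")[-1].split(" ")[0]
            if exe in ZOTOB_NAMES:
                hits.append((key, name, data))
    return hits


def check_lsa(keys):
    """Return {value: (actual, wanted, ok)} for the LSA anonymous-access values.
    A value absent from the export is treated as 0 (assumption: unset behaves as 0)."""
    lsa = {}
    for key, values in keys.items():
        if key.lower().endswith(LSA_SUFFIX):
            lsa = {n.lower(): v for n, v in values.items()}
    report = {}
    for name, wanted in LSA_HARDENED.items():
        entry = lsa.get(name.lower())
        actual = dword(entry[1]) if entry else 0
        report[name] = (actual, wanted, actual == wanted)
    return report


# Constructed export, as if from 'reg query <key>' for each of the three keys.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0
    RestrictAnonymous    REG_DWORD    0x0
    RestrictAnonymousSAM    REG_DWORD    0x1
    EveryoneIncludesAnonymous    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    csm Win Updates    REG_SZ    csm.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    WINDOWS SYSTEM    REG_SZ    botzor.exe
"""

if __name__ == "__main__":
    keys = parse_reg_query(SAMPLE_EXPORT)
    for key, name, data in check_autostart(keys):
        print(f"AUTOSTART HIT  {key}  [{name}] = {data}")
    for name, (actual, wanted, ok) in check_lsa(keys).items():
        print(f"{'ok  ' if ok else 'WEAK'} {name}={actual} (hardened value {wanted})")
    print("Note: RestrictAnonymous=1 also hides shares from anonymous browsing; test before deploying.")
```

The WEAK flag on RestrictAnonymous is deliberate rather than alarming: 0 is the shipped default, and whether to move it to 1 is exactly the trade-off against browser enumeration that has to be tested first. A real run would collect the three key exports with `reg query` on each host and feed the concatenated text in.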




Update: Reader Chuck Croll writes in with the following comments regarding disabling anonymous share browsing:


"Note that if you enable blocking of anonymous share enumeration, by setting HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous to "1", you will break Windows Networking, i.e., the ability for the browser subsystem to enumerate servers in Network Neighborhood.

A lot of people have no idea what the browser is, and when Network Neighborhood breaks, can't even describe it accurately."


All the more reason to test settings before applying them in a production environment! Thanks Chuck!



It is still vital that organizations apply the most recent patch updates from Microsoft to resolve several vulnerabilities in Windows. While the current Zotob worm may not be able to exploit default installations of Windows XP SP2 and Windows 2003, it certainly won't be long before there is a variant that won't have this limitation.



What's more, there appears to be some confusion among AV vendors as to the vulnerability of Windows 95/98/ME/NT4 systems. Symantec claims that while these legacy operating systems cannot be infected (likely because they are not vulnerable to the PnP bug), they can be used as propagation vectors if the Zotob code is executed on the system. Another vendor's write-up briefly mentions that Zotob runs on all of these Windows platforms, but does not provide additional information.



Paul Asadoorian from Brown University has written and maintains an excellent paper on the subject. Thanks Paul!



-Joshua Wright/Handler-on-duty