W32.Blaster.E.Worm

Tyby
Dungeon Keeper
Posts: 602
Joined: Sun Jul 06, 2003 10:39 pm
Location: Bucuresti

W32.Blaster.E.Worm

Postby Tyby » Fri Aug 29, 2003 1:27 pm

A new RPC / DCOM worm

Additional information and an alternate site from which to download the Microsoft patch is available in the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."

We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:


TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"


http://www.symantec.com/avcenter/venc/d ... .worm.html
Last edited by Tyby on Fri Dec 05, 2003 8:25 am, edited 1 time in total.
formerly known as gaurika ...

May the best from your past be the worst in your future!

Tyby out!

costin
senior
Posts: 130
Joined: Sun Jul 06, 2003 3:00 am

Postby costin » Fri Aug 29, 2003 9:43 pm

Blaster has really been wreaking havoc on our network for about a week. Alin and I had been thinking of blocking this port, but we didn't believe it was really that effective. Anyway, internet access on this port is now blocked.
Which goes to show that it's much easier to prevent than to cure... 8)
Get Firefox!

eugen
Site Admin
Posts: 687
Joined: Sat Jul 05, 2003 10:42 pm

Postby eugen » Fri Aug 29, 2003 10:45 pm

I think there's a confusion here: it's about TCP 4444 and 135 locally, i.e. on the victims' Windows boxes.. what does that have to do with internet access, or with filtering on the firewall?

How Does MSBLAST Infect My Computer?

The worm creates a Mutex named "BILLY." If the mutex exists, the worm will exit.

Adds the value:

"windows auto update" = MSBLAST.EXE (variant A)
"windows auto update" = PENIS32.EXE (variant B)
"Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
"Nonton Antivirus" = mspatch.exe (variant D)

to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.

Calculates the IP address, based on the following algorithm, 40% of the time:

Host IP: A.B.C.D
sets D equal to 0.
if C > 20, will subtract a random value less than 20.
Once calculated, the worm will start attempting to exploit the computer based on A.B.C.0, and then count up.
This means the Local Area Network will be infected almost immediately and become saturated with port 135 requests prior to exiting the local subnet.


Calculates the IP address, based on many random numbers, 60% of the time:

A.B.C.D
set D equal to 0.
sets A, B, and C to random values between 0 and 255.


Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:

Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

NOTE: Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data. This can cause blue screens, out of memory errors, etc.


Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.

Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.


If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

on that point I kind of have to agree with him :lol:
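The target-selection, DoS-trigger and port-135 sweep behaviour quoted above, as an added worked example: this is not code from the original post, from Symantec's write-up or from the worm itself. It reimplements the described logic in Python and adds a small detector for the "count up from A.B.C.0" pattern. The FixedRng class, the function names and the SAMPLE_RECORDS flow log are assumptions made for this illustration; the records are constructed, not captured traffic.

```python
import random
from collections import defaultdict
from datetime import date
from ipaddress import IPv4Address


def pick_scan_start(host_ip, rng=random):
    """Choose the /24 where a sweep begins, following the write-up above.

    40% of the time the worm starts from its own A.B.C.0, lowering C by a
    random value below 20 when C > 20, so neighbouring subnets are hit first.
    The other 60% it picks random A, B, C and sets D to 0.
    `rng` needs random() and randrange(); the default is the random module.
    """
    a, b, c, _ = (int(octet) for octet in host_ip.split("."))
    if rng.random() < 0.40:
        if c > 20:
            c -= rng.randrange(20)  # subtract a random value less than 20
    else:
        a, b, c = (rng.randrange(256) for _ in range(3))
    return IPv4Address(f"{a}.{b}.{c}.0")


def scan_targets(start, count):
    """The worm counts upward from the start address, one host at a time."""
    return [start + i for i in range(count)]


def dos_window_active(today):
    """The DoS against windowsupdate.com runs when month > August or day > 15.

    Note the "or": as written, the condition is also true on the 16th to 31st
    of any earlier month, not only from 16 August onward.
    """
    return today.month > 8 or today.day > 15


class FixedRng:
    """Hypothetical stand-in for `random` so both branches can be shown
    deterministically: random() returns r, randrange(k) returns n % k."""

    def __init__(self, r, n):
        self.r, self.n = r, n

    def random(self):
        return self.r

    def randrange(self, k):
        return self.n % k


def detect_port135_sweeps(records, min_run=8):
    """Flag sources that hit TCP/135 on consecutive ascending destinations.

    records: iterable of (src, dst, dport) tuples in arrival order, e.g. from
    a firewall or flow log. A run of at least min_run consecutive addresses
    from one source is the counting-up signature of the 40% branch.
    Returns {src: (first_dst, last_dst, run_length)} for the longest such run.
    """
    per_src = defaultdict(list)
    for src, dst, dport in records:
        if dport == 135:
            per_src[src].append(IPv4Address(dst))
    hits = {}
    for src, dsts in per_src.items():
        best = None
        run_start, run_len = dsts[0], 1
        for prev, cur in zip(dsts, dsts[1:]):
            if int(cur) == int(prev) + 1:
                run_len += 1
            else:
                run_start, run_len = cur, 1
            if run_len >= min_run and (best is None or run_len > best[2]):
                best = (run_start, cur, run_len)
        if best is not None:
            hits[src] = (str(best[0]), str(best[1]), best[2])
    return hits


# Constructed sample flow records (not real logs): one infected host sweeping
# 10.1.5.1 upward on 135, an SMB client on 445 that must be ignored, and a
# host touching 135 on scattered addresses, as the 60% random branch looks.
SAMPLE_RECORDS = (
    [("10.1.7.20", f"10.1.5.{d}", 135) for d in range(1, 13)]
    + [("10.1.7.30", f"10.1.5.{d}", 445) for d in range(1, 13)]
    + [("10.1.7.40", dst, 135) for dst in ("10.1.5.1", "10.1.9.77", "172.16.3.0")]
)

if __name__ == "__main__":
    local = pick_scan_start("192.168.30.77", FixedRng(0.1, 5))  # 40% branch
    print("local sweep starts at", local, "->", [str(t) for t in scan_targets(local, 3)])
    print("random sweep starts at", pick_scan_start("192.168.30.77", FixedRng(0.9, 7)))
    print("DoS active on 2003-08-15:", dos_window_active(date(2003, 8, 15)))
    print("DoS active on 2003-08-16:", dos_window_active(date(2003, 8, 16)))
    print("sweeping sources:", detect_port135_sweeps(SAMPLE_RECORDS))
```

The detector only keys on destination port 135 and address adjacency, which is exactly why the local branch saturates a subnet so visibly: a single source walking a /24 in order is cheap to spot in firewall or flow logs, whereas the random branch produces scattered hits that need volume-based rules instead.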

costin
senior
Posts: 130
Joined: Sun Jul 06, 2003 3:00 am

Postby costin » Sat Aug 30, 2003 4:45 am

I had understood that it downloads its main body via TFTP from an external server on port 4444.
Get Firefox!

sl0bizz
elder
Posts: 671
Joined: Mon Jul 14, 2003 7:33 pm
Location: Boston

Postby sl0bizz » Sat Aug 30, 2003 5:29 am

I saw the American Garcea on TV, pleased that they'd caught the one who made Blaster. They talked a lot of nonsense, threatened left and right, reminded everyone that "manufacturing" viruses is a crime, and nabbed the kid. These guys have started settling file sharing with lawsuits too: "'evening, let's see your shares."
When you think of the joke that Windows is a virus with a graphical interface, you start to worry about Bill.
And that's all we needed: a war on terror in which a Bin Laden with acne shows up every day.
If you have spare items or need some, try Freecycle Bucuresti. If you don't need anything, I'll be upset.

eugen
Site Admin
Posts: 687
Joined: Sat Jul 05, 2003 10:42 pm

Postby eugen » Sun Aug 31, 2003 2:07 am

Federal authorities have arrested a teenager on suspicion of creating and distributing one of the variants of the prolific Blaster worm earlier this month.

Jeffrey Lee Parson, 18, was arrested today and is due to make a court appearance in St. Paul, Minnesota, this afternoon. His arrest follows a search of his home at Hopkins, Minnesota, by FBI and Secret Service agents on Tuesday, where seven computers were seized.

Parson (AKA teekid or t33kid) reportedly admitted to FBI Special Agent Eric Smithmier that he modified the original Blaster worm and created a variant which used the filename penis32.exe (blaster B variant). Parson, who's reportedly 6 foot 4 inches tall and weighs 320 pounds, is alleged to have run a website where viruses were available for download.

ugh, I hate these units of measure.. so is he short, fat, tall, what is he? and what did that have to do with what he did? :roll:

Draso
senior
Posts: 300
Joined: Sun Jul 06, 2003 10:58 am
Location: Cluj-Napoca

Postby Draso » Sun Aug 31, 2003 2:28 am

Whenever I see these units I'm reminded of Six Feet Under, which is meant to be two meters underground 8) So he's big and fat :) not that this has anything to do with it ...

originaltup
elder
Posts: 1749
Joined: Sun Jul 06, 2003 11:52 am
Location: Ohio

Postby originaltup » Sun Aug 31, 2003 11:12 am

Alleged Internet worm launcher wouldn't need much sophistication

In the underground world of Internet attackers, Jeffrey Lee Parson is a small fish, security experts say.

Parson is the 18-year-old Hopkins high school senior who was arrested Friday for allegedly releasing the second of several variations of the Internet Blaster worm. Beginning about Aug. 11, the worm and its variants shut down consumer and business computers around the world and virtually stopped many corporate networks by flooding them with data traffic. About 500,000 computers were infected.

But security experts said it appears that Parson is far from being a key player in the worm attacks. Instead, he appears to be one of thousands of largely self-taught programmers.

Such programmers generally use normal computers and relatively simple software to copy the work of more creative programmers that is readily available on the Internet.

The innovations that disrupted computers worldwide were the work of Blaster's creator, who remains unknown and at large, the experts said.

The FBI, in papers filed in U.S. District Court in Seattle, said Parson, known online as "teekid," was responsible for attacking about 7,000 of the 500,000 computers that were infected by Blaster and its variants. Experts say it is difficult to tell how many computers were affected by Parson's version because the first three worm versions were so similar.

Parson was charged with one count of intentionally causing damage to a protected computer for releasing his worm, called Blaster.B or Lovsan.B. He did not enter a plea; his next court hearing is scheduled for Sept. 17 in Seattle, where the federal investigation of the Blaster attacks is based because it is near Microsoft's headquarters.

The Blaster worm attack has been a setback for Microsoft's Trustworthy Computing initiative, a highly publicized effort to make the company's software more secure. Chairman Bill Gates launched the initiative in January 2002, after the Code Red and Nimda worms demonstrated severe vulnerabilities in Microsoft software. He said security would be the company's top priority.

Microsoft, which said it spent $100 million last year on secure-computing efforts, still is working to improve its image.

"We are committed now more than ever to building more secure software that is resilient to attack while preserving the rich computing experience that our customers expect," Microsoft said Friday.

When the software patch for Windows was offered in July, Jeff Jones, senior director for Microsoft's Trustworthy Computing effort, promised that in the future such flaws would be detected and fixed earlier through the use of automated software scanning tools that look for security holes.

'Script kiddie'

Those efforts are vital for stopping the top tier of malicious hackers, as well as the copycats, one of which Parson is alleged to be.

"I rate him as an advanced 'script kiddie,' meaning he is one of those people that don't invent their own ideas," said Eric Schultze, chief security architect for Shavlik Technologies of Roseville. "He didn't do anything supernew and exciting. He just took other people's ideas and cobbled them together without adding a lot."

Script kiddies "do it for the bragging rights," Schultze said.

"The majority of script kiddies are teenage boys," said Sharon Ruckman, senior director of Symantec Security Response in Santa Monica, Calif. "They are looking for publicity, and they like to see notice of their work in the press. But script kiddies are not criminals. They're not trying to steal credit card numbers or financial information from your computer."

Because Parson is believed to be a copier of the original Blaster worm code, experts also say there is no reason to think that he knew the original author of Blaster. Capturing the worm would have been simple, experts said. Once the original Blaster worm infected a computer, Parson could have used a piece of software called a text editor to view it and make changes in its code.

"Not just anybody could do it, but it's not that difficult," said Vincent Gullotto, vice president of the antivirus emergency response team at Network Associates, a security firm in Beaverton, Ore.

Another aspect of the case, Parson's Web site, loaded with malicious computer code, doesn't really brand him as an experienced Internet attacker, experts said.

The FBI said in court papers that Parson maintained a Web site that contained the source code for other Internet worms and had links to other Web sites that offer downloadable code, such as "back doors" that provide unauthorized computer access.

But experts say it is not illegal or unusual for programming enthusiasts to maintain such a site.

"There are 30,000 Web sites that contain hacker and virus-writing tools," Ruckman said. Such sites are often protected by passwords so that only people who know the operator can access them, she said. "If a person has general programming knowledge, putting those pieces together is not too difficult."

One thing that sets Parson apart from other Internet attackers is that he got caught, something that rarely happens even when the attacks are extremely damaging, Ruckman said.

"The creators of the Code Red, Nimda and Slammer worms have not been caught at this point," Ruckman said.

The Code Red worm swept the Internet in July 2001, causing an estimated $2 billion in damage. The Nimda worm infected hundreds of thousands of computers in September 2001, causing billions of dollars in damage. The Slammer worm caused an estimated $1 billion in damage in February.

Lacking sophistication

Some experts say the ease with which Parson was caught betrays him as an amateur. The FBI's court filing indicates that Parson made two mistakes that enabled the government to trace him. He changed a computer file name within the worm to "teekids," a name he frequently had used when visiting Internet chat rooms and game Web sites. He also directed computers infected with his version of the worm to send their Internet addresses to his own Web site.

"His lack of sophistication in hiding his tracks means he is newer to the game," Ruckman said.

But, sophisticated or not, it would be wrong to say this contribution to Internet worm attacks was insignificant. MS Blast and its variants became one of the worst computer attacks of the year, and their impact was even more keenly felt because they overlapped with an unrelated computer attack, the SoBig.F computer virus, which clogged e-mail inboxes worldwide in late August. (A worm acts without human intervention; a virus such as SoBig works only if an unsuspecting recipient clicks on an e-mail attachment.)

Authorities say Parson's version of the worm maintained the impact of the original one while adding some features. Like the original, it infected a computer and commandeered it for a later attack on a Microsoft Web site (the attack was foiled by Microsoft, but at the expense of considerable time and effort). The worm also spread itself to other computers, then shut down the original computer.

This version added two features and some insulting remarks about Microsoft founder Bill Gates. The worm created a back door to the infected computer that would allow Parson to revisit it later, and it caused infected computers to register their Internet addresses on Parson's Web site, http://www.t33kid.com. Parson also is credited with adding remarks chiding Gates for not being more careful about software security.

While he would be far from the first person to criticize Microsoft's security lapses, one analyst said it's only natural that the software giant is a frequent target of Internet attackers, because its software is so widely used that an attack has huge ripple effects.

"You would not get a lot of respect among your peers for attacking Apple Computer software," Schultze said. "You'll get more respect if you attack Microsoft software, and there are more opportunities to do so."

http://feeds.bignewsnetwork.com/redir.p ... 77c08caf19

sl0bizz
elder
Posts: 671
Joined: Mon Jul 14, 2003 7:33 pm
Location: Boston

Postby sl0bizz » Sun Aug 31, 2003 1:57 pm

On the wall newspaper, under the heading "HOW NOT TO": t33kid, Jeffrey Lee Parson.
As read in the NY Times.
If you have spare items or need some, try Freecycle Bucuresti. If you don't need anything, I'll be upset.

originaltup
elder
Posts: 1749
Joined: Sun Jul 06, 2003 11:52 am
Location: Ohio

Postby originaltup » Thu Sep 04, 2003 11:41 am

LONDON (Reuters) - Police Wednesday said they arrested a 24-year-old Romanian man suspected of releasing a new version of the Blaster Internet worm, the second arrest of a copycat virus writer in the past week
http://story.news.yahoo.com/news?tmpl=s ... t_virus_dc

eugen
Site Admin
Posts: 687
Joined: Sat Jul 05, 2003 10:42 pm

Postby eugen » Tue Sep 09, 2003 1:54 am

Releasing viruses, punished twice as harshly as rape

The Romanian authorities wanted to send a positive message to the world by detaining, last week, a student who had released a computer virus, but the gesture backfired. The Romanians' announcement came at the same moment the American press was discovering that the FBI had treated unfairly the teenager Jeffrey Lee Parson, accused of releasing a related virus.
Consequently, the international press, instead of praising us, questioned the harshness of Romanian law on computer crime. Romania does indeed have one of the harshest laws of this kind in the world. Reuters reports that a Romanian who writes and releases viruses can get 15 years in prison for an activity of only 15 minutes. The Reuters correspondent, Bernhard Warner, points out that "a simple teenage prank" can bring, in Romania, a penalty twice the maximum penalty for rape. Reuters quotes the co-author of the law, Mr. Varujan Pambuccian: "It is good for Romanian law to be harsh." The Reuters story places the quote in a context suggesting that Romanian law is obtuse and inflexible.
The Associated Press agency deplores the lack of transparency of the Romanian authorities, who did not want to disclose details on the state of the investigation, on the grounds that it would compromise the inquiry. The virus's author was found by the police with the support of the company Softwin. Softwin's public relations director, Mihai Radu, informed Reuters that, according to the information he has, the suspect was released for lack of evidence. Mihai Radu specifies that the virus written by the Romanian did little damage. "The programmers in our company feel sorry for him. They asked us why we had to hand him over to the police," Mihai Radu confesses to Reuters.
The international press is concerned that the recent arrests in America and Romania might be motivated by the authorities' desire "to teach wrongdoers a lesson." Foreign journalists point out, however, that "lessons" are not the same thing as justice.

victor
elder
Posts: 1761
Joined: Sun Jul 06, 2003 8:22 am

Postby victor » Tue Sep 09, 2003 2:02 am

instead of rewarding and recruiting them...
"The Romanian authorities wanted to send a positive message to the world" - listen to that, an election campaign phrase...

darkside
senior
Posts: 410
Joined: Sun Jul 06, 2003 2:04 am
Location: Somewhere in US of A

Postby darkside » Tue Sep 09, 2003 9:23 am

yeah, if only someone up there would think .... :(
The last one to leave, turn off the lights ......
