W32.Blaster.B/C - Risk 3 - Update


Giorgius
13-08-2003, 19.26.54
http://www.chip.de/ii/13532404_5aea4f6f43.jpg

It seems the first 2 variants of the LovSan/Blaster virus have already been detected.


Aliases:

- Variant "B":
W32.Blaster.B.Worm (Symantec), WORM_MSBLAST.B (Trend Micro), Win32.Poza.C (Computer Associates), W32/Lovsan.worm.c (McAfee), WIN32/LOVSAN.B (Enciclopedia Virus (Ontinent))

- Variant "C":
W32.Blaster.C.Worm (Symantec), W32/Blaster-B (Sophos), W32/Lovsan.worm.b (McAfee), Win32.Poza.B (Computer Associates), WORM_MSBLAST.C (Trend Micro), WIN32/LOVSAN.C (Enciclopedia Virus (Ontinent))


Effects:

- Variant "B":
W32.Blaster.B.Worm is a variant of W32.Blaster.Worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The executable for this variant is named "Penis32.exe".
Symantec Security Response is currently analysing this threat and will post more information once it becomes available.

- Variant "C":
W32.Blaster.C.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download the Teekids.exe file to the %WinDir%\System32 folder, and then execute it.
Users are recommended to block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the following applications:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (www.windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.


Info:

http://www.enciclopediavirus.com/virus/vervirus.php?id=498
http://www.enciclopediavirus.com/virus/vervirus.php?id=500
http://www.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html
http://www.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.B
http://vil.mcafee.com/dispVirus.asp?virus_k=100551
http://www.sophos.com/virusinfo/analyses/w32blasterb.html
http://www.sarc.com/avcenter/venc/data/w32.blaster.b.worm.html
http://www3.ca.com/virusinfo/virus.aspx?ID=36309
http://www.alerta-antivirus.es/virus/detalle_virus.html?cod=2887
http://www.alerta-antivirus.es/virus/detalle_virus.html?cod=2886


Updated removal tools for variants "B" and "C":

http://securityresponse.symantec.com/avcenter/FixBlast.exe
http://www3.ca.com/Files/VirusInformationAndPrevention/ClnPoza.zip
http://www.trendmicro.com/download/tsc.asp
http://download.nai.com/products/mcafee-avert/stinger.exe
http://www.trojaner-info.de/cgi-bin/download.cgi?file=antimblast
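The Symantec text above names the three ports the worm touches in order: TCP/135 for the DCOM RPC exploit, TCP/4444 for the shell it opens on the victim, and UDP/69 for the TFTP fetch of the worm body back from the attacker. The script below is an added example (not from this thread, Symantec or any vendor tool) that runs that sequence as detection logic over connection-log lines and also flags hosts scanning TCP/135 across many destinations. The log format (`timestamp src dst proto dport`) and the sample lines are constructed for the example.

```python
"""Flag W32.Blaster infection sequences in connection-log lines.

Added example, not vendor code. Detection uses only the ports named in the
post: 135 (exploit) -> 4444 (shell) from attacker to victim, then UDP/69
(TFTP) from victim back to attacker. Log format is an assumed export:
    "<ISO timestamp> <src> <dst> <TCP|UDP> <dport>"
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Parse one constructed log line into a Conn record."""
    ts, src, dst, proto, dport = line.split()
    return Conn(datetime.fromisoformat(ts), src, dst, proto.upper(), int(dport))


def find_scanners(conns, threshold=5):
    """Sources that hit TCP/135 on at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for c in conns:
        if c.proto == "TCP" and c.dport == 135:
            targets[c.src].add(c.dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


def find_infections(conns, window_seconds=300):
    """(attacker, victim) pairs showing 135 -> 4444 -> reverse UDP/69 in order,
    all within `window_seconds` of the first TCP/135 hit."""
    conns = sorted(conns, key=lambda c: c.ts)
    stage = {}      # (attacker, victim) -> (stage reached, time of 135 hit)
    hits = []
    for c in conns:
        if c.proto == "TCP" and c.dport == 135:
            stage[(c.src, c.dst)] = (1, c.ts)
        elif c.proto == "TCP" and c.dport == 4444:
            st = stage.get((c.src, c.dst))
            if st and st[0] == 1 and (c.ts - st[1]).total_seconds() <= window_seconds:
                stage[(c.src, c.dst)] = (2, st[1])
        elif c.proto == "UDP" and c.dport == 69:
            key = (c.dst, c.src)            # reversed: victim fetches from attacker
            st = stage.get(key)
            if st and st[0] == 2 and (c.ts - st[1]).total_seconds() <= window_seconds:
                hits.append(key)
                stage[key] = (3, st[1])
    return hits


def analyse(log_text):
    """Run both detectors over a block of log text."""
    conns = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"scanners": find_scanners(conns), "infections": find_infections(conns)}


# Constructed sample: 10.0.0.5 scans six hosts, compromises 10.0.0.9, which
# fetches the worm via TFTP; the last two lines are benign RPC and TFTP traffic.
SAMPLE_LOG = """\
2003-08-13T19:26:54 10.0.0.5 10.0.0.9 TCP 135
2003-08-13T19:26:55 10.0.0.5 10.0.0.10 TCP 135
2003-08-13T19:26:55 10.0.0.5 10.0.0.11 TCP 135
2003-08-13T19:26:56 10.0.0.5 10.0.0.12 TCP 135
2003-08-13T19:26:56 10.0.0.5 10.0.0.13 TCP 135
2003-08-13T19:26:57 10.0.0.5 10.0.0.14 TCP 135
2003-08-13T19:26:58 10.0.0.5 10.0.0.9 TCP 4444
2003-08-13T19:27:01 10.0.0.9 10.0.0.5 UDP 69
2003-08-13T19:30:00 10.0.0.20 10.0.0.30 TCP 135
2003-08-13T19:31:00 10.0.0.40 10.0.0.50 UDP 69
"""

if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        print(kind, items)
```

A lone TCP/135 connection or a lone TFTP transfer is not reported; only the ordered three-step pattern between one attacker/victim pair is, which is what keeps legitimate DCOM and TFTP traffic out of the alert list.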

Giorgius
14-08-2003, 01.30.33
Update 14/08/03

The registry key where the virus executable can be found manually is this:

- Variant "B":

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Executable:

"windows auto update"="penis32.exe"

On 16 August this variant's time bomb goes off


- Variant "C":

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Executable:

Run "Microsoft Inet Xp.." = teekids.exe Microsoft can suck my left testi! Bill

On 16 August this variant's time bomb goes off too
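The post above gives the Run-key value names and executables to look for by hand. The script below is an added example (not from this thread or any vendor removal tool) that does the same check over the text output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, matching both the executable names (penis32.exe, teekids.exe, plus msblast.exe from the original variant) and the value names the variants register under, so an entry with a renamed executable still surfaces. The column layout of `reg query` and the sample output are assumed/constructed for the example.

```python
"""Sweep exported Run-key text for Blaster persistence entries.

Added example, not a vendor tool. Input is the text of
`reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run`;
the two-or-more-space column layout is an assumption.
"""
import re

# executable -> variant; msblast.exe is the original variant's file name,
# penis32.exe and teekids.exe are the B and C names from the thread
BLASTER_EXES = {
    "msblast.exe": "W32.Blaster.Worm",
    "penis32.exe": "W32.Blaster.B.Worm",
    "teekids.exe": "W32.Blaster.C.Worm",
}
# value names the variants register under, matched even if the file was renamed
BLASTER_VALUE_NAMES = {"windows auto update", "microsoft inet xp.."}

LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)


def parse_reg_query(text):
    """Yield (key, value_name, reg_type, data) from `reg query` output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line is the key path
            key = line.strip()
            continue
        m = LINE_RE.match(line)
        if m:
            yield key, m["name"], m["type"], m["data"].strip()


def executable_name(data):
    """First *.exe token in the value data, lower-cased ('' if none)."""
    m = EXE_RE.search(data)
    return m.group(1).lower() if m else ""


def find_blaster_persistence(text):
    """Return [(variant, value_name, data, reason)] for suspicious Run entries."""
    findings = []
    for key, name, _typ, data in parse_reg_query(text):
        if not key or not key.lower().endswith(r"\currentversion\run"):
            continue
        exe = executable_name(data)
        if exe in BLASTER_EXES:
            findings.append((BLASTER_EXES[exe], name, data, "known worm executable"))
        elif name.lower() in BLASTER_VALUE_NAMES:
            findings.append(("Blaster variant (unknown)", name, data, "known worm value name"))
    return findings


# Constructed sample: one benign entry plus the B and C variant entries.
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SoundMAX    REG_SZ    "C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe" /tray
    windows auto update    REG_SZ    penis32.exe
    Microsoft Inet Xp..    REG_SZ    teekids.exe
"""

if __name__ == "__main__":
    for variant, name, data, reason in find_blaster_persistence(SAMPLE_REG_QUERY):
        print(f"{variant}: {name!r} = {data!r} ({reason})")
```

Run it against `reg query ... > run.txt` taken from the suspect machine; delete the flagged values only after the process has been killed, otherwise the worm re-creates them.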

Giorgius
14-08-2003, 02.46.43

Gibson's test for checking the security of port "135"
https://grc.com/x/portprobe=135


Another utility for checking a corporate LAN for clients affected via port 135:

AhnLab RPC Scanner
http://www.ahnlab.co.jp/upload/RPCScan.exe


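Both tools in the post above answer one question: is TCP/135 reachable on a host? The script below is an added example (not the GRC probe or the AhnLab scanner) that asks the same question across a LAN from the inside, classifying each host as open, closed or filtered. It only tests reachability of the DCOM endpoint mapper; it does not test for the MS03-026 overflow itself. The `self_check` function is a constructed loopback target for verifying the classifier before trusting a LAN-wide sweep.

```python
"""Sweep a LAN for hosts exposing TCP/135 (DCOM RPC endpoint mapper).

Added example, not the thread's GRC/AhnLab tools. Reports reachability
only; an 'open' host is reachable by a Blaster-style scanner but may
already be patched.
"""
import errno
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

DCOM_PORT = 135


def probe_tcp(host, port=DCOM_PORT, timeout=1.0):
    """'open' (handshake completed), 'closed' (RST received) or
    'filtered' (no answer within timeout, typically a firewall drop)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except (socket.timeout, OSError):
            return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def sweep(hosts, port=DCOM_PORT, timeout=1.0, workers=64):
    """Probe many hosts concurrently; returns {host: state}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda h: probe_tcp(h, port, timeout), hosts)
    return dict(zip(hosts, states))


def exposed(results):
    """Hosts that answered on the probed port."""
    return sorted(h for h, state in results.items() if state == "open")


def self_check():
    """Constructed loopback check: a live listener must read 'open',
    the same port after the listener closes must read 'closed'."""
    lsn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsn.bind(("127.0.0.1", 0))          # ephemeral port
    lsn.listen(1)
    port = lsn.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    lsn.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # usage: python sweep135.py 192.168.1.0/24
    net = ipaddress.ip_network(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1/32", strict=False)
    targets = [str(ip) for ip in net.hosts()] or [str(net.network_address)]
    results = sweep(targets)
    print("self-check:", self_check())
    print("TCP/135 reachable on:", exposed(results))
```

A host that reads 'filtered' from inside the LAN is not necessarily safe: the probe is a single TCP connect, so a host-based firewall that drops the scanner's address but trusts the local subnet will look filtered from one vantage point and open from another.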
Daniela
14-08-2003, 03.49.03
Originally posted by Giorgius
The registry key where the virus executable can be found manually is this:

Variants "B" and "C":

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp

The executables to delete on Windows are:

"teekids.exe"
"penis32.exe"

The new message inside the virus:

"Microsoft can suck my left testi!
Bill Gates can suck my right testi!
And All Antivirus Makers Can Suck My Big Fat Cock"

Well! Classy, eh?

Giorgius
14-08-2003, 04.13.08
Steve Gibson is building a new utility to fix the Blaster/LovSan problem

--------------------------------------------------------------
Here's a little 5k console app which incorporates the DCOM/RPC vulnerability testing logic I've worked out to be used in the DCOMbobulator.
If you run it by double-clicking you'll just see a "flash" of a console window since it doesn't have a "pause" at the end. So you'll need to open an MS-DOS Prompt window and run "dcom.exe" from there. (Last time I did this I *did* have a pause so it could be run from Windows with an implied launch of the console window, but that confused people even more.)
For all of you who have already DCOM-patched your systems, and have left DCOM active, it should tell you that DCOM services are available and that your system is NOT vulnerable to the buffer overrun exploit.
For those of you who have disabled DCOM, it should tell you that DCOM services are not available on your system -- and since this means you're not vulnerable to the buffer overrun, it'll say that too. (It can not definitively test for your system's vulnerability with DCOM disabled.)
If any of you have not yet patched your systems, presumably because you're behind filters of one form or another which prevent unsolicited incoming connections to port 135 (as is the case for me), and if your DCOM is still enabled, this little tool should tell you that those systems ARE currently vulnerable to the DCOM remote buffer overrun exploit.
If this little app does anything else strange, I'd love to know!
This core technology will be moved into the DCOMbobulator where many more bells and whistles will be provided.
------------------------------------------------------------------

DCom Test:
http://grc.com/miscfiles/dcom.exe

After downloading it to "C:\"

open a DOS window and run the executable "dcom.exe"
The test will check whether the MS flaw is present.

Giorgius
14-08-2003, 13.02.07
Info Gallery:

http://www.dslreports.com/r0/download/407510~fee99749ca0dc594ae0db1e016521f11/Clipboard.gif

http://www.dslreports.com/r0/download/407626~cec378bae7a9faa9415b15b85380c3f9/Clipboard2.gif

Giorgius
14-08-2003, 15.53.15

What You Should Know About the Blaster Worm
Updated August 13, 2003, 10:20 P.M. Pacific Time
http://www.microsoft.com/security/incident/blast.asp

Giorgius
14-08-2003, 19.13.25
14 Aug 17:16 Internet: FBI says Blaster is winding down

NEW YORK - FBI experts have no doubts: Blaster, the computer virus circulating on the Internet that infects Windows operating systems and causes computers to shut down repeatedly after boot, is petering out. "The epidemic is slowing down and that's good news," said James Farnan of the Bureau's cyber division. (Agr)

Giorgius
15-08-2003, 12.00.50
The new release Stinger v1.8.2 is out

Download:
Mirror: http://download.nai.com/products/mcafee-avert/stinger.exe

Detects:
BackDoor-AQJ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Sincom, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Lovsan.worm, W32/Mimail@MM, W32/MoFei.worm, W32/Mumu.b.worm, W32/Nimda, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sobig, W32/SQLSlammer.worm, W32/Yaha@MM


Giorgius
16-08-2003, 00.15.36
http://www.cnnitalia.it/2003/TECNOLOGIA/08/14/1709virus/story.microsoft[1].jpg

LONDON (CNN) -- The peak danger of the computer virus aimed at infecting Windows computers, which in turn will attack Microsoft's site, will be concentrated on the weekend of 16 and 17 August.

Starting Saturday 16 August, computers infected by the virus called 'MSBlaster' or 'LoveSAN' will begin frantically sending data packets to a Microsoft site in an attempt to bring it down.

The targeted site is windowsupdate.microsoft.com, used by Microsoft to distribute updates for its operating system, Windows.

The virus has spread across the whole web since Monday, hitting computers running Windows XP, 2000, NT and Server 2003.

Computer security experts believe the virus, which spreads by exploiting a Windows vulnerability, has not yet caused significant disruption to data traffic on the Web, but that the risk of this happening is very high, since it is spreading decidedly fast.

Researchers have in fact already reported tens of thousands of infected computers across offices, universities and home workstations.

"It seems to be spreading very quickly," says Johannes Ullrich, director of D-Shield in Boston.

The virus has been nicknamed "LovSan" because of a message left on infected PCs that reads: "I just want to say LOVE YOU SAN". Researchers then discovered a second message hidden in the virus that addresses Bill Gates directly, mocking him: "Bill Gates, how is this possible? Stop making money and make better software!"

The US government and the computer industry had warned of the virus's spread as early as 16 July - see article - when Microsoft disclosed the vulnerability in almost all versions of Windows, at the same time offering users a free patch to protect the operating system.

"It's still too early to expect anything," said Vincent Gullotto, one of Network Associates' vice presidents. "Everything depends on how widely it spreads."

The Achilles' heel of Windows exploited by the virus lies in the technology used to share data files across computer networks, whether local or global, and concerns a category of vulnerability called "buffer overflow", which can trick software into accepting dangerous commands.


Here we go again: cases already reported tonight on some servers around the world (time zones).

Watch out for the next 4 days, especially those who use the PC from next Monday...

We'll see if the MS patches hold up against the attack...

Giorgius
16-08-2003, 00.47.23

Department of Homeland Security
August 14, 2003

Potential Internet Attack Targeting Microsoft Beginning August 16, 2003

OVERVIEW
The National Cyber Security Division (NCSD) of the DHS / Information Analysis and Infrastructure Protection Directorate is issuing this advisory to heighten awareness of potential Internet disruptions beginning August 16, 2003. An Internet worm dubbed "msblast", "lovesan", or "blaster" began spreading on August 11th that takes advantage of a recently announced vulnerability in computers running some versions of the Microsoft Windows operating system. DHS addressed this issue in an advisory available at http://www.dhs.gov/interweb/assetlibrary/Advisory_Internet_Impact_MS2.PDF.

NCSD would like to highlight that this worm contains additional code which may cause infected computers to attempt repetitive connections to a popular Microsoft web site, www.windowsupdate.com beginning just after midnight on the morning of August 16th.

IMPACT
Because of the significant percentage of infected computers using high speed connections to the Internet (DSL or cable for example) the conditions exist for a phenomenon known as a distributed denial of service (DDoS) attack against the Microsoft web site beginning on August 16th. Steps are being taken by Microsoft and by Internet Service Providers to mitigate the impact of the DDoS. Owners of computers infected by the worm may experience a general slowness of their computer along with difficulty in connecting to Internet sites or local network resources. Systems that are still infected on August 16th may stop spreading the worm and may begin flooding the Microsoft Update site with repeated connection requests. Other customers who attempt to use the site to update their Microsoft Windows operating systems on or after August 16th might experience slowness in response or inability to connect to the update site.

DETAILS
Windowsupdate.com is used as a starting point for users of Microsoft Windows operating systems for software updates. The code in the worm instructs infected computers to repeatedly connect to that site beginning on the 16th of August. Starting on January 1, 2004, the worm will switch to cyclic behavior in which it attacks the Microsoft web site from the 16th of each month to the end of the month. Between the 1st and 15th of the month, infected computers may attempt to scan for other vulnerable systems in order to spread the worm. The worm uses the clock in the infected computer to determine when to start and stop; therefore Microsoft may begin seeing attacks on the morning of the 15th due to time zone differences around the world. This pattern of spreading from the 1st to the 15th and flooding Microsoft between the 16th and the end of the month may continue indefinitely.

RECOMMENDATIONS
The worm takes advantage of a serious vulnerability in several versions of the Microsoft Windows operating system. DHS encourages system administrators and computer owners to update vulnerable versions of Microsoft Windows operating systems as soon as possible before August 15th.

Details on which computers are vulnerable and instructions for cleaning infected computers are available at
http://www.microsoft.com/security/incident/blast.asp.

DHS also encourages system administrators and computer owners to update antivirus software with the latest signatures available from their respective software vendor.

In order to limit the spreading of the worm, DHS further suggests that Internet Service Providers and network administrators consider blocking TCP and UDP ports 69, 135, 139, 445, and 4444 for inbound connections unless absolutely needed for business or operational purposes.

DHS encourages recipients of this Advisory to report information concerning suspicious or criminal activity to local law enforcement, local FBI's Joint Terrorism Task Force or the Homeland Security Operations Center (HSOC). The HSOC may be contacted at: Phone: (202) 282-8101.

DHS intends to update this advisory should it receive additional relevant information, including information provided to it by the user community. Based on this notification, no change to the Homeland Security Advisory System (HSAS) level is anticipated; the current HSAS level is YELLOW.

Giorgius
16-08-2003, 12.59.12
UP!

The alert level assigned by the American Internet security body for this variant has risen to "4"

Giorgius
16-08-2003, 14.29.05

MS03-026 Scanning Tool

Effects:
Download a tool that can be used to scan networks to identify host computers that do not have the 823980 Security Patch (MS03-026) installed.

System Requirements:
Supported Operating Systems: TabletPC, Windows 2000, Windows Server 2003, Windows XP, Windows XP 64-bit, Windows XP Media Center Edition

Download:
Mirror: http://download.microsoft.com/download/7/f/7/7f7f423a-cd47-4c43-bebf-1a18e79bcf72/DCOM-KB826369-X86-ENU.exe

Giorgius
17-08-2003, 03.34.57
http://newsimg.bbc.co.uk/media/images/39405000/jpg/_39405781_update-msoft203.jpg

Internet worm threat 'thwarted'

The virus threatened to bombard a Microsoft website
Software giant Microsoft says it is confident it has thwarted threatened massive disruption to the internet from the MSBlast worm.
The computer virus was set to bombard one of Microsoft's websites from infected machines around the world on Saturday, raising fears it would paralyse the network.

Microsoft implemented a series of countermeasures and reported "no problems" hours after the attack was due to have begun.

However, variants of the worm have already appeared and more dangerous versions are expected in the coming weeks and months, says the BBC's Kevin Anderson in Washington.

In the first phase of its attack, the worm infected an estimated 300,000 computers worldwide, causing them to reboot frequently.

Worm flawed

In the second phase, the computers were expected to fling data at the Microsoft website that helps Windows users patch their machines against viruses and other bugs.

However, a flaw in the worm may have enabled Microsoft to fend off its worst effects.

The worm instructed computers to call up http://windowsupdate.com - which is an incorrect address for reaching the actual Microsoft website that houses the software patch that protects against the worm.

Although Microsoft has long redirected those who visited that incorrect address to the real site, the company disabled the automatic redirection Thursday in preparation for the onslaught of infected computers.

Microsoft said its countermeasures had proved effective.

"We have been through a number of time zones now with no problems and we do not expect any as the [midnight Friday] deadline passes in the UK or US", said a Microsoft spokesman.

Microsoft said customers who have not yet installed software to remove the worm were still being affected by phase one of the virus' attack.

BBC journalist Julian Joyce said he was infected after being sent a link to a Microsoft website page by Microsoft customer support.

"My whole computer shut down and every time I was online for more than about five minutes it would kick in again and shut the computer down," he said.

Giorgius
17-08-2003, 13.55.31
According to Panda Software's readings there was a notable increase in the spread of the Blaster virus this morning (06:15).
Right now (also thanks to it being Sunday) the infection rate is falling sharply...
http://www.pandasoftware.com/virus_info/

Maximum attention from all users who have not yet updated Windows XP (security patch and antivirus update).

The FBI is still investigating whether the virus was involved in the big American blackout...

Giorgius
18-08-2003, 01.00.52
The text (in English for now)

Subject line: updated
Message text: Dear customer:
At 11:34 A.M. Pacific Time on August 13, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). A new worm commonly known as W32.Blaster.Worm has been identified that exploits the vulnerability that was addressed by Microsoft Security Bulletin MS03-026.

This mail has the file "03-26updated.exe" attached, which contains a trojan, "Troj/Graybird-A"
http://www.sophos.com/virusinfo/analyses/trojgraybirda.html

Giorgius
18-08-2003, 23.28.21
UP!

The first unofficial "D" variants of the virus have appeared...
For now they do no harm to those who previously installed the Microsoft patch

The alert level for these 2 variants has dropped to "3"

Giorgius
19-08-2003, 00.00.38
The new release Stinger v1.8.3 has just been released

Download:
Mirror: http://download.nai.com/products/mcafee-avert/stinger.exe

Detects:
This version of Stinger includes detection for all known variants, as of August 18, 2003:

BackDoor-AQJ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Sincom, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Lovsan.worm, W32/Mimail@MM, W32/MoFei.worm, W32/Mumu.b.worm, W32/Nachi.worm, W32/Nimda, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sobig, W32/SQLSlammer.worm, W32/Yaha@MM

Giorgius
19-08-2003, 15.51.52
ZDNet UK
August 18, 2003, 14:00 BST


Following last week's MSBlast worm attack, security experts at Microsoft and other firms are worried that a recently discovered vulnerability in DirectX could cause even more problems
http://news.zdnet.co.uk/0,39020330,39115773,00.htm

There is another "Blaster" danger for those who have not updated DirectX 9.0/9.0a to DirectX 9.0b
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-030.asp

Variants of the above virus could exploit the security "hole" discovered last month in DirectX 9.0/9.0a

Update your DIRECTX libraries.

MS operating systems at risk:
All, except Windows NT

Giorgius
19-08-2003, 23.58.12
The new release Stinger v1.8.4 is out

Download:
Mirror: http://download.nai.com/products/mcafee-avert/stinger.exe

Detects:
This version of Stinger includes detection for all known variants, as of August 19, 2003:
BackDoor-AQJ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Sincom, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Dumaru@MM, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Lovsan.worm, W32/Mimail@MM, W32/MoFei.worm, W32/Mumu.b.worm, W32/Nachi.worm, W32/Nimda, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sobig, W32/SQLSlammer.worm, W32/Yaha@MM