Posted on 08/15/2003 7:09:10 PM PDT by yhwhsman
The Blaster worm, which continues to create chaos by crashing numerous vulnerable Windows machines across the Net, has changed the rules on malicious code attacks.
Unlike Slammer or Nimda, home users have borne the brunt of the attack - although businesses of all sizes have also suffered.
Blaster shatters the partially reassuring notion that email-borne nasties are the most significant threat for Harry Homeowner. Now updating patches and using perimeter security, always good ideas, have become prerequisites for Windows users.
With new variants of Blaster already appearing on the Net, it's worth reviewing the nature of Blaster, the damage it caused and the steps people can take to guard against infection.
Blast off
As we reported on Tuesday, Blaster exploits a critical Remote Procedure Call (RPC) DCOM flaw to infect vulnerable Windows machines. Even at the time we realised this flaw was out of the ordinary and potentially devastating.
Microsoft last month issued a patch to guard against the problem but uptake has been predictably slow. This allowed a vulnerable base to flourish until unknown VXers came up with the Blaster worm (AKA Lovsan, MSBlast or Poza) which began spreading on Monday evening. Spread was particularly rapid across vulnerable Windows 2000 and Windows XP machines, though Windows 2003 and NT machines might also be infected. Windows 95 and 98 installations appear safe.
And Mac, Linux, OS/2, eComStation, and Unix computers are immune to this Microsoft-specific vulnerability.
The Blaster worm will infect vulnerable Windows PCs, often causing them to repeatedly crash as soon as they are connected to a network. The worm will attempt to download malicious code and run it. The worm has no mass-mailing functionality.
Blaster is programmed to commandeer infected machines to launch a DDoS attack against windowsupdate.com on 16 August.
An analysis of Blaster by the Internet Storm Centre, which is generally credited as being the first to spot the problem, can be found here. An advisory by security clearing house CERT can be found here.
Estimates of the number of machines infected by Blaster vary but it's generally reckoned hundreds of thousands of machines have caught the worm. Symantec, for example, reckons that 188,000 machines were infected by yesterday afternoon, with the US and UK leading the way in pox-ridden PCs.
How much damage is it causing?
A picture is beginning to emerge of the problems caused by Blaster, and its general behaviour.
According to a report by the Washington Post, the Maryland Motor Vehicle Administration authority shut its offices for the day because its systems were so severely affected by Blaster that it could no longer continue as normal.
Some may see this as a precautionary shutdown that does more harm than good.
However, in many instances companies are taking systems offline in order to deploy patches, which is not quite the same as systems being knocked out or abandoning the Internet "as a precaution" (i.e. a self-actuated DoS attack).
Other organisations reportedly suffering network slowdowns or worse because of the worm include German car manufacturer BMW, Swedish telco TeliaSonera, the Federal Reserve Bank of Atlanta and Philadelphia's City Hall.
Russ Cooper, Chief Scientist at security company TruSecure, who has been predicting a worm like Blaster since the original Microsoft vulnerability emerged, said some companies are seeing sporadic infections while others are seeing more concerted attacks from Blaster. Cooper attributes this variation in behaviour to the way the worm generates new IP addresses to attack.
Numerous Reg readers, many home users or workers in smaller businesses, report that their machines have crashed because of the worm.
Although some large enterprises have been affected, mitigation strategies involving blocking Blaster-associated traffic at the corporate gateway can give companies some breathing space while they update their systems to deal with the worm. Many home users and small businesses don't really have this option and so they have the problem of getting patches while Blaster is trying to crash their machines using mechanisms that will be a mystery to most home users. This wouldn't be such a problem if the firewall in Windows XP was enabled by default - which it isn't - further exacerbating the problem. Microsoft is reportedly planning to change this practice.
And users are being assaulted by malicious traffic coming in through their network connection - not the more familiar route of email-borne nasties - further complicating matters. The system instability effects of Blaster - rather than its scheduled attempt to launch a denial of service attack on windowsupdate.com - are causing the most concern.
It could be worse
So how bad is Blaster, on the general scale of things?
Vincent Weafer, Senior Director at Symantec Security Response Centre, said that Blaster was having nowhere near as severe an effect as the infamous Slammer worm, which took out much of Korea's ADSL network and made a limited number of bank ATMs temporarily unavailable earlier this year.
Weafer said Blaster could accurately be compared to Code Red. Both worms relied on exploiting fairly recent security flaws, Blaster (like Code Red) tries to perform a DDoS attack and both worms were followed by variants. Nor is Blaster generating the rapid rate of infections seen with Nimda.
Weafer said the rate of new infections from Blaster was slowing down as users apply patches, put up firewalls and update AV tools. Also, and we suspect this might prove to be an even more significant factor, the worm is starting to run out of steam (it's finding it more difficult to find fresh, vulnerable but as-yet-uninfected hosts).
TruSecure's Cooper rated Blaster as a more serious threat than Symantec's Weafer.
"Blaster is a slow moving worm - a kind of slug," Cooper told us.
"It has to open a command shell, suck down files and wait for the machine to crash to work - that's a lot of attack effort gone to waste. Slammer found infectable hosts quickly.
"But Blaster is three times more prevalent than Slammer and much more damaging to the infected machine. Slammer really only clogged bandwidth.
"With Blaster the rate of attacks has gone down from a peak late on Monday but it's still spreading," he added.
Depressingly Cooper predicted that Blaster will likely stick "around for a long time", perhaps up to two years or above. More destructive variants are likely, he added.
Windows Update likely to stay up
One of the most publicised aspects of Blaster is that it is programmed to flood windowsupdate.com with a DDoS attack from infected machines this Saturday (16 August). Neither Cooper nor Symantec's Weafer thought this attack was likely to succeed mainly because Microsoft has time to put mitigation strategies in place so that, for instance, it can change the way it redirects traffic to the servers that actually run Windows Update.
Despite this apparent confidence that all will be well at Redmond on Saturday, neither Cooper nor Weafer were prepared to offer us odds on Windows Update being live and kicking on the big day.
Spoil sports.
What's to be done
Fortunately there's plenty of advice on the Net on how to protect your machine against Blaster. There are also tips on what to do if you get infected but as usual prevention is easier than cure.
Essentially you need to follow a multi-stage process involving: a) setting up a firewall to block malicious traffic; b) updating your machine with patches from Microsoft; and c) updating AV signatures.
Microsoft has produced an informative guide (which also links to free removal tools). Alternatively there's a step-by-step guide from Visualante here. ®
Recently it was learned that the computers of the GNU Project had been hacked in March, but evidently this was because they allowed outside users access as local users. Macintosh and Linux/Unix/*BSD systems are still the most secure.
BTW, a very good firewall can be downloaded from Zone Labs. And Gibson Research Center has an online scanner called Shields Up! that can test your computer for online vulnerabilities.
Yhwhsman
AUGUST 14, 2003 ( COMPUTERWORLD ) - Microsoft Corp.'s Windows Update patch management program has a critical shortcoming that in some cases could fool users into thinking their systems are properly patched against some vulnerabilities when in fact they aren't. That warning comes from Russ Cooper, moderator of the popular NTBugtraq mailing list and an analyst at Reston, Va.-based TruSecure Corp.
But Stephen Toulouse, a security program manager at Microsoft, strongly disagreed with Cooper's claim about Windows Update, calling it unfounded.
According to Cooper, the problem lies in the manner in which the Windows Update program verifies whether a system has a particular patch. Until last night at least, Windows Update relied only on the "registry key" information associated with each patch to determine whether a system had a specific patch. When a user goes to the Windows Update site, it first scans the user's system for such registry keys to determine which patches are installed on the system.
The problem is that a system may have the registry keys associated with a particular patch even though the patch itself hasn't been installed on the system. This can happen, for instance, if a machine crashes or is turned off during the patch installation process or because there are insufficient system resources to install it, according to Cooper.
I've installed hundreds of patches on scores of computers and never ever encountered this problem. Rare....very rare.
Don't say that too loudly; current Mac, Linux and OS/2 can all be traced back to Unix software that has suffered from Unix-based computer viruses and worms.
Microsoft no longer limits its liability when a customer suffers damages due to gross negligence or intentional misconduct on Microsoft's part, said Morris Kremen, associate general counsel at Microsoft, in an interview on Tuesday. I think what this means is that Microsoft has agreed to be liable for any amount of damages caused by gross negligence or intentional misconduct on Microsoft's part. There has got to be some ambulance chaser out there who can fashion what happened here into a gigantic class action suit. The lawyer would have to persuade a jury that all this stuff happened due to Microsoft's "gross negligence," but juries have awarded huge sums to smokers who were told on every pack that the Surgeon General said smoking could kill you. So a clever lawyer might well relieve Microsoft of a few billion over this.
A tough sell since the patch to avoid this worm has been available from Microsoft since the middle of July and the worm itself didn't show 'til this week.
It does no good to try the case here in the forum. The Surgeon General Warning had been on every pack of cigarettes for twenty years. That did not stop several juries from holding tobacco companies responsible for other people's failure to heed the warnings. Either some lawyers will do this, or not, depending on whether they see billions at the end of the rainbow. Worldwide, Microsoft's damages could easily run to 8 or 10 billion from all the havoc caused. That has got to have a few of those trial lawyers salivating.
My money says MS doesn't have to pay a dime of "damages" from this.
Microsoft has a long history of making things easy to use and administer, but nightmarish for security. Examples include the way everything is integrated, making both IE and Outlook Express extremely vulnerable to attacks and infections (although things are getting better), the way file system security in NT/2000 systems worked (all rights is the default), etc... At least in Win2003 server, all the services are turned off by default, and you have to manually turn the services on if you want or need them.
Mark
I've installed hundreds of patches on scores of computers and never ever encountered this problem. Rare....very rare.
Rare for now. What about when worms 'phone home' about what registry keys they need to adjust to make a user think the relevant patches are already installed?
If GM doesn't make a good car alarm, or if GM doesn't turn on your car alarm for you even when you leave your own car unlocked, should you be able to sue GM for damages when your car gets stolen and you lose business because you don't have your car for that all important meeting?
Or...and here's a novel idea...should you be able to sue the hacker/thief for her illegal hacking/theft?!
Who is ultimately responsible? The thief/hacker? The corporation/manufacturer? The owner/user?
Of those parties, which committed the illegal act?
What difference does it make? The lawyer will go after the deep pocket. We have a whole industry now of lawyers who go after deep pockets. Spill your coffee on your private parts? It's not your fault; it's McDonald's fault. Fall off a ladder? It's the ladder manufacturer's fault. These lawsuits win all the time. Do they make any sense? It doesn't matter.
To say it can't happen here is wishful thinking. Of course it can. Kara Walton sued a nightclub after she fell out of a bathroom window and had her two front teeth knocked out. She won $12,000 plus dental expenses. She fell from the window, which she was using to sneak into the club to avoid the $3.50 cover charge. Who performed the illegal act? She did. Who paid? The nightclub. This crap happens every day.
Should that occur, I'd expect MS to go to other means instead of registry querying to validate hotfix installs. In fact, freeware already exists which does this.
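The cross-check that the Computerworld excerpt and the comment above call for (trust the registry marker only when the patched binaries really are at their fixed versions) can be sketched in a few lines. This is an added example written for this thread; it is not code from Windows Update, from Microsoft or from any of the freeware tools mentioned. The hotfix id, registry path, file names, version numbers and host snapshots below are all constructed placeholders, not real Microsoft data.

```python
"""Reconcile two kinds of evidence about whether a hotfix is really installed.

Added example; not code from the article, the forum, or Microsoft. Every
hotfix id, registry path, file name and version number here is a constructed
placeholder, and the host snapshots are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class HotfixSpec:
    hotfix_id: str
    registry_key: str              # marker key the installer writes on success
    patched_files: Dict[str, str]  # binary name -> minimum version once patched


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '5.0.2195.6000' into (5, 0, 2195, 6000) so comparison is numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def registry_claims_installed(spec: HotfixSpec, registry_keys: Set[str]) -> bool:
    """What a registry-only scanner concludes: marker key present means installed."""
    return spec.registry_key in registry_keys


def files_confirm_installed(spec: HotfixSpec, file_versions: Dict[str, str]) -> bool:
    """Stronger check: every patched binary is present at or above its fixed version."""
    for name, minimum in spec.patched_files.items():
        actual = file_versions.get(name)
        if actual is None or parse_version(actual) < parse_version(minimum):
            return False
    return True


def assess(spec: HotfixSpec, registry_keys: Set[str], file_versions: Dict[str, str]) -> str:
    """Classify a host by combining both sources of evidence."""
    reg = registry_claims_installed(spec, registry_keys)
    fil = files_confirm_installed(spec, file_versions)
    if reg and fil:
        return "patched"
    if reg and not fil:
        return "registry-only"  # looks patched to a registry scan, binaries still old
    if fil and not reg:
        return "files-only"     # fixed binaries present but no marker key written
    return "unpatched"


# Constructed placeholder spec: not a real hotfix, registry path, file or version.
EXAMPLE_FIX = HotfixSpec(
    hotfix_id="KB-PLACEHOLDER",
    registry_key=r"HKLM\SOFTWARE\Example\Hotfixes\KB-PLACEHOLDER",
    patched_files={"svc.dll": "5.0.2195.6000", "lib.dll": "5.0.2195.6000"},
)

# Constructed host snapshots: (set of registry keys, map of file -> version).
SAMPLE_HOSTS = {
    "host-a": ({EXAMPLE_FIX.registry_key},
               {"svc.dll": "5.0.2195.6000", "lib.dll": "5.0.2195.6010"}),
    "host-b": ({EXAMPLE_FIX.registry_key},  # install aborted after key was written
               {"svc.dll": "5.0.2195.5000", "lib.dll": "5.0.2195.6000"}),
    "host-c": (set(),
               {"svc.dll": "5.0.2195.5000", "lib.dll": "5.0.2195.5000"}),
    "host-d": (set(),                       # binaries replaced, marker never written
               {"svc.dll": "5.0.2195.6000", "lib.dll": "5.0.2195.6000"}),
}


def audit(hosts=SAMPLE_HOSTS, spec: HotfixSpec = EXAMPLE_FIX) -> Dict[str, str]:
    """Return hostname -> assessment for every host in the inventory."""
    return {name: assess(spec, keys, files) for name, (keys, files) in hosts.items()}


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host}: {verdict}")
```

The point of the four verdicts is that a "registry-only" host is exactly the case Cooper describes: a scanner that stops at the marker key reports it as patched, while the version check shows the vulnerable binary still in place. On a real fleet the two inputs would come from exporting the relevant registry branch and reading the file version resource of each binary on disk.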