For Users of Win2K and WinXP

Discussion in 'malware problems & news' started by Peaches4U, Aug 12, 2003.

Thread Status:
Not open for further replies.
  1. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    :mad: The following are a couple of posts regarding a new vicious worm posted on another forum. I read a write up in a national financial newspaper regarding this worm. I checked my Firewall Log and find that I too have numerous hits on Port 135. Anyone out there that does not have their Windows patched is encouraged to do so immediately. Mine were patched on July 17th ...my computer is in total stealth - thank heavens for that!!
    ........................................................................................................................................

    This post concerns W2k and XP users.
    There is a worm Blaster which according to some reports is spreading rapidly. It spreads by scanning for systems with open 135 ports. On finding one it will download a small file that among other things will start attacking the windows update site on August 16.

    You can check whether your port 135 is open here. If you have installed the Microsoft patch mentioned here, your PC is not vulnerable.

    This forum describes in detail the reports of experts who have been working to identify the worm and counter it.

    From my own personal observation of my firewall log I'm getting a port 135 probe from different sources on an average of once every 5 minutes or so.

    ***********************************************************************

    I do not wish to appear alarmist, but I think we are all in deep doo doo.

    As Microsoft was preparing to bring XP to market several years ago Steve Gibson (a US computer security expert) warned them that it contained a feature (called raw sockets) that was very dangerous because it would allow evil people to create malware that concealed where it was coming from and which could with impunity infect a lot of PCs that collectively while probing for other PCs to infect crash the Internet with traffic overload. Blaster is particularly evil because it crashes some infected PCs, which when fixed might only get reinfected.

    Microsoft derided Gibson and pushed ahead. It seems we may be seeing his predictions come true.

    An added feature is that infected PCs all over the world will start bombarding Microsoft's crucial update site with packets starting on Saturday, rendering it useless and the rest of us wondering when this is all going to end.
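    The firewall-log observation above (repeated port 135 probes from changing sources, roughly every five minutes) is the kind of thing worth counting rather than eyeballing. The script below is an added example, not part of the original post or any vendor's tool: it parses a constructed, generic log format (timestamp, action, protocol, src:port -> dst:port), picks out blocked inbound TCP/135 probes, counts them per source, reports the average gap between probes, and separately flags any inbound TCP/135 connection the firewall actually allowed. Real personal-firewall logs use different layouts, so `LINE_RE` and `parse_line()` are assumptions to adapt to your own log.

```python
"""Summarize inbound TCP/135 probes in a firewall log (added example).

The log format is constructed for this example; real firewall logs differ,
so adapt LINE_RE / parse_line() to the product you use.
"""
from collections import Counter
from datetime import datetime
import re

# Constructed sample log lines in a made-up "ACTION PROTO src:port -> dst:port" format.
SAMPLE_LOG = """\
2003-08-12 09:00:05 BLOCK TCP 203.0.113.7:4011 -> 192.168.1.10:135
2003-08-12 09:04:40 BLOCK TCP 198.51.100.22:1054 -> 192.168.1.10:135
2003-08-12 09:05:12 ALLOW TCP 192.168.1.10:3301 -> 198.51.100.9:80
2003-08-12 09:10:01 BLOCK TCP 203.0.113.7:4012 -> 192.168.1.10:135
2003-08-12 09:14:55 BLOCK UDP 203.0.113.99:137 -> 192.168.1.10:137
2003-08-12 09:15:30 BLOCK TCP 192.0.2.33:2200 -> 192.168.1.10:135
2003-08-12 09:20:03 BLOCK TCP 203.0.113.7:4013 -> 192.168.1.10:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def _inbound_135(log_text, action):
    """All TCP events to destination port 135 with the given firewall action."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["dport"] == 135 and ev["action"] == action:
            events.append(ev)
    return events


def port135_probes(log_text):
    """Blocked inbound TCP/135 attempts: the scanning traffic the thread describes."""
    return _inbound_135(log_text, "BLOCK")


def allowed_port135(log_text):
    """Inbound TCP/135 the firewall let through; non-empty means port 135 is reachable."""
    return _inbound_135(log_text, "ALLOW")


def summarize(log_text):
    """Count probes, group them by source, and compute the mean gap between probes."""
    probes = port135_probes(log_text)
    by_src = Counter(ev["src"] for ev in probes)
    stamps = sorted(ev["ts"] for ev in probes)
    avg_gap = None
    if len(stamps) >= 2:
        span = (stamps[-1] - stamps[0]).total_seconds()
        avg_gap = span / (len(stamps) - 1)
    return {"count": len(probes), "sources": dict(by_src), "avg_gap_seconds": avg_gap}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['count']} blocked TCP/135 probes from {len(report['sources'])} sources")
    for src, n in sorted(report["sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {src}: {n}")
    if report["avg_gap_seconds"] is not None:
        print(f"average gap between probes: {report['avg_gap_seconds']:.0f} s")
    if allowed_port135(SAMPLE_LOG):
        print("WARNING: inbound TCP/135 was allowed; port 135 is exposed")
```

    On the constructed sample this reports five blocked probes from three sources, one of them repeating, with an average gap of about 300 seconds, and no allowed inbound TCP/135 connection. An empty `allowed_port135()` result is the check worth caring about: it means the firewall, not the patch, is what is keeping the RPC port out of reach.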
     
  2. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    No disrespect meant for your opinion.

    My experience thus far with these impending doom type scenarios & issues is that they are blown way out of proportion.

    I'll check back here Saturday & at the MS update site (if DoS is in play, I shouldn't be able to reach MS update). Who knows, maybe I'll have to alter this opinion, but I doubt it.

    mitigating factors:

    + those who run a properly configured firewall should be fine with or without the patch.

    + Affected Software:

    Microsoft Windows NT® 4.0
    Microsoft Windows NT 4.0 Terminal Services Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server™ 2003

    not the end of the world yet :cool:
     
  3. Rickster

    Rickster Guest

    I wish I shared your optimism on mitigation, but only a small percentage of users have properly configured firewalls. Few bother to enable their ICF in XP. Even fewer know they need a patch let alone update their systems. I suspect Gibson's concern for raw sockets was right and we may just be seeing one of many things to come. But then, there's a lot of people who'd rather set themselves on fire than believe anything Gibson says. I wouldn't bet against him.

    Best Regards, Rickster
     
  4. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    No problem reaching MS today (Saturday), the day of impending doom.

    Well actually I had to add windowsupdate to my trusted zone and lower my defenses to reach the update site, but once I did no problem. :cool:

    http://windowsupdate.microsoft.com/

    http://www.microsoft.com/security/

    http://www.microsoft.com/security/incident/blast.asp

    and of course

    http://www.microsoft.com

    Guess I don't get to alter my perception re: the doom and gloomsters of the world.

    Not saying MS is in the clear here, they obviously have their work cut out for them going forward.

    We all should be thankful for this shot across MS' bow, and for the other competitors in the OS space which force MS to attempt to close some of those gaping holes.

    If I were MS b4 I did a major release I would hold a contest 2 months b4 release date and invite the best of the best crackers to have a go and offer $100K or some nominal amount to the top 4 cracks discovered. :argh:

    One final shot, heard a guberment IT dept in Houston did not patch their system and up to 14k PCs for EMS may have been compromised. They switched to their backup system, but good grief they had a whole month to get this done...

    the entire EMS IT dept. should be fired! :argh: :argh:
     
  5. Rickster

    Rickster Guest

    Hi Peakaboo. Well, I'm sort of glad you didn't have to change perception of the doom & gloomers, but consider some of the points Gibson laid out on the Blaster Worm. This worm was evidently designed to be limited. It targeted windowsupdate.com (which MS shut down anyway) but Windows Update uses windowsupdate.microsoft.com, so the worm's targeting was useless.

    Using raw sockets it was purposely throttled to send 50 SYN packets per second, limiting the contribution each machine could contribute to the attack. In retrospect, all they had to do is target Microsoft.com with an unthrottled SYN flood and the site would be no more.

    You're right though...someone is sending a strong, though annoying message and might prompt MS to take security design architecture seriously. And I love your idea for that too.

    Best Regards, Rickster
     
  6. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Could you explain what "raw sockets" has to do with the blaster worm?
     
  7. Rickster

    Rickster Guest

    Hi. Note I said what Gibson was saying about it at this link http://grc.com/dos/winxp.htm - about a quarter of the page down. His complaint is having that capacity on a consumer-wide off-the-shelf version of an OS. I'm no expert, but after reading that and also hearing the Blaster made use of it, it made sense to me. But then, you're more experienced, so after viewing the issue there, I'd value your comment on what raw sockets have to do with the Blaster. If you disagree, I'd be interested in hearing why.

    Best Regards, Rick
     
  8. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    The Blaster worm has nothing to do with raw sockets. Taken from the Symantec Virus Encyclopedia

    From McAfee

    The worm does NOT use raw sockets to propagate. Raw Sockets (the issue Gibson is talking about) just means it is easier for a script kiddy to spoof their IP address, nothing more, nothing less.

    It's very easy to find out information about worms/virii and how they spread/work
     
  9. Rickster

    Rickster Guest

    Thanks Khaine. You know the yellow billboard announcements Gibson puts up as a header at Shields-Up occasionally? That's where he said it made use of them early on and what I passed on along with his description. That was two billboards ago and I haven't heard a peep about it since.

    The link referring to the old issue concerning raw sockets as a DoS attack platform sure makes sense, setting aside spoofing IPs. It isn't the first time I've heard controversy about his complaint and I'm curious to find out if he's delusional or if there's any credence to it. More to the point, why he said it applied with the Blaster. Perhaps he pulled the trigger prematurely, but hoped nobody would notice.

    I've read AV assessments from the onset. None mention raw sockets, but the absence of this reference neither confirms nor precludes the issue clearly for me. Considering the reach of MS and its long-standing objection to his claim, it doesn't surprise me. I'd like Gibson to answer this one, since he specifically said (at least once) that it did. I wrote for an explanation and will let you know if he responds.

    Thanks for your information.

    Best Regards, Rickster
     
  10. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    BTW, the objections to Gibson's points also come from quarters that are deadly enemies of the MS camp.

    When mutual enemies agree about some issue, chances are they are right.

    Having said that see here

    http://cert.uni-stuttgart.de/archive/ntbugtraq/2003/08/msg00025.html
     
  11. Rickster

    Rickster Guest

    Makes sense. He pulled the trigger early. Blaster didn't make use of raw sockets, but apparently by design, i.e., point #3:

    3. it only has 20 "threads" of execution -- taking advantage of raw sockets would have been much worse (the Internet would have been "slammed")

    If Blaster used them, we’d have seen a big yellow billboard header titled, “I TOLD YOU SO!” and never heard the end of it. That said, I get the uneasy feeling per #3 and elsewhere, there remains a pending threat if exploited by design. Gibson is laying low on this until Rome really does burn, as he should.

    Thanks for the good reads. Rickster
     