Update Windows today - before it gets Blasted
#1 | Guest | Posts: n/a

Microsoft's Windows Update server could be out of service sooner rather than later because of a new worm.

Companies and home users should use Microsoft's Windows Update service immediately, before it comes under attack from systems infected with the MSBlast worm this Saturday, say security experts.

The MSBlast worm (also known as Blaster or Lovsan) has been spreading quickly around the globe since Monday by infecting systems that do not have adequate firewall protection. The worm exploits a vulnerability in certain versions of Microsoft's Windows operating systems and has been designed to launch a simultaneous attack on the Windows Update Web site from Saturday 16 August. Click here for help on dealing with the worm: http://insight.zdnet.co.uk/0,39020415,39115633,00.htm

The attack is unlike any seen before and Microsoft could find it difficult to keep its Windows Update service running. Jason Holloway, UK general manager at mobile security company F-Secure, believes that although a patch that fixes the exploit has been available for around a month, only half of all computers running a vulnerable version of Windows will have applied it. The worm is only a problem for users of Windows 2000, Windows XP and possibly NT4. Windows 98, Windows 95 and Windows 3.11 are not at risk.

Holloway said that when a similar attack took place on the White House Web site last year, "it wasn't very hard to knock it offline." If enough machines are infected, the Windows Update Web server's performance will significantly degrade and it could fall over completely: "We can't guarantee that the site will be around afterwards," said Holloway.

Paul Wood, chief information security analyst at Messagelabs, believes that Microsoft has had enough time to prepare: "Plenty of bandwidth and prior notification should enable Microsoft to defend itself," said Wood. However, he said it does depend on how prevalent the worm is.

But Holloway insists that MSBlast is far more sophisticated than previous worms, and will be more difficult to defend against. "Last time, they were attacking the site through its IP address. Administrators fixed the problem by setting up a different Web server, using a different IP address and then reconfiguring the DNS." Holloway explained that this time, the worm uses the Web site's full name and looks up its DNS on the fly. "So Microsoft can't just change the IP address or load balance against this attack."

Another potential problem is that the worm has an activation date of 16 August, but not all computers are set with the correct time and date, so the attack has already started. "Some PCs will already be mounting an attack on Windows Update and I would expect that to escalate. By Friday it could become quite difficult to connect to that site."

Additionally, MSBlast is not spread by email. Instead it scans random IP addresses, looking for machines that are not protected with a firewall. "It has port scanning abilities. If it finds a specific port open, it launches a buffer overflow attack. After this, it can take control of the machine and do pretty much what it wants -- such as download a piece of code or take over the machine," said Wood.

Both Wood and Holloway agreed that a well-configured firewall and up-to-date antivirus software will protect most users.
#3 | Rolf (Admin, "Believe it when I see it") | Join Date: 01-05-1999 | Location: Southern England | Posts: 29855 | Thanks: 51 | Thanked 1095 Times in 691 Posts | Blog Entries: 5
My System: Pace Sky HD, DM7000s, CubeRevo 3000HDPVR, Transparent 80cm Dish, Moteck SG2100 DiseqC motor, lots of legacy gear. Meters: Satlook Digital NIT, Televes H45 Digital Spectrum analyser.

Go for Kerio, WH: http://www.kerio.co.uk/kpf_download.html - free for personal use.
#4 | Guest | Posts: n/a

Protecting yourself from the MSBlast worm

What to do about a worm exploiting widely publicised holes in Microsoft Windows

MSBlast, also known as Lovsan, is an Internet worm that exploits a known vulnerability in Windows 2000, NT, and XP. The worm takes advantage of the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, which was patched in MS03-026, on 17 July, 2003. Because many people have yet to patch their systems, the worm is very active. MSBlast spreads quickly via the Internet and could damage infected system files; therefore, this worm rates a 7 on the ZDNet Virus Meter.

How it works

MSBlast does not spread via email. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer. At this time, antivirus vendors are still analyzing what msblast.exe does.

MSBlast updates the system Registry with the following line so that it will run each time the computer is rebooted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe

I just want to say LOVE YOU SAN!! Bill

Prevention

Users who have not yet patched their Windows 2000, NT, and XP systems should do so.

Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32-bit Edition
Windows XP 64-bit Edition
Windows Server 2003 32-bit Edition
Windows Server 2003 64-bit Edition

Removal

A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Symantec, and Trend Micro.
#5 | Rolf (Admin) | Posts: 29855

Try this site, NAI have made the Stinger, which will remove the virus: http://vil.nai.com/vil/stinger/ , first read the instructions specific to XP though, as it involves disabling the system restore points. http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm

Also make sure that you download the patch from Microsoft; if you can't, get a friend to do it. I've just spent an hour on the phone trying to get my brother's computer up and running again.
#7 | Specialist Contributor | Join Date: 01-01-2000 | Location: uk | Posts: 587 | Thanks: 0 | Thanked 0 Times in 0 Posts

Hello Rolf et al.

I downloaded the Firewall as suggested, and it seems to be working OK. The most common 'intrusion' seems to be:

"Someone on address c-134-72-58.b.dial.de.ignite.net [62.134.72.58] wants to send ICMP packet to your machine"

Is this a fairly common one, and is there any way of telling what it is?

Kind regards
W. Hole
#8 | Rolf (Admin) | Posts: 29855

Looks like the BT Ignite server pinging you, is that your ISP? You can always look up an IP address at http://www.ripe.net/ripencc/pub-serv...ois/whois.html
#10 | Specialist Contributor | Join Date: 01-01-2000 | Location: uk | Posts: 587

Hello All

Having installed the FireWall as above, I have it currently set to advise me of any alerts, and there seem to be quite a few messages each time I go OnLine along the lines of:

Someone on address m39-mp1.cvx5-c.bre.dial.ntli.net [62.255.208.39] wants to send ICMP packet to your machine
tcpip kernel driver

Until this morning, that is, when I seem to have been inundated with them, I guess probably about 50 or 60 from various addresses.

Can anyone tell me exactly what the alert message means? Are these all malicious attempts, or are there legitimate reasons why someone would be sending 'tcpip kernel drivers' to my system?

ALSO - I have installed Ad-aware software, and as mentioned in another posting, it found quite a lot of stuff when I ran it, and despite having the firewall installed, it still found another six 'miners' yesterday.

Can anyone give me an Idiot's Guide as to what is going on?

Kind regards
W. Hole

PS As I type this, the attacks are still coming in, and the only programmes I have run this morning are Outlook to read my Email, and W/Explorer to access the Forum and reply to a posting.
#11 | Rolf (Admin) | Posts: 29855

Well, the IP address is part of the NTL block, so could be them, or some of their subscribers. If you are concerned, send an E-mail to abuse@ntlworld.com and attach a copy of the day's log, or copy and paste the page.
#12 | Specialist Contributor | Join Date: 01-01-2000 | Location: uk | Posts: 587

Hello Rolf

Thanks for the reply, but they are now coming in nearly as fast as I can clear them from the screen. I can't find a log anywhere which details them, can you advise? [Ignore this, I have found it now - I received 30 items between 10h30 and 10h38.]

Do you think they are malicious, or is there a legitimate reason they are coming in like this?

Regards
W.H.

Last edited by w hole; 19-08-2003 at 11:49 AM.
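Added example (not part of the thread, and not Kerio's or NAI's code): a small Python analyser for the kind of alert log W.H. describes in posts #10 and #12. It parses lines in the wording quoted above, counts alerts per source address, reports the busiest 8-minute window (the "30 items between 10h30 and 10h38" rate is used as the burst threshold; both numbers are my choice), and separately flags any TCP attempts on ports 135 and 4444, the two ports post #4 associates with the worm. The sample lines are constructed; the leading timestamp and the "wants to connect to port N (TCP)" wording are an assumption about the firewall's log format, not something the thread shows.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log. The ICMP lines copy the wording quoted in the
# thread; timestamps and the TCP "connect to port" wording are assumed.
SAMPLE_LOG = """\
10:30:12 Someone on address m39-mp1.cvx5-c.bre.dial.ntli.net [62.255.208.39] wants to send ICMP packet to your machine
10:30:40 Someone on address m39-mp1.cvx5-c.bre.dial.ntli.net [62.255.208.39] wants to send ICMP packet to your machine
10:31:05 Someone on address host1.example.net [192.0.2.10] wants to connect to port 135 (TCP) on your machine
10:31:06 Someone on address host1.example.net [192.0.2.10] wants to connect to port 4444 (TCP) on your machine
10:33:50 Someone on address host2.example.net [192.0.2.20] wants to send ICMP packet to your machine
10:34:10 Someone on address host3.example.net [192.0.2.30] wants to connect to port 80 (TCP) on your machine
10:35:00 Firewall engine started
"""

ALERT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) Someone on address (?P<host>\S+) \[(?P<ip>[\d.]+)\] wants to "
    r"(?:send (?P<icmp>ICMP) packet|connect to port (?P<port>\d+) \((?P<tproto>TCP|UDP)\)) "
)

# Ports the thread ties to MSBlast: 135 is the DCOM RPC service it scans for
# (MS03-026), 4444 is the shell it opens on an infected host.
BLASTER_PORTS = {135: "DCOM RPC (MS03-026) scan target", 4444: "post-infection remote shell"}


def parse_alerts(lines):
    """Turn raw alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # status messages, blank lines, other formats
        events.append({
            "time": datetime.strptime(m["time"], "%H:%M:%S"),  # no date: same-day log assumed
            "host": m["host"],
            "ip": m["ip"],
            "proto": "ICMP" if m["icmp"] else m["tproto"],
            "port": int(m["port"]) if m["port"] else None,
        })
    return events


def max_in_window(times, window):
    """Largest number of events falling inside any interval of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def summarize(events, window=timedelta(minutes=8), threshold=30):
    """Per-source counts, burst detection and a list of worm-pattern probes."""
    per_source = Counter(e["ip"] for e in events)
    peak = max_in_window([e["time"] for e in events], window)
    probes = [(e["ip"], e["port"]) for e in events
              if e["proto"] == "TCP" and e["port"] in BLASTER_PORTS]
    return {
        "total": len(events),
        "per_source": per_source,
        "max_in_window": peak,
        "burst": peak >= threshold,
        "blaster_probes": probes,
    }


if __name__ == "__main__":
    report = summarize(parse_alerts(SAMPLE_LOG.splitlines()))
    print(f"{report['total']} alerts, busiest 8-minute window: {report['max_in_window']}")
    for ip, n in report["per_source"].most_common():
        print(f"  {ip}: {n}")
    for ip, port in report["blaster_probes"]:
        print(f"  worm-pattern probe from {ip} on TCP {port}: {BLASTER_PORTS[port]}")
```

Unsolicited ICMP from an ISP's address block, as Rolf says, is usually benign; the useful signal in such a log is a sudden rate change from many distinct sources, or TCP attempts on 135 from random addresses, which is the scanning behaviour post #4 describes. The per-source counts also give you something concrete to attach to an abuse report rather than a screenful of pop-ups.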
#13 | Rolf (Admin) | Posts: 29855

You will normally receive a few of these, W.H.; are these all from NTL addresses? First thing I would do is turn off notifications, you don't need to know when it is stopping everything. I am the other side of a hardware firewall/router, so I don't get these types of intrusions, but very often anyway they are benign.
#14 | Specialist Contributor | Join Date: 01-01-2000 | Location: uk | Posts: 587

Hello R

All has quietened down now. I had a word with my B/i/Law who tells me that sometimes when logging on to an ISP one picks up the 'traffic' from a previous user. This seems to make sense, as I have not had this problem since, or perhaps the 'intruders' were put off by the firewall.

It is all very confusing for a poor initiate, but unless it happens again, I suppose it is best left alone..... BUT... I had been getting a load of Junk Mail before I started running a Mail Intercepto on Outlook, but after a week of 'reporting' abuse, it seems to have been reduced by about 90%. I don't know if this is because there has been a drop off in items sent, or if it is because of the 'reporting' of the programme-created Emails, but would be interested in any recent observations of other members.

regards
W. H.