xiven.com stating the blatantly obvious since 2002

Smooth

GwieF, Kamakaze and Cosmo all got their computers infected today with a worm. GwieF discovered it first when he spotted a suspicious file (msblast.exe) in the running processes list. Kam then checked for the file and didn't have it, but shortly afterwards the same file appeared in his system32 directory. Upon asking, it was discovered that Cosmo also had the same file. The times of infection (found by checking the created date on the msblast.exe file) were: some time in the morning, 8.33pm, and 7.13pm respectively.

Google yielded no results, so I went to Symantec and noticed a link to details of the W32.Blaster.Worm on the front page. Apparently this particular worm was only discovered today.

The worm exploits a flaw in the Windows RPC DCOM interface, which allows it to infect a machine without the user actually doing anything stupid: all it needs is an unpatched computer with TCP port 135 exposed.

A patch for this flaw (Microsoft Security Bulletin MS03-026) has been available since 16 July 2003 (revised on 21 July 2003), so the lesson here, as usual, is that if you are using Windows, make sure you keep up to date with the latest security patches. After all, you can be sure that as soon as a flaw has been publicly announced, it's only a matter of time before someone tries to exploit it.

Fortunately for me:

  1. I always keep up to date with Windows security patches. To help with this, I'm subscribed to Microsoft's Product Security Notification mailing list, so I always know when I need to go get a new patch.
  2. I have a lovely shiny firewall/router that I installed last week. It's an Olivetti M4 (P133 with 16MB RAM) running SmoothWall v2.0 beta 5 (incidentally I had been having trouble getting SmoothWall 1.0, or indeed any form of Linux at all to install on this machine, apparently because Linux has had some weird problems with the Olivetti M4 - fixed in later versions of the kernel, but that's another story).

Looking at the firewall logs, in the past 40 minutes alone my firewall has detected 29 attempts to access TCP port 135, from a different IP address every time, so it would appear that this thing is spreading quite rapidly (especially given the rate at which it infected the aforementioned PCs).

Update 1: In the past hour or so, the hit rate on port 135 has increased from 43.5 per hour to 64.5 per hour. I'll definitely be keeping an eye on this.
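As an added example (not part of the original post, and not SmoothWall's own code): a short Python script that does what the firewall-log counting above does by hand. It pulls inbound TCP/135 hits out of netfilter-style LOG lines (SmoothWall 2.0 is iptables-based, but the "Denied-by-filter:INPUT" prefix and the sample lines are constructed for illustration, not a real capture), counts how many distinct sources they come from, and normalises the count to an hourly rate, which is the arithmetic behind the 43.5 per hour figure (29 hits in 40 minutes). Many distinct sources hitting one port in a short window is the worm signature; the same source hitting repeatedly is more likely a single noisy host.

```python
"""Count inbound TCP/135 probes in iptables-style firewall log lines.

Added example, not code from the original page. Log prefix and sample
lines are constructed; only the field names (SRC=, PROTO=, DPT=) follow
the real netfilter LOG target format.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample spanning roughly 40 minutes: five TCP SYNs to port 135
# from four distinct sources (192.0.2.88 appears twice) plus one unrelated
# UDP/137 probe that must be ignored.
SAMPLE_LOG = """\
Aug 11 15:30:02 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=198.51.100.17 DST=203.0.113.5 LEN=48 TTL=113 PROTO=TCP SPT=4121 DPT=135 SYN
Aug 11 15:41:37 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=192.0.2.88 DST=203.0.113.5 LEN=48 TTL=120 PROTO=TCP SPT=1104 DPT=135 SYN
Aug 11 15:42:10 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=78 TTL=64 PROTO=UDP SPT=1027 DPT=137
Aug 11 15:55:49 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=192.0.2.88 DST=203.0.113.5 LEN=48 TTL=120 PROTO=TCP SPT=1105 DPT=135 SYN
Aug 11 16:03:15 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=192.0.2.150 DST=203.0.113.5 LEN=48 TTL=109 PROTO=TCP SPT=3344 DPT=135 SYN
Aug 11 16:10:01 smoothwall kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=48 TTL=115 PROTO=TCP SPT=2049 DPT=135 SYN
"""

# syslog timestamp, then the three netfilter fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2003):
    """Extract timestamp, source IP, protocol and destination port from one LOG line.

    syslog timestamps carry no year, so the caller supplies it. Returns None
    for lines that are not netfilter LOG entries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"])}


def blaster_probes(log_text, year=2003):
    """Entries matching Blaster's propagation pattern: TCP to destination port 135."""
    parsed = (parse_line(line, year) for line in log_text.splitlines() if line.strip())
    return [e for e in parsed if e and e["proto"] == "TCP" and e["dpt"] == 135]


def per_hour(hits, window_minutes):
    """Normalise a hit count over a window to an hourly rate (29 hits / 40 min = 43.5/h)."""
    return hits * 60.0 / window_minutes


def summarize(log_text, window_minutes, year=2003):
    """Hit count, distinct sources, hourly rate and busiest sources for TCP/135 probes.

    window_minutes is how long the log excerpt covers. A high distinct-source
    count relative to hits is what distinguishes a spreading worm from one
    host rescanning you."""
    probes = blaster_probes(log_text, year)
    sources = Counter(p["src"] for p in probes)
    return {
        "hits": len(probes),
        "distinct_sources": len(sources),
        "per_hour": per_hour(len(probes), window_minutes),
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, window_minutes=40)
    print(f"{s['hits']} TCP/135 probes from {s['distinct_sources']} distinct sources "
          f"({s['per_hour']:.1f} per hour); busiest: {s['top_sources']}")
```

Run against a real SmoothWall log the prefix would need adjusting to whatever the firewall actually emits, and the year argument to the year of the capture; the rest of the parsing depends only on the standard netfilter field names.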

Update 2: Symantec's description of the worm has been updated with more details about the payload and slightly more comprehensive removal instructions. Apparently, the worm will activate a Denial of Service attack directed at windowsupdate on 16 August, and continue until the end of the year.

Update 3: Some news reports have now appeared:

Posted: 2003-08-11 16:12:47 UTC by Xiven | Cross-references (0) | Comments (5)

Comments

  • Kai Hendry (2003-08-12 06:31:35 UTC)

    Silly question: Why are the kids running with TCP port 135 exposed?

  • Xiven (Registered) (2003-08-12 08:33:18 UTC)

    Silly answer: Because if you just connect to the Internet with a Windows OS and without a firewall, it will always be open.

  • Ben (2003-08-12 15:12:24 UTC)

    'coz the silly kids use a silly OS :-p

  • Basil Crow (2003-08-13 09:15:05 UTC)

    Actually, it's fairly easy to enable Windows XP's "Internet Connection Firewall." Although it's software-based, I've found that it does an excellent job of stealthing my system.

  • Xiven (Registered) (2003-08-13 13:09:22 UTC)

    There are now 340 results for "msblast.exe" on Google, up from 0 yesterday :)