Emergency Threat Update Nov 10, 2008 Windows Worm Breakout Presented by Jose Varghese

Upload: collin-sharp

Post on 17-Dec-2015


Agenda

What is the vulnerability and associated threat?

How does the worm work?

What are the mitigating controls?

How do we prepare for Incident Management?

Summary – Immediate Action and Long term solutions


Vulnerability and Threat

Vulnerability

Buffer overflow vulnerability in Windows server service

Attacker sends malformed RPC requests to the server service

Unexpected input leads to “overflow” condition

If successful, attacker can run any code of his choice

Example: change passwords, steal data or modify parameters


Previous buffer overflow vulnerabilities

Slammer worm in 2002, Blaster worm in 2003, Sasser worm in 2004 - all exploited buffer overflow vulnerabilities

A bit of history

On Nov 2, 2008, it was 20 years since the first Internet worm, “Morris”, spread, targeting a buffer overflow vulnerability on Unix systems


Does attacker need authentication?

Authentication requirements

No authentication required Windows 2000/2003/Windows XP

Authentication required for Windows 2008/ Windows Vista

Windows 2000/2003/XP more vulnerable than Windows 2008/Vista


Threat

Infected machines become unusable

Systems try to spread the worm and also upload data to the attacker

High CPU/memory utilization and machine becomes unusable

Data Leakage

Password information and system details are passed to the attacker

Network choking

Rapid propagation of the worm results in high utilization of LAN and WAN networks


Worm – How it works and what it steals

Worm functioning

Worm targets machines running a vulnerable version of the Windows Server service

The worm file name is n1.exe, n2.exe, n*.exe

When the worm starts

Installs a DLL file, sysmgr.dll, in the \system32\wbem directory

Sets up a new service in Windows

Displayed in Control Panel as “System Maintenance Service”

Connects to Internet and downloads more components

Installs and adds one more service “Windows NT Baseline”


Worm functioning

Worm collects the following data and passes it to attacker

Operating system version, Antivirus version

MSN Messenger / Outlook Express credentials

Username / Computer Name

Installed patches, applications

Recently opened documents

Network adapter / IP addresses

Uploads it, after encrypting it, to http://www.t35.com


Worm functioning

The Trojan also updates itself automatically from the sites below

http://summertime.1gokurimu.com

http://perlbody.t35.com

http://doradora.atzend.com

One of the images downloaded is the popular character Homer Simpson

Prevention and Detection

Technical Controls

Preventive Controls

Best solutions

Disable the Server service and Browser service in the Windows system

OR

Apply the patch MS08-067 and keep using the services

Impact of service stoppage

Disable the Server service and Browser service in the Windows system

You cannot share your folders but can still access remote shares

You will not be able to view other computers in your “Network Neighbourhood”

The Netlogon service, which allows domain login, depends on the Server service

Out-of-Band patch release

Microsoft follows a monthly patch release cycle

New patches every second Tuesday of the month

Next one due on Nov 11

The patch for this vulnerability was released out-of-cycle, or out-of-band

In the middle of the month on Thursday, Oct-23

The out-of-band patch release indicates the criticality associated with this vulnerability

Checking Patch rollout

Is the patch deployed?

If you have an automated patch management solution

Easy to track status

WSUS, BigFix, Landesk - deploy the patch and report status in the console

If patch deployment is manual, tracking is difficult

Use Nessus and scan for this specific plug-in [34476]

www.nessus.org/plugins/index.php?view=single&id=34476

Use Microsoft MBSA tool 2.1


If we cannot patch nor disable service…


Workarounds – Network Port blocking

Disable TCP 139/TCP 445 at Internet Firewall

Almost all Internet firewalls will already be doing this

Disable TCP 139/TCP 445 at Internal Firewalls and WAN routers

This will affect file sharing across branches and locations

We can keep this in place till the patch rollout is complete

Workaround – Checkpoint SmartDefense

Checkpoint Firewall has released a SmartDefense update to detect and block these malformed RPC requests

Only relevant if you have to allow TCP 139/TCP 445

Will help prevent propagation and also identify internal infected sources

http://www.checkpoint.com/defense/advisories/public/2008/cpai-23-Oct.html

How do I know if I am infected?

Early detection is key to limiting damage

Detection

Anti-Virus Tracking

IDS and IPS monitoring

Network traffic Monitoring

Internet browsing traffic logs


Anti-Virus detection

The proof-of-concept worm is detected by AV vendors.

Each vendor calls the worm by a different name

TrendMicro – GIMMIV.A

Symantec – Trojan.Gimmiv.A

McAfee - Spy-Agent.da

Expect to see more variants from the attacker and corresponding new names from AV vendors

AV has limitations ..

This is a self-propagating worm and not a virus

AV can only detect and clean

Even if AV is updated, a cleaned system can get re-infected

Only the MS08-067 patch can prevent re-infection

Anti-Virus Server Statistics

Methodology

Check daily for the Top 50 viruses present in your network

Look out for Gimmiv, Infostealer or their variants

These could be the infected PCs; isolate and clean them before it spreads

Pre-requisites

All servers/desktops report infection data to central console

All servers/desktops have the updated DAT that detects Gimmiv

IDS and IPS signatures

Methodology

Have IDS sniffing on internal WAN and server traffic

Alert on Gimmiv traffic

Pre-requisites

IDS signatures for the Gimmiv worm are updated in the NIDS

Snort IDS has already released the signature

www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html

All leading IDS/IPS vendors have released signatures

IDS is positioned to see internal traffic


Network Traffic Monitoring

Methodology

Check for denied traffic on TCP 139/445 from internal LAN/servers

Look out for an abnormally high number of denied packets

These could be the infected PCs; isolate and clean them before it spreads

Pre-requisites

Denied traffic at router/firewall is logged

Mechanism exists for real time tracking and alerting
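The deny-log check above, as an added example that is not part of the original presentation: it counts, per source IP, how many distinct hosts were denied on TCP 139/445, because a worm sweeping a subnet fans out to many peers while a normal client does not. The log layout, the sample lines and the threshold are assumptions for illustration, not any vendor's real format.

```python
import re
from collections import defaultdict

# Constructed sample of firewall/router deny logs in an assumed generic layout
# (not any vendor's real syntax): date time action proto src:port -> dst:port.
SAMPLE_FIREWALL_LOG = """\
2008-11-10 09:00:01 DENY TCP 10.1.5.23:1045 -> 10.1.6.10:445
2008-11-10 09:00:01 DENY TCP 10.1.5.23:1046 -> 10.1.6.11:445
2008-11-10 09:00:02 DENY TCP 10.1.5.23:1047 -> 10.1.6.12:139
2008-11-10 09:00:02 DENY TCP 10.1.5.23:1048 -> 10.1.6.13:445
2008-11-10 09:00:03 DENY TCP 10.1.5.23:1049 -> 10.1.6.14:445
2008-11-10 09:00:03 DENY TCP 10.1.5.23:1050 -> 10.1.6.15:445
2008-11-10 09:00:04 ALLOW TCP 10.1.5.40:1100 -> 10.1.6.10:445
2008-11-10 09:00:05 DENY TCP 10.1.5.40:1101 -> 10.1.6.20:445
2008-11-10 09:00:06 DENY TCP 10.1.5.77:2000 -> 10.1.6.30:80
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)
SMB_PORTS = {"139", "445"}  # NetBIOS session / SMB, the ports the worm targets


def smb_deny_fanout(log_text):
    """Map each source IP to the set of distinct hosts it was denied
    reaching on TCP 139/445. A host sweeping the subnet shows a large set."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["action"] == "DENY" and m["dport"] in SMB_PORTS:
            fanout[m["src"]].add(m["dst"])
    return fanout


def suspected_infected(log_text, min_targets=5):
    """Sorted source IPs whose 139/445 deny fan-out meets the threshold.
    min_targets is an assumed tuning value: a normal client rarely probes
    many distinct peers in a short window, whereas a worm scans broadly."""
    return sorted(src for src, dsts in smb_deny_fanout(log_text).items()
                  if len(dsts) >= min_targets)


if __name__ == "__main__":
    for src in suspected_infected(SAMPLE_FIREWALL_LOG):
        print("isolate and clean:", src)
```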


Internet Browsing Logs

Methodology

Check URL access logs for any access to these sites

www.t35.com

http://summertime.1gokurimu.com

http://perlbody.t35.com

http://doradora.atzend.com

59.106.145.58

Pre-requisites

Internet Browsing logs are available and can be easily filtered
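The URL-log check above, as an added example that is not part of the original presentation: it matches the hosts listed on this slide against proxy log entries, normalising case and an explicit port so those do not defeat the match. The proxy log layout and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts named in the slides as the worm's upload, download and update sites.
KNOWN_BAD_HOSTS = {
    "www.t35.com",
    "summertime.1gokurimu.com",
    "perlbody.t35.com",
    "doradora.atzend.com",
    "59.106.145.58",
}

# Constructed sample in an assumed proxy log layout: "date time client-ip url".
SAMPLE_PROXY_LOG = """\
2008-11-10 09:12:44 10.1.5.23 http://perlbody.t35.com/
2008-11-10 09:12:50 10.1.5.23 http://www.t35.com/
2008-11-10 09:13:01 10.1.5.40 http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2008-11-10 09:13:09 10.1.5.77 http://SUMMERTIME.1GOKURIMU.COM:80/
2008-11-10 09:13:15 10.1.5.40 http://59.106.145.58/
malformed line that the parser must skip
"""


def host_of(url):
    """Reduce a logged URL to its bare host: lower-case, port stripped,
    so that mixed case or an explicit :80 does not hide a match."""
    return (urlsplit(url).hostname or "").lower()


def clients_contacting_indicators(log_text):
    """Return {client_ip: set of indicator hosts that client contacted}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the expected four-field layout; skip it
        client, url = parts[2], parts[3]
        host = host_of(url)
        if host in KNOWN_BAD_HOSTS:
            hits[client].add(host)
    return dict(hits)


if __name__ == "__main__":
    for client, hosts in sorted(clients_contacting_indicators(SAMPLE_PROXY_LOG).items()):
        print(client, "->", ", ".join(sorted(hosts)))
```

Only exact host matches are flagged; matching every subdomain of a shared hosting provider would produce false positives.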


Hope for the best, prepare for the worst

What if the worm still hits us?

If the worm strikes

Identify the affected systems/office/region

Isolate the network

Clean up, patch, check and reconnect


From past experience ..

When an incident breaks out

Links might not work; Email and Internet might have to be turned off

Designated people may not be available to help

Decisions have to be taken with minimum delay


What can we do now ?

Send out the actual patch file [not the link] to all your location administrators

WAN links and Internet links may not work when the worm strikes

Send out the worm cleanup instructions/toolkits to all your locations

Send out the AV DAT version that detects the virus [if possible]

Decide criteria for cutting off a link or branch or region if the virus strikes

How to check global activity of the virus?

SANS Incident Internet Storm Center

http://isc.sans.org

Today’s Rating – Green [meaning Safe]

Symantec Threat Management Center

https://tms.symantec.com

Today’s Rating – Elevated [meaning Unsafe]

Summary of Action Items

Quick Checklist

Roll out MS08-067 across Windows desktops/servers

Track patch deployment using Nessus or MBSA

For unpatched systems turn off the Server/Computer Browser service

Update AV/IDS signatures

Track infections and alerts

Monitor TCP 139/445 traffic logs and Internet URL logs

Be prepared for the incident – Distribute patches and clean-up instructions now

Worms will come again

Long term planning

Long term action plan

Desktop patching takes time, tracking is difficult

Have an automated patch management solution

Anti-Virus centralized tracking is critical

Make sure AV console can provide a full view of organization

Have a vulnerability scanner operational and used regularly

Nessus or MBSA

Long term action plan

Disable desktop sharing. Sharing only on designated servers

Block vulnerable ports at branch routers and WAN aggregation points

Block known bad, allow the rest

Have traffic log monitoring and alerting on suspicious patterns

Network device and firewall logs

IDS to monitor Internal and WAN traffic

Not just the Internet side

Recommended Reading

More details available at ..

Microsoft Knowledge Base

www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

support.microsoft.com/kb/958644

Detailed FAQ on patch and worm

http://blogs.securiteam.com/index.php/archives/1150

How the worm operates

http://tools.cisco.com/security/center/viewAlert.x?alertId=16947


Questions? Suggestions?

Thank you for your time