Worms! (a public service message)
Aug. 12th, 2003 10:38 am
Noticed any of the following symptoms?
* Windowsupdate.com is phenomenally, incredibly slow!
* For that matter, the whole Internet is pretty slow!
* My computer keeps telling me I have 60 seconds before it shuts down!
They're all the worm's fault! The MSBLAST.EXE/W32.Blaster worm is currently hammering the crap out of most of the Internet.
A few weeks back (may have been months by now, I don't recall), a security vulnerability in the RPC service was found; now, this worm has been written to take advantage of that known vulnerability. The vulnerability being exploited is a buffer overflow. The worm sends a specially malformed packet to the RPC service, which tries to put the data in a buffer too small for it, thus overflowing past the end and over the stack frame pointer. The result is that the packet, rather than just being used as data, is actually executed by the RPC service. This packet, of course, contains code to download and install the worm on your machine.
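To make the overflow mechanism described above concrete, here is an added C example (not code from this post, and not the real RPC service or DCE-RPC wire format; the one-byte length header is a constructed format): a request handler that trusts the packet's own length field and copies into a fixed stack buffer, next to a hardened handler that checks that length against both the buffer and the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32   /* fixed-size stack buffer, as in the post's description */

/* Constructed request layout (an assumption, not the real DCE-RPC format):
 *   byte 0     : declared payload length
 *   bytes 1..n : payload */

/* Vulnerable pattern: the length byte is trusted, so a declared length above
 * NAME_BUF writes past the buffer and over the saved frame pointer and return
 * address. Shown for contrast only; nothing in this file calls it. */
int handle_request_unsafe(const uint8_t *pkt, size_t pktlen) {
    char name[NAME_BUF];
    (void)pktlen;
    memcpy(name, pkt + 1, pkt[0]);          /* BUG: no bounds check */
    return (int)pkt[0];
}

typedef enum { REQ_OK, REQ_EMPTY, REQ_TOO_LONG, REQ_TRUNCATED } req_status;

/* Hardened version: validate the declared length against the buffer size and
 * the bytes actually received before copying anything. */
req_status handle_request(const uint8_t *pkt, size_t pktlen, char out[NAME_BUF]) {
    if (pktlen < 1) return REQ_EMPTY;
    size_t declared = pkt[0];
    if (declared >= NAME_BUF) return REQ_TOO_LONG;   /* keep room for the NUL */
    if (declared > pktlen - 1) return REQ_TRUNCATED; /* header claims more than sent */
    memcpy(out, pkt + 1, declared);
    out[declared] = '\0';
    return REQ_OK;
}

/* Constructed sample packets; returns a bitmask of the checks that passed (7 = all). */
int run_checks(void) {
    char out[NAME_BUF];
    const uint8_t good[] = {5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t lying[] = {10, 'a', 'b'};            /* claims 10 bytes, carries 2 */
    uint8_t big[201];
    memset(big, 'A', sizeof big);
    big[0] = 200;                                      /* 200 bytes into a 32-byte buffer */
    int mask = 0;
    if (handle_request(good, sizeof good, out) == REQ_OK && strcmp(out, "hello") == 0) mask |= 1;
    if (handle_request(lying, sizeof lying, out) == REQ_TRUNCATED) mask |= 2;
    if (handle_request(big, sizeof big, out) == REQ_TOO_LONG) mask |= 4;
    return mask;
}

int main(void) {
    printf("hardened handler: %s checks passed\n", run_checks() == 7 ? "all" : "not all");
    return 0;
}
```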
All the worm does is spread itself through the buffer overflow, then launch a DDoS attack on August 16th (so that part, at least, hasn’t happened yet). However, a side effect of a buffer overflow attack is that after the attack code has finished, the stack is corrupted, so the program (in this case the RPC service) will start jumping wildly to other places in memory. Sooner or later (usually sooner), it will try to jump out of its own process space, which causes an access violation (error 0xc0000005, what UNIX users call a segmentation fault). An access violation is fatal if unhandled, so the process crashes. Normally, you’d get an error dialog when a process crashes this way (as an access violation counts as a general protection fault), but since RPC is a Windows service, it fails silently in the background. If you look in Event Viewer, though, you’ll see a fatal error logged from SVCHOST.EXE when it crashed.
However, while you’re looking in Event Viewer, you’ll also notice a second event at the exact same time as the crash. USER32.EXE notices that the RPC service is no longer running, and takes corrective action. RPC, remote procedure call, is a critical Windows service – large portions of Windows will not function properly without RPC. The only way to get RPC back after it’s gone down is… to reboot. So USER32.EXE, upon noticing that RPC is gone and thus many applications will probably no longer work correctly, schedules an emergency system shutdown in 60 seconds, with the machine set to restart after shutdown. The worm actually has nothing to do with this – the worm just crashed RPC, and Windows is trying to clean up the damage. If you just killed RPC in task manager, or stopped the service with a net stop, you’d get the same countdown.
You can actually stop this shutdown if you want – executing the command “shutdown /a” will abort the countdown and return control to you. However, you may or may not want to do this… because about half the apps you run will probably not work without RPC. However, if your network is so hammered by worm traffic that you’re having trouble staying up long enough to download and apply the patch, a good “shutdown /a” can give you more time to work. Also, once USER32.EXE has scheduled one shutdown for RPC crashing, it won’t schedule another until you reboot (or manually restart RPC, which is not advisable) – so you don’t have to sit there aborting countdowns over and over again.
How can you protect yourself? Four ways:
* Use a personal firewall that blocks RPC ports. If you have XP, turning on the Internet Connection Firewall will do it. If not, download ZoneAlarm.
* Go to windowsupdate.com and download and install all Critical Updates. You should do this routinely anyway.
* Directly download the patch for Windows XP or Windows 2000. This is the same patch you'd get from windowsupdate.com. But right now windowsupdate.com is really slow... because of people getting this patch. :)
* Run Linux, Mac OS X, or any Microsoft OS made before 1995, when RPC was introduced. Yeah, I'd go for one of the first three ways, too. Alternately, if you're running Windows 95, 98, or ME, the worm will crash RPC, necessitating a reboot, but will not be able to actually infect your computer. The infection code it uses is structured for NT operating systems (Windows NT 4, 2000, XP, and Server 2003).
Finally, if you've been infected by the worm (i.e. you've seen that 60-second countdown at least once), you need to deworm your computer. There are instructions on doing it here, along with the tools you need. It is not a trivial process; you have to disable system restore to do it, so it'll take some time. However, if you don't go through this process, your computer a.) will continue spreading the worm to others, and b.) on August 16th, will launch an attack on windowsupdate.com and will continue this attack until you perform this procedure. Chances are your ISP will not consider b.) to be a kind action on your part, and will take steps to stop the attack from your computer (such as cutting off your Internet access).
no subject
Date: 2003-08-12 10:56 am (UTC)
I dunno. I really enjoy never having to worry about worms, viruses, or the like. :)
no subject
Date: 2003-08-12 10:58 am (UTC)
no subject
Date: 2003-08-12 11:03 am (UTC)
Besides, MS posted a fix for this at least a week ago. Those people being hit by this are experiencing the penalty of not keeping their systems updated. That said, I really haven't followed it but this seems to be a really big problem.
no subject
Date: 2003-08-12 11:16 am (UTC)
Overall, though, I think this is the biggest threat since NIMDA. So many home users both don't run a firewall and don't keep their systems updated (this vulnerability was discovered July 16th, so they've had plenty of time) that it can spread like wildfire.
Honestly, I think what will have to be done to completely stem the tide is ISPs blocking the RPC ports on their routers. People shouldn't be using RPC for routable Internet communication anyway.
no subject
Date: 2003-08-12 11:19 am (UTC)
no subject
Date: 2003-08-12 05:02 pm (UTC)
Less than four weeks, and the next worm may follow the release of an exploit more closely.
You think that's plenty of time for a typical home user? So, they should be updating every two weeks or something?
Not that I disagree they should update more often, but it seems like it will be a while before this is a realistic expectation.
Even corporate environments will have a hard time updating desktop boxes that often with all the concerns about potentially breaking things.
If you manage to get everyone updating every week or every day (and have update servers that can handle the load) you get different vulnerabilities if anyone can break the update servers.
Damn shame this affected 2003 despite the secure programming effort.
no subject
Date: 2003-08-12 08:29 pm (UTC)
I do think home users should be updating every two weeks -- I make sure to check for updates at least once a week -- but just because I think they should doesn't mean that I actually expect them to. However, the automatic download of critical updates seems to be about as aggressive as Microsoft can get for forcing people to keep up-to-date. If it weren't for automatic critical update download, I would not find this expectation reasonable, but when all people have to do is click "yes" and wait 5 minutes, my sympathy for them when they fail to update is reduced at least somewhat.
However, you're right that 4 weeks from vulnerability location to exploit use is a very short time. Usually it takes much longer.
Honestly, what was needed to prevent this from becoming widespread is not patching the vulnerability, but rather people not exposing their entire TCP/IP stack to the Internet. Anyone who runs a personal firewall will never even notice this worm's existence, and could run unpatched until the end of time with no adverse effects. The Internet has become so huge that leaving your computer openly on it is dangerous -- hell, it's so large at this point it has weather. A firewall (either on organization boundaries in the case of corporations, or personal firewalls on home systems) is imperative for safe operation these days -- and Windows XP has one built-in; you only have to turn it on. After things like this, I'll bet you that the next version of Windows has it turned on by default, and makes you turn it off if you don't want it.
I agree that it's too bad this affects Windows Server 2003. This has been there since NT 4.0 unnoticed.
no subject
Date: 2003-08-12 11:21 am (UTC)
no subject
Date: 2003-08-12 03:20 pm (UTC)
no subject
Date: 2003-08-12 11:20 am (UTC)
no subject
Date: 2003-08-12 11:21 am (UTC)
Here's a question: is deworming really necessary if you have ZoneAlarm anyway? I must have gotten the worm while I was working, since ZA screws up my ASP sessions, but I leave it on all the time otherwise.
no subject
Date: 2003-08-12 11:26 am (UTC)