VIRUS BULLETIN www.virusbtn.

com

VIRUS ANALYSIS 3
BLAST OFF! per cent of the time, the exploit is tuned for Windows XP
systems, the other 20 per cent for Windows 2000 systems.
Peter Ferrie, Frédéric Perriot, Péter Ször This selection is made only once, whenever the worm
Symantec Security Response, USA initializes.
All unpatched Service Packs of both Windows XP and
On 11 August 2003 – the same day it was completed – a Windows 2000 systems are affected, but because of this
6176-byte-long UPX-compressed bug started to invade the random tuning, the worm will sometimes just cause a denial
world using a recent vulnerability described in Microsoft’s of service (DoS) on the attacked machines, crashing the
MS03-26 security bulletin. Even Windows Server 2003 was RPC service.
affected by this vulnerability. Patches were made available
by Microsoft, but on this occasion there was only a short
delay between the announcement of the vulnerability and SECOND STAGE – THE SHELL
STAGE
the appearance of the worm that exploited it. The infection of a new machine is a three-phase process,
Users of Windows XP had a chance to get the patch applied involving quite a lot of network activity in comparison
automatically via Windows Automatic Updates. However, with the single-connection CodeRed and the lightweight
the same cannot be said for the Windows 2000 platforms, Slammer.
where users would need to pay closer attention to the update First, the worm sends its attack buffer over port 135/tcp,
procedures. which exploits the RPC DCOM vulnerability and causes the
remote machine to bind a shell in the SYSTEM context
(‘cmd.exe’) to port 4444/tcp.
ALL SYSTEMS GO
Second, the worm sends a command to the newly created
The first thing Win32/Blaster does when it runs on a shell to request a download of the worm file from the
system is to create a value ‘windows auto update’ in the attacking host to the victim. The transfer is done over port
‘HKLM/…/Run’ registry key, pointing to the bare file name 69/udp using the tftp protocol (the worm implements its
‘msblast.exe’ (for variant .A). This relies on the assumption own crude tftp server which formats sent data according to
that the executable has ended up in a directory that Windows RFC 1350, and uses the tftp client that is present by default
searches by default, which is usually the case. on most Windows systems).
Then the worm attempts to create a mutex named ‘BILLY’, Finally, once msblast.exe has been downloaded successfully,
and aborts if the mutex exists already, in order to avoid or after 21 seconds, the worm requests the remote system to
multiple instances of the worm running at the same time. execute the downloaded file.
Win32/Blaster then waits for an active network connection,
and starts searching for machines to infect.
HOUSTON, WE HAVE A PROBLEM
HAVE
Once the shell exits, the hijacked RPC service thread
SP4, SP3, SP2, SP1, IGNITION! running the shell code calls ExitProcess(), causing the
The target selection in Blaster is somewhat different from service to terminate. The termination of the RPC service,
that found in CodeRed and Slammer. Sixty per cent of the regardless of how it occurs, triggers a reboot in Windows XP
time, Blaster will go after entirely random IP addresses, and systems after one minute. On Windows 2000 systems, the
the other 40 per cent of the time it will attack machines on termination will result in a variety of unusual side effects,
the same class-B-sized network as the host, hoping to take among the most critical of which is the inability to use the
over pools of vulnerable systems on the local area network. Windows Update web service.

The scanning for targets is linear (the target address is

increased monotonically until it reaches the end of the IP PAN GALACTIC GARGLE BLASTER
space) and, in the case of a local attack, starts at or slightly
As is common for fast-spreading worms, Win32/Blaster
below the class-C of the host.
reuses an exploit code that was posted previously to various
The worm targets machines running Windows 2000 and security mailing lists. The exploit uses two so-called
Windows XP, and intentionally favours the exploitation of ‘universal offsets’ as return addresses in a classic stack
Windows XP machines (probably because the payload relies buffer overflow, each of which is compatible with multiple
on the increased availability of raw sockets there – the service packs of one Windows version. The vulnerability is
requirement to be administrator was removed). Eighty located in the code of the rpcss.dll file, in a function related

10 SEPTEMBER 2003
 VIRUS BULLETIN www.virusbtn.com

to the activation of DCOM objects. The buggy function octets are randomized for each sent packet; the high octets
extracts a NetBIOS server name from a UNC path specified are either taken from an IP of the source host, or otherwise
by a DCOM client, and attempts to place it into a 32-byte initialized once to random values.
buffer on the stack, without bounds checking. The traffic features various characteristics that can help in
Once the stack is smashed, the hijacked return address leads recognizing it: the two low bytes of the TCP sequence
to a ‘call ebx’ instruction (in a ‘well-known’ constant data number are always zero, the source port is between 1000
table) which then jumps back to a nop ramp in the shell and 1999 (inclusive), and the IP identification field always
code. This is possible because the ebx register is pointing to has a value of 256.
a local variable in an earlier stack frame (i.e. at a higher
memory address) created by the fourth-level (!) caller of the
buggy function (see Figure 1). CONCLUSION
The shell code retrieves some useful API addresses, binds to The first use of a command shell attack by a Win32 worm
port 4444/tcp, accepts one incoming connection, spawns the has finally arrived. The spawning of a shell had previously
shell and ties its input to the port 4444 socket, waits for the been used only by Win32 exploits and by Unix worms
shell process to finish, then exits. executing /bin/sh with system calls such as system() or
execve().
Windows worm writers are slowly merging existing exploit
code with their creations to make them more harmful. The
tendency that started with CodeRed, Slammer and other
Unix worms, continues. The delay between the appearances
of such creations seems to have decreased from a year to
six months.
It is evident that among defensive technologies, proactive
behaviour blocking techniques will become essential to
fight back against such ‘cloned’ worms in the future. Peter
Ször’s paper, ‘Attacks of the worm clones – can we prevent
them?’ (to be presented at this year’s RSA Europe
conference in November) uncovers the details of how
we can get closer to this goal and demonstrates research
prototypes that work effectively against this clone.
This time not only corporate servers risked being affected;
the threat had the potential to reach the majority of Windows
desktops. This is ‘Buffer Overflow for the Masses’.

Figure 1: Memory layout and control flow. Win32/Blaster

Size: 6176 bytes.
MS-D
MS-DooS Aliases: W32.Blaster.Worm,
Win32/Blaster implements a SYN-flooding Distributed W32/Lovsan.worm,
Denial of Service attack against the website Win32.Poza.A.
‘windowsupdate.com’, an alias of the main Microsoft
Type: Worm, exploits buffer overflow
Windows Update site.
vulnerability in DCOM/RPC
The attack is carried out if the day of the month is greater (described in Microsoft’s MS03-026
than 15, or the month is greater than 8, i.e. every day from Security Bulletin).
16 August to the end of the year, and then starting again
on 16 January until 31 January, 16 February until 28(/29) Trigger: DoS attack attempt against
February, and so on. windowsupdate.com after
16th of each month or after August
To generate the traffic, the worm uses raw sockets. DoS each year.
packets have spoofed source IP addresses, the two low

SEPTEMBER 2003 11