
MSBLAST Worm background information


Toysnomore (Disabled), joined Aug 12, 2003
Bah... I just had a FIVE PAGE post on the ins and outs of MSBLAST, where it started, and what it's doing, etc. etc. etc...

Power went out and I lost it all LoL!

Info in coming post, please don't reply until I post.
 
Ok... Straight up. I got banned. Never got an email (guess it went to an old account). No worries. On to the short version of the 5 page post from memory.

**********

I'm currently a lvl3 tech support for one of the LARGEST DSL providers in the USA. (You don't get any higher than myself and I did that in six weeks from the date I was HIRED, go me! That's insane!?)

************

OK! It seems everyone knows what it uses to move around now. Windows RPC.

Our ISP has been tracking the worm for the last three days internally, and internally have had reports that are now known to be the worm from the last 5-7 days.

The worm has been traced by ourselves, and several other Broadband ISPs, to OUR backbone, Genuity (largest backbone on the west coast).

Actually, we know the EXACT point where the worm originated from, so if you're reading, live in fear! We knew that a week ago and Genuity is ****ed!

Anywhos...

**********

How it spreads for dummies.

Routers/Switches/Hubs (RSH from now on) are for this discussion THE SAME THING (stay shut up, network savvy people, and go along with it).

They all support, in some way, remote administration. This is how network admins are able to upgrade entire pools of computers and make changes, seemingly at will, "easily" (hah yeah right heh).

BECAUSE:
*SOME* Win2K
***ALL*** Win XP
Win 2K3 (we don't know, not enough 2k3 sold for us to do internal testing on it OR track it!)

Automatically accept ALL remote admin calls. EVERY SINGLE PC that is somehow connected to the internet is susceptible.

NO RSH (yes, even your precious routers and hardware firewalls), secure passwords, or anti-virus programs (right now they can only take off HALF the virus, last I checked, and NOT keep you from getting it)

is going to protect you... It's just how it is... The RSH's let the calls go straight through no matter what you do, to a limited extent.

**********

Trust me when I tell you this... There is NO reason to think you're safe unless you're in no way chained to the internet... If there is a single router, hub, or computer on your LAN or WAN on the internet, you are susceptible.

The only reason you don't have it so far is because you haven't had a switch above yourself hit yet. It's coming...

**********

Currently I can tell you... Damned near EVERY XP copy in California is down if it's been on the internet for any length of time within the last 8 hours.

Our Tech support office handles ALL western US T.S. calls BY OURSELVES.

We had WELL over 13,000 calls from CALIFORNIA ALONE in JUST my 8 hour shift today...

It averaged out to an extra 49 calls per person on my shift. Average calls in a day is around 38... Thank god we eventually (by the end of the shift) threw our great service out the window and opened every call with "are you running Windows XP?" (answer yes) then "call 1-800-936-5700" (MS basic support center).

**********

Because of the way it spreads, please... For God's sake! DON'T think you're invincible! I can attest to it! I have RPC disabled in my Linksys router at the house and even have X.X.X.255 COMPLETELY blocked for a week.

I STILL came home to a W2K3 box and a new XP Pro box infected... The Pro box is also completely blocked of all IPs and ports from the internet.

What I'm saying is that EVERYONE on THIS FORUM, MICROSOFT or elsewhere telling you a router is protecting you either:

1) is Bull****ting you to cover their product liabilities
2) doesn't know what they're talking about

Want proof???

When I left work LATE (8:30 cnt) approximately 33% of all switches Genuity has on the west coast were infected and transferring the worm.

Only the stupid will think that if a $400,000 large switch or DHCP box gets used like crap through a goose, a $50 Linksys router is nothing...
 
I'll answer any questions I can if anyone has one. I feel sorry for everyone on the west coast. If you people could only see the numbers we're getting reported at work... Big hush, hush... They don't even tell the low end people the stats. It's too horrible, they'd die of shock! (That's a half-hearted joke)

**********

I'll let you guys in on whatever I find out tomorrow. Hopefully I can get on when I get to work and post during the day. AFA right now, the entire ISP is on an external shutdown. Every service we support that requires outside information is no longer supported.
No one is allowed outside of our LAN. All outside connections from our 1,300 agent and 680 PC call center are COMPLETELY blocked.

So like I said... If We're all lucky, I'll post some info tomorrow if I learn any interesting tidbits.
 
OK... Here's a question I've been wondering about...

If I have a software firewall, am I protected against this? I would assume that it would automatically block any (unrequested) incoming traffic, and so I'd be safe from it. But then again, it IS the default XP firewall, so who knows.... :rolleyes:

JigPu
 
Microsoft seems to say it does.

However, no one here seemed to agree with them. The fact is that if the OS sees the call to "hey install this", it's going to install it.

And since every call goes through the OS, then the software firewall running ON the OS, it's still going to answer it.

People think software firewalls are outside their PC keeping stuff out. Really it's more like an inner wall where you're still exposed to some extent.

**********

Software firewalls are useless to begin with. Don't believe me? 99% of all internet hacking is done by versions of the same Remote Administration exploit (this is a bit different than what this worm uses, but actually close to the same principle).

Anyways... If 99% of all hacking is a variation on ONE theme, and SO EASY that you can walk a CHILD through it, or just give directions to a pre-teen with average reading skills.

Then why don't they protect from it? Just random food for thought ;)

**********

To answer the question completely <grins> No, I wouldn't trust it at all. The simple reasoning is that it transfers by backdooring through all kinds of hardware and software firewalls in ISPs, end users, and server PCs, routers and hubs. IMHO I wouldn't trust anything an end user can buy, no matter what they say.

Just get the patch.
 
Why will a hardware or software firewall not block the worm? I really don't know anything about it, so I'm just trying to learn some more so I can be protected. I have my router blocking port 135 and I'm downloading the patch at the moment, but it sounds like I am still at risk according to you.
 
I'm just going off what I've been told and how we're tracking it. Basically think of a tree.

At the trunk is going to be the Genuity switch that was hacked.

That person got admin access to the switch and started a remote call install on everything DIRECTLY connected to that particular switch.

**********

Because of the way remote admin works in most switches and hubs, if a switch gets a remote call, it passes it along to everything that's directly connected to IT.

So now we've gone from the trunk to all the main limbs.

The cycle continues basically indefinitely, except that at some point the worm started going "upwards" above the original switch. (how it got to the rest of the internet)

Since the original infected switch is located in an undisclosed part of California (I know where, but ain't saying, it's a major city that's having an insane amount of problems though)

Most of that area of California had what we term an outage. (although this isn't like a blackout, or complete outage)

**********

Closing 135 might work, but really from what I read on that guy's site, I don't see how it's going to keep you from being hacked more than once.

From my basic understanding of routers, switches and hubs, they can send the calls out all ports. I've seen them on others and although 135 is the default RPC port, Windows will answer the call on any port so long as it's addressed with the admin information.

(Think not of the admin on the computer or router. Think the network components are completely stupid, and someone waaaay down the line said, "Hey! My admin told everyone to jump off a bridge". Then everyone told everyone around them to jump off the bridge, while they're jumping off themselves.)

What makes this so ingenious is that it doesn't matter WHOSE admin access it is, because all Windows realizes is someone, somewhere said it had admin access and to do this.

It's not like Windows NT has ever been smart enough to verify who the admin is ;)
 
I've been doing some more research since I posted (since it seems everybody is getting this), and it seems that those behind firewalls (mainly software, but a few hardware) are actually not getting hit by it. Their logs show TONS of attempts to hit port 135 in the past few days, but it hasn't gotten through.

I'm not network savvy, but I don't understand why a firewall wouldn't protect you from any sort of attack (...as long as it doesn't take advantage of a firewall hole anyway, and you had every port closed/stealthed). It would be horrible programming to let things through that the user said not to, even if it's 'probable' they want it.

Regardless, it still dosen't mean that the patch shouldn't be downloaded... Anybody who says not to (for any reason) is stupid. Why not plug yet another hole in the window? :D
JigPu
 
I guess that above is how "I" perceive it getting around firewalls.

I know we were getting calls with people behind all kinds of routers today with built-in firewalls, and a few business customers transferred to us because our business tech support couldn't handle them.

I personally took a call from a network admin in a small business behind a voxtech hardware firewall. Their entire network was hit.

(some deep thinking)

Ok... Let's revise this, I had a revelation... Because large networks (businesses and banks of computers and the like) MUST be able to use remote admin, they probably leave 135 always open.

End users may not leave that open. I know I had it on 2 PCs when I came home. Maybe it went from the old DMZ to the one that has everything disallowed, but whatever! Doesn't matter, I still got it!

**********

Ok! So working theory: if you're on a large network, you're still screwed.

Even if blocking 135 protects you, go ahead and patch, cause it won't take but one guy to decompile it and stick it on different ports and we're all in the same boat again.
 
issues

I'm having some major issues with AIM and mIRC... It keeps restarting them for no reason at all... my connection is fine and all, but it's just getting annoying. Is there anything I can do?

I've downloaded the new patch and everything... but nothing's working...
 
Yeah, I just checked my Linksys router logs and port 135 is getting hammered by tons of IPs. So then I checked my router's log at work and WHOAH! Talk about major hammering. Glad I've got it closed down. Remember everyone: disable UPnP in your Linksys router (if it supports it).
 
Toysnomore said:
Ok... Straight up. I got banned. Never got an email (guess it went to an old account). No worries. On to the short version of the 5 page post from memory.

And straight up.......you got banned again. Starting a new account only reinforced the reason to make it perma. IF you want to email a mod or myself, we can discuss this.

Nice post, but it's a poor excuse to ignore our rules.

my email is [email protected] if you wish to contact me.
 
Well, I work for the biggest ISP in Finland, and I don't see anything massive here. While we have a load of infected customers, I believe that _this_ version can be easily blocked. I had my computer at home with Win2k running for the last week without patching until today morning, and it didn't get infected. I do however see a lot of blocked requests on port 135.

The patch should be good for future worms based on the same vulnerability, but I would say this one is pretty harmless (apart from congestion in internet traffic). The situation would have been completely different if the worm wasn't coded so badly that it shuts the computer down every few minutes, and if it would actually do some permanent damage.
 
dropadrop said:
Well, I work for the biggest ISP in Finland, and I don't see anything massive here. While we have a load of infected customers, I believe that _this_ version can be easily blocked. I had my computer at home with Win2k running for the last week without patching until today morning, and it didn't get infected. I do however see a lot of blocked requests on port 135.

The patch should be good for future worms based on the same vulnerability, but I would say this one is pretty harmless (apart from congestion in internet traffic). The situation would have been completely different if the worm wasn't coded so badly that it shuts the computer down every few minutes, and if it would actually do some permanent damage.
Well, let's just thank our lucky stars that the writer of the worm had a wee bit of a conscience. He even wrote in his code "billy gates, why do you let this happen and why dont you fix your OS?" Something to that effect anyways.
 
First of all, I have patched all my machines since July 16th when the vulnerability was first announced. Second of all, I run an all Windows network in my house and my father's office. I manage his network as well. Both mine and his server, which acts as a router using the Routing and Remote Access role, are running Windows Server 2003. Also, my ISP blocks port 135 at the internal and external level (Optimum Online in New York, New Jersey, and Connecticut). My father is currently using Verizon Online Business DSL, and will soon be switching to a T1. I checked mine and his snort logs for hits on port 135, and see no attempts. I also checked every machine in my house and his office for msblast.exe. None of the servers or workstations have the virus. This tells me that routers (either hardware or Windows based) are secure against the virus. It also tells me that the patch works. All machines have been on since the worm was first introduced, and none have even hiccupped. So, my personal conclusion tells me that routers can and do block this worm. All routers that handle NAT functions should be secure against this worm. You claim that all your switches just send out admin requests on all ports. If a client has a router, this packet cannot get by it. The router will examine the packet, and since the packet won't have a defined address where it needs to be delivered, it can't be delivered. This is a very simple function that even a 13 dollar router should handle.
 
TUK101 said:
Well, let's just thank our lucky stars that the writer of the worm had a wee bit of a conscience. He even wrote in his code "billy gates, why do you let this happen and why dont you fix your OS?" Something to that effect anyways.

Yeah, he told Bill Gates to stop making money and fix the problem that lets this occur. Firstly, the problem has been fixed, and only stupid users have been infected. Secondly, I hate people who take their anger out on users. If you hate a company, why take it out on the users of the company? I can use this metaphor. Say I despise GMC vehicles. I can say the tires they choose to use suck. What the kind of person who wrote this worm would do is go around slashing tires to prove that these tires suck.
 
As long as the port any virus is using is blocked, you should be safe. I have ZoneAlarm; in the log for the past two weeks before Monday it had 2 access attempts to 135, after that in a 24-hour period it had more than 100, all blocked. No virus, and I didn't have the patch till Tuesday, so it did its job.

They aren't useless as long as they are set up correctly.
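Several posters above check the same thing by hand: the Linksys router log, the ZoneAlarm log, and the snort logs all get read for inbound attempts on port 135, and the question each time is how many hit, from how many sources, and whether any got through. The script below automates that check. It is an added example written for this thread, not code from any poster or from any of the firewall products named; it assumes a constructed, simplified packet-filter log format (one line per decision, with timestamp, ALLOW/BLOCK, protocol, source and destination) and uses constructed sample lines. It counts inbound TCP attempts to a watched port set (135 by default, configurable in case a variant is recoded to use other ports, as the thread worries) per source and per hour, flags any attempt the filter ALLOWED, and reports hours whose count reaches a spike threshold, which is the pattern the ZoneAlarm post describes (2 attempts in two weeks, then over 100 in a day).

```python
import re
from collections import Counter

# Constructed, simplified packet-filter log format (an assumption for this
# example, not any vendor's real format):
#   <timestamp> <ALLOW|BLOCK> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# TCP/135 is the port the thread is about. The set is configurable so a
# variant recoded to other ports can be watched with the same script.
WATCH_PORTS = {135}

# Constructed sample log (not real traffic; documentation address ranges).
# One line is deliberately malformed, and one shows an inbound 135 connection
# that was allowed through, which is the case a defender most wants to notice.
SAMPLE_LOG = """\
2003-08-11T22:14:03 BLOCK TCP 203.0.113.17:3091 -> 192.0.2.10:135
2003-08-11T22:14:09 BLOCK TCP 203.0.113.17:3092 -> 192.0.2.10:135
2003-08-11T22:15:41 BLOCK TCP 198.51.100.5:1027 -> 192.0.2.10:135
2003-08-11T22:16:02 ALLOW TCP 198.51.100.77:4412 -> 192.0.2.10:80
2003-08-11T23:02:55 BLOCK TCP 198.51.100.5:1028 -> 192.0.2.10:135
2003-08-11T23:03:10 ALLOW TCP 203.0.113.200:2211 -> 192.0.2.22:135
2003-08-11T23:07:44 BLOCK TCP 203.0.113.9:1100 -> 192.0.2.10:135
this line is garbage and must be skipped
2003-08-11T23:08:00 BLOCK UDP 203.0.113.9:1101 -> 192.0.2.10:53
"""


def parse_log(text):
    """Yield one event dict per well-formed line; silently skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        yield ev


def summarize(text, watch_ports=WATCH_PORTS, spike_threshold=5):
    """Summarise inbound TCP attempts to the watched ports.

    Returns counts per source and per hour, the attempts the filter ALLOWED
    (each one means the block is not doing its job for that host), and the
    hours whose attempt count reached spike_threshold.
    """
    per_source = Counter()
    per_hour = Counter()
    allowed = []
    total = 0
    for ev in parse_log(text):
        if ev["proto"] != "TCP" or ev["dport"] not in watch_ports:
            continue
        total += 1
        per_source[ev["src"]] += 1
        per_hour[ev["ts"][:13]] += 1  # bucket key is "YYYY-MM-DDTHH"
        if ev["action"] == "ALLOW":
            allowed.append(ev)
    return {
        "total": total,
        "blocked": total - len(allowed),
        "allowed": allowed,
        "per_source": per_source,
        "per_hour": per_hour,
        "spike_hours": sorted(h for h, n in per_hour.items() if n >= spike_threshold),
    }


def print_report(text, **kwargs):
    """Human-readable version of summarize() for reading a log by hand."""
    s = summarize(text, **kwargs)
    print(f"attempts to watched ports: {s['total']} "
          f"({s['blocked']} blocked, {len(s['allowed'])} ALLOWED)")
    for src, n in s["per_source"].most_common():
        print(f"  source {src:<16} {n}")
    for hour, n in sorted(s["per_hour"].items()):
        flag = "  <-- spike" if hour in s["spike_hours"] else ""
        print(f"  hour   {hour}  {n}{flag}")
    for ev in s["allowed"]:
        print(f"  ALLOWED inbound {ev['src']} -> {ev['dst']}:{ev['dport']} at {ev['ts']}")


if __name__ == "__main__":
    print_report(SAMPLE_LOG, spike_threshold=3)
```

On the sample log this reports 6 attempts to port 135 from 4 sources, 5 blocked and 1 allowed (the 203.0.113.200 line), and with a threshold of 3 both hours show as spikes. The ALLOWED list is the item worth acting on: a blocked attempt is the filter working, an allowed one is a host that still needs the patch and a rule review. To use it on a real log, replace LINE_RE with a pattern for that product's actual line format; the counting logic does not change.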
 
A friend asked me to post this for him...

Shadow, I completely understand, as I said. No worries about it. However a PM for information would have been nice, or some contact information. No grudges though.

**********

Wasn't able to get on at work today, sorry guys... Looks like it'll be a company-wide shutdown for the rest of the week on outside connections at work.

Today the calls seemed to trail off. You'd think we'd have had none, as the night shift recorded a 30 second message about the worm and all of its symptoms and what to do about it... People are just stupid, what can you say!!!

Anyways, hopefully it's all downhill for the original worm. No numbers for the day, but overall the call load most definitely improved from yesterday; however, the Inquirer already had a story on another version.

http://www.theinquirer.net/?article=11018

Look! I made Inquirer frontpage!!!

http://www.theinquirer.net/?article=11006


**********

Anyways... No, KraziKid, I guess I was unclear on what I said. Until they fix the issue, it will only take someone to recode the worm to send the calls across other ports than 135 and it will turn into just as large a problem as the original.

I'm also very glad your ISP is smart enough to block port 135 on both levels, however many others are not so lucky.:mad: :mad:
 