Network Engines Issues Prescriptive Security Alert and Recommendation Re: Zotob, Seven New Threats Uncovered.

CANTON, Mass. -- Network Engines, a leading OEM (Original Equipment Manufacturer) and appliance partner for Microsoft security solutions, in partnership with its NICE technology partners, has identified two more versions of Zotob. We are now tracking seven (7) Zotob permutations that are exploiting the PnP vulnerability. The worms are all based on versatile attack programs, known as bot software, which have added the ability to spread via a flaw in Microsoft's Windows Plug-and-Play functionality. Several bot programs had incorporated the code to exploit the flaw late last week and, starting with the Zotob worm, began adding the ability to automatically find and infect systems by last weekend. As of yesterday morning, at least 12 versions of bot software were using the exploit to spread. It is also important to note that not all PnP exploits are characterized as Zotob, and some may escape AV detection altogether. Several new bots, including two based on IRCBot, three on Botzori, two variants of Esbot, a version of Bobax, and a version of Spybot, may escape AV detection.

Zotob.A
Executable size: 22,528 bytes
Executable name: botzor.exe
Ports: TCP 445, 8080, 33333
Aliases: Zotob.A (F-Secure), W32/Zotob.worm (McAfee), W32/Zotob-A (Sophos), WORM_ZOTOB.A (Trend Micro)
Other details: Opens an FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.B
Executable size: 27,648 bytes
Executable name: csm.exe
Ports: TCP 445, 8080, 33333
Aliases: Zotob.B (F-Secure), W32/Zotob.worm.b (McAfee), W32/Zotob-B (Sophos), WORM_ZOTOB.B (Trend Micro)
Other details: Opens an FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.C
Executable size: 41,984 bytes
Executable name: per.exe
Ports: TCP 445, 8080, 33333
Other details: Mass-mailing worm that uses a predefined list of recipient names, appending the domain names it gathers from the infected computer. Contains its own SMTP engine to mail itself to the addresses it finds. Opens an FTP server on port 33333 and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.D
Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP 6667, 1117, 445
Other details: Opens an FTP server on port 11173, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.E
Executable size: 10,366 bytes
Executable name: wintbp.exe
Ports: TCP 8594, 8080, 445; UDP 69
Aliases: WORM_RBOT.CBQ (Trend Micro)
Other details: Opens a TFTP server on UDP port 69, connects to an IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, and adds itself to the Run key in the registry.

Zotob.F
Executable size: 10,878 bytes
Executable name: wintbpx.exe
Ports: TCP 445
Other details: Opens multiple TCP ports. Connects to an IRC server at 72.20.41.139 to listen for update instructions, adds itself to the Run key in the registry, and creates a file named %Temp%\(NUMBER) which, if successful, contains TFTP scripts to download additional files.

Zotob.G
Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP 445, 6667, 1171
Aliases: W32.Drudebot.A
Other details: Attempts to connect to IRC servers on port 6667, opens a TFTP server on port 1171, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, adds itself to the Run and RunServices keys in the registry, and creates a file named %Temp%\(NUMBER) which, if successful, contains TFTP scripts to download additional files. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob exploits MS05-039 by generating random IP addresses to which it tries to connect through port 445, searching for vulnerable computers. When a computer is found, it sends instructions to download a copy of the worm by TFTP. Once installed on a system, the worm modifies a registry key to ensure its execution on every system startup and initializes a backdoor component made available through IRC, awaiting orders in a specified channel. The intent is to allow a remote attacker to take control of the system. It only spreads to systems running Windows 2000, XP and Windows Server 2003.

RECOMMENDATION:

1. Disable TCP/IP Port 445 - Among the new ports introduced in Windows 2000, Windows XP and Windows Server 2003 is port 445. TCP port 445 is often exposed to the Internet because the Microsoft-DS service uses port 445 for resource sharing on Windows 2000, XP, 2003, and other Samba-based connections. It is difficult to describe the usage of port 445 in simple terms. Essentially it is used by the Server Message Block (SMB) protocol for file sharing. It is also used for NetBIOS services over TCP/IP, described as NBT (NetBIOS over TCP/IP). When file sharing is required and NBT is enabled, a connection to the remote computer is tried simultaneously on both port 139 and port 445. If there is a response from port 445, the SMB session continues on port 445 only. If there is no response from port 445, the SMB session continues on port 139 if that responded. If there is no response from either port, the session fails. Many viruses have targeted port 445 and it is not commonly used. For this reason we recommend you secure it by blocking inbound TCP port 445 scans at the NS Series security appliance. On a small percentage of networks disabling port 445 may block access to some network devices. If this occurs it is possible to roll back or unsecure this setting.

Block Inbound 445 Traffic - Inbound scans are typically systems trying to connect to file shares that might be available on your system, and hence these should be blocked. While most of this traffic is the result of worms or viruses that can use open file shares to propagate, port 445 traffic can also be the result of malicious users attempting to connect to your computer. Once connected they can download, upload, or even delete or edit files on the connected file share. If you use open file shares (including sharing of printers, etc.) on your local network (LAN), then you should configure the NS Series security appliance such that your local file shares are not accessible from the Internet. Connecting to open file shares is likely the easiest and most common hack on the Internet and yet one of the most effective for malicious activities such as identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely. Benefit when secure: Disabling port 445 gives greater protection against virus attack. Important: Disabling port 445 may block access to other computers, printers or devices on a network.

2. Block TCP/445 egress whenever possible to detect infected systems leaving your network.

3. Ensure all systems have NULL sessions disabled to block the current threats - Null sessions are unauthenticated connections (not using a username or password) to an NT or 2000 system. Windows NT and 2000 systems are vulnerable to syntax exploits that can expose hidden interprocess communication shares to the Internet. For example:

C:\>net use \\192.168.###.###\IPC$ "" /u:""

The preceding syntax connects to the hidden interprocess communication "share" (IPC$) at IP address 192.168.###.### as the built-in anonymous user (/u:"") with a null ("") password. If successful, the intruder now has an open channel over which to attempt various techniques to gather as much information as possible from the target, i.e. network information, shares, users, groups, registry keys, and so on. Null session connections, or anonymous logons, can be the single most devastating network foothold sought by intruders. Null sessions require access to TCP 139 (and/or 445 on Windows 2000). The most prudent way to eliminate them is to filter TCP and UDP ports 139 and 445 at all perimeter NS Series security appliances. (Note: Some server roles require NULL session functionality, including Exchange and SQL servers.)

4. If Null Sessions are required - Organizations that require the use of NULL sessions should keep those servers properly patched or block port 139 at the NS Series security appliance.

5. Do not rely on TCP/33333 FTP service detection - Configuring intrusion detection systems to monitor for outbound TCP 3333 service establishment is effective for detecting compromised systems infected with Zotob variants A-C. However, relying on port 3333 service detection will not identify all potentially compromised systems, as port 3333 is not used consistently in the latest bot variants. It is necessary to configure service detection policies for all phone-home permutations (see the worm profiles described above).

6. Ensure AV signatures are up to date - The most likely scenario is that the bot would use the Plug and Play vulnerability to compromise a remote user's laptop. Once inside the perimeter, that infected device will scan for unpatched systems, which the bot could then attack using other exploits. It is imperative that AV signatures are up to date to mitigate as much of this risk as possible.

7. Patch! - Zotob can be virulent, and while the bot variants make use of the Plug and Play vulnerability, they also include code for exploiting other Windows bugs, including 2004's LSASS (Local Security Authority Subsystem Service) vulnerability, the one that Sasser exploited. That means some of the new bots can infect not only Windows 2000 PCs but other unpatched Windows machines. Therefore it is necessary to patch all systems to current levels in order to prevent future variants that exploit other MS vulnerabilities.

About Network Engines
Network Engines is a leading developer and manufacturer of security and storage appliances. The Company works with its software partners to develop storage and security networking appliances for mission-critical applications. Network Engines is headquartered in Canton, Massachusetts and trades on the NASDAQ exchange under the symbol NENG. For more information about the company's products and services, visit www.networkengines.com.
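Recommendations 1, 2 and 5 above call for catching TCP/445 sweeps and the phone-home ports listed in the worm profiles; the following Python script is an added example, not part of the Network Engines alert, that runs that detection over a constructed key=value firewall log. The log format, the "10." internal prefix, the 198.51.100.9 address and the 20-target sweep threshold are assumptions to adapt to your own appliance export.

```python
"""Flag Zotob-style phone-home traffic and TCP/445 sweeps in firewall logs.
Added example, not from the Network Engines alert. The key=value log format
(proto, src, dst, dport) is constructed; adapt parse_line to your appliance."""
from collections import defaultdict
# Outbound ports taken from the worm profiles above. A hit is a lead to isolate
# and examine the host, not proof of infection: 8080 and 6667 have legitimate uses.
PHONE_HOME_PORTS = {
    ("tcp", 33333): "Zotob.A-C FTP drop site",
    ("tcp", 8080): "Zotob.A-C/E listed control port",
    ("tcp", 6667): "Zotob.D/G IRC control",
    ("tcp", 1117): "Zotob.D listed port",
    ("tcp", 1171): "Zotob.G TFTP server",
    ("tcp", 8594): "Zotob.E listed port",
    ("udp", 69): "TFTP transfer of worm copy",
}
SCAN_THRESHOLD = 20  # distinct TCP/445 targets per source before calling it a sweep

def parse_line(line):
    """Parse one log line into a dict; returns None for malformed input."""
    try:
        f = dict(kv.split("=", 1) for kv in line.split())
        return {"proto": f["proto"].lower(), "src": f["src"],
                "dst": f["dst"], "dport": int(f["dport"])}
    except (KeyError, ValueError):
        return None

def analyse(lines, internal_prefix="10."):
    """Return (phone_home_alerts, sweeping_hosts) for the given log lines."""
    alerts, targets = [], defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        internal_src = rec["src"].startswith(internal_prefix)
        egress = internal_src and not rec["dst"].startswith(internal_prefix)
        label = PHONE_HOME_PORTS.get((rec["proto"], rec["dport"]))
        if egress and label:
            alerts.append((rec["src"], rec["dst"], rec["dport"], label))
        if rec["proto"] == "tcp" and rec["dport"] == 445:  # share probes, any direction
            targets[rec["src"]].add(rec["dst"])
    sweeps = sorted(s for s, t in targets.items() if len(t) >= SCAN_THRESHOLD)
    return alerts, sweeps

# Constructed sample: 10.0.0.7 probes TCP/445 on 25 neighbours, then reaches an
# external server on 8080, the Zotob.E pattern; 10.0.0.5 is ordinary traffic.
SAMPLE_LOG = [f"proto=tcp src=10.0.0.7 dst=10.0.1.{i} dport=445" for i in range(25)]
SAMPLE_LOG += ["proto=tcp src=10.0.0.7 dst=198.51.100.9 dport=8080",
               "proto=tcp src=10.0.0.5 dst=10.0.0.20 dport=445",
               "proto=udp src=10.0.0.5 dst=10.0.0.1 dport=53", "not a log line"]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A single internal host reaching an external address on one of these ports after a burst of 445 probes is the sequence the alert describes for a laptop infected outside the perimeter, so both findings for the same source should be correlated rather than handled as separate tickets.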