ISS X-Force - "MS Blast" MSRPC DCOM Worm Propagation
ISS X-Force has captured active samples of an automated Internet worm that propagates via the MS RPC DCOM vulnerability documented in ISS X-Force Alert titled "Flaw in Microsoft Windows RPC Implementation". MS Blast is currently propagating aggressively across the Internet.
eEye - 'Blaster' Worm Description and Technical Details
The Blaster worm uses a series of components to successfully infect a host. The first component is a publicly available RPC DCOM exploit that binds a system level shell to port 4444. This exploit is used to initiate a command channel between the infecting agent and the vulnerable target. Once the target is successfully compromised, the worm transmits the msblast.exe executable (the main body of the worm) via TFTP to infect the host. The payload used in the public DCOM exploit, as well as the TFTP functionality, are both encapsulated within msblast.exe.
Cisco Systems - W32.BLASTER Worm Mitigation Recommendations
Cisco customers are currently experiencing attacks due to a new worm that is active on the Internet. The signature of this worm appears as UDP traffic to port 69 and high volumes of TCP traffic to port 135 and 4444. Affected customers have been experiencing high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to high CPU and traffic drops on the input interfaces. This document focuses on both mitigation techniques and affected Cisco products which need software supplied by Cisco to patch properly.
DNS Commentary - Blaster Only Set to Stun
Once again, it appears that the worm authors had caught system administrators with their trousers down. Despite the availability of a patch since mid-July to fix the vulnerability exploited by W32.Blaster, the widespread infection of both business and home computers showed that in the vast majority of cases, it had not been applied. Such was the infection rate that, at its pinnacle, the worm was taking only 30 seconds to find an uninfected computer somewhere in the world.
Virus vendors on the MS SQL worm
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.