Network Security Focus-Virus

ms05-039

Subject: ms05-039
Date: Mon, 15 Aug 2005 13:12:29 -0700 (PDT)
All,

Here is what the worm does:

Spreading using Plug and Play service vulnerability

The worm scans for systems vulnerable to Microsoft
Windows Plug and Play service (MS05-039) through
TCP/445.

It creates 300 threads that connect to random IP
addresses within the B-class (255.255.0.0) network of
the infected system. 

First it tests connection to port 445 and if
successful, it tries to exploit the vulnerability. If
the attack is successful a shell (cmd.exe) is started
on port 8888. 

Through the shell port, the worm sends an FTP script
which instructs the remote computer to download and
execute the worm from the attacker computer using FTP.


The FTP server listens on port 33333 on all infected
computers with the purpose of serving out the worm for
other hosts that are being infected. The downloaded
file is saved as 'haha.exe' on disk. 

This worm spreads via uPnP exploitation on port 445.
Your antivirus will not do anything to stop this,
because it is a memory resident virus at time of
exploitation. It will detect it, but will not have
access to quarantine or delete it. The machine will
have to be rebooted in order to dump it from memory. 

I suspect it will not be long before this worm becomes
nastier.

There is not a whole lot that can be done as far as
mitigation is concerned. ISS, TippingPoint, and Snort,
all have sigs for this. You could implement
Block/Notifies for this sig on the IPS to prevent it
coming from the outside. You could implement sigs on
the Snorts to catch it if it does get in.

Once it gets in though, you will have to shut down the
site links so it doesn't spread like wildfire ---
which it most likely will.

That's my word.

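As an added example from a defender's perspective (not part of the original post), the script below flags hosts whose connection pattern matches the worm behaviour described above: a sweep of the local /16 on 445/tcp, a shell reached on 8888/tcp, and a worm-serving FTP listener on 33333/tcp. The record format, the sample records and the 50-target scan threshold are assumptions constructed for this example.

```python
from collections import defaultdict
import ipaddress

SMB_PORT = 445        # MS05-039 exploitation vector
SHELL_PORT = 8888     # cmd.exe bound by the exploit on the victim
FTP_PORT = 33333      # FTP server on infected hosts serving haha.exe
SCAN_THRESHOLD = 50   # distinct /16-internal 445 targets before alerting (assumed)

def parse_line(line):
    """Parse a constructed 'src dst dport proto' connection record."""
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto.lower()

def same_slash16(a, b):
    """True when a and b fall in the same /16 (the worm's scan range)."""
    return ipaddress.ip_address(a) in ipaddress.ip_network(f"{b}/16", strict=False)

def analyze(lines):
    """Return {host: sorted reasons} for hosts matching the worm's behaviour."""
    smb_targets = defaultdict(set)   # scanner -> distinct 445 targets in its /16
    reasons = defaultdict(set)
    for line in lines:
        src, dst, dport, proto = parse_line(line)
        if proto != "tcp":
            continue
        if dport == SMB_PORT and same_slash16(src, dst):
            smb_targets[src].add(dst)
        elif dport == SHELL_PORT:
            reasons[dst].add("shell port 8888/tcp reached")
            reasons[src].add("connected to victim shell on 8888/tcp")
        elif dport == FTP_PORT:
            reasons[dst].add("serving worm FTP on 33333/tcp")
    for host, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            reasons[host].add(f"scanned {len(targets)} /16 peers on 445/tcp")
    return {h: sorted(r) for h, r in reasons.items()}

# Constructed sample: 10.1.2.3 sweeps its /16 on 445, reaches a shell on
# 10.1.7.9, and 10.1.7.9 then fetches haha.exe from 10.1.2.3:33333.
SAMPLE_LOG = (
    [f"10.1.2.3 10.1.{i}.{i + 1} 445 tcp" for i in range(60)]
    + ["10.1.2.3 192.168.1.1 445 tcp",   # outside the /16: not counted
       "10.1.2.3 10.1.5.5 80 tcp",        # ordinary web traffic
       "10.1.2.3 10.1.7.9 8888 tcp",
       "10.1.7.9 10.1.2.3 33333 tcp"]
)

if __name__ == "__main__":
    for host, why in analyze(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```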

Current thread: ms05-039, hc0d3