Tuesday, October 31, 2006

The Worms of August

On network worm defense and a retrospective on the year of the worm - 2003

I wrote this in early August 2003 as the world held its breath following the discovery of an infamous vulnerability affecting nearly the entire Windows population. Organizations everywhere were bracing for one of the worst global worm outbreaks, now known as the Blaster worm, which ravaged many organizations during the fall of 2003. The high-level response plan outlined in the "action items" is still valid today for many types of worm threats, including the latest Win32 worms which continue to rampage across the net three years later.

Craig Chamberlain
September 2006

Historical URLs

The Securityfocus story:
Microsoft Issues Doubleplus Critical Security Fix
CERT Advisory:

Advisory 4-2003: Increased concern exists around Microsoft security bulletin MS03-026 - August 4, 2003



Conditions are developing that present severe risks of unauthorized access and disruption to business continuity for networks running Windows NT, 2000, 2003 and XP.

The level of concern in the security community is sufficiently high that Microsoft has taken the unusual step of issuing an email advisory which may be a first. The Microsoft advisory is quoted in its entirety at the bottom of this page.

Further developments have taken place surrounding the Windows vulnerability discussed in Microsoft Security Bulletin MS03-026 on July 16. Additional exploit code has surfaced on the Internet and we can expect to see widespread proliferation of hostile and invasive code exploiting this vulnerability for some time to come. A patch has been released which should be applied as soon as possible to eligible hosts. Eligible hosts are those running the following operating systems:

- Microsoft Windows NT® 4.0
- Microsoft Windows NT 4.0 Terminal Services Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server™ 2003

(Windows ME is not vulnerable according to Microsoft; other versions of Windows are not being tested due to their unsupported status. These unsupported versions should probably not be in production.)


* Any hostile code using this attack profile would present a severe risk of unauthorized access to systems and / or data on target computers; target computers are defined as those using affected Microsoft operating systems.

* The contents of a target computer could be compromised including passwords, email, and / or documents.

* Self-replicating mobile code using this attack profile could compromise large numbers of target computers at "wire speed", much faster than security teams or administrators could react.

* Self-replicating code that either 1) uses this attack profile to deliver a destructive payload or 2) generates sufficient propagation-related traffic to disrupt network communications could significantly impact business continuity.

* Affected target computers would likely be used to attack other targets.


These are prioritized according to time & effort requirements. Not all of these can be implemented in all organizations. Prioritize them as appropriate for your organization.

- Identify and close potential routes of penetration to RPC-based attack profiles. These types of vulnerabilities commonly target ports 139, 445 and 1026 on Windows hosts. Examples of routes of penetration include VPNs and extranets to business partners with Windows host populations that will not be patched in time.

- Update intrusion detection and / or prevention systems to recognize this attack profile.

- If you cannot close available routes of penetration, consider developing procedures for quickly closing these routes in the event of a widespread outbreak (this may or may not be possible depending on the amount of warning time). In order to execute these plans within the available window of time, first responders may need to be empowered to activate them.

- Consider compartmentalizing desktop networks by applying access lists to VLANs and / or layer 3 switches and routers to block Windows RPC ports between desktop populations. This tends to help contain infections by preventing infected desktops from directly infecting other desktop populations, provided servers are patched and do not serve as infection vectors for different desktop populations. Compartmentalizing can also be used to aid in cleanup efforts by quarantining infected desktop populations.

- Apply the MS03-026 patch to all eligible systems as soon as possible. The patch is available at the URL below. If you have compartmentalized Windows desktop populations, patching servers first may tend to slow or contain infection.

- As with any malicious code risk, develop and test plans for restoring business continuity in case containment efforts fail.
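
An added example, not part of the original advisory: one way to check that a set of access lists actually delivers the compartmentalization described above, by listing every desktop-to-desktop path that is still open on the ports named in the first action item. The VLAN names, subnets and simplified first-match rule format are constructed for illustration.

```python
import ipaddress
from itertools import permutations

# Ports the advisory names as common targets for RPC-based attack profiles.
RPC_PORTS = (139, 445, 1026)

# Constructed sample topology: two desktop VLANs and one server VLAN.
DESKTOPS = {"desk-a": "10.10.1.0/24", "desk-b": "10.10.2.0/24"}
SERVERS = {"srv": "10.20.0.0/24"}

# Constructed first-match ACL: (action, source, destination, port or None for any).
# The deny for desk-a -> desk-b on 1026 is deliberately missing.
ACL = [
    ("deny", "10.10.1.0/24", "10.10.2.0/24", 139),
    ("deny", "10.10.1.0/24", "10.10.2.0/24", 445),
    ("deny", "10.10.2.0/24", "10.10.1.0/24", 139),
    ("deny", "10.10.2.0/24", "10.10.1.0/24", 445),
    ("deny", "10.10.2.0/24", "10.10.1.0/24", 1026),
    ("permit", "10.10.0.0/16", "0.0.0.0/0", None),
]

def decide(acl, src, dst, port):
    """Action of the first rule covering the whole src->dst flow.
    Simplification: rules that only partly overlap a subnet are ignored."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for action, r_src, r_dst, r_port in acl:
        if (s.subnet_of(ipaddress.ip_network(r_src))
                and d.subnet_of(ipaddress.ip_network(r_dst))
                and r_port in (None, port)):
            return action
    return "deny"  # implicit deny at the end of the list

def open_desktop_paths(acl, desktops, ports=RPC_PORTS):
    """(src_vlan, dst_vlan, port) flows between desktop VLANs still permitted."""
    return [(a, b, p)
            for a, b in permutations(desktops, 2)
            for p in ports
            if decide(acl, desktops[a], desktops[b], p) == "permit"]

def servers_reachable(acl, desktops, servers, ports=RPC_PORTS):
    """True if every desktop VLAN can still reach every server VLAN on the ports."""
    return all(decide(acl, d, s, p) == "permit"
               for d in desktops.values() for s in servers.values() for p in ports)

if __name__ == "__main__":
    for gap in open_desktop_paths(ACL, DESKTOPS):
        print("still open:", gap)
    print("servers reachable:", servers_reachable(ACL, DESKTOPS, SERVERS))
```

Because desktops can still reach servers on these ports after compartmentalizing, the check also shows why the advisory conditions containment on servers being patched.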


-----Original Message-----
From: Microsoft [--.microsoft.com]
Sent: Monday, August 04, 2003 11:17 AM
To: [--]
Subject: Security Update for Microsoft Windows

*** PLEASE NOTE: Due to the critical importance of this message,
this communication is being sent to all of our Microsoft customers
to alert you of this Security Bulletin. ***

It has been widely reported in the press and on Microsoft's own web site, that on July 16th we released a critical security bulletin (MS03-026) and a patch regarding a vulnerability in the Windows operating system. We wanted to make sure that if you were not aware of this bulletin and corresponding patch that you take a moment to go to http://www.microsoft.com/security/security_bulletins/ms03-026.asp to find out if you are running an affected version of the Windows operating system and get the specific information as to what you need to do to apply this patch if you have not already.

Although we encourage you to pay attention to all security bulletins and to deploy patches in a timely manner we wanted to call special attention to this particular instance as we have become aware of some activity on the internet that we believe increases the likelihood of the exploitation of this vulnerability. Specifically, code has been published on several web sites that would allow someone to spread a worm/virus that takes advantage of the vulnerability in question thereby impacting your computing environment.

Although it is our goal to produce the most secure and dependable products possible, we do become aware of these types of vulnerabilities. In order to minimize the risks of such vulnerabilities to your computing environment, we encourage you to subscribe to the Windows Update service by going to http://www.windowsupdate.microsoft.com and also subscribe to Microsoft's security notification service at http://register.microsoft.com/subscription/subscribeme.asp?ID=135 if you have not already. By subscribing to these two services you will automatically receive information on the latest software updates and the latest security notifications thereby improving the likelihood that your computing environment will be safe from worms and viruses that occur.

We apologize for any inconvenience the implementation of this patch might cause and appreciate you taking the time to update your system.

Thank you,
Microsoft Corporation
