Sunday, August 14, 2005

Plug and Play Worm in Wild

The SANS ISC is reporting that a worm which exploits the Plug and Play (PnP) vulnerability described by MS05-039 is in the wild. The F-Secure Blog reports the worm is called Zotob. The Microsoft bulletin lists three mitigating factors:

  • On Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.

  • On Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts.

  • Firewall best practices [e.g., blocking SMB ports] and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.


Frank Knobbe is writing rules for the worm, which can be found by watching changes to the Bleeding Snort CVS interface for the all.rules file. Search for MS05-039 or 2002185, the rule SID.

His latest rule as of posting this story is

# Created 2005/08/14 by Frank Knobbe in response to first information posted on ISC
alert tcp any any -> any 1024:65535 (msg:"BLEEDING-EDGE Possible MS05-039 PnP worm infection";
flow:established,to_server; content:"get winpnp.exe"; depth:200; nocase;
reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:trojan-activity;
sid:2002185; rev:2;)

That rule watches for the compromised victim to retrieve a copy of itself using FTP from the infecting machine. Who says intrusion detection or full content monitoring is dead in an "age of encryption?" Remember the phases of compromise:

  1. Reconnaissance

  2. Exploitation

  3. Escalation

  4. Consolidation

  5. Pillage


During steps 3 and 4, the victim can't expect the tools he needs to already be on the victim (like an encrypted transport tool such as scp). Hence the intruder uses FTP, TFTP, etc. These are good reasons to remove such client programs from production servers if possible. Escalation is the process of moving from user privileges to root privileges, if the exploitation phase doesn't yield root immediately. Consolidation is the process of installing back doors, retrieving tools, or other actions to establish control of the victim. In the case of a worm, consolidation is the means whereby the worm replicates itself.

SANS ISC is also releasing rules that appear to concentrate on the initial exploitation, not the propagation of the worm via FTP.

You can test the vulnerability of your systems via controlled exploitation using this Metasploit module. The worm may be based on this exploit by houseofdabus.

Incidentally, while writing this post, I came across the new OpenRCE.org (Open Reverse Code Engineering) site. I also found that the Security Forest Exploit Tree CVS Interface is up, and that site has started a blog.

1 comment:

Ronaldo C Vasconcellos said...

Hi Richard!

You mentioned only one of the Bleeding Snort rules that address MS05-039 vulnerability. There´s a better way of viewing all the rules:

Bleeding: EXPLOIT/EXPLOIT_MS05-039
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/EXPLOIT/EXPLOIT_MS05-039

By the way, there´s a nice way to browse the Bleeding rules:

Bleeding Snort - directory - Bleeding
http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/

Regards,

--
Ronaldo C Vasconcellos

CAIS/RNP
Security Incidents Response Center
Brazilian Research and Academic Network
http://www.rnp.br/en/cais