Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS06-040: BOLO -- Be On the LookOut

Published: 2006-08-14
Last Updated: 2006-08-14 17:48:01 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Over the weekend there was a botnet doing fairly wide scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory. While technically a botnet, it was spreading in a worm like fashion.

Be on the lookout for:
  • laptops that might have been infected returning to the inside of your perimeter.
  • infected machines scanning the rest of the network
  • infections flaring up due to the above
Preventive actions to take:
  • If you have not done so yet:
    • Do not forget to reboot those machines after patching!
  • Check that all machines have been patched and rebooted, we have confirmations that the patches are effective in stopping the initial attack.
  • Update anti-virus signatures: They might not be in the mainstream signature yet, so check manually what your vendor has to say.
  • While at it, install filtering wherever possible for ports 135-139 and 445. E.g. enabling personal firewall on laptops is very smart in future-proofing your machines against this kind of attack.
Reactive actions to take:
  • If you have an IDS, make sure you have signatures for the MS06-040 exploit
    (best not aiming for the payload, but rather the exploit of the vulnerability)
    • For snort:
      • BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) 
        [Bleedingsnort, free] 
      • NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt
        [Sourcefire VRT, subscription only till the 16th]
  • Check for outgoing traffic to port 18067/TCP of the command and control (C&C) centers: 
bniu.househot.com: (the main one)
61.189.243.240
202.121.199.200
210.75.211.111
211.154.135.30
218.61.146.86
58.81.137.157
61.163.231.115
ypgw.wallloan.com: (the fallback one)
58.81.137.157
61.163.231.115
61.189.243.240
202.121.199.200
211.154.135.30
218.61.146.86
Please note these IP addresses can be changed quite easily by the controllers of the botnet, so checking (or even blocking) them in your DNS servers might be much more effective.
  • Check for the presence of following files:
MD5                               FILENAME
9928a1e6601cf00d0b7826d13fb556f0  wgareg.exe

2bf2a4f0bdac42f4d6f8a062a7206797  wgavm.exe
  • Check for the presence of the registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM
  • Check for outgoing traffic scanning for others being vulnerable on port 445/TCP
Cleaning up:
  • You really cannot and
    • Even if you delete the keys that start the malware,
    • your settings will be mangled. E.g.: a test infection with the wgareg.exe:
      • created 17 new registry keys
      • modified 77 other keys including keys used for firewalls, sharing of files, etc.
      • That was just the infection itself, no follow up, no communications with the C&C
    • Like any bot it is unpredictable in what the C&C caused the bot to do
  • Wipe! (as in nuke from orbit)
    • Backup data (if any) and keep these off-line
    • Unplug the network
    • Wipe the disk effectively (while booted from clean media)
    • Reinstall software
    • Install (personal) firewall, anti-virus, anti-spyware
    • Apply patches & Update signatures
    • Carefully restore needed data

      For installing, see also our survival guide for XP
Other sources:
--
Swa Frantzen -- Section 66
Keywords:
0 comment(s)
Diary Archives