RE: New Worm??? - High level of activity on port 445
MS04-011 fixed 14 different vulnerabilities but the two that have
received most attention are the PCT and LSASS vulnerabilities. Both have
publicly available exploit code and are fairly trivial to automate.
You are most likely experiencing traffic caused by the LSASS
vulnerability. To successfully exploit this vulnerability either locally
or remotely, one has to acquire the handle of a running user session.
Remote exploits and worms can only exploit the LSASS vulnerability
anonymously by using a NULL session, which is retrieved over the
microsoft-ds port 445.
It has long been a good practice to disable NULL sessions, and Microsoft
has documented how to accomplish this in several Knowledge Base
articles:
How to Use the RestrictAnonymous Registry Value in Windows 2000
http://support.microsoft.com/?kbid=246261
Restricting information available to anonymous logon users
http://support.microsoft.com/?kbid=143474
RestrictAnonymous Access Enabled Lets Anonymous Connections Obtain the
Password Policy
http://support.microsoft.com/?kbid=129457
The RestrictAnonymous policy can have some impact on functionality in
mixed-domain environments, in which case one can set the
RestrictAnonymous value to 1 instead of 2, as detailed in the following
Knowledge Base articles:
The "RestrictAnonymous" Registry Value May Break the Trust to a Windows
2000 Domain
http://support.microsoft.com/?kbid=296405
The RestrictAnonymous Value Breaks the Trust in a Mixed-Domain
Environment
http://support.microsoft.com/?kbid=296403
The PCT vulnerability is exploited over port 443 which have led many to
believe that it was intrinsically linked with SSL - it is not, it is a
separate protocol and can be separately disabled. (The PCT/SSL confusion
gave a dilemma as some production servers naturally rely on SSL but
could not implement the patch as it has several functionality
regressions).
When IIS receives a request for a secure communication channel over port
443 it tries several independent protocols in the following order: PCT
1.0, SSL 2.0, SSL 3.0 and TLS 1.0. Disabling the PCT protocol itself
does not impact SSL functionality and can be accomplished by specifying
a binary value of 00000000 in the following value:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SC
HANNEL\Protocols\PCT 1.0\ServerEnabled
This has also been documented in Knowledge Base article 187498
Disable PCT 1.0, SSL 2.0, or SSL 3.0 on IIS
http://support.microsoft.com/?kbid=187498
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (OTCBB:DRIL)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Tony Abell [mailto:TonAbe@xxxxxxxxxxx]
Sent: Thursday, April 29, 2004 9:45 AM
To: 'bugtraq@xxxxxxxxxxxxxxxxx'
Subject: New Worm??? - High level of activity on port 445
Since late yesterday 4/28/04 afternoon around 4pm our firewall started
throwing alarms on netprobes. We are seeing a large amount of probes
coming from one machine that is probing random IPs on port 445. The
source port is random as well. We traced it back to a Japanese Win2K
machine w/SP4 installed. No idea if it's fully patched or not, I have no
desire to put it back on my network to patch it until I get this figured
out. I scanned the machine in safe mode as well as booting normally
using SAV 8.1 with 4/28/04 Rev 38 defs and came up with nothing.
Is anyone else seeing anything like this?
Tony Abell
Network Administrator
OSG Tap & Die