Alerts
BotNet Leveraging Flaw Patched in MS06-040

Date:
August 13, 2006

Severity:
Critical

Systems Affected:
Windows 2000
Windows XP

Overview:
eEye Digital Security is advising customers of Malware that is currently spreading in an attempt to add vulnerable systems to a BotNet. The Malware exploits the Server Service flaw that was patched last Patch Tuesday by MS06-040. To review, MS06-040 fixed an unchecked buffer in the Server Service that allows anonymous remote exploitation. At the time of the bulletin's release, US-CERT and Microsoft claimed to have seen attacks in the wild, but no evidence had been offered. As of this weekend, we have seen evidence of these new attacks in our Honeynet systems.

At the time of writing there are two separate variants of this Malware, both using a variant of the publicly disclosed exploit code for MS06-040. While both samples appear to be very similar, each uses a different executable when infecting the system: the first variant uses the file name wgareg.exe and the second uses wgavm.exe. Antivirus vendors have named this threat W32.Wargbot (Symantec), Worm.IRCBOT.JK/JL (Trend Micro), IRC.Mocbot (McAfee), and IRCBOT-ST (F-Secure).

Detection:
Users of eEye Digital Security Blink are already protected from this threat; for those not running Blink, here is a description of what the Malware does. As noted above, the two variants use different executables during infection but behave in very similar ways. The following steps are what you can expect the Malware to do:
  • Copies itself to an .exe file with an empty base name (".exe")

  • Creates a thread in explorer.exe which is used for self-destruction purposes.

  • Registers itself as one of the executables, either wgareg.exe or wgavm.exe.

  • Copies itself to %system%\<executable>

  • The Malware then sets some or all of the following registry keys:
    • HKEY_LOCAL_MACHINE\software\microsoft\ole\enabledcom: REG_SZ = "n"

    • HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\restrictanonymous: REG_DWORD = 1

    • HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\restrictanonymoussam: REG_DWORD = 1

    • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver: REG_DWORD = 0

    • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters\autosharewks: REG_DWORD = 0

    • HKEY_LOCAL_MACHINE\software\microsoft\security center\antivirusdisablenotify: REG_DWORD = 1

    • HKEY_LOCAL_MACHINE\software\microsoft\security center\antivirusoverride: REG_DWORD = 1

    • HKEY_LOCAL_MACHINE\software\microsoft\security center\firewalldisablenotify: REG_DWORD = 1

    • HKEY_LOCAL_MACHINE\software\microsoft\security center\firewalldisableoverride: REG_DWORD = 1

    • HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile\enablefirewall: REG_DWORD = 0

    • HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile\enablefirewall: REG_DWORD = 0
  • The Malware then creates "%WINDIR%\debug\dcpromo.log" but leaves it empty and sets the "read only" (+R) attribute on the file. Next, it stops the "sharedaccess" service, which disables the Windows Firewall.

Note that the Security Center and Windows Firewall policy keys above control the Windows Firewall and the Windows XP SP2 Security Center alerts that are raised when your Anti-Virus software or the firewall is disabled.

The end result is, of course, an IRC BOT that allows your system to be used for Distributed Denial of Service (DDoS). In addition, the Malware gives its controller the ability to execute programs, update the BOT software, and exploit other machines.

When the Malware executable is run by itself rather than as a service, it builds the file name "%SystemRoot%\system32\wgareg.exe" and sets the attributes on that file to Archive only. It then tries up to 5 times to copy itself from wherever it was run to that destination. Regardless of whether that succeeds, it goes on to create the "wgareg" service with that EXE as the image name, the display name "Windows Genuine Advantage Registration Service", the type flags "interact with desktop" and "run in its own process", and start type "Automatic". It sets the service's description to "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability." and then starts the service.
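The registry values and service details above can be checked offline against artifacts pulled from a suspect host. The following script is an added example, not eEye's code or part of Blink: it parses the text of a `reg export` dump (decode the UTF-16 output first) plus a service listing gathered with `sc query` / `sc qc`, and reports which of the alert's indicators are present. The split into "strong" and "weak" registry evidence, the verdict rule, and the sample data at the bottom are this example's own assumptions; the four LSA and AutoShare values are treated as weak because hardened hosts set them too and restrictanonymoussam=1 is the default on some Windows versions.

```python
"""Offline indicator check for the MS06-040 bot described in this alert.
Added example, not eEye's code. Sample inputs are constructed."""
import re

HKLM = r"hkey_local_machine"
LSA = HKLM + r"\system\currentcontrolset\control\lsa"
LANMAN = HKLM + r"\system\currentcontrolset\services\lanmanserver\parameters"
SECCENTER = HKLM + r"\software\microsoft\security center"
FWPOLICY = HKLM + r"\software\policies\microsoft\windowsfirewall"

# (key, value name) -> data the alert says the bot writes; lowercase because
# the registry is case-insensitive.
BOT_REG_VALUES = {
    (HKLM + r"\software\microsoft\ole", "enabledcom"): "n",
    (LSA, "restrictanonymous"): 1,
    (LSA, "restrictanonymoussam"): 1,
    (LANMAN, "autoshareserver"): 0,
    (LANMAN, "autosharewks"): 0,
    (SECCENTER, "antivirusdisablenotify"): 1,
    (SECCENTER, "antivirusoverride"): 1,
    (SECCENTER, "firewalldisablenotify"): 1,
    (SECCENTER, "firewalldisableoverride"): 1,
    (FWPOLICY + r"\domainprofile", "enablefirewall"): 0,
    (FWPOLICY + r"\standardprofile", "enablefirewall"): 0,
}
# Also seen on deliberately hardened hosts: weak evidence on their own (assumption).
WEAK_NAMES = {"restrictanonymous", "restrictanonymoussam", "autoshareserver", "autosharewks"}
BOT_SERVICE_NAMES = {"wgareg", "wgavm"}
BOT_DISPLAY_NAME = "windows genuine advantage registration service"


def parse_reg_export(text):
    """Parse REG_SZ and REG_DWORD lines of .reg syntax into {(key, name): data}."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if not m:
                continue
            name, data = m.group(1).lower(), m.group(2).strip()
            if data.startswith("dword:"):
                values[(key, name)] = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                values[(key, name)] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return values


def check_registry(values):
    """Return (key, name, data) for every value that matches the bot's settings."""
    hits = []
    for (key, name), bad in BOT_REG_VALUES.items():
        actual = values.get((key, name))
        if actual is None:
            continue
        same = (str(actual).lower() == bad) if isinstance(bad, str) else (actual == bad)
        if same:
            hits.append((key, name, actual))
    return hits


def check_services(services):
    """services: iterable of (name, display name, image path). Flags the bot's
    service by short name, display name, or image file name."""
    hits = []
    for name, display, image in services:
        exe = image.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if (name.lower() in BOT_SERVICE_NAMES or display.lower() == BOT_DISPLAY_NAME
                or exe in {n + ".exe" for n in BOT_SERVICE_NAMES}):
            hits.append((name, display, image))
    return hits


def assess(reg_text, services):
    """Verdict rule (service present, or two or more strong registry hits) is an assumption."""
    reg_hits = check_registry(parse_reg_export(reg_text))
    strong = [h for h in reg_hits if h[1] not in WEAK_NAMES]
    weak = [h for h in reg_hits if h[1] in WEAK_NAMES]
    svc = check_services(services)
    return {"service": svc, "strong": strong, "weak": weak,
            "likely_infected": bool(svc) or len(strong) >= 2}


# Constructed sample: a host showing the wgareg variant.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"""
SAMPLE_SERVICES = [
    ("Spooler", "Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("wgareg", "Windows Genuine Advantage Registration Service", r"C:\WINDOWS\system32\wgareg.exe"),
]

if __name__ == "__main__":
    for section, hits in assess(SAMPLE_REG, SAMPLE_SERVICES).items():
        print(section, hits)
```

On a real host, collect the input with `reg export HKLM hklm.reg` and `sc query type= service state= all` followed by `sc qc <name>` for each service, then feed the decoded text and the (name, display name, image path) tuples to `assess()`.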

Removal:
If you find yourself infected by this Malware, the general recommendation is to wipe the systems and rebuild them from known good backups. Users will notice that the malicious service automatically restarts itself every time you kill it, so by using the eEye Research Faultmon the following steps can be taken to ensure that it no longer restarts:
  • Open the Services window (services.msc)

  • Go to the "Windows Genuine Advantage Registration Service"

  • Right-click, then select Properties

  • Set the Start type to "Disabled" so it won't be restarted on reboot

  • Go to the Recovery tab and set the three drop-downs to "Take No Action"

  • Open Task Manager and find the "wgareg.exe" process

  • Run Faultmon.exe PID, where PID is the process ID of wgareg.exe; the process terminates itself as soon as it detects the debugger

Next you will have to clean up the registry keys that the Malware creates. As described earlier in this alert, a number of keys are modified. Check these keys against a default uninfected system and return them to their defaults:
  • HKEY_LOCAL_MACHINE\software\microsoft\ole\enabledcom

  • HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\restrictanonymous

  • HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\restrictanonymoussam

  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver

  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters\autosharewks

  • HKEY_LOCAL_MACHINE\software\microsoft\security center\antivirusdisablenotify

  • HKEY_LOCAL_MACHINE\software\microsoft\security center\antivirusoverride

  • HKEY_LOCAL_MACHINE\software\microsoft\security center\firewalldisablenotify

  • HKEY_LOCAL_MACHINE\software\microsoft\security center\firewalldisableoverride

  • HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile\enablefirewall

  • HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile\enablefirewall

The above steps should take care of the Malware on infected systems, although to completely trust the system again, as we said, you are better off starting with a completely new, patched build.
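The removal steps above can be scripted for hosts where a rebuild has to wait. The following is an added example, not eEye's code: `build_commands()` returns the `sc`, `reg` and `taskkill` command lines in the order the alert gives (disable the service, clear its Recovery actions, kill the process, restore the registry), and running the script with `--apply` on the infected host executes them. Two substitutions are this example's own: `taskkill /F` stands in for Faultmon once the service can no longer restart, and the service entry and its image file are deleted at the end, which the alert does not list. The default data written back (EnableDCOM "Y", restrictanonymous 0, Security Center values 0, policy and AutoShare values removed) is this example's reading of a default install; restrictanonymoussam is deliberately left for manual comparison against a known-good host because its default is not the same on every affected Windows version.

```python
"""Scripted form of this alert's removal steps. Added example, not eEye's code."""
import os
import subprocess
import sys

SERVICE = "wgareg"   # use "wgavm" for the second variant

# Bot-written values that are absent on a default install: delete them (assumption).
DELETE_VALUES = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareServer"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareWks"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall"),
]
# Values present on a default install: write the default back (assumption).
# restrictanonymoussam is left out on purpose; compare it with a clean host.
RESTORE_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Ole", "EnableDCOM", "REG_SZ", "Y"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", "REG_DWORD", "0"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify", "REG_DWORD", "0"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "REG_DWORD", "0"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", "REG_DWORD", "0"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "FirewallDisableOverride", "REG_DWORD", "0"),
]


def build_commands(service=SERVICE, system_root=r"C:\WINDOWS"):
    """Return the argv lists to run, in order. Nothing is executed here."""
    svc_key = r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + service
    cmds = [
        # Start type "Disabled" so a reboot does not bring it back (sc needs the space after '=').
        ["sc", "config", service, "start=", "disabled"],
        # Recovery tab "Take No Action": the actions live in FailureActions under the service key.
        ["reg", "delete", svc_key, "/v", "FailureActions", "/f"],
        # Only now kill the process; with recovery cleared the SCM will not restart it.
        # taskkill /F replaces the Faultmon step from the alert (assumption).
        ["taskkill", "/F", "/IM", service + ".exe"],
    ]
    for key, name in DELETE_VALUES:
        cmds.append(["reg", "delete", key, "/v", name, "/f"])
    for key, name, rtype, data in RESTORE_VALUES:
        cmds.append(["reg", "add", key, "/v", name, "/t", rtype, "/d", data, "/f"])
    # Beyond the alert's list: remove the service entry and its image file.
    cmds.append(["sc", "delete", service])
    cmds.append(["cmd", "/c", "del", "/F", system_root + "\\system32\\" + service + ".exe"])
    return cmds


def run_commands(commands):
    """Run every command, continue past failures, and return the argv lists that failed."""
    failed = []
    for argv in commands:
        print(subprocess.list2cmdline(argv))
        result = subprocess.run(argv, capture_output=True, text=True)
        if result.returncode != 0:
            print("  failed:", (result.stderr or result.stdout).strip())
            failed.append(argv)
    return failed


if __name__ == "__main__":
    cmds = build_commands(system_root=os.environ.get("SystemRoot", r"C:\WINDOWS"))
    if "--apply" in sys.argv and os.name == "nt":
        sys.exit(1 if run_commands(cmds) else 0)
    for argv in cmds:   # dry run: show what --apply would execute
        print(subprocess.list2cmdline(argv))
```

Run it once without `--apply` to review the command list, then with `--apply` from an elevated prompt; any command that fails is reported and the rest still run, so a process that has already exited does not stop the registry cleanup.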

Prevention:
As we said previously, users of eEye Digital Security's Blink are protected against this vulnerability. Others should ensure that the MS06-040 patch is installed. It is also a good idea to filter TCP ports 139 and 445 at your corporate gateways and to instruct users not to open unexpected email attachments. If you are using an Anti-Virus solution, make sure that you have the latest signature files.

Links:
eEye Digital Security Blink
eEye Digital Security Retina
eEye Research Faultmon

This alert was last updated on August 13, 2006.