New Worm: Dasher

There's a new worm on the loose. It goes by the name "Dasher", and it's attacking the MSDTC vulnerability reported by Microsoft on October 11, 2005. Furthermore, it uses Swan's MSDTC heap overflow to achieve its attack.

The worm has two known variants at this point, Dasher.A and Dasher.B. In many ways, they are very similar worms. Both have a separate program that acts as the TCP SYN scanner (scanning a /16 network for TCP port 1025 responses; all of its packets carry an IPID of 256, an initial TTL of 120, and a source port of 6000) and a program that is the actual MSDTC exploit (it looks like Swan's exploit, compiled and named "SqlExp.exe"), driven by another process (Sqltob.exe in the A variant, svchost.exe in the B variant). When the worm attacks a host, the exploit is directed to download the worm package from a central location.
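The scanner fingerprint described above (SYN to TCP/1025, IPID 256, source port 6000, initial TTL 120) is specific enough to flag on its own. As an added example that is not code from the original post, the following Python assumes packet headers have already been decoded into the hypothetical Packet record and reports sources whose fingerprinted SYNs sweep several hosts:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Hypothetical decoded header fields (assumed, not a real library type)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags as letters, e.g. "S" (SYN only), "SA", "A"
    ip_id: int
    ttl: int


def is_dasher_scan_syn(p: Packet) -> bool:
    # Fingerprint from the writeup. The initial TTL is 120, and the value seen
    # on the wire is 120 minus the hop count, so anything up to 120 is consistent.
    return (p.flags == "S" and p.dport == 1025 and p.sport == 6000
            and p.ip_id == 256 and 0 < p.ttl <= 120)


def dasher_scanners(packets, min_targets: int = 3) -> dict:
    """Map source IP -> number of distinct hosts it probed with the fingerprint,
    keeping only sources that touched at least min_targets hosts (a sweep)."""
    targets = defaultdict(set)
    for p in packets:
        if is_dasher_scan_syn(p):
            targets[p.src].add(p.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample traffic for illustration, not captured data.
SAMPLE = [
    Packet("10.0.5.7", "192.168.1.1", 6000, 1025, "S", 256, 118),
    Packet("10.0.5.7", "192.168.1.2", 6000, 1025, "S", 256, 118),
    Packet("10.0.5.7", "192.168.1.3", 6000, 1025, "S", 256, 118),
    Packet("10.0.5.7", "192.168.1.4", 6000, 1025, "S", 256, 118),
    # Ordinary connection to 1025: ephemeral source port, normal IPID and TTL.
    Packet("10.0.9.9", "192.168.1.1", 49152, 1025, "S", 13422, 126),
    # SYN/ACK reply from a probed host: not a scan packet.
    Packet("192.168.1.1", "10.0.5.7", 1025, 6000, "SA", 4, 128),
    # Fingerprint matches but only one host touched: below the sweep threshold.
    Packet("10.0.7.1", "192.168.1.9", 6000, 1025, "S", 256, 119),
]

if __name__ == "__main__":
    for src, n in dasher_scanners(SAMPLE).items():
        print(f"Dasher-style scanner {src}: {n} distinct targets")
```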

The A variant is not propagating much in the wild at this time, since its central download location has been shut down. The B variant, however, is in the wild and has been caught and analyzed by several groups.

If you need to protect against this, block inbound TCP port 1025, which is the service the attack comes in over. IDS signatures for the MSDTC exploit from Swan should pick it up.

Analysis

Having analyzed the worm earlier today, it looks to me like the worm was quickly put together by someone of limited coding skill, especially in managing recycled exploit code. If the author had been smart they would have sent the worm from the attacker to the new victim, not from a central site (which is prone to being shut down). Furthermore, they would have done this all as one process, not as a process that gathers the result of the scanner into a .bat script and then launches the exploit binary against those targets.

The B variant shows some increased sophistication, but recycles components from other malware.

Look for this worm to be worked on by malware authors in the coming days and possibly perfected. The exploit's reliability is not more than about 50%, meaning the worm isn't able to propagate all that well.

Links

Dasher.A from F-Secure
Dasher.B from F-Secure
W32/Dasher-B from Sophos
Swan's original MSDTC exploit
MS05-051 from October 11, 2005, describing the vulnerability and the patch
Microsoft Distributed Transaction Coordinator Memory Modification Vulnerability from eEye, who discovered the vulnerability

December 16, 2005 in dasher, new worms