August 25, 2006
Sequelae of that seldom-seen, irrelevant, could only happen on Windows worm
In the preceding post, I laid out a case that Windows is inherently less secure than OS X, based on a real-life case in point: my server's infestation with a worm now universally identified as MS06-040. (Strictly, MS06-040 is the number of the Microsoft bulletin for the Server service hole the worm exploits, but the name has stuck to the worm as well.)
I've placed myself in the situation of a Windows server administrator who can't just apply the pat help-desk cure, "erase and reinstall." What happens when I try to hang in and use the tools at my disposal to fight the good fight?
First, remember that I wrote that this problem is bigger than has so far been realized or reported? My Windows mail server coughed up this bit:
Attempting MX: P=010 D=apple.com TTL=(31) MX=[xx.xx.apple.com] {17.xx.xx.xx}
Attempting SMTP connection to [17.xx.xx.xx : 25]
Waiting for socket connection...
Socket connection established
Waiting for protocol initiation...
554 <unknown[65.xx.xx.xx]>: Client host rejected: 5.7.1.: Message rejected. See http://njabl.org/ and http://www.spamhaus.org/SBL
QUIT
I have never been one to raise a louder alarm for a security threat than the commercial security product vendors do, but in this case we're seeing just the tip of the iceberg. Clicking the spamhaus.org link took me to the CBL (Composite Blocking List). The CBL is getting so many click-throughs from e-mail delivery failures that it put the MS06-040 worm on its home page:
UPDATED 2006/08/21: NEWS ALERT 2006/08/14
Commencing August 13th, we have been seeing large numbers of CBL detections caused by the vulnerabilities referenced in Microsoft's MS06-040 security bulletin. At least one of the vulnerabilities can occur without users/administrators doing anything. If you are running Microsoft Windows, we strongly advise patching as soon as possible.
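The 554 rejection above is the first sign most administrators get that a box is listed. Here is an added example (not code from the original post) that turns that line into a check you can re-run yourself: it pulls the rejected client IP out of the SMTP response, builds the reversed DNSBL query names for Spamhaus ZEN and the CBL, and decodes the answer codes as the operators document them today, including the 127.255.255.x codes that mean "your query failed", not "you are listed". The resolver is injectable so the logic runs offline against canned answers; the IP 192.0.2.10 (TEST-NET-1) and the canned answers are constructed, not the author's data.

```python
"""Decode an SMTP DNSBL rejection and re-check the sender IP yourself.

Added example, not code from the original post. The zone names are the
public Spamhaus ZEN and CBL zones; the resolver is injectable so the code
runs offline with canned answers. SAMPLE_554 and CANNED are constructed.
"""
import re
import socket
from typing import Callable, Dict, Optional

# Zones: ZEN combines Spamhaus SBL, XBL (which carries CBL data) and PBL.
ZONES = ("zen.spamhaus.org", "cbl.abuseat.org")

# Meaning of the A record each zone returns for a listed IP (operators' published codes).
CODES = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: direct spam source",
        "127.0.0.3": "SBL CSS: spam-emitting host",
        "127.0.0.4": "XBL/CBL: compromised host, open proxy or bot",
        "127.0.0.5": "XBL/CBL: compromised host, open proxy or bot",
        "127.0.0.6": "XBL/CBL: compromised host, open proxy or bot",
        "127.0.0.7": "XBL/CBL: compromised host, open proxy or bot",
        "127.0.0.9": "SBL DROP: hijacked/leased netblock",
        "127.0.0.10": "PBL: ISP policy, should not send mail directly",
        "127.0.0.11": "PBL: ISP policy, should not send mail directly",
    },
    "cbl.abuseat.org": {"127.0.0.2": "CBL: compromised host (bot/open proxy)"},
}
# Spamhaus signals *query problems* in 127.255.255.0/24. Treat these as errors,
# not listings, or every lookup through an open resolver looks like a hit.
QUERY_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent via public/open resolver; use a local resolver",
    "127.255.255.255": "query volume limit exceeded",
}

REJECT_RE = re.compile(r"^\s*554\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*Client host rejected", re.I)

Resolver = Callable[[str], Optional[str]]   # A record text, or None for NXDOMAIN


def extract_rejected_ip(smtp_line: str) -> Optional[str]:
    """Pull the client IP out of a '554 <unknown[a.b.c.d]>: Client host rejected' line."""
    m = REJECT_RE.search(smtp_line)
    return m.group(1) if m else None


def dnsbl_name(ip: str, zone: str) -> str:
    """a.b.c.d against zone Z is looked up as d.c.b.a.Z."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolver: Resolver = live_resolver, zones=ZONES) -> Dict[str, str]:
    """Return {zone: verdict}; verdicts start with LISTED, CLEAN or ERROR."""
    verdicts: Dict[str, str] = {}
    for zone in zones:
        answer = resolver(dnsbl_name(ip, zone))
        if answer is None:
            verdicts[zone] = "CLEAN"
        elif answer in QUERY_ERRORS:
            verdicts[zone] = "ERROR: " + QUERY_ERRORS[answer]
        else:
            verdicts[zone] = "LISTED (%s): %s" % (answer, CODES.get(zone, {}).get(answer, "unknown code"))
    return verdicts


def triage(smtp_line: str, resolver: Resolver = live_resolver) -> Dict[str, str]:
    """Rejection line in, per-zone verdicts out (empty dict if no IP is found)."""
    ip = extract_rejected_ip(smtp_line)
    return check_ip(ip, resolver) if ip else {}


# Constructed sample: the post's 554 line with a TEST-NET address substituted.
SAMPLE_554 = "554 <unknown[192.0.2.10]>: Client host rejected: 5.7.1: Message rejected. See http://www.spamhaus.org/SBL"

# Canned DNS answers so the example runs offline (constructed, not real listings).
CANNED = {
    dnsbl_name("192.0.2.10", "zen.spamhaus.org"): "127.0.0.4",
    dnsbl_name("192.0.2.10", "cbl.abuseat.org"): "127.0.0.2",
}

if __name__ == "__main__":
    for zone, verdict in triage(SAMPLE_554, CANNED.get).items():
        print(zone, "->", verdict)
```

Run it with the default `live_resolver` from the mail server itself (not through a public resolver, or ZEN answers with 127.255.255.254) and you get the same verdict the receiving MTA saw. A 127.0.0.4 from ZEN is the XBL/CBL code, which is exactly the "compromised host" listing the CBL alert above is about: it is evidence of a bot, not of a spammer configuring your server on purpose.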
Ah, but the patch is prophylaxis, not cure: it closes the Server service hole, but it does nothing for a machine the worm has already come through. That word's not really getting out. Once MS06-040 (it's good that everyone's agreed on a name for it) busts in, it turns your server into party central for the MBM (mommy's basement mafia). If you figured on scraping MS06-040 from your system, SANS has this to say:
You really cannot, and:
- Even if you delete the keys that start the malware, your settings will be mangled, e.g. a test infection with wgareg.exe:
  - created 17 new registry keys
  - modified 77 other keys, including keys used for firewalls, sharing of files, etc.
- That was just the infection itself, no follow-up, no communications with the C & C
- Like any bot, it is unpredictable what the C & C caused the bot to do
Incidentally, C & C is "command and control," referring in this case to Internet Relay Chat servers: the bot joins an IRC channel and takes its orders from whoever controls it, and scripts wired into that channel drive all the infected systems at once. SANS makes the chilling statement that it's impossible to tell what the bot has been making your server do.
This worm takes cover behind Windows' many areas of opaqueness, specifically: the monolithic, binary-on-disk, all-powerful Registry; Windows' "hidden" file attribute and the bugs and rootkit tricks that keep files out of even a command-prompt listing ("dir /a" shows attribute-hidden files, but a hooked file system API shows nothing); the ease with which processes and threads can avoid identification; and the administrative file shares (C$, ADMIN$, IPC$), which never appear in network browsing but which "net share" will list. There are also Windows' facilities for foster parenthood: the process tree of a Windows server is dotted with multiple "svchost.exe" and "rundll32.exe" entries, each running code from DLLs it loaded on some other component's behalf, so the process name says nothing about what is actually executing. "tasklist /svc" at least maps each svchost.exe instance to the services it hosts.
There are way too many places to hide in a Windows server.
It is possible to analyze an infected Windows system's interaction with the network by running it in a sandnet (an isolated network that impersonates the Internet), and tools let you watch changes to the Registry in real time. But everything this bit of malware did before its victim discovered it is unrecoverable unless logging or a baseline snapshot was already in place, and even watching the WAN traffic doesn't point back to the code that generates it.
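Watching the Registry in real time only helps if you are watching before the infection lands; what you can always do afterwards is compare an export taken now against the last clean one. The following is an added example, not code from the original post or from the SANS diary quoted above, that diffs two "reg export" snapshots the way SANS counted its 17 new and 77 modified keys: it parses the .reg text format, lists added and removed keys and changed values, and flags anything under paths that matter for security (firewall policy, autostart keys, file-sharing parameters, new service definitions). The watch-list is an assumption to extend for your own environment, and BEFORE/AFTER are constructed samples modelled on the wgareg.exe infection SANS describes, not real exports.

```python
"""Diff two 'reg export' snapshots and flag security-sensitive changes.

Added example, not code from the original post or the SANS diary it quotes.
Parses the text format 'reg export' and regedit write, reports added/removed
keys and changed values, then highlights changes under paths malware commonly
touches. BEFORE/AFTER are constructed samples modelled on the wgareg.exe
infection SANS describes. Real exports are UTF-16: open(path, encoding="utf-16").
"""
import re
from typing import Dict, List, Optional

VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data

# Assumed watch-list (extend for your environment): keys that deserve a closer look.
SENSITIVE = [
    (re.compile(r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy", re.I), "Windows Firewall policy"),
    (re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I), "autostart entry"),
    (re.compile(r"\\Services\\LanmanServer\\Parameters$", re.I), "file sharing / admin shares"),
    (re.compile(r"\\CurrentControlSet\\Services\\[^\\]+$", re.I), "service definition"),
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key path: {value name: raw data}}."""
    tree: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending = ""                      # hex(...) data continued with a trailing backslash
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            tree[current][m.group(1) if m.group(1) is not None else "(Default)"] = m.group(2)
    return tree


def diff_trees(before, after) -> Dict[str, list]:
    """Added/removed keys, plus (key, value, old, new) tuples for values that differ."""
    changed = []
    for key in set(before) & set(after):
        b, a = before[key], after[key]
        changed += [(key, n, b.get(n), a.get(n)) for n in set(b) | set(a) if b.get(n) != a.get(n)]
    return {"added_keys": sorted(set(after) - set(before)),
            "removed_keys": sorted(set(before) - set(after)),
            "changed_values": sorted(changed, key=lambda c: (c[0], c[1]))}


def flag_sensitive(diff: Dict[str, list]) -> List[str]:
    """Findings for changes that land under the SENSITIVE watch-list."""
    findings = []
    for key in diff["added_keys"]:
        findings += ["NEW %s: %s" % (what, key) for pat, what in SENSITIVE if pat.search(key)]
    for key, name, old, new in diff["changed_values"]:
        findings += ["CHANGED %s: %s\\%s: %r -> %r" % (what, key, name, old, new)
                     for pat, what in SENSITIVE if pat.search(key)]
    return findings


# Constructed snapshots (not real exports): a clean baseline, and the same hive
# after a wgareg.exe-style infection dropped a service, added an autostart
# value and switched the firewall off.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Backup"="C:\\Program Files\\Backup\\agent.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"ImagePath"=hex(2):25,00,53,00,\
  79,00
"""

AFTER = BEFORE.replace("dword:00000001", "dword:00000000") + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wgareg"="C:\\WINDOWS\\system32\\wgareg.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"ImagePath"="C:\\WINDOWS\\system32\\wgareg.exe"
"Start"=dword:00000002
"""


def analyze(before_text: str = BEFORE, after_text: str = AFTER):
    """Diff two exports and return (diff, findings)."""
    diff = diff_trees(parse_reg_export(before_text), parse_reg_export(after_text))
    return diff, flag_sensitive(diff)


if __name__ == "__main__":
    diff, findings = analyze()
    print("%d new keys, %d changed values" % (len(diff["added_keys"]), len(diff["changed_values"])))
    for f in findings:
        print(f)
```

The point of the watch-list is the one SANS makes: deleting the autostart value is not the end of it, because the same infection also turned the firewall off and registered a service, and a diff against a known-good export is the only way to see all three without trusting the infected system's own tools. Take the "after" export from the suspect machine's hive files mounted read-only elsewhere if you can; a rootkit that hides its keys from regedit hides them from "reg export" too.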
MS06-040 quietly brought in another trojan, SDBOT (various flavors), with which I'm having fun. I have ClamAV running in quarantine mode in a constant loop, wondering what's next.
Every step of this process is enlightening.
Posted by Tom Yager on August 25, 2006 05:44 PM