The Internet Storm Center highlights this new MS04-011 blended threat that attacks vulnerable systems in a number of ways. So far, this is low risk as it is not found in the wild, but is highlighted for its potential capabilities.
Internet Storm Center: RBOT.CC worm
http://www.incidents.org/diary.php?date=2004-06-21
This worm vociferously scans for TCP port 445, and then tries to break in via RPC DCOM flaws (a la Blaster), IIS5/WebDAV flaws (a la Nachi/Welchia), and LSASS vulnerabilities (a la Sasser). When it infects a system, Rbot.cc runs a process called systemse.exe that starts at boot time. Be on the lookout for it in your environment.
MS04-011: RBOT.CC worm (attacks in multiple ways)
http://www.trendmicro.com/vinfo/virusencyc...RBOT.CC&VSect=T
A summary of key attack methods includes:
Unpatched Microsoft Systems lacking the following updates:
http://www.microsoft.com/technet/security/...n/MS03-026.mspx
http://www.microsoft.com/technet/security/...n/MS03-007.mspx
http://www.microsoft.com/technet/security/...n/MS04-011.mspx
Network Propagation and Exploits
This worm spreads through network shares. It uses NetBEUI functions to gather cached passwords of the currently logged-on user. It then uses the gathered passwords to log on to accessible network shares, where it will drop and execute a copy of itself. If this fails, the worm may also use a hardcoded list of passwords.
Backdoor capabilities on Infected Systems
This worm has a built-in IRC (Internet Relay Chat) client engine, which enables it to connect to an IRC channel. It connects via port 6667 and awaits commands from a remote user. At this point, the worm becomes an IRC bot, functioning as an automated software program that can execute certain commands when it receives a specific input. These commands include:
* Download an updated version of itself
* Disable network shares
* Download and Execute a file
* Launch a SYN and ICMP flood attack
* List and terminate services and processes
* Open and execute a file
* Perform several IRC-related functions
* Redirect connections
* Visit a particular Web site
* Denial of Service
* This worm steals CD keys for several games
* Steal system information, such as: CPU speed, Currently logged-in user, Free/Total RAM, Malware uptime, Windows version and build
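As an added example (not from the ISC diary or the Trend Micro write-up), the following Python shows how a defender could hunt for the indicators given above: one host touching many distinct peers on tcp/445 (the scanning behaviour described by the ISC), outbound connections to the IRC port 6667 the bot engine uses, and the systemse.exe process name. The log format, the detection threshold, the process-list format and every IP address are constructed assumptions for this example and do not come from the advisory.

```python
from collections import defaultdict, namedtuple
from typing import Dict, List, Tuple

# One parsed record per log line: time, source IP, destination IP, destination port, protocol.
Record = namedtuple("Record", "time src dst dport proto")


def build_sample_log() -> List[str]:
    """Constructed sample firewall log (not real data). The format, hosts and
    addresses are assumptions for this example; 10.0.0.5 plays the infected host."""
    # 15 distinct internal hosts probed on tcp/445 within seconds: the scanning behaviour.
    lines = [f"12:00:{i:02d} 10.0.0.5 10.0.1.{i} 445 tcp" for i in range(1, 16)]
    lines += [
        "12:00:20 10.0.0.7 10.0.1.3 445 tcp",        # benign: a workstation using one file share
        "12:00:21 10.0.0.7 10.0.1.3 445 tcp",        # same peer again, still only one distinct target
        "12:00:30 10.0.0.5 198.51.100.9 6667 tcp",   # outbound IRC from the scanning host (placeholder address)
        "12:00:31 10.0.0.9 203.0.113.4 80 tcp",      # benign web traffic
        "garbage line that should be skipped",       # malformed input the parser must tolerate
    ]
    return lines


def parse_log(lines: List[str]) -> List[Record]:
    """Parse whitespace-separated lines into Records, skipping malformed ones."""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue
        records.append(Record(fields[0], fields[1], fields[2], int(fields[3]), fields[4].lower()))
    return records


def port445_scanners(records: List[Record], min_targets: int = 10) -> Dict[str, int]:
    """Sources that reached at least min_targets distinct hosts on tcp/445.
    Counting distinct destinations (not connections) keeps a busy but legitimate
    client talking to a single file server below the threshold."""
    targets = defaultdict(set)
    for r in records:
        if r.dport == 445 and r.proto == "tcp":
            targets[r.src].add(r.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def irc_connections(records: List[Record], port: int = 6667) -> List[Tuple[str, str]]:
    """(src, dst) pairs for connections to the IRC port the worm's bot engine uses."""
    return [(r.src, r.dst) for r in records if r.dport == port and r.proto == "tcp"]


def triage(records: List[Record]) -> Dict[str, List[str]]:
    """Correlate both network indicators per source host; a host showing both
    (scanning plus an IRC connection) is the strongest lead for follow-up."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for src, n in port445_scanners(records).items():
        findings[src].append(f"probed {n} distinct hosts on tcp/445")
    for src, dst in irc_connections(records):
        findings[src].append(f"outbound IRC connection to {dst}:6667")
    return dict(findings)


# Constructed process listing in "image name  PID" form (not real tasklist output).
SAMPLE_PROCESS_LIST = [
    "System Idle Process  0",
    "services.exe  612",
    "systemse.exe  1804",
    "explorer.exe  1120",
]


def suspicious_processes(process_lines: List[str], image_name: str = "systemse.exe") -> List[str]:
    """Lines whose image name equals the one the ISC diary names. Exact,
    case-insensitive matching avoids flagging the legitimate services.exe."""
    hits = []
    for line in process_lines:
        parts = line.split()
        if parts and parts[0].lower() == image_name.lower():
            hits.append(line)
    return hits


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for host, notes in triage(recs).items():
        print(host, "->", "; ".join(notes))
    print("process hits:", suspicious_processes(SAMPLE_PROCESS_LIST))
```

The threshold of ten distinct tcp/445 peers is a starting point, not a tuned value: on a network where administrators or backup software legitimately fan out over SMB, raise it or whitelist those sources, and treat the combination of scanning plus an IRC connection from the same host as the alert worth paging on.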
DDOS capabilities against targeted websites
This worm also has the capability to perform a Distributed Denial of Service (DDoS) attack against a target site by using the following methods:
* Ping flood
* SYN flood
* UDP flood
* Information Theft