Skip to main content

W32.Zotob.K and TFTP port 69/udp

Two years and dozens of worm variants after the W32.Blaster.worm worm infected millions of machines using an easy to block TFTP callback mechanism, the latest variant of the Zotob family is using the same technique. The W32.Zotob.K worm may spread on some networks more successfully than previous variants, all of which attempt to exploit the MS05-039 buffer overflow defect in Windows systems. Using this technique, a worm author trades complexity in one area of the worm design (the overall transport logic) for simplicity in another (the code which exploits the buffer overflow). Previous variants have connected to the victim computer on port 139 or port 445, where it hopes to find an unpatched software agent listening. Then, a packet is sent containing some things that the victim expects to receive, and some things it does not -- all must be arranged very precisely. This package includes the message which trips the buffer overflow, and the code the attacker seeks to run on the remote system immediately thereafter -- which includes a copy of the worm. It turns out that most variants of the worms that exploit MS05-039 directly have been limited in their ability to spread, even on networks of systems entirely vulnerable and unpatched. Their slow spread appears to be due to a quirk -- the attempt to execute the complicated instructions and upload the entire worm to the victim will sometimes fail, causing the target system to reboot, without having first been infected. The TFTP callback allows a simpler package to be delivered through the buffer overflow, and probably makes it more reliable as a result. Instead of a big payload with lots of instructions, a small payload can be delivered. Basically, the worm says, "Hey, call me back." The attacking, worm-infested computer first sets up a listener on port 69, which is able to respond to TFTP requests. It's a small bit of code and it has become standard fare in the "off the shelf" worm building toolkits. The instructions sent through the buffer overflow ask the victim computer to fetch a file from the attacker, using a TFTP client software utility built into Windows, and then execute the resulting file. Organizations which have continued exposure of large numbers of Windows systems (unpatched for MS05-039, and with NULL sessions enabled) should consider blocking the TFTP port 69/udp on internal routers before these new variants hit your network. If this TFTP callback on port 69/udp is so easy to block, why do so many organizations still have it open on their networks? It turns out that many network devices including routers and switches occasionally use TFTP to communicate with network management consoles. This is another good reason why the port should be blocked -- just remember to leave it open to and from a small number of network management consoles or subnets, not throughout the entire network. You can easily block these TFTP callback worms without interfering with your ability to manage routers and switches. Will this become an arms race with new variants opening the TFTP callback trojan on a different port each time? Perhaps. Some worms exploiting the MS05-039 vulnerability apparently open their own FTP server on a high numbered port, using that for a callback transport rather than TFTP. However, the TFTP callback remains a popular exploit, and it's easy enough to block it. The TFTP program on Windows seems to be hard-wired to call to port 69, which explains the continued popularity of this particular port. Permanently blocking this port deprives the worm of a propagation technique with a long and successful history. Worm authors might possibly switch to a different protocol. The other obvious choices, FTP and HTTP, would seem to place a greater burden on the instructions that need to be sent through the buffer overflow exploit, sending the worm author back to square one -- a worm that doesn't propagate very well because the buffer overflow exploit is too fragile. In any case, you won't likely be chasing TFTP all over the port map. It has stayed right there on port 69 for years, and partitioning your internal network on this port remains an effective strategy for mitigating the spread of many worm variants.

Technorati Tags: , , , , , , , , ,

Comments

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual dom

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident. I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company. Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber

Jailbreaking iOS is a Dead Man Walking

Rumor has it that Apple will include a new security feature (possibly known to the developers in Apple as "Rootless") in the upcoming releases iOS 9 and OS X 10.11. Although details are sparse, it looks like Apple may have implemented what other UNIX systems call "namespaces" (See this nice discussion of namespaces on Linux ). Most of the public speculation about the rumor concerns a possible end to jailbreaking , a sport which has fallen on hard times with successful jailbreaks coming fewer and farther between. Since the defects which enable jailbreaking are inherently open to malware, Apple's ongoing efforts to find and fix these bugs with the LLVM/Clang compiler's ever-more-diligent static analyzer make it harder for the jailbreak community to find a toehold. However, a namespaces-like security architecture might fix one of the biggest issues that leads people to desire a jailbroken iPhone. When iOS was created, the system extension features were