-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
             __________________________________________________________

                             TECHNICAL BULLETIN

                    Remote Detection of the MyDoom.A Worm

January 31, 2004 00:00 GMT                             Number CIACTech04-001
______________________________________________________________________________

PROBLEM:       Before systems infected with the MyDoom.A worm can be cleaned,
               they must be found. Running a scanner on each system is
               difficult and time consuming, so a method of remotely scanning
               for infected machines is needed.

PLATFORM:      Doomkill.vbs runs on Windows. Nmap runs on many platforms.

ABSTRACT:      The Mydoom worm is probably the fastest growing worm so far.
               The only way to stop it is to detect the infected systems and
               clean them up. Unfortunately, running a scanner on each system
               is difficult and time consuming, so a method of remote
               detection is preferable. This paper describes two remote
               scanners for detecting Mydoom.A that were made available by
               two members of the FIRST community (www.first.org). The first
               is an entry for the nmap scanner (www.insecure.org) that uses
               nmap's application detection capability to recognize the
               Mydoom.A backdoor listening on port 3127. The second is a
               VBScript program that uses WMI to detect the linkages between
               Mydoom and .dll files on the system.
______________________________________________________________________________

LINKS:

 CIAC BULLETIN: http://www.ciac.org/ciac/techbull/CIACTech04-001.shtml

 OTHER LINKS:   Doomkill.zip: http://www.ciac.org/ciac/techbull/doomkill.zip
______________________________________________________________________________

The Mydoom worm is probably the fastest growing worm so far. The only way to
stop it is to detect the infected systems and clean them up.
Unfortunately, running a scanner on each system is difficult and time
consuming, so a method of remote detection is preferable. In this paper I
describe two remote detectors for Mydoom.A that were made available by two
members of the FIRST community (www.first.org). The first is an entry for the
nmap scanner (www.insecure.org) that uses nmap's application detection
capability to recognize the Mydoom.A backdoor listening on port 3127. The
second is a VBScript program that uses WMI to detect the linkages between
Mydoom and .dll files on the system. To use the nmap method, you need only be
able to reach port 3127 on the target systems. To use the WMI detector, you
need logon privileges on the systems you are scanning.

NMAP Method
===========

The current version of the nmap scanner from www.insecure.org can identify
the application listening on a port by sending that port a probe and
examining the reply. This is more reliable than trusting the port number,
since applications can be configured to listen on different ports. To use
this method, you need only be able to reach the target systems with nmap; in
most cases this means you must be inside any firewall protecting the network
you want to scan.

Add the following detection entry to nmap's nmap-service-probes file:

  #Detector for mydoom worm run with nmap -sV -p 3127 host
  #From John Kristoff of northwestern.edu
  Probe TCP return-enter q|\n|
  ports 80,1080,3127,3128,8080,10080
  match mydoom m/^\x04\x5b\x00\x00\x00\x00\x00\x00$/ v/original///

The entry defines a probe that connects, sends a single newline, and matches
the reply only if it is exactly the eight bytes the Mydoom.A backdoor returns.
The "ports" line tells nmap which ports this probe is normally appropriate
for; it does not select the ports to scan, so the port must still be given
with -p. You may then scan systems using the command:

  nmap -sV -p 3127 <host>

where <host> is the host or network you want to scan. Mydoom.A binds port
3127 and, if that port is already in use, falls back to the next free port
up to 3198, so scanning the range with -p 3127-3198 is safer than a single
port. A host that does not answer with the banner is not proven clean: a host
firewall, or a backdoor that is not reachable from the scanner, produces no
match.

We do not know if this will work with Mydoom.B or other variants of Mydoom
still to come. We will modify this bulletin when we have an answer.

WMI Scanner Method
==================

Richard Puckett and David Stafford worked out the means by which
process-to-DLL handle associations can be remotely determined on a host
using the CIM_ProcessExecutable association class in WMI.
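The check that the nmap entry in the NMAP Method section performs can be reproduced directly when nmap is not available on the scanning host. The Python below is an added example and is not part of this bulletin or of John Kristoff's signature: it connects, sends the same single newline, accepts only the exact eight-byte reply, and walks ports 3127-3198 because Mydoom.A falls back to the next free port when 3127 is busy. The fake_listener helper is a constructed stand-in for infected and clean hosts so the script can be exercised offline; the two-second timeout is this example's choice.

```python
"""Direct TCP probe for the Mydoom.A backdoor banner (added example)."""
import socket
import sys
import threading

# The eight bytes the "match mydoom" line in the nmap entry anchors on.
MYDOOM_A_BANNER = b"\x04\x5b\x00\x00\x00\x00\x00\x00"

# Mydoom.A binds 3127; if that port is already taken it uses the next
# free port up to 3198, so a single-port scan can miss an infected host.
MYDOOM_PORTS = range(3127, 3199)


def probe_port(host, port, timeout=2.0):
    """Return True only if host:port answers a newline with exactly the
    Mydoom.A banner.  Closed ports, timeouts and any other reply (for
    example a real proxy on 3128) yield False."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\n")
            data = b""
            # Keep reading until the peer closes, goes quiet, or has sent
            # more than the banner: the signature is anchored at both
            # ends, so extra bytes disqualify the reply as they do in nmap.
            while len(data) <= len(MYDOOM_A_BANNER):
                try:
                    chunk = s.recv(64)
                except socket.timeout:
                    break
                if not chunk:
                    break
                data += chunk
    except OSError:
        return False
    return data == MYDOOM_A_BANNER


def scan_host(host, ports=MYDOOM_PORTS, timeout=2.0):
    """Return the list of ports on host that answered with the banner."""
    return [port for port in ports if probe_port(host, port, timeout)]


def fake_listener(reply):
    """Constructed test double, not a real host: accept one connection on
    an ephemeral loopback port, send `reply` (may be empty) and close.
    Returns the port number to probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(16)  # swallow the probe's newline
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    hits = scan_host(target)
    if hits:
        print("%s: Mydoom.A banner on port(s) %s" % (target, hits))
    else:
        print("%s: no Mydoom.A banner on %d-%d"
              % (target, MYDOOM_PORTS[0], MYDOOM_PORTS[-1]))
```

Run it as `python mydoom_probe.py 10.1.2.3` (file name assumed). Like the nmap probe, it reports only a host whose backdoor is reachable from the scanner, so a negative result is not proof of a clean system.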
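Walking that association from the scanning host is straightforward once the shape of a CIM_ProcessExecutable row is understood: each row carries two object-reference strings, Antecedent (the CIM_DataFile, i.e. the module on disk) and Dependent (the Win32_Process that has it mapped). The Python below is an added example, not doomkill.vbs and not the Puckett and Stafford code. It parses those references, joins them into a per-process module list, and flags modules that are either named on a caller-supplied watch list or loaded from outside a few trusted directories. The sample rows, the names badmod.dll and inject.dll, the TRUSTED_DIRS heuristic and the watch list are constructed for illustration; the remote query uses pywin32's SWbemLocator.ConnectServer, which is an assumption of this example that the offline sample does not exercise.

```python
"""Process-to-DLL mapping via WMI CIM_ProcessExecutable (added example)."""
import re
import sys

# A WMI object reference looks like
#   \\HOST\root\cimv2:CIM_DataFile.Name="C:\\WINDOWS\\system32\\x.dll"
# Backslashes inside the quoted key value are doubled on the wire.
_REF = re.compile(r':(?P<cls>\w+)\.(?P<key>\w+)="(?P<val>.*)"\s*$')

# Directories whose modules are not flagged on path alone (heuristic
# chosen for this example; a 2004-era box may use C:\WINNT).
TRUSTED_DIRS = (r"c:\windows", r"c:\winnt", r"c:\program files")


def parse_ref(ref):
    """Split an object reference into (class name, key value)."""
    m = _REF.search(ref)
    if not m:
        raise ValueError("not a WMI object reference: %r" % ref)
    return m.group("cls"), m.group("val").replace("\\\\", "\\")


def process_module_map(rows):
    """rows: (Antecedent, Dependent) pairs as returned for
    CIM_ProcessExecutable.  Returns {process handle: [module paths]},
    paths lower-cased so comparisons are case-insensitive like NTFS."""
    by_pid = {}
    for antecedent, dependent in rows:
        cls_a, path = parse_ref(antecedent)
        cls_d, pid = parse_ref(dependent)
        if cls_a != "CIM_DataFile" or cls_d != "Win32_Process":
            continue  # not a file -> process link; skip it
        by_pid.setdefault(pid, []).append(path.lower())
    return by_pid


def suspicious_modules(by_pid, watch_names=(), trusted_dirs=TRUSTED_DIRS):
    """Return (pid, path) for every mapped module whose file name is on
    the watch list, or that lives outside the trusted directories.  The
    watch list is where the file names from an AV write-up of the worm
    go; this bulletin names none, so the caller supplies them."""
    watch = {name.lower() for name in watch_names}
    roots = tuple(d.lower().rstrip("\\") + "\\" for d in trusted_dirs)
    hits = []
    for pid, modules in by_pid.items():
        for path in modules:
            name = path.rsplit("\\", 1)[-1]
            if name in watch or not path.startswith(roots):
                hits.append((pid, path))
    return hits


def query_process_executables(host, user=None, password=None):
    """Fetch the rows from a remote host over DCOM.  Needs pywin32 on a
    Windows scanning host and admin rights on the target; this call is
    an assumption of the example and is not run by the offline sample."""
    import win32com.client  # pywin32
    locator = win32com.client.Dispatch("WbemScripting.SWbemLocator")
    svc = locator.ConnectServer(host, r"root\cimv2", user, password)
    rows = svc.ExecQuery("SELECT * FROM CIM_ProcessExecutable")
    return [(row.Antecedent, row.Dependent) for row in rows]


# Constructed sample in the shape ExecQuery returns.  badmod.dll and
# inject.dll are made-up names used only to show the two triage rules.
SAMPLE_ROWS = [
    (r'\\HOST1\root\cimv2:CIM_DataFile.Name="C:\\WINDOWS\\system32\\kernel32.dll"',
     r'\\HOST1\root\cimv2:Win32_Process.Handle="1504"'),
    (r'\\HOST1\root\cimv2:CIM_DataFile.Name="C:\\WINDOWS\\system32\\badmod.dll"',
     r'\\HOST1\root\cimv2:Win32_Process.Handle="1504"'),
    (r'\\HOST1\root\cimv2:CIM_DataFile.Name="C:\\WINDOWS\\system32\\kernel32.dll"',
     r'\\HOST1\root\cimv2:Win32_Process.Handle="2212"'),
    (r'\\HOST1\root\cimv2:CIM_DataFile.Name="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\inject.dll"',
     r'\\HOST1\root\cimv2:Win32_Process.Handle="2212"'),
]


if __name__ == "__main__":
    # usage: python wmi_modules.py HOST [watch.dll ...]; with no host the
    # constructed sample is triaged instead of querying anything.
    if len(sys.argv) > 1:
        rows, watch = query_process_executables(sys.argv[1]), sys.argv[2:]
    else:
        rows, watch = SAMPLE_ROWS, ["badmod.dll"]
    for pid, path in suspicious_modules(process_module_map(rows), watch):
        print("pid %s -> %s" % (pid, path))
```

The path heuristic is deliberately loose: a DLL dropped into the system directory is only caught by name, which is why the watch list, not the directory check, does the real work against a worm that installs itself alongside system files.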
Using CIM_ProcessExecutable, Puckett and Stafford created a remote cleaner
for Mydoom.A, doomkill.vbs. The program is a Visual Basic Script that should
run on any current Windows system. You need an account with administrative
rights on every system you want to scan, since remote WMI connections require
it, so the script will normally be run by a domain administrator against his
domain.

SYNTAX:

  cscript.exe doomkill.vbs -F <hostlist> [-U <user>] [-P <password>] [-R]

PARAMETER SPECIFIERS:

  -F  REQUIRED: full path to a carriage-return-delimited host list
  -U  OPTIONAL: alternate credentials used to connect to the hosts in the
      host list (if omitted, defaults to the logged-on user's credentials)
  -P  OPTIONAL: password for the alternate credentials (if omitted,
      defaults to the logged-on user's credentials)
  -R  OPTIONAL: reboot the remote host if an infection has been cleaned

EXAMPLES:

  cscript.exe doomkill.vbs -F c:\servers.txt -U DOMAIN\userid -P secret -R
      runs against c:\servers.txt using the DOMAIN\userid account and
      password, and reboots infected hosts

  cscript.exe doomkill.vbs -F c:\servers.txt -R
      runs against c:\servers.txt with default credentials, and reboots
      infected hosts

  cscript.exe doomkill.vbs -F c:\servers.txt
      runs against c:\servers.txt with default credentials, no reboot

The log is written to the root of C:\ on the box the script was run from
(c:\doomkill-.log).

Note that a password given with -P appears on the command line, where other
users of the scanning host can see it in the process list and where it may
be kept in command history. Where possible, run the script from an account
that already has rights on the targets and omit -U and -P.
______________________________________________________________________________

Thanks to John Kristoff for the nmap signature and to Richard Puckett
(rpuckett@cisco.com) and David Stafford for the WMI scanner.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-058: Hewlett-Packard SharedX Vulnerability
O-059: Debian Linux-Kernel-2.4.14-ia64 Vulnerabilities
O-060: Debian Password Expiration Vulnerability
O-061: Red Hat Updated tcpdump Packages Fix Various Vulnerabilities
O-062: CERT Advisory Multiple H.323 Message Vulnerabilities
O-063: Red Hat Elevated Privileges Vulnerability
O-064: HP 'rwrite' Utility Vulnerability
O-065: Security Vulnerabilities in ASN.1
O-066: Cisco - Voice Product Vulnerabilities on IBM Servers
O-067: Sun Vulnerability with Loading Arbitrary Kernel Modules

-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2

iQCVAwUBQBr2VbnzJzdsy3QZAQG1swQAoAFH8fUtbzIbHi7pr/covW0Atu01mnSn
cBIpzq4/0GJeMwXzRkw+nkNSo8LVjZWX4ZLBXL4ZRHUmqoS38bGs8wUHYCowpsn1
BV/31wDzSjAbpNv+RNeahklvym9TX6UKGFbGaZfi+SGu7f/GC8HGONZ9TEwuikyw
J3KWcj7dvxQ=
=o1eR
-----END PGP SIGNATURE-----