| PROBLEM: | Before systems containing the MyDoom.A worm can be cleaned, they must be detected. As running a scanner on each system can be difficult and time consuming, a method of remote scanning for infected machines is needed. |
| PLATFORM: | Doomkill.vbs runs on a Windows platform. Nmap can run on many platforms. |
| ABSTRACT: | The Mydoom worm is probably the fastest growing worm so far. The only way to stop it is to detect the infected systems and clean them up. Unfortunately, running a scanner on each system is difficult and time consuming so a method of remote detection is preferable. In this paper, two members of the FIRST community (www.first.org) have made available remote scanners for detecting Mydoom.A. The first is a configuration file for the nmap scanner (www.insecure.org) which uses its application detection capability to detect Mydoom.A running on port 3127. The second is a vbscript program that uses WMI to detect the linkages between Mydoom and .dll files on the system. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/techbull/CIACTech04-001.shtml |
| OTHER LINKS: | Doomkill.zip http://www.ciac.org/ciac/techbull/doomkill.zip |
The Mydoom worm is probably the fastest growing worm so far. The only way to stop it is to detect the infected systems and clean them up. Unfortunately, running a scanner on each system is difficult and time consuming, so a method of remote detection is preferable. In this paper I describe two remote detectors for Mydoom.A that were made available by two members of the FIRST community (www.first.org). The first is an entry for the nmap scanner's service-probes file (www.insecure.org) which uses nmap's application detection capability to detect the Mydoom.A backdoor listening on port 3127. The second is a VBScript program that uses WMI to detect the linkages between Mydoom and .dll files on the system. To use the nmap method, you need only be able to scan port 3127. To use the WMI detector, you need to have logon privileges on the systems you are scanning.
The current version of the nmap scanner from www.insecure.org can identify the application listening on a port by sending a probe to that port and matching the reply, rather than trusting the port number alone. This is more reliable than going by port number, because applications (and backdoors) can be configured to listen on any port. To use this method you need only be able to reach the target systems with nmap on port 3127; in most cases this means scanning from inside any firewall that filters that port. Note that a host whose backdoor is not listening, or is not reachable from the scanner, will not be found this way.
Add the following detection entry to nmap's nmap-service-probes file (each of the following is its own line in that file):
# Detector for the mydoom worm; run with: nmap -sV -p 3127 host
# From John Kristoff of northwestern.edu
Probe TCP return-enter q|\n|
ports 80,1080,3127,3128,8080,10080
match mydoom m/^\x04\x5b\x00\x00\x00\x00\x00\x00$/ v/original///
You may then scan systems using the command:
nmap -sV -p 3127 <host>
Where <host> is the host or network you want to scan. We do not know if this will work with Mydoom.B or other variants of Mydoom still to come. We will modify this bulletin when we have an answer.
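The same check can be made without nmap. The following PowerShell function is an added example for this bulletin, not part of it or of the nmap distribution; it opens TCP/3127, sends the single newline that the return-enter probe above sends, and compares the reply against the probe's 8-byte signature. The function names, the timeout and the output fields are this example's own choices, and unlike nmap -sV it does not wait for a banner before sending the newline.

```powershell
# Added example, not code from the CIAC bulletin or from nmap.
# Reproduces the "return-enter" probe and the mydoom match line by hand.
# Function names, $Port/$TimeoutMs defaults and output fields are this example's own.

function Test-MydoomSignature {
    # Pure matching logic, kept separate so it can be run on captured bytes.
    # Equivalent of m/^\x04\x5b\x00\x00\x00\x00\x00\x00$/ : the reply must be
    # exactly these eight bytes, nothing before or after.
    param([byte[]]$Reply)
    $expected = [byte[]](0x04, 0x5b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
    if ($null -eq $Reply -or $Reply.Length -ne $expected.Length) { return $false }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($Reply[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

function Test-MydoomPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3127,        # the port the bulletin's nmap command scans
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a filtered port does not hang the scan.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Host = $ComputerName; Port = $Port; Open = $false; Mydoom = $false; Bytes = '' }
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs

        # q|\n| from the probe definition: a single newline byte.
        $stream.Write([byte[]](0x0a), 0, 1)

        $buf = New-Object byte[] 64
        $n = 0
        try { $n = $stream.Read($buf, 0, $buf.Length) } catch [System.IO.IOException] { $n = 0 }  # read timeout
        $reply = if ($n -gt 0) { [byte[]]$buf[0..($n - 1)] } else { [byte[]]@() }

        [pscustomobject]@{
            Host   = $ComputerName
            Port   = $Port
            Open   = $true
            Mydoom = Test-MydoomSignature -Reply $reply
            Bytes  = ($reply | ForEach-Object { '{0:x2}' -f $_ }) -join ' '   # hex dump for the log
        }
    } finally {
        $client.Close()
    }
}

# Usage: feed it the same carriage-return-delimited host list doomkill.vbs
# uses and keep only hosts whose port 3127 reply matches the signature.
# Get-Content C:\servers.txt | ForEach-Object { Test-MydoomPort -ComputerName $_ } |
#     Where-Object { $_.Mydoom } | Format-Table Host, Port, Bytes
```

The Bytes column is there so that a host that answers on 3127 with something other than the signature (another service, or a variant the signature does not cover) is still visible in the output rather than silently reported as clean.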
Richard Puckett and David Stafford worked out how process-to-DLL handle associations can be determined remotely on a host using the CIM_ProcessExecutable association class in WMI. Each instance of that class links one running process (Win32_Process) to one executable file (CIM_DataFile) mapped into it, so a worm's DLL can be tied back to the process hosting it. Using this, they created a remote cleaner for Mydoom.A. The program is a Visual Basic Script that should run on any current Windows system. Because WMI must be able to log on to each target, you need an account with rights on every system you want to scan, so this will normally be run by a domain administrator against the domain.
cscript.exe doomkill.vbs -F <hostlist> [-U <user>] [-P <password>] [-R]

-F  REQUIRED: full path to a carriage-return-delimited host list
-U  OPTIONAL: alternate credentials to connect to the hosts in the host list (if omitted, defaults to the logged-on user's credentials)
-P  OPTIONAL: password for the alternate credentials (if omitted, defaults to the logged-on user's credentials)
-R  OPTIONAL: reboot the remote host if an infection has been cleaned
cscript.exe doomkill.vbs -F c:\servers.txt -U DOMAIN\userid -P secret -R
- runs against c:\servers.txt using the DOMAIN\userid and password, reboots infected hosts

cscript.exe doomkill.vbs -F c:\servers.txt -R
- runs against c:\servers.txt with default credentials, reboots infected hosts

cscript.exe doomkill.vbs -F c:\servers.txt
- runs against c:\servers.txt with default credentials, no reboot

Note that a password supplied with -P is visible to anyone on the scanning box who can list the command line of the running cscript.exe process, so prefer running the script as the logged-on domain account where you can.
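To see what doomkill.vbs is looking at, here is an added PowerShell example (not doomkill.vbs and not CIAC code) that walks the CIM_ProcessExecutable association on a remote host and lists which module files each process has loaded, optionally filtered by a regular expression. The function and parameter names, the DCOM session option and the -Pattern filter are this example's own; it assumes the caller has administrative rights on the target, as the bulletin says, and it only reports, it does not clean.

```powershell
# Added example, not doomkill.vbs. Reads the CIM_ProcessExecutable association
# (Antecedent = CIM_DataFile that is mapped in, Dependent = the Win32_Process
# that has it mapped) from a remote host and reports process -> module pairs.
# Names, the DCOM choice and -Pattern are this example's own assumptions.

function Get-RemoteProcessModule {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential,     # omit to use the logged-on user, like doomkill without -U/-P
        [string]$Pattern = '.*'        # regex applied to the module's full path
    )

    # WMI is classically reached over DCOM; the default WSMan transport also works where WinRM is enabled.
    $opt = New-CimSessionOption -Protocol Dcom
    $sessArgs = @{ ComputerName = $ComputerName; SessionOption = $opt }
    if ($Credential) { $sessArgs.Credential = $Credential }
    $session = New-CimSession @sessArgs

    try {
        # Index the live processes by id so each association can be resolved to a name and image path.
        $procs = @{}
        foreach ($p in Get-CimInstance -CimSession $session -ClassName Win32_Process) {
            $procs[[string]$p.ProcessId] = $p
        }

        # One association instance per (process, mapped file) pair.
        $links = Get-CimInstance -CimSession $session -Namespace root\cimv2 -ClassName CIM_ProcessExecutable
        foreach ($link in $links) {
            $file   = $link.Antecedent.Name      # e.g. C:\WINDOWS\system32\ntdll.dll
            $procId = [string]$link.Dependent.Handle   # Win32_Process.Handle is the process id as a string
            if (-not $file -or $file -notmatch $Pattern) { continue }
            $p = $procs[$procId]
            [pscustomobject]@{
                Host        = $ComputerName
                ProcessId   = [int]$procId
                ProcessName = if ($p) { $p.Name } else { '<exited>' }   # process may have gone between the two queries
                ProcessPath = if ($p) { $p.ExecutablePath } else { $null }
                Module      = $file
            }
        }
    } finally {
        Remove-CimSession $session
    }
}

# Usage: same host-list convention as doomkill.vbs; the pattern below just narrows
# the output to DLLs, substitute the file name from the malware write-up you are
# working from to hunt for one specific module.
# $cred = Get-Credential DOMAIN\userid
# Get-Content C:\servers.txt | ForEach-Object {
#     Get-RemoteProcessModule -ComputerName $_ -Credential $cred -Pattern '\.dll$'
# } | Sort-Object Host, ProcessId | Format-Table Host, ProcessId, ProcessName, Module
```

Because the association is read from WMI rather than from the file system, a DLL shows up here only while some process actually has it mapped, which is exactly the "linkage" the bulletin describes; a file that is merely present on disk will not be listed.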
The log writes to the root of C:\ on the box it was run from (c:\doomkill-

Thanks to John Kristoff <jtk@northwestern.edu> for the nmap signature and to Richard Puckett (rpuckett@cisco.com) and David Stafford for the WMI scanner.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788