TruSecure ALERT - TSA 03-003

UPDATE: A detailed analysis of the Deloder worm by KLC Consulting is available.

TSA 03-003 - W32/Deloder worm

Initial Assessment: RED HOT
Date: March 10, 2003
Time: 0200 UTC

On March 8th, TruSecure became aware of a probable new worm spreading via port 445. The worm is currently known as W32/Deloder, and appears to spread only by exploiting shares with null passwords or with weak passwords. The worm has a list of about 50 passwords, such as 'admin', 'root', '1', '12', '123', '1234', etc. The worm installs a backdoor and puts itself in the startup path.

While no corporate network should have port 445 exposed to the Internet, two scenarios exist that need to be addressed. The first concerns computers connected to the corporate network via VPN: if these machines become infected, the worm can probably infect the corporate LAN. The second is laptops becoming infected over the weekend and then being plugged into the corporate LAN on Monday morning. While TruSecure could not reproduce it in our testing, it appears that the code may be capable of enumerating Windows networking shares on local networks, as well as probing remote IP addresses. If this is correct, there is considerable potential for corporate infections on Monday morning.

Current Assessment: RED HOT

Threat: Low - for enterprises implementing TruSecure Essential Practices. However, the threat could become High if laptops are infected and brought into the corporate LAN, through third-party connections to infected hosts, or through home-office to VPN infections.

Vulnerability Prevalence: Medium to High - Laptops are likely to be trusted. Windows 2000 and XP hosts with open shares, or shares with weak passwords, are vulnerable.

Cost: Potentially High - The worm sets up a VNC (Virtual Network Computer) backdoor, something that won't be detected by anti-virus software, so even if infections are cleaned up, the back door might be left behind. The VNC uses TCP ports 5800 and 5900.

MITIGATIONS:

1. Update your desktop anti-virus software. Most anti-virus companies have updates out. Some useful URLs:
   http://vil.nai.com/vil/content/v_100127.htm
   http://www.f-secure.com/v-descs/deloader.shtml
   http://www.sarc.com/avcenter/venc/data/w32.hllw.deloder.html
   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DELODER.A
   http://www.sophos.com/virusinfo/analyses/w32delodera.html
2. Ensure laptop and VPN clients have strong passwords.
3. Disable TCP ports 445, 5800 and 5900, or block them to/from the Internet.

Notes: This event may not translate into the corporate environment at all, but the worm is being very successful somewhere, and it is worth taking extra steps.

DISCLAIMER: Copyright 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided AS IS. The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to, warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct. Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security. IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
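As an added example, not part of the TruSecure alert, the following Python script shows the kind of check a defender could run over firewall logs to spot the two behaviours the alert describes: a host fanning out over TCP 445 to many neighbours (the worm's share-guessing spread) and traffic accepted on the VNC backdoor ports 5800/5900. The log line format, the addresses and the scan threshold are constructed assumptions, not anything from the alert.

```python
from collections import defaultdict

SMB_PORT = 445
VNC_PORTS = {5800, 5900}          # backdoor ports named in the alert
SCAN_THRESHOLD = 20               # distinct 445 targets per source; assumed tuning value


def build_sample_log():
    """Constructed firewall lines in 'src dst dport action' form (not real data)."""
    lines = []
    # 10.0.5.17 behaves like an infected host: it tries 445 on 25 distinct neighbours
    for n in range(1, 26):
        lines.append(f"10.0.5.17 10.0.5.{n} 445 allow")
    # 10.0.5.40 is a normal client that only talks to two file servers
    lines += ["10.0.5.40 10.0.5.2 445 allow", "10.0.5.40 10.0.5.3 445 allow"]
    # an Internet host reaching the VNC backdoor port on the suspect machine
    lines.append("203.0.113.9 10.0.5.17 5900 allow")
    # a blocked attempt must not count as a reachable listener
    lines.append("203.0.113.9 10.0.5.40 5800 deny")
    return lines


def parse(line):
    """Split one constructed log line into (src, dst, dport, action)."""
    src, dst, dport, action = line.split()
    return src, dst, int(dport), action


def analyse(lines, scan_threshold=SCAN_THRESHOLD):
    """Return hosts fanning out over 445 and hosts that accepted VNC-port traffic."""
    smb_targets = defaultdict(set)   # source -> distinct destinations hit on 445
    vnc_reached = set()              # destinations with allowed 5800/5900 traffic
    for src, dst, dport, action in map(parse, lines):
        if dport == SMB_PORT:
            smb_targets[src].add(dst)
        elif dport in VNC_PORTS and action == "allow":
            vnc_reached.add(dst)
    scanners = sorted(s for s, t in smb_targets.items() if len(t) >= scan_threshold)
    return {"smb_scanners": scanners, "vnc_reached": sorted(vnc_reached)}


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

A host that appears in both lists (here 10.0.5.17) matches the alert's pattern of a spreading machine that also carries the VNC backdoor; the threshold should be tuned to the normal 445 fan-out on your own network.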