[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 657/05 - Cisco - ZOTOB and WORM_RBOT.CBQ Mitigation Recommendations



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 657/05 dated 19.08.05  Time: 16:22  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Cisco - ZOTOB and WORM_RBOT.CBQ Mitigation Recommendations 


Detail
====== 

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Notice: ZOTOB and WORM_RBOT.CBQ Mitigation
Recommendations

Revision 1.0

For Public Release 2005 August 18 2100 UTC (GMT)


Contents
========

    Summary
    Details
    Detection
    Symptoms
    Affected Products
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Status of This Notice: FINAL
    Revision History
    Cisco Security Procedures
    Related Information

- - -----------------------------------------------------------------------

Summary
=======

Cisco customers are currently experiencing attacks due to new worms and
bots that are active on the Internet. The signature of these worms and
bots appears as TCP traffic to port 445 as well as traffic to several
secondary TCP ports depending on the variant of the worm. Affected
customers have been experiencing high volumes of traffic from both
internal and external systems. Symptoms on Cisco devices include, but
are not limited to, high CPU and traffic drops on the input interfaces.
This document focuses on both mitigation techniques and affected Cisco
products that need software supplied by Cisco to patch properly.

These worms and bots have been referenced by the name ZOTOB in multiple
variants, WORM_RBOT.CBQ in multiple variants, and by several other
names. These worms and bots exploit a vulnerability previously
disclosed by Microsoft, details of which can be found at http://
www.microsoft.com/technet/security/Bulletin/MS05-039.mspx 

Cisco has made free software available for the affected products listed
in this Notice that require Cisco-distributed updates.

Details
=======

Details of the worms and bots can be found on Microsoft's web site at  
http://www.microsoft.com/technet/security/advisory/899588.mspx 

The effects of these worms and bots can be mitigated by blocking the
required ports it uses to spread itself, scan for new infections, and
propagate the executable code. This document focuses on blocking the
spread of the worm, either before or after your internal network is
infected. These worms spread using the well known port TCP/445 which
makes the worms challenging to stop as blocking this port may impact
existing functionality such as file sharing between Microsoft Windows
hosts. As with all network configuration, Cisco recommends
establishing a network traffic baseline during normal times and using
the baseline to make decisions about blocking ports or traffic in the
network. Block ports with caution to avoid disabling functionality in
the network.

Detection
=========

Using IOS with NetFlow Enabled to Detect Infected Hosts
+------------------------------------------------------

NetFlow is a technology for obtaining traffic flow information across a
network and can help identify infected hosts. Netflow must be enabled
on an interface with the command ip route-cache flow. The following
example shows infected hosts attempting to infect random systems on a
destination port of 445, which shows in the output as the hexadecimal
string 01BD. Other ports used by worm and bot variants are 7778  which
is hexadecimal 1E62, 8888 which is hexadecimal 22B8, 8594 which is
hexadecimal 2192, 8563 which is hexadecimal 0890, 7778 which is
hexadecimal 1E62, 33333 which is hexadecimal 8235, 11173 which is
hexadecimal 2BA5, 8080 which is hexadecimal 1F90, 6667 which is
hexadecimal 1A0B, and 69 which is hexadecimal 0045.

The destination port 445 output is most useful at the network edge.
Within the network where legitimate connections are using port 445, the
other listed ports may be used to correlate the port 445 data and
identify infected hosts.

    Router>show ip cache flow | include 01BD
    
    SrcIf      SrcIPaddress    DstIf    DstIPaddress  Pr SrcP DstP    Pkts
    
    Fa2/0      XX.XX.XX.242    Fa1/0    XX.XX.XX.119  06 0B88 01BD    1
    Fa2/0      XX.XX.XX.242    Fa1/0    XX.XX.XX.169  06 0BF8 01BD    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.63   06 0E80 01BD    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.111  06 0CB0 01BD    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.95   06 0CA0 01BD    1
    Fa2/0      XX.XX.XX.204    Fa1/0    XX.XX.XX.79   06 0C90 01BD    1

IDS/IPS Signatures
+-----------------

If a Cisco Intrusion Detection System or Intrusion Prevention System is
in use, the S185 signature update file includes signatures for both the
vulnerability and specific worms and bots attempting to exploit it.
S185 is available at: http://www.cisco.com/tacpage/sw-center/
ciscosecure/ids/crypto 

Symptoms
========

For symptoms on an infected Microsoft host, refer to the Microsoft
Advisory at http://www.microsoft.com/technet/security/advisory/
899588.mspx 

Overall network symptoms may manifest as increased load on firewalls,
routers and switches due to increased traffic. There may be instability
in networks due to increased load.

Affected Products
=================

To determine if a product is vulnerable, review the list below. If the
software versions or configuration information are provided, then only
those combinations are vulnerable. This is a list of appliance software
that needs patches downloaded from Cisco:

  * Cisco CallManager
  * Cisco Customer Response Application Server (CRA)
  * Cisco Personal Assistant
  * Cisco Conference Connection (CCC)
  * Cisco Emergency Responder

Other Cisco products that run on a Microsoft-based operating system
should strongly consider loading the security update from Microsoft at 
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx 

This list is not all inclusive, so refer to Microsoft's Advisory if you
think you have an affected Microsoft platform.

  * Cisco Unity
  * Cisco Building Broadband Service Manager (BBSM)
  * Cisco CNS Network Registrar (CNR)
  * Cisco Customer Voice Portal
  * Cisco ICM Enterprise Edition
  * Cisco ICM Hosted Edition
  * Cisco IP Contact Center (IPCC) (Express, Enterprise, Hosted, Remote
    Agent)
  * Cisco E-mail Manager (CEM)
  * Cisco Web Collaboration Option
  * Cisco Collaboration Server Dynamic Content Adapter
  * Cisco Media Blender (CMB)
  * Cisco IP Interactive Voice Response
  * IP Queue Manager
  * Cisco Customer Voice Portal
  * Cisco Computer Telephony Integration Option
  * Cisco Outbound Option
  * Cisco Remote Monitoring Suite Option
  * Cisco Support Tools
  * TrailHead (Part of the Web Gateway solution)
  * Cisco Networking Services for Active Directory (CNS/AD)
  * Cisco SN 5400 Series Storage Routers (driver to interface to
    Windows server)
  * CiscoWorks
      + CiscoWorks VPN/Security Management Solution (CWVMS)
      + User Registration Tool
      + LAN Management Solution
      + Routed WAN Management
      + Service Management
      + IP Telephony Environment Monitor
      + Small Network Management Solution
      + QoS Policy Manager
      + Voice Manager
  * Cisco Transport Manager (CTM)
  * Cisco Broadband Troubleshooter (CBT)
  * DOCSIS CPE Configurator
  * Access Control Server (ACS)
  * Videoconferencing Applications
      + IP/VC 3540 Video Rate Matching Module
      + IP/VC 3540 Application Server

Software Versions and Fixes
===========================

When considering software upgrades, please also consult http://
www.cisco.com/warp/public/707/advisory.html and any subsequent
advisories to determine exposure and a complete upgrade solution.  

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release.  If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") for assistance

Cisco CallManager, Cisco Customer Response Server/Cisco IP Contact
Center Express, Cisco Personal Assistant, Cisco Conference Connection,
Cisco Emergency Responder

If the operating system version is in the 2000.4.1 train, customers
should download and install one of the following options:

  * Latest service pack that includes the fix for this issue:
    win-OS-Upgrade-K9.2000-4-1sr3.exe
  * Hotfix specifically for this issue: win-K9-MS05-039.exe

If the operating system version is in the 2000.2.7 train, customers
should download and install one of the following options:

  * Latest service pack that includes the fix for this issue:
    win-OS-Upgrade-K9.2000-2-7sr7.exe
  * Hotfix specifically for this issue: win-K9-MS05-039.exe

All software is available at http://www.cisco.com/pcgi-bin/
tablebuild.pl/cmva-3des 

Other Windows-based Cisco Products
+---------------------------------

Customers should download the Security Update directly from Microsoft
and follow the directions for installation at http://www.microsoft.com/
technet/security/Bulletin/MS05-039.mspx 

Obtaining Fixed Software
========================

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers using Third-party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade,
which should be free of charge.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@xxxxxxxxx

Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@xxxxxxxxx" or
"security-alert@xxxxxxxxx" for software upgrades.

As the fix for this vulnerability is a default configuration change,
and a workaround is available, a software upgrade is not required to
address this vulnerability. However, if you have a service contract,
and wish to upgrade to unaffected code, you may obtain upgraded
software through your regular update channels once that software is
available. For most customers, this means that upgrades should be
obtained through the Software Center on Cisco's Worldwide Web site at 
http://www.cisco.com.

If you need assistance with the implementation of the workarounds, or
have questions on the workarounds, please contact the Cisco Technical
Assistance Center (TAC).

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@xxxxxxxxx

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.

Customers may only install and expect support for the feature sets they
have purchased. By installing, downloading, accessing or otherwise
using such software upgrades, customers agree to be bound by the terms
of Cisco's software license terms found at http://www.cisco.com/public/
sw-license-agreement.html, or as otherwise set forth at Cisco.com
Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Workarounds
===========

The effectiveness of any workaround is dependent on specific customer
situations such as product mix, network topology, traffic behavior, and
organizational mission.  Due to the variety of affected products and
releases, customers should consult with their service provider or
support organization to ensure any applied workaround is the most
appropriate for use in the intended network before it is deployed. 

General Worm Mitigation
+----------------------

For general information regarding strategies and technologies for Worm
Mitigation, please refer to the Cisco MySDN site: http://www.cisco.com/
en/US/about/security/intelligence/worm-mitigation-whitepaper.html.

ACL for IOS
+----------

Caution: As with any configuration change in a network,
evaluate the impact of this configuration prior to applying the change.

The access list entries shown below are examples for several of the
worm variants now being tracked. New variants using different ports are
possible and should be filtered using the information below as
examples. Any added access list entries should be implemented as part
of a Transit Access Control List that filters transit and edge traffic
at network ingress points.

For more information on tACLs, refer to Transit Access Control Lists:
Filtering at Your Edge, available at: http://www.cisco.com/warp/public/
707/tacl.html.

Note: If  trying to track source addresses, use Sampled NetFlow, rather
than "log" statements in access lists as the high traffic in
combination with the log statement can overwhelm the router. The
command show access-list can be used to determine the hit count against
individual access list entries. This data can be used in conjunction
with Sampled NetFlow to determine which specific worm variants are
attacking the network.

Network Ingress Inbound Filtering

    ! ZOTOB.(A-F)/BOZARI.(A,B)/WORM_RBOT.CBQ
    ! Block Initial Scanning 
    ! Note: Care must be taken when blocking TCP/445 to ensure that legitimate connections 
            are not impacted
    access-list 101 deny tcp any any eq 445
    !
    ! ZOTOB.(A-C) 
    ! Block Remote Shell Creation
    access-list 101 deny tcp any any eq 8888
    !
    ! ZOTOB.D
    ! Block Remote Shell Creation
    access-list 101 deny tcp any any eq 7778
    !
    ! ZOTOB.E/BOZORI.A
    ! Block Remote Shell Creation
    access-list 101 deny tcp any any eq 8594
    !
    ! ZOTOB.F/BOZORI.B
    ! Block Remote Shell Creation
    access-list 101 deny tcp any any eq 8563
    !
    ! WORM_RBOT.CBQ
    ! Block Remote Shell Creation
    access-list 101 deny tcp any any eq 7778
    !
    ! Permit other traffic here
    ! Or include other Transit ACL entries
    access-list 101 permit ip any any

Network Ingress Outbound Filtering

    !
    ZOTOB.(A-C)
    !
    ! Block Outbound FTP Requests to Attacking FTP Server (where HAHA.exe file exists) 
    while permitting legitimate connections
    
    access-list 110 permit tcp <trusted network address block> <trusted network block 
    wildcard> any eq 33333 established
    access-list 110 deny tcp any any eq 33333
    !
    ! Block Outbound IRC Attempts
    access-list 110 deny tcp any any eq 8080
    !
    ! ZOTOB.D
    ! Block Outbound IRC Attempts
    ! Note: This may block legitimate IRC connections
    !
    access-list 110 deny tcp any any eq 6667
    !
    ! Block Outbound FTP Requests to Attacking FTP Server (where HAHA.exe file exists) 
    while permitting legitimate connections
    access-list 110 permit tcp <trusted network address block> <trusted network block 
    wildcard> any eq 11173 established
    access-list 110 deny tcp any any eq 11173
    !
    ! WORM_RBOT.CBQ/ZOTOB.(E,F)/BOZORI.(A,B)
    
    ! Block Outbound TFTP Attempts
    access-list 110 permit udp <trusted network address block> <trusted network block 
    wildcard> <trusted TFTP servers> <trusted TFTP servers wildcard> eq 69
    access-list 110 deny udp any any eq 69
    !
    ! Block Outbound Propagation for ZOTOB.(A-F)/BOZARI.(A,B)/WORM_RBOT.CBQ
    !
    ! Note: Care must be taken when blocking TCP/445 to ensure that legitimate connections 
    are not impacted
    Access-list 110 deny tcp any any eq 445
    Access-list 110 deny tcp any any eq 7778
    Access-list 110 deny tcp any any eq 8888
    Access-list 110 deny tcp any any eq 8594
    !
    Access-list 110 deny tcp any any eq 8563
    !
    Access-list 110 deny tcp any any eq 7778
    !
    ! Permit other traffic here
    ! Or include other Transit ACL entries
    !
    access-list 110 permit ip any any
    !
    ! Apply the access-lists to the interface
    interface <interface>
    ip access-group 101 in
    ip access-group 110 out

Cisco Security Agent
+-------------------

Managed CSA

 1. In testing Managed CSA version 4.5 with default polices, the
    protected server did not become infected. There have been no
    reports of Managed CSA version 4.5 becoming infected.
 2. Managed CSA version 4.5 with default polices may become unstable
    after repeated attacks and reboot.  If Global Correlation is
    enabled, systems that attack several agents will be blocked when
    trying to make the initial network connection, mitigating
    widespread DoS situations.
 3. In testing Managed CSA version 4.0.3 with default polices, the
    protected server did not become infected. There have been no
    reports of Managed CSA version 4.0.3 becoming infected.
 4. Managed CSA version 4.0.3 with default polices may become unstable
    after repeated attacks and reboot.

CSA for Unity and UnityBridge

  * In testing CSA 4.0.3.728 version 1.1.5 for Cisco Unity 4.x, the
    protected server did not become infected but may become unstable
    and require a reboot to restore normal operation.

CSA for CallManager

 1. In testing CSA for Cisco CallManager version 2.0(1), the protected
    server did not become infected. There have been no reports of
    version 2.0(1) becoming infected. The protected server may become
    unstable after repeated attacks and require a reboot to restore
    normal operation.
 2. In testing CSA for Cisco CallManager version 1.1(10), the protected
    server was subject to buffer overflow but CSA blocked the
    subsequent actions of the exploit.

CSA for ICM and IPCC

 1. In testing CSA 4.0.3.728 version 1.0(6) for ICM 5.0 and 6.0
    servers, the protected server may become infected and may become
    unstable and require a reboot to restore normal operation.
 2. In testing CSA 4.5.1.616 version 2.0(0) for ICM 7.0 servers, the
    protected server did not become infected but may become unstable
    and require a reboot to restore normal operation.

CSA for Personal Assistant

  * Testing results are not available for this CSA version.

CSA for CVP, CVP VXML Server, and ISN

 1. In testing CSA 4.0.3.728 version 1.1(3) for ISN 2.0 and 2.1
    servers, the protected server may become infected and may become
    unstable and require a reboot to restore normal operation.
 2. In testing CSA 4.5.0.573 version 2.0(0) for CVP 3.0 and  CVP VXML
    servers, the protected server did not become infected but may
    become unstable and require a reboot to restore normal operation.

Status of This Notice: FINAL
============================

THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF
MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR
MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Revision History
================
+----------------------------------------+
| Revision |                | Initial    |
| 1.0      | 2005-August-18 | public     |
|          |                | release.   |
+----------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at http://www.cisco.com/en/US/products/
products_security_vulnerability_policy.html. This includes instructions
for press inquiries regarding Cisco security notices. All Cisco
security advisories are available at http://www.cisco.com/go/psirt.


Related Information
===================

  * Cisco Security Advisories and Notices

- - -----------------------------------------------------------------------

All contents are Copyright C 1992-2005 Cisco Systems, Inc. All rights
reserved. Important Notices and Privacy Statement.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SunOS)

iD8DBQFDBPuNezGozzK2tZARArGHAJ0cOKWU6vgVqdPGtz+46/PGEoAFLwCfexNx
7fROnUx6OgKhBsdho6a2yJ8=
=x/wo
- -----END PGP SIGNATURE-----


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Cisco for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQwX5j4pao72zK539AQEIkAQAgNcJ644/3aMQtOUwFWhm4XPYfEN3mck3
C1LM5LMAHoSlCzuRoxuIk+0K5YzZbmL3x9+vx+YNUdzZSfcWoxKo/tVz6HbZDMQ8
BKGB2sOMvcPgHb0dXL15XCYqWtX246Tjm/sL86CR5j8wxL9zNqwrudd7gqE+/yPL
aL5wnbDVLUg=
=2ltG
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________