Ports for MSBlaster and variants
MSBlaster exploits the RPC DCOM service, which listens on TCP port 135. If you are running Windows 2000, find out how to enable TCP/IP filtering (Local Area Connection properties, TCP/IP, Advanced, Options) so that port is not reachable from the Internet.
I'm still on hold with Cox to find out about SecondWave. I will update this post when they answer.
UPDATE: Here is the SANS page with the information on how MSBlaster works, including all the ports to close. (135-139, 445 and 593)
Quotes of interest:
The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
Those are all the ports you need to block. Note that in the sequence below the TARGET runs the tftp client to fetch the worm from the SOURCE, so turning off a TFTP service on your own machine does not stop you from being infected; block UDP port 69 (tftp) in both directions as well, and keep any TFTP service off if you can.

Infection sequence:
1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.

So far we have found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
- infected machines will start a DDOS attack (port 80 synflood) against windowsupdate.com on August 16th.
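To make the infection sequence and the scanning behaviour above concrete, here is an added detection example (my own code, not from SANS or this post). It correlates connection records so that the three-step sequence (SOURCE to TARGET tcp/135, SOURCE to TARGET tcp/4444, then TARGET back to SOURCE udp/69) is reported only when all three occur in order, flags sources that hit tcp/135 on many distinct hosts as sequential scanners, and checks flows against the port list from the SANS page. The flow records, addresses and timestamps are constructed for illustration and are not real captures; the Flow record format is an assumption, not any particular firewall's log format.

```python
"""Added example: correlate connection records to spot the MSBlaster
infection sequence.  Flow records and addresses are constructed for
illustration (hypothetical), not real captures."""
from collections import defaultdict
from dataclasses import dataclass

# Ports named on the SANS page: 135-139, 445 and 593 (RPC/NetBIOS/SMB),
# plus the worm's tcp/4444 shell and udp/69 (tftp) used to pull the binary.
BLOCK_TCP = set(range(135, 140)) | {445, 593, 4444}
BLOCK_UDP = set(range(135, 140)) | {445, 69}


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


def should_block(flow):
    """True if a border filter implementing the port list above would drop this flow."""
    ports = BLOCK_TCP if flow.proto == "tcp" else BLOCK_UDP
    return flow.dport in ports


def detect_infections(flows, window=60.0):
    """Return (source, target, ts_of_exploit) for each pair where the full
    sequence occurred in order within `window` seconds of step 1:
      1. source -> target tcp/135   (dcom.c-style exploit)
      2. source -> target tcp/4444  (remote shell)
      3. target -> source udp/69    (tftp get of the worm binary)
    A tcp/135 connection on its own is ordinary RPC traffic and is not reported."""
    stage = {}   # (source, target) -> (stage reached, ts of step 1)
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "tcp" and f.dport == 135:
            stage[(f.src, f.dst)] = (1, f.ts)
        elif f.proto == "tcp" and f.dport == 4444:
            s = stage.get((f.src, f.dst))
            if s and s[0] == 1 and f.ts - s[1] <= window:
                stage[(f.src, f.dst)] = (2, s[1])
        elif f.proto == "udp" and f.dport == 69:
            key = (f.dst, f.src)          # step 3 runs target -> source
            s = stage.get(key)
            if s and s[0] == 2 and f.ts - s[1] <= window:
                hits.append((key[0], key[1], s[1]))
                del stage[key]
    return hits


def scan_sources(flows, min_targets=20):
    """Sources that hit tcp/135 on at least `min_targets` distinct hosts:
    the sequential scan the worm runs before it finds a victim."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            targets[f.src].add(f.dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


def sample_flows():
    """Constructed records: one scanner that infects one host, plus benign RPC."""
    flows = [Flow(float(i - 1), "10.0.0.5", f"10.0.1.{i}", "tcp", 135)
             for i in range(1, 31)]                               # sequential scan, 30 hosts
    flows += [Flow(6.5, "10.0.0.5", "10.0.1.7", "tcp", 4444),    # shell on the victim
              Flow(7.0, "10.0.1.7", "10.0.0.5", "udp", 69),      # victim pulls the binary
              Flow(100.0, "10.0.0.9", "10.0.2.2", "tcp", 135),   # ordinary RPC, no follow-up
              Flow(101.0, "10.0.0.9", "10.0.2.3", "tcp", 4444)]  # 4444 without a prior exploit
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for src, dst, ts in detect_infections(flows):
        print(f"infection: {src} -> {dst} (exploit at t={ts})")
    print("scanners:", scan_sources(flows))
```

Run it as-is to see one reported infection (10.0.0.5 against 10.0.1.7) and one scanner; the lone tcp/135 and the orphan tcp/4444 connections are deliberately left unreported, since neither completes the sequence. The window keeps an old port-135 connection from being paired with an unrelated later shell.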