RPC DCOM Exploit - Widespread use...

Discussion in 'other security issues & news' started by AplusWebMaster, Aug 2, 2003.

Thread Status:
Not open for further replies.
  1. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...from SANS Internet Storm Center - 8/2/2003:

    Widespread use of RPC DCOM Exploit
    Updated August 2nd 2003 11:21 EDT
    http://isc.sans.org/diary.html?date=2003-08-01
    "...Currently, more than 1/4 of the sensors participating in the Internet Storm Center have detected scans for this vulnerability...
    Recommendation:
    - Patch your systems as fast as possible (re: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp ).
    - apply firewall rules to block at least port 135, 139 and 445. RPC may use other ports as well depending on configuration. Do not use these limited rules in lieu of patches.
    - if possible, disable DCOM. (this may break some functionality). To do so, use 'dcomcnfg.exe'. For details see:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;825750..."

    - Also this thread: https://www.wilderssecurity.com/showthread.php?t=11844
     
  2. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :doubt: FYI...here they come, folks...'should be an interesting Monday in the workplace...

    Attack bot exploits Windows flaw
    http://news.com.com/2100-1009_3-5059263.html
    August 2, 2003, 6:01 PM PT
    "LAS VEGAS--Online vandals are using a program to compromise Windows servers and remotely control them through Internet relay chat (IRC) networks, system administrators said Saturday...The tool takes commands from an attacker through the IRC networks and can scan for and compromise computers vulnerable to the recently discovered flaw in Windows...Computer security company Symantec analyzed the files and determined that what was first thought to be a worm was actually an attack program...This bot compromises computers using a flaw that Microsoft warned the public about on July 16. The flaw is in the distributed component object model (DCOM) interface...The object, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the DCOM interface, an attacker can cause the system to grant full access to the computer... Hackers from the Chinese X-Focus security group publicly posted a program to several security lists designed to allow an intruder to use the vulnerability to break into Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Windows. In the past week, security researchers and hackers have been refining the exploit code..."


    :mad: FYI...yet another update on this (Geez! 'Can't type fast enough!) from the Internet Storm Center:
    Same URL as before (now updated):
    http://isc.sans.org/diary.html?date=2003-08-01
    "...-- UPDATE ---
    A trojan horse / irc bot has been found in the wild which uses this vulnerability to 'recruit' systems:
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html ..."
     
  3. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...updt from the Internet Storm Center:

    RPC DCOM Update: sdbot variant
    http://isc.sans.org/diary.html?date=2003-08-05
    Updated August 5th 2003 07:31 EDT
    "Honeypots captured a number of attempts to install 'sdbot' variants via the RPC DCOM vulnerability. In each case, 'dcom.c' was used to break in and issue a tftp command to download the remainder of sdbot. Sdbot is a very common 'IRC bot'. It allows remote control of infected machines via IRC and provides a large set of functions like keystroke loggers, DDOS tools, and tools to scan and break into other machines. In order to protect your systems against this threat, patch systems against the RPC vulnerability.
    Possible firewall rules:
    - block inbound port 135
    - outbound/inbound port 69 (tftp)
    - outbound 6667 (irc)
    Note: in particular the IRC port is easily changed to a different port. TFTP should probably only be blocked at the perimeter of a private network (home network / small company), not by an ISP."
     
  4. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( Berkeley gets hit, now Stanford...

    Berkeley braces for hacker attack
    http://www.trivalleyherald.com/cda/article/print/0,1674,86%257E10669%257E1552750,00.html
    August 05, 2003 - "...Security Officer Craig Lant said 50 to 100 computers on the Berkeley campus already have been successfully attacked by hackers exploiting a recently discovered flaw in the Microsoft Windows operating system. 'There may be more. We won't know until we shut down,' he said. Lant estimated that more than half of the 40,000 computers on the Berkeley campus use some form of Windows. 'We're getting close to 1,000 scans a day from outside -- many of them looking for Windows machines to attack,'...It is early in what amounts to a very serious war between security experts and outlaw hackers."


    Hacker attack damages 2,000 computers at Stanford
    http://www.bayarea.com/mld/mercurynews/news/local/6479603.htm?template=contentModules/printstory.jsp
    Aug. 07, 2003
    "...Cedric Bennett, Stanford's director of information security services, said unknown hackers had exploited a newly discovered vulnerability in Microsoft's Windows operating system. About 10 percent of Stanford's 20,000 desktop computers that run Windows were affected...The attack placed a mysterious bit of computer coding on each of the infected machines, which Bennett said the hackers could later activate. The machines were not otherwise disabled. 'We really have no idea what their purpose is,' he said. 'I would call this a stealth attack.'..."
     
  5. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...update from the Internet Storm Center:

    RPC DCOM Update: sdbot variant
    http://isc.sans.org/diary.html?date=2003-08-09
    Updated August 9th 2003 00:13 EDT
    "If you didn't patch and you're rooted by anything, then Rebuild.
    As the information about file hiding in the e-mail post to Unisog below shows,
    for critical systems, you cannot rely on any vendors "cleaning tools" in a situation like this because;
    - The tools are not going to find everything from all of the variants and:
    - You're never going to be able to afford the forensic expense necessary to ensure all hidden files on your system are found.
    So byte the bullet, rebuild and patch...All machines we have found to be exploited are running Windows 2000 & 2003 Server..."

    (For complete detail, use the link posted above).
     
  6. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :eek: FYI...from the Internet Storm Center:

    RPC DCOM worm
    Updated August 11th 2003 16:09 EDT
    http://isc.sans.org/diary.html?date=2003-08-11
    "This RPC DCOM worm started spreading early afternoon (EDT, shortly after midnight of 8/12 UTC). At this point, it is spreading rapidly...Latest update: The worm may launch a syn flood against windowsupdate.com on the 16th (unconfirmed). The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell and use it to download the actual worm via tftp. The name of the binary is msblast.exe. It is packed with UPX and will self extract..."
    (For complete detail, use the posted URL above).
    * Suggest patch be installed ASAP, and firewall ports blocked if possible.
     
  7. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi AplusWebMaster,

    I just wanted to let you know that even though people aren't replying in this thread, I find it valuable. You've kept a kind of running log of developments with this exploit, a type of latest news update thread, which based upon what has happened today, is beneficial. ;)

    Keep up the good work.
    LowWaterMark
     
  9. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi AplusWebMaster,

    Just wanted to let you know that I (and a lot of other people according to the views of this topic) agree with LowWaterMark's opinion of this thread. With something that is as big an issue as this is proving to be, it is indeed a very valuable asset to have someone taking the time to try to keep people up to speed. Too bad the majority of computer users do not keep up with this kind of thing, instead of the minority who do actually try to keep up with security issues of all types.

    Besides, I needed to say hi back at you and didn't want to do that in the update thread. Don't want anyone to wear out their scissors prematurely. :D
     
  10. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    ;) 'Glad to have had the opportunity to be of service...'Just sorry it had to be on such an ugly thing as this...
     
  11. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...update from the Internet Storm Center:

    RPC DCOM WORM (MSBLASTER)
    http://isc.sans.org/diary.html?date=2003-08-11
    Updated August 12th 2003 02:24 EDT
    "...
    - Executive Summary:
    A worm has started spreading early afternoon EDT (evening UTC Time) and is expected to continue spreading rapidly. This worm exploits the Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS Institute, and Incidents.org recommends the following Action Items:

    * Close port 135/tcp (and if possible 135-139, 445 and 593)
    * Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm for activity related to this worm.
    * Ensure that all available patches have been applied, especially the patches reported in Microsoft Security Bulletin MS03-026.
    * This bulletin is available at
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
    * Infected machines are recommended to be pulled from the network pending a complete rebuild of the system.

    - Technical Details:
    Names and Aliases: W32.Blaster.Worm (symantec),W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro),Win32.Posa.Worm (CA),Lovsan (F-secure), MSBLASTER,Win32.Poza.
    The name of the binary is msblast.exe. It is packed with UPX and will self extract...

    - Infection sequence:
    1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
    2. this causes a remote shell on port 4444 at the TARGET
    3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
    4. the target will now connect to the tftp server at the SOURCE.

    So far we have found the following properties:
    - Scans sequentially for machines with open port 135, starting at a presumably random IP address
    - uses multiple TFTP servers to pull the binary
    - adds a registry key to start itself after reboot

    - Name of registry key:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update' ..."

    (For more detail, reference the link posted above).
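    One way to turn the infection sequence quoted above into detection logic, as an added example that is not from the ISC diary or this thread: it correlates flow-log lines into the 135/tcp, 4444/tcp, 69/udp stages per source/target pair. The log format, the stage table and the sample addresses are all constructed assumptions of the example.

```python
"""Correlate connection-log lines into the Blaster infection sequence.

Added example (not from the ISC diary or this thread). Reads simple
flow-log lines in a constructed format and flags SOURCE -> TARGET pairs
that show 135/tcp, then 4444/tcp, then TARGET -> SOURCE on 69/udp (tftp).
"""
import re
from collections import defaultdict

# Constructed log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Stages in order: (proto, dport, direction). "fwd" is SOURCE -> TARGET,
# "back" is TARGET -> SOURCE (the tftp get issued through the 4444 shell).
STAGES = (("tcp", 135, "fwd"), ("tcp", 4444, "fwd"), ("udp", 69, "back"))


def parse_line(line):
    """Return (ts, proto, src, dst, dport) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (int(m["ts"]), m["proto"], m["src"], m["dst"], int(m["dport"]))


def find_infections(lines):
    """Return (hits, probes). hits: (source, target) pairs that completed all
    stages in order. probes: pairs that only got part way (e.g. a bare 135
    scan), which are still worth a look."""
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    progress = defaultdict(int)  # (source, target) -> index of next stage
    for _ts, proto, src, dst, dport in records:
        # A record may advance either orientation of the address pair.
        for pair in ((src, dst), (dst, src)):
            stage = progress[pair]
            if stage >= len(STAGES):
                continue
            want_proto, want_port, direction = STAGES[stage]
            expected = pair if direction == "fwd" else (pair[1], pair[0])
            if (proto, dport, (src, dst)) == (want_proto, want_port, expected):
                progress[pair] = stage + 1
    hits = [p for p, s in progress.items() if s == len(STAGES)]
    probes = [p for p, s in progress.items() if 0 < s < len(STAGES)]
    return hits, probes


# Constructed sample: one full infection of 10.0.0.9 from 10.0.0.5, one
# bare 135 scan from 10.0.0.7, unrelated web traffic, and a junk line.
SAMPLE_LOG = """\
1 tcp 10.0.0.5:1234 -> 10.0.0.9:135
2 tcp 10.0.0.5:1235 -> 10.0.0.9:4444
3 udp 10.0.0.9:1026 -> 10.0.0.5:69
4 tcp 10.0.0.7:2000 -> 10.0.0.9:135
5 tcp 10.0.0.8:4000 -> 10.0.0.9:80
not a log line
""".splitlines()

if __name__ == "__main__":
    hits, probes = find_infections(SAMPLE_LOG)
    for src, dst in hits:
        print(f"INFECTION SEQUENCE: {src} -> {dst}")
    for src, dst in probes:
        print(f"partial sequence (scan?): {src} -> {dst}")
```

Because the worm varies the tftp server and the shell port is fixed, a sequence that stops at stage two on a real network is still a strong sign the 135 exploit landed, so the probes list should not be discarded.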
     
  12. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    ;) Removal tool f/MSBLAST.EXE worm available:

    "...Based on the number of submissions received from customers and based on information from the Symantec's Deepsight Threat Management System, Symantec Security Response has upgraded this threat to a Category 4 from a Category 3 threat..."
    Symantec has developed a removal tool for the MSBLAST.EXE worm:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    (For complete detail, use the link posted above).
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    newby question - does this apply to people using irc?
     
  14. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    This only applies if you're running an operating system with an NT kernel, and you're not running a properly configured firewall.

    IRC has no direct link to this, but part of the worm does act as a trojan so if you are on irc while infected they could take control over your computer. You don't even have to be on IRC, just some random scans.
     
  15. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...update from the Internet Storm Center:

    http://isc.sans.org/diary.html?date=2003-08-11
    Updated August 12th 2003 11:26 EDT
    "...
    Removal and Eradication:
    - Once you are infected, we highly recommend a complete rebuild of the site. As there have been a number of irc bots using the exploit for a few weeks now, it is possible that your system was already infected with one of the prior exploits. Do not connect an unpatched machine to a network.
    - If you can not do this and/or the computer resides on a protected or non-Internet connected network, then several Anti-Virus Vendors have supplied tools to assist in removing the worm. However, these tools can not clean-up damage from other RPC DCOM malware such as the recent sdbot irc bots..."


    (For complete detail, use the link provided above).
     
  16. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :eek: Hi guys!

    I am running on a totally obsolete OS aka Win98se, therefore there are no patches for this threat??

    There is no mention of it in the MS Bulletin.

    I have ZA Free firewall set at its highest "stealth" setting. I have recorded hits by RPC on Port 135, all of which were blocked. I checked all the other ports listed above with a filter. No hits on any of them (except Port 137 by Netbios Nameservice).

    Any ideas or suggestions?? I will be upgrading to XP in a few months. In the meantime, what can I do?

    TIA from Larry :)
     
  17. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    You very likely don't even have port 135 listening, but 9x does have DCOM; however, the exploit is only for NT systems anyway. Here is a program to see which ports you have listening.
    TCP View (Yes it does work on 9x, but might not show which application is listening)

    Just keep running your firewall, and don't use an internet connection without a firewall properly configured. When you upgrade to XP, you can enable the ICF (Internet Connection Firewall), which is a basic inbound firewall that will protect you until you configure another firewall program that allows for more custom configurations.
     
  18. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    ah, I left an important word outta my last post; I mean "only" on irc cause I don't use it.. anyway ffs checking windows update even though my sygate seems properly configured :)
     
  19. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    ;) Hi BlitzenZeus!

    Seems I have the wrong RPC thread. My apologies. Thanks for the info and the free TCPview.


    Best regards from Larry :)
     
  20. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :eek: FYI...updates:

    - Microsoft INFO...
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp
    "PSS Security Response Team Alert - New Worm: W32.Blaster.worm
    SEVERITY: CRITICAL
    DATE: Updated August 12, 2003
    PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition...
    Date discovered: August 11, 2003. Customers who had previously applied the security patch MS03-026 are protected. To determine if the virus is present on your machine see the technical details...
    IMPACT OF ATTACK:
    Spread through open RPC ports. Customer's machine gets re-booted or the file "msblast.exe" exists on customer's system..."

    (For complete detail, use the link posted above).

    ---------------------------------------

    - Other notes:
    Increase in Port 53 probes:
    DNS. Hackers/crackers may be attempting to do zone transfers (TCP), to spoof DNS (UDP), or even hide other traffic since port 53 is frequently neither filtered nor logged by firewalls.
     
  21. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  22. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :( FYI...from the Internet Storm Center:

    Blaster Worm Update
    Updated August 14th 2003 08:30 EDT
    http://isc.sans.org/diary.html?date=2003-08-14
    "- Summary
    At this point, the Internet Storm Center is tracking in excess of 150,000 machines infected with the Blaster worm. The total number of infected machines is suspected to be significantly higher.
    -Variants
    As of yesterday (Aug. 13th), anti virus vendors found two variants of blaster. At this point, neither variant behaves dramatically differently and neither variant is as widespread as the original msblaster version. However, note that these variants use different file names and registry key entries.
    - Cleanup
    Cleanup of infected machines is proceeding slowly. We strongly recommend a complete rebuild of infected machines. The RPC DCOM vulnerability has been used by widespread attack tools for over two weeks before blaster was released. Current virus removal tools will only remove the blaster worm and a few versions of the tools used prior to blaster. Even if you remove the exploit code, you may still be left with backdoors installed by one of the massrooter exploits.
    - Infrastructure Impact
    At this point, no widespread internet connectivity issues are associated to blaster. However, on Saturday, blaster infected machines will launch a DDOS attack against Microsoft update site. As a result, networks with large numbers of infected hosts may experience problems..."
     
  23. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  24. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :eek: Multiple e-mails have been received from Microsoft (latest sent: Fri 8/15/2003 6:02 AM)
    -Subject- Actions for the Blaster Worm - Special Edition:

    - Begins:
    "It is very important that you check the Security site regularly
    for the most recent news: http://go.microsoft.com/?linkid=220931 ..."
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the info I got this morning from MS it said the win9X series are not vulnerable and can do with only a firewall well configured as ever?
    In an earlier email (think from Kaspersky) it was advised to block all incoming and outbound traffic for 69, 135, 445, 4444 (I did both TCP and UDP) and I don't know if it would be a good idea to block outbound traffic for 53 for that spoofing as you posted above?
     