RPC DCOM Worm On The Loose

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

Linux

[Anonymous Coward]

If you have Linux, then just ignore this article.

Re:I have already patched my entire network.

[Anonymous Coward]

Your fire wall is all very well unitl someone inside your network dials up on a modem or connects an infected laptop. Then you're screwed.

Re:I have already patched my entire network.

[Anonymous Coward]

I'm afraid you have a false sense of security. A firewall is only part of the solution.

A complete solution includes patching your systems and deploying IDS systems. Still, this is only part of a complete security solution.

Firewalls *may* not protect you here

[venom600]

Everybody keeps posting that they have this or that port blocked on their firewall, so they're safe. Not so. All it takes is one person inside your network to open the wrong file attachment, or one laptop that went outside the network and then came back in to infect your internal network.

Re:Great

[ciroknight]

Yes it will work, I know from experience. My community here in berea has been pretty slammed by this worm, and I've been telling everyone to just firewall off all the ports they dont use. It seems the virus can only connect on ports 135/445 though, so still no worries here. I've been running zonealarm, a great firewall for windows users, to help solve my problem.

Re:Firewalls *may* not protect you here

[venom600]

This still doesn't protect you from a 'user' clicking on a file attachment that they should not have and infecting the local box. If your local firewall is limiting outbound traffic as well, then great. At least you won't spread the disease.

Honestly though, if you've taken the time to put firewall rules in place on each individual box, why not just patch each one while you're at it?

Egress Filtering

[ThatDamnMurphyGuy]

I've said it before, and I'll say it again.

While there is no excuse for not updating your systems, some people can't do so because of business policy reasons (non-tested patches against business critical systems).

EVERYONE with a server on the internet should also have Egress filtering in place. 486 mahcines are cheap. Unix/Linux firewalls are free. On the off chance you do get the M$ IS$ Worm of the week, at least your server can't initiate an outgoing connection to download more code and move on to the next system.

Re:I have already patched my entire network.

[Eberlin]

I have a theory about that -- maybe unix admins are built around the concept of getting the job done while MS admins are built around the concept of diplomacy for when things blow up.

I've seen MS-based sysadmins click through warnings and error messages like it's all acceptable. Then when things go boom, they come up with something like "the system is down for routine maintenance." And management takes it at face value because the servers go down more times than (insert crude comment here)...well, you get the picture.

There are plumbers and there are diplomats. I wouldn't be surprised if MCSE's have to pass a test on spin-doctoring.

Re:On the way?

[Sethb]

If any Windows shops actually get hit hard by this, the Sysadmins need to be reprimanded or fired. My Co-Worker and I manage about 375 PCs at a University which has no firewall, though the NetBIOS ports are blocked at the border router.

You should have had auto-updates turned on for your boxes and/or been using SUS server to push these kind of updates out. We had autoupdates on, and then when the free scanner tool from eeye.com came out last week, we used that to scan the rest of our machines to identify any that didn't get the patch yet (not everyone has bene migrated into our domain yet, and there are some rogue NT 4 boxes around still).

As a result, we had everything reasonbly secure last Monday, and AFAIK there are no vulnerable machines on any of our subnets, according to my scans.

So, uh, what were you other Windows admins doing when you should have been doing your job?

Re:This is just sick.

[The Bungi]

That fix has been there for almost a month. So... shut up, please. There's nothing worse than going off on a "OMG, M$ suxx is teh gahyest!!1!!" rant when you're just plain wrong.

Good

[imsabbel]

I really like the fact that the worm crashed my xp. Because i noticed at once something is wrong. And it keep crashing 1-5min after login into the net, so there war little chance for anyone to really use the exploit (thx to dynamic ip).

Cant imagine how much more packets would be flying around if all those crashing machines would be spamming the worm right now....

firewall = good

[mmuskratt]

if you read /., don't run a firewall, and then complain about M$, all i have to say is, "phtttbht." linux needs patching, unix needs patching, M$ needs patching...but this worm would not propagate with a properly configured firewall in place, making the security patch a little less critical.

the fact that people are getting hit with this worm indicates that there is simply not enough education about computer security out there, or that there is too much laziness from both consumers and software licensing companies.

this worm is not an issue to people with the correct closed ports...

Re:users being hit hard

[Keeper]

I think it's pretty irresponsible of them not to allow the autoupdate really...

That's like stealing a car, bring it back to the car dealership to get a warantee issue fixed, and then acting all miffed when they call the cops on you.

If you steal something, don't expect the company you stole from to treat you like a customer.

Re:I have already patched my entire network.

[SCHecklerX]

Yup, that firewall is going to do all kinds of good when a sales droid connects their (company owned) laptop to your private network after having had it connected to the raw Internet via dialup or broadband, or after they received mail from their personal ISP and, of course, ran every attachment under the sun.

Firewall != security.

Re:users being hit hard

[Keeper]

No it isn't. Because the dealership would still call the cops and bust you, and the dumb theif would still be wondering "wtf"? As a result the smart theif would still be driving around in a dangerous vehicle (though in reality they'd probably ditch it and steal something else).

A thief is a thief. They're responsible for their own actions. You can make all of the arguments you want about how software should be free, or how overpriced it is, or whatever -- but at the end of the day you've still got a person who decided to steal it instead of pay for it.

One of the consequences of that action is that they now have a machine they can't patch, which poses a risk to all of the other unpatched machines in existance. I feel no pitty for the thief, and very little pitty for the person who didn't keep their system up to date (which takes no effort with the way windows update works these days).

Re:Great

[PigeonGB]

I use GNU/Linux to solve my problem. B-)

Re:On the way?

[Loki_1929]

"My Co-Worker and I manage about 375 PCs at a University which has no firewall,"
"the Sysadmins need to be ... fired."

"You should have had auto-updates turned on for your boxes"
"the Sysadmins need to be ... fired."

"We had autoupdates on,"
"the Sysadmins need to be ... fired."

Reasonable boarder security, strict firewall rules, roll-over security, implementing patchs and updates after they've been tested within a "sandbox" or other non-production machine, and constant security/threat analysis - these are the building blocks to a secure and operational infrastructure; not turning on "auto-update" for all your windows boxes. That's absolutely ridiculous. Next time a faulty patch comes down the line, it's going to take down some, most, or even all of your machines. I can remember Microsoft security patches causing anything from network connection problems to out-right system corruption requiring repair/reinstallation of the OS. Be very careful throwing stones at other admins when your own procedures are just plain laughable.

"So, uh, what were you other Windows admins doing when you should have been doing your job?"

Where was I? Reviewing the procedures I have in place to ensure that this type of vulnerablity never touches anything that would be vulnerable to it, and ensuring that all critical systems are buffered in case of internal infection through user stupidity. Where was I? Doing my job, correctly.

Re:On the way?

[Sethb]

The lack of firewall on our campus is out of my hands, that's above me, at the Network Services level. We're one of the three public universities in the state, and none of them have firewalls. Believe me, we've asked for it, and have been repeatedly told that it's a matter of policy for us to be "open". I'm not saying I agree with that policy, but we have a distributed support model, and I have no control over it. So why should I be fired for that?

As for auto-updates, ideally you're going to want to use SUS, (which I also mentioned in my reply, and you ignored in an attempt to make me look dumb) but the reality is a lot of Universities and small-businesses don't even have a Domain in place for their users, much less something as sophisticated as SUS or SMS. I'd much rather take my chance on some patch causing some minor problems, than have machines sit for YEARS without any patches being applied, as is the case without auto-update. Use SUS for machines in a domain, where you can actually start applying group policy, but if you've got a machine stuck in some dark, damp, grad student office in the basement, that you maybe will see once every 2-3 years, at least try to get Auto-Update turned on.

As for AutoUpdates breaking things, sure, it could happen. But I'd rather suffer a random broken application than be rooted. I'd much rather have machines booted off the network from a borked net driver than being used for a DDoS attack.

Please provide for me an example of Microsoft patch provided in the Critical Updates section of Windows Update that has rendered 100% of systems inoperable or required a reinstalltion of the OS at any time in the last 18 months.

And, I was referring to the Sysadmins who hadn't done ANYTHING, and there are several. I asked my wife if they'd done anything at the Ad Agency she works at. They haven't. There are a large number of posts on Slashdot from people running Windows who didn't even know that the vulnerability existed before today. Those are the people I take issue with, people who said "Oh, the firewall will protect us" or "Oh, I'll run WindowsUpdate the next time I happen to be at one of those machines" or "I don't feel like installing those patches that the system tray is telling me to install right now".

Re:Great

[letxa2000]

Well, it's happening. I know a major university in Mexico has gotten hit. My sister-in-law was noting major instability in her system until she disconnected it from the network (in a moment of brillance, considering she's not a computer wizard) and rebooted. She reported it worked fine without the network connected, but with the network connected all kinds of instability.

A friend of mine in San Antonio--also not a computer wizard--who works from home over a cable modem also was hit early in the day. Her computer was rebooting every 5 minutes or so. She couldn't even stay online long enough to get an IM conversation--she eventually called me on the phone and asked what I thought. I hadn't heard about the virus yet so I told her that her Windows had either gone unstable and she'd probably have to reinstall Windows, or she had been hit by a virus and also might have to reinstall Windows.

Then I read about this. So I don't know exactly who is or isn't affected, nor if there's some other way the worm can get loosed in a local network (I assume the university in Mexico has a firewall!), but it's definitely causing problems for many mortals. :)

I am happily running Linux behind a wirewall, though, so I just get to watch and grin at the hidden message left by the virus writer. "Billy gates why do you let this happen? Stop making money and fix your software." :)

Can businesses afford to deploy Linux with the SCO "threat"? My question is: Cant they afford NOT to? :)

Re:Great

[Bartmoss]

It will work until some idiotic user connetcs his company-owned notebook computer to your network - since it's unpatched, he got infected last night at home.

Re:firewall = good

[wik]

Sure. How about people who bring their laptops in and plug them into the wired network? Okay, let's DMZ them. Now, how do they get to the corporate network?

If your answer is "they don't", then you've effectively taken away the reason for having a network in the first place. If your answer is VPN, then you've left a gaping tunnel from the outside, through your firewall.

My point is not that firewalls are only one piece of the security plan, but they cannot solve everything.