RPC DCOM Worm On The Loose
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
Port 4444 (Score:1, Interesting)
this vunerability... (Score:5, Interesting)
It's quick to crash the machine (apparently) as the remote becomes unusable (pingable though).
It's actually pretty nasty from what I have seen... I just wonder how effective the worm will be when the machine becomes unresponsive after a few commands?
Perhaps it won't spread as fast as others because of this problem? I suppose we can hope.
Re:users being hit hard (Score:5, Interesting)
Agreed (Score:2, Interesting)
SP3? (Score:4, Interesting)
Re:I have already patched my entire network. (Score:3, Interesting)
He was monkeying around on his RH8 box, was having network issues and set up the box as the DMZ host on the firewall. Later he rebooted to Win2k (on the same system, set up for the same IP). His entire network got hit with Slammer because of this. It took him the better part of a week to fix all of his boxes afterwards.
As others have said, a firewall is only part of the solution. Shutting down non-essential services/daemons, keeping up to date on patches, and in general knowing what the hell you're doing are other parts of the solution.
Slashdot saves my girlfriend! (Score:5, Interesting)
This is just sick. (Score:1, Interesting)
I have WinXP SP1 installed, with all the updates and critical security fixes installed. I just go look here and I see that there are 21 extra updates I should install. All of them are remote exploits as well.
I will say that I am surprised, I thought I had been staying up-to-date. I don't do Windows server administration, so I didn't know about these. I use Windows for my desktop, naturally. But I really don't understand why they don't go ahead and put this crap on Windows Update? Are they afraid of the bad press? Everyone and their goldfish knows that MS is insecure anyway, they may as well put it there.
Bleh. Why didn't
freedce - DCE RPC for Linux (Score:5, Interesting)
this one is nice too..... (Score:1, Interesting)
it is worth reading.......
Re:I have already patched my entire network. (Score:3, Interesting)
Saved by a penguin (Score:1, Interesting)
What happens to your computer if you get this worm? My friend's XP box just went flaky; when you boot it up it says it has some kind of RPC problem, then shuts down after some 30 seconds.
I asked another friend of mine if you could just put the recovery CD in and reinstall the OS, but he wasn't willing to take a chance hosing his data.
Anyway I'm headed up to his place later today with Knoppix in hand to burn him some CDs of his data so he can do a reinstall. He is freaking out since all of his invoices are on that computer and supposed to go out tomorrow. Gotta love that Knoppix!
Re:Egress Filtering (Score:4, Interesting)
Re:Worse (Score:3, Interesting)
No, but slashdot sometimes blocks us because some corporate loser does something stupid. Then I have to change which proxy I use....
Anyway, due to the virus, I am really glad I am not working today, but I have had to send the msblast.exe to our virus reporting team, etc.
Re:Increase in TCP 135 Activity (Score:3, Interesting)
Re:users being hit hard (Score:2, Interesting)
Our Fix for our Cable ISP (Score:3, Interesting)
Step 2. Unplug Cable Modem.
Step 3. Start up PC
Step 4. Click Start -> Settings -> Control Panel
Step 5. Double Click Network Connections
Step 6. Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1
Step 7. Select Properties
Step 8. Click the Advanced Tab
Step 9. Enable the Windows XP Firewall
Step 10. Click OK, Close out of open windows.
Step 11. Plug in the Cable Modem.
Step 12. Ensure Block Sync is established.
Step 13. Open Internet Explorer
Step 14. Go to the following URL: http://www.microsoft.com/technet/default.asp
Ste
Step 16. Scroll Down Page about half way to Patch Availability
Step 17. Click Windows XP 32 bit Edition
Step 18. Click Download in the upper right of the screen.
Step 19. Save the file to the desktop
Step 20. Run the downloaded file.
Step 21. The patch will install and prompt the customer to reboot.
Step 22. Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled
Re:I have already patched my entire network. (Score:2, Interesting)
Yes yes, I was once a smarmy know-it-all just like you, smugly thumbing my nose at the poor suckers who didn't know about complex technology like "firewalls" and whatnot to protect themselves from evil worms. Then my computer-illiterate (now ex-) girlfriend downloaded an attachment from her Hotmail account and ran it manually... and that was the end of that.
So why did it *ever* listen to 445 by default? (Score:3, Interesting)
"Uh, WTF is SVCHOST.EXE, and why the fuck does it always bind itself to 445, and how can I make it stop doing that? I don't know what it's listening for, but I know that for what I'm using this box for, I don't need it, so why can't I disable the offending process?"
- Me, the first time I played with a W2K box.
"So SVCHOST does too much stuff to just kill it, but how can I at least stop it from binding to 445? I know I'm not doing anything on that port, and therefore don't want any process listening for data sent to it. Period."
- Me, after 5 minutes of trivial research.
"Crap, it looks like there's no way to stop SVCHOST from listening to 445. Guess I'd better install my favorite cheap-azz third-party software firewall and block it there. Once I've done so, I don't give a damn if SVCHOST still listens to 445, because unless there's a buffer 'sploit in the firewall software itself, SVCHOST won't get any of the traffic anyways."
- Me, after 5 more minutes.
"I knew this was gonna happen."
- Me, when I read about the DCOM hole last month.
Security is a process, not a product. The process is "Everything is forbidden except what is permitted. Run no services other than the bare minimum required to get the box to bring up a GUI. Run no services that listen to any network traffic unless explicitly started by the user."
Insecurity is a product, not a process. The product is "DCOM should be on by default because pointy-haired bosses won't be able to do $NEW_OFFICE_SUITE_FEATURE without it, nobody buys the OS for anything other than running Office and Outleak."
Repeat ad nauseam with IIS on/enabled by default (CodeRed), the ActiveX/scripting settings for MSIE (Drive-by downloads), the out-of-the-box UPnP vulnerability (port 1900), popup "spam" (port 135), etc.
Basically, every time M$ has the choice between security (Built shiny thing. Disable by default and have applications respond with an error message telling users how to turn shiny thing on if and only if the shiny thing is required by some user action), and stupidity (Oooooh, shiny thing! Enable by default and assume there are no bugs in the code anywhere!), Bill and friends have chosen stupidity.
Re:users being hit hard (Score:3, Interesting)
Bug/Feature?? (Score:4, Interesting)
Re:users being hit hard (Score:2, Interesting)
I think it's pretty irresponsible of them not to allow the autoupdate really...the problem is they've created a monopoly in the home OS market, so people will pirate it, and they have a seriously flawed product, so there's no way around having a large number of flaws floating around in the uninformed general public.
Disclaimer: I do not have a pirated copy of XP. I have a licenced version because my university made a deal with microsoft and it was free, but I use my powerbook for anything serious. Even with the autoupdate patching my system every week I still don't trust that box for anything more important than games.
Re:I have already patched my entire network. (Score:5, Interesting)
Oh, I know that, and you know that, but it's funny to watch people trying to install root-kits, or add new users. You want to shake them, and ask them - what are you doing - you're root already.. :) .bash_history | grep \: | grep ftp
But once they realise they can't install their IRC bots or floodping people, they get bored.
Oh, and why do people try and ftp to their own servers from that box?
grep \@
Doh.
Re:I saw it happen LIVE! (Score:1, Interesting)
It's always more convenient to blame Msft than to properly administer a system. Seriously, how difficult is windowsupdate?
I always love these attacks (Score:3, Interesting)
I'm only KIDDING, jeez!
Block TCP 4444 and TFTP = UDP 69 at Routers (Score:4, Interesting)
That's not generic advice for the DCOM bug - for that you'll need to catch whichever of the MS ports are being abused this week. But it's guesswork advice for this particular instantiation of a worm that's exploiting it so you can at least slow down this one and isolate damage, and work on patching the actual holes in Windows so that you can prevent next week's worm that uses the same bug but some other inter-worm communication path from getting in.
At least on the couple of machines I've looked at, TCP 4444 isn't used for anything (there's a UDP 4444 used for Kerberos 4-to-5 conversion or something.) TFTP gets used for things like uploading operating system versions to diskless PCs and routers, and still isn't something you should be accepting from the outside world, and for the most part (YMMV) is only used by administrators who are better off stomping worms first and upgrading routerware later. The Microsoft ports are used by all kinds of Microsoft applications - you almost certainly should be blocking them to and from the outside world, but whether to block them inside your internal nets, and where, is a decision you'll need to make based on how much of which MS network products you're actually using. (e.g. you don't want to kill all your thin-client PCs by killing off their mounts of the file servers - but you also don't want them infecting each other.)
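The chain the summary at the top describes (attacker hits TCP/135, attacker talks to the spawned shell on TCP/4444, victim pulls the binary back over tftp, UDP/69) can be turned into detection logic over firewall logs, which is the other half of the "block 4444 and 69 at the router" advice above: knowing which internal hosts already did it. This is an added example, not code from this thread or from the Internet Storm Center; the log format is a constructed generic one and the sample lines are made up.

```python
"""Spot Blaster-style activity in firewall logs.

Added example; not code from the original thread or from the Internet
Storm Center. The log format is a constructed generic one:
    <epoch> <TCP|UDP> <src>:<sport> -> <dst>:<dport> <ACCEPT|DROP>
The infection chain looked for is the one described in the summary:
attacker -> victim TCP/135, attacker -> victim TCP/4444, then the victim
fetching the binary from the attacker over UDP/69 (tftp).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$"
)


def parse(lines):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({
                "ts": int(d["ts"]), "proto": d["proto"],
                "src": d["src"], "dst": d["dst"],
                "dport": int(d["dport"]), "action": d["action"],
            })
    return events


def find_scanners(events, min_targets=8):
    """Sources probing TCP/135 on many distinct hosts, dropped or not."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            targets[e["src"]].add(e["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_infection_chains(events, window=300):
    """(attacker, victim) pairs showing 135 -> 4444 -> reverse tftp, every
    leg accepted and each within `window` seconds of the previous one."""
    seen_135 = {}   # (attacker, victim) -> ts of accepted 135 connection
    seen_4444 = {}  # (attacker, victim) -> ts of accepted 4444 connection
    chains = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "ACCEPT":
            continue
        pair = (e["src"], e["dst"])
        if e["proto"] == "TCP" and e["dport"] == 135:
            seen_135[pair] = e["ts"]
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            if pair in seen_135 and e["ts"] - seen_135[pair] <= window:
                seen_4444[pair] = e["ts"]
        elif e["proto"] == "UDP" and e["dport"] == 69:
            rev = (e["dst"], e["src"])  # tftp runs victim -> attacker
            if rev in seen_4444 and e["ts"] - seen_4444[rev] <= window:
                chains.add(rev)
    return chains


def analyze(lines):
    events = parse(lines)
    return {"scanners": find_scanners(events),
            "chains": find_infection_chains(events)}


# Constructed sample, not captured traffic.
SAMPLE_LOG = [
    *[f"{1000 + i} TCP 10.0.0.5:{3000 + i} -> 10.0.1.{i}:135 DROP" for i in range(1, 10)],
    "1010 TCP 10.0.0.5:3010 -> 10.0.1.10:135 ACCEPT",
    "1012 TCP 10.0.0.5:3011 -> 10.0.1.10:4444 ACCEPT",
    "1015 UDP 10.0.1.10:1027 -> 10.0.0.5:69 ACCEPT",
    # a lone endpoint-mapper lookup with no follow-up: not flagged
    "1020 TCP 10.0.0.9:1500 -> 10.0.2.2:135 ACCEPT",
    # tftp with no preceding 4444 shell (say, a router image upload): not flagged
    "1030 UDP 10.0.3.3:2000 -> 10.0.3.1:69 ACCEPT",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("scanning sources:", sorted(result["scanners"]))
    for attacker, victim in sorted(result["chains"]):
        print(f"likely infection: {attacker} -> {victim}")
```

The scanner rule counts dropped probes as well, since a host sweeping 135 across a subnet is worth a look whether or not the perimeter let anything through; the chain rule wants all three legs accepted, which is exactly what blocking 4444 and 69 at the router denies this particular worm, and why it says nothing about next week's variant that picks a different pair of ports.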
Windoze Auto update doesn't necessarily work! (Score:3, Interesting)
-----------------
Date: Wed, 30 Jul 2003 17:09:14 -0500
From: "Schmehl, Paul L" (email address removed)
Subject: [Full-Disclosure] Patching networks redux
For all those experts who have mastered patching your networks, please ignore this post.
For the rest of you, testing has shown that some patch management tools are incorrectly reporting that MS03-026 is installed when it's not (notably Windows Update and Update Expert, among others.) The accuracy of the tool depends on how they check for the patch level. If they check the registry (like Windows Update and Update Expert do) they will *incorrectly* report that MS03-026 has been installed when in fact the files have not been updated. If they do MD5 checksums (like Hfnetchk or MBSA), they will correctly report the patch level.
The Retina tool from eEye (and I would assume the IIS commandline tool as well) is correctly reporting what *is* patched and what is *not* patched, so you need to rely on those to give you accurate information. You could actually have users going to Windows Update and finding no patches available when in fact they are still vulnerable. You could also have users for whom you've pushed out the patch who have overwritten the files with older versions, yet your tools are reporting them as patched.
Of course the experts never have these problems, but for the mere mortals, caveat emptor.
Paul Schmehl (email address removed)
Adjunct Information Security Officer
The University of Texas at Dallas
-----------------
http://www.ntbugtraq.com/def
MS03-026 - are you patched? Windows Update isn't sure!
FYI, it is worth reminding people that some patch checking tools don't do a complete check. Windows Update doesn't check files, and it would seem that other products have problems also.
Some tools only check for the presence of a registry key indicating that a hotfix was applied. Other tools, such as Shavlik's HFNetchk and MBSA (and others) actually check file details, including a checksum, to verify that the files in play are actually the right versions.
I was speaking with Jeff.t.Parker @ hp.com about this issue. His observations confirm this (see below). If patched files are reverted to previous versions, for whatever reason, Windows Update and (at least in this case) Update Expert (and possibly other such tools) will incorrectly assert you have the patch applied when in fact you don't.
He wrote in to advise that Update Expert (v6.0 build 6069) is giving erroneous results at least in some cases. After applying SP4 concurrently with MS03-026 (using Update Expert), Jeff noticed some interesting results. The resulting versions of the files contained in MS03-026 on some machines were;
5.0.2195.6692 ole32.dll
5.0.2195.6701 rpcrt4.dll
5.0.2195.6702 rpcss.dll
This led to Windows Update and Update Expert both reporting that the systems had MS03-026 applied (wrong). MBSA and eEye's Retina both said the systems *did not* have MS03-026 applied (right).
While this may be a problem with the way Update Expert deploys Service Pack + Hotfix combinations, it also demonstrates the problem Windows Update has by not being able to examine file details (relying only on registry entries).
How many systems are out there now who believe they have MS03-026 applied, can't get it offered to them from Windows Update, but in fact don't have it applied at all??
Cheers, Russ - NTBugtraq Editor
-----------------------
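The two quoted posts describe the same failure from two sides: a tool that keys on a registry entry says "patched", a tool that compares the replaced files says "not patched". The following added example (not code from either post, nor from MBSA, HFNetChk, Retina or Update Expert) models both checks side by side over constructed host data so the disagreement cases stand out. The hotfix key name is assumed to follow the bulletin's KB number, 823980; the minimum file versions are placeholders, not values taken from the bulletin.

```python
"""Registry-key hotfix check versus file-version check for MS03-026.

Added example; not code from the NTBugtraq or Full-Disclosure posts quoted
above. Host data are constructed dicts standing in for a registry read and
a directory listing. The minimum file versions are hypothetical
placeholders: take the real ones from the bulletin's file manifest before
using this shape for anything.
"""

# Assumed: the hotfix key a registry-only checker looks for, named after
# the bulletin's KB number. Its location in the registry is not modelled.
HOTFIX_KEY = "KB823980"

# Hypothetical minimum versions for the three files the bulletin replaces.
# Anything older than these counts as unpatched.
REQUIRED = {
    "ole32.dll": "5.0.2195.6800",
    "rpcrt4.dll": "5.0.2195.6800",
    "rpcss.dll": "5.0.2195.6800",
}


def parse_version(text):
    """'5.0.2195.6692' -> (5, 0, 2195, 6692). Tuples compare field by
    field; a plain string comparison would rank '999' above '6800'."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad file version: {text!r}")
    return tuple(int(p) for p in parts)


def registry_says_patched(host, key=HOTFIX_KEY):
    """The Windows Update / Update Expert approach: trust the hotfix key."""
    return key in host["hotfix_keys"]


def stale_files(host, required=REQUIRED):
    """The HFNetChk / MBSA approach: inspect every file the hotfix replaces.
    Returns {filename: version_found} for files missing or too old;
    an empty dict means all files are current."""
    stale = {}
    for name, minimum in required.items():
        found = host["files"].get(name)
        if found is None or parse_version(found) < parse_version(minimum):
            stale[name] = found
    return stale


def audit(hosts):
    """Run both checks per host and label where they disagree."""
    report = {}
    for hostname, host in hosts.items():
        key_present = registry_says_patched(host)
        stale = stale_files(host)
        if key_present and stale:
            verdict = "FALSE POSITIVE: hotfix key present, files stale"
        elif key_present:
            verdict = "patched"
        elif stale:
            verdict = "unpatched"
        else:
            verdict = "files current, key missing"
        report[hostname] = (verdict, stale)
    return report


# Constructed hosts. ws1 carries the exact file versions reported in the
# post: hotfix key written by the installer, files rolled back by SP4.
HOSTS = {
    "ws1": {"hotfix_keys": {"KB823980"},
            "files": {"ole32.dll": "5.0.2195.6692",
                      "rpcrt4.dll": "5.0.2195.6701",
                      "rpcss.dll": "5.0.2195.6702"}},
    "ws2": {"hotfix_keys": {"KB823980"},
            "files": {"ole32.dll": "5.0.2195.6800",
                      "rpcrt4.dll": "5.0.2195.6805",
                      "rpcss.dll": "5.0.2195.6800"}},
    "ws3": {"hotfix_keys": set(),
            "files": {"ole32.dll": "5.0.2195.6692",
                      "rpcrt4.dll": "5.0.2195.6701"}},
}

if __name__ == "__main__":
    for hostname, (verdict, stale) in sorted(audit(HOSTS).items()):
        print(f"{hostname}: {verdict}", stale or "")
```

The fourth verdict ("files current, key missing") is the mirror image of the problem in the posts: a host that is actually safe but which registry-driven tools will keep offering the patch to. Either way, the file check is the one to trust, and the registry key is at best a hint about what the installer once did.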
Re:users being hit hard (Score:2, Interesting)
pay attention, son... (Score:3, Interesting)
Pre-SP3:
spam popups every day; port 135 wide open, DCOM blazing away
Post-SP3:
no popups; port 135 still wide open, but not much there because DCOM is now DISABLED.
Like I said: it's just a "junk box" I setup the other day because the power supply died in my "good" server box. I haven't installed the googleplex of win2k patches because I don't think it's worth it - I'm only using it temporarily and if it gets hit I'll reinstall the OS (or stick a freesco floppy in the drive and reboot). This is just something I noticed when I read today's "warning" and went into that machine to disable the offending service.
DSL Users beware... (Score:5, Interesting)
She complained that her computer was shutting down all day - get this, I don't have any ports enabled on my router - it's closed tighter than a duck's ass.
So, I'm sitting there, and she decides to turn her machine back on - a few minutes later....BAM...my whole DSL network goes down.
So, not making the cause and effect connection, I call my local phone company. They are able to ping my DSL modem. So they go through the motions, and get me to hook up my XP machine to the network directly through the DSL modem...friggin' brilliant. I hook it up, and
I then check my Linksys router - everything on it is reset to the defaults...everything. No PPPoE settings, no password [it's set to the default] - nada, nothing, zip.
I reset everything, and up comes my network - that's when I browse on over to
I also look for the registry entry to restart the worm - but don't find it (so far, so good). I delete the scratch file ok, but the msblast.exe file will not delete (the system says the wheel user isn't authorized - what kind of Mickey-Mouse operating system is this!!?)
I want to know:
1. how to clean this up?
2. how the hell did this thing ZAP my Linksys with all the ports disabled?
3. where the hell can I get my $99 back for this bogus operating system?
Re:Stanford and Cal hit hard by RPC exploit! (Score:2, Interesting)
I suppose all it takes is a single infected laptop connected behind the router to render port blocking moot, though... At least it gave administrators of the various department networks a chance to patch their systems and mitigate damage.
Re:On the way? (Score:5, Interesting)
Patches? Well the user should take care of that, right? After all, they've got Internet Explorer, they can surely remember to visit WindowsUpdate and get patches on their own.
Oh, AntiVirus definitions? Well, our software doesn't update those automatically, you've got to click the icon and push update every month or so, but the users can do that.
None of the above is hyperbole, and were actually the standard practices as recently as 18 months ago.
Heck, doing testing? That'd require a SECOND computer for each technician! That'd cost money! We can't afford to buy TWO computers for one person, we're already splurging on 1 IT person per 500 computers! Oh, and we gave you 1 student who's slightly above minimum wage too. What more do you want?
Notepad: kills bugs dead (Score:4, Interesting)
Anyway, the one thing I found that killed them both is Notepad. Just open up the executable in Notepad, type a few random characters here and there, erase some things, mess up the file header, and then save right over the virus! They're never expecting that. Make sure to kill the virus processes first, of course, or else you'll get the infamous "access violation". (In the case of msconfig32.exe, you must use the command-line tools 'tasklist' and 'taskkill') The viruses might restore themselves if you remove them from the registry, or delete the file, but they're not expecting you to corrupt the executable. If Windows, in its infinite stupidity, tries to run the virus again, it will fail harmlessly.
P.S. I know, I know, you're wondering why I'm running an unpatched XP install on my desktop. Well, I just reinstalled, and only have dialup, and I'm going back to college in a month where there's super-broadband. Downloading 30+ MB (conservative estimate) of service packs, patches, hotfixes, and updates over dialup (not even 56k, more like 28.8) seems pointless. Besides, it's interesting seeing actual virus infections happen and fixing them myself. If anything goes horribly wrong, I have my XP cd right here to reinstall again. I'll be reinstalling and patching when I get back to a real internet connection.
It seems that it had caused a worldwide panic! (Score:2, Interesting)
I am a university student in mainland China; we connect to the internet via our university's firewall. In recent days, many computers in the local network were attacked by hackers using the RPC vulnerability. PCs which were attacked rebooted without any reason. Some displayed "scvhost.exe runtime error! The computer is going to shutdown within 60 seconds..."
Someone told me to run Dcomcnfg.exe and disable "Windows Distributed Component Object Model", which would help. I was wondering why, and if that really works. Since I have installed the patch for Windows XP, I can't check it myself.
ps: It is the first time to post reply on slashdot.org.
The worm breaks local programs too (Score:1, Interesting)
In case you get hit by this: what our program was doing was creating some classes in one (MTA) thread, using CoMarshalInterThreadInterfaceInStream to ship them over to another (STA) thread that used CoGetInterfaceAndReleaseStream to unwrap them. And suddenly CoGetInterfaceAndReleaseStream was returning null pointers!
So now I've designed a new message into our program to deal with the case when that should-never-be-NULL pointer is NULL: "The DCOM feature of Windows is not working properly. This problem may have been caused by a virus: please check your system". I hope this strikes the right balance between informing and alarming the user...
Media wises up about viruses (Score:2, Interesting)