RPC DCOM Worm On The Loose
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
I'm afraid you have a false sense of security. A firewall is only part of the solution.
A complete solution includes patching your systems and deploying IDS systems. Still, this is only part of a complete security solution.
Everybody keeps posting that they have this or that port blocked on their firewall, so they're safe. Not so. All it takes is one person inside your network to open the wrong file attachment, or one laptop that went outside the network and then came back in to infect your internal network.
Yes it will work, I know from experience. My community here in Berea has been pretty slammed by this worm, and I've been telling everyone to just firewall off all the ports they don't use. It seems the virus can only connect on ports 135/445 though, so still no worries here. I've been running ZoneAlarm, a great firewall for Windows users, to help solve my problem.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
I've said it before, and I'll say it again.
While there is no excuse for not updating your systems, some people can't do so because of business policy reasons (non-tested patches against business critical systems).
EVERYONE with a server on the internet should also have egress filtering in place. 486 machines are cheap. Unix/Linux firewalls are free. On the off chance you do get the M$ IS$ worm of the week, at least your server can't initiate an outgoing connection to download more code and move on to the next system.
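The summary at the top describes the propagation chain (inbound hit on the RPC ports, shell on 4444, tftp download) and the post above argues that egress filtering breaks the last step. The following is an added example, not code from the original thread: it parses constructed connection-log lines (the format, addresses and timestamps are all made up for the example), flags an internal host only when all three stages appear in order from the same peer, and shows that an outbound allowlist would have dropped the tftp stage. The allowlist contents are an assumption for illustration.

```python
"""Detect the three-stage propagation pattern from connection logs and
show what an egress allowlist does to the download stage.
Added example with constructed input; not from the original page."""
import re
from collections import defaultdict

# Constructed log lines (not real captures), one flow per line:
# <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <direction>
SAMPLE_LOG = """\
10:01:02 tcp 203.0.113.7:3912 -> 192.0.2.20:135 inbound
10:01:03 tcp 203.0.113.7:3915 -> 192.0.2.20:4444 inbound
10:01:04 udp 192.0.2.20:1029 -> 203.0.113.7:69 outbound
10:02:10 tcp 198.51.100.9:5021 -> 192.0.2.21:135 inbound
10:02:11 tcp 198.51.100.9:5025 -> 192.0.2.21:445 inbound
10:03:00 tcp 192.0.2.22:2201 -> 198.51.100.50:80 outbound
"""

LINE_RE = re.compile(
    r"(?P<time>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>inbound|outbound)")

# Assumed egress allowlist for the example: (proto, dst_port) pairs a server
# is permitted to initiate. Everything else outbound is dropped.
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def parse_log(text):
    """Turn the constructed log format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            f = m.groupdict()
            f["sport"] = int(f["sport"])
            f["dport"] = int(f["dport"])
            flows.append(f)
    return flows


def find_infection_chains(flows):
    """Return (internal_host, peer) pairs where the same peer hit the RPC
    ports (135/445), then connected to the shell on 4444, and then received
    an outbound tftp (udp/69) request from the host, in that time order.
    Hosts that only saw RPC-port probes are not reported."""
    first_seen = defaultdict(dict)  # (host, peer) -> {stage: earliest time}
    for f in flows:
        if f["dir"] == "inbound" and f["proto"] == "tcp" and f["dport"] in (135, 445):
            key, stage = (f["dst"], f["src"]), "rpc"
        elif f["dir"] == "inbound" and f["proto"] == "tcp" and f["dport"] == 4444:
            key, stage = (f["dst"], f["src"]), "shell"
        elif f["dir"] == "outbound" and f["proto"] == "udp" and f["dport"] == 69:
            key, stage = (f["src"], f["dst"]), "tftp"
        else:
            continue
        seen = first_seen[key]
        # HH:MM:SS strings compare correctly as text within one day
        if stage not in seen or f["time"] < seen[stage]:
            seen[stage] = f["time"]
    hits = []
    for (host, peer), seen in first_seen.items():
        if {"rpc", "shell", "tftp"} <= seen.keys() and \
                seen["rpc"] <= seen["shell"] <= seen["tftp"]:
            hits.append((host, peer))
    return sorted(hits)


def egress_allowed(flow, allow=EGRESS_ALLOW):
    """Inbound flows are out of scope here; outbound ones must be on the list."""
    return flow["dir"] != "outbound" or (flow["proto"], flow["dport"]) in allow


def blocked_outbound(flows, allow=EGRESS_ALLOW):
    """Outbound flows the allowlist would have dropped (here: the tftp fetch)."""
    return [f for f in flows if not egress_allowed(f, allow)]


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for host, peer in find_infection_chains(flows):
        print(f"full chain: {host} compromised via {peer}")
    for f in blocked_outbound(flows):
        print(f"egress would drop: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

Run against the constructed log, only 192.0.2.20 is reported (192.0.2.21 saw RPC-port connections but no shell or tftp stage), and the single dropped outbound flow is the udp/69 request, which is the step the post above says egress filtering should stop.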
I have a theory about that -- maybe unix admins are built around the concept of getting the job done while MS admins are built around the concept of diplomacy for when things blow up.
I've seen MS-based sysadmins click through warnings and error messages like it's all acceptable. Then when things go boom, they come up with something like "the system is down for routine maintenance." And management takes it at face value because the servers go down more times than (insert crude comment here)...well, you get the picture.
There are plumbers and there are diplomats. I wouldn't be surprised if MCSE's have to pass a test on spin-doctoring.
If any Windows shops actually get hit hard by this, the Sysadmins need to be reprimanded or fired. My Co-Worker and I manage about 375 PCs at a University which has no firewall, though the NetBIOS ports are blocked at the border router.
You should have had auto-updates turned on for your boxes and/or been using SUS server to push these kinds of updates out. We had autoupdates on, and then when the free scanner tool from eeye.com came out last week, we used that to scan the rest of our machines to identify any that didn't get the patch yet (not everyone has been migrated into our domain yet, and there are some rogue NT 4 boxes around still).
As a result, we had everything reasonably secure last Monday, and AFAIK there are no vulnerable machines on any of our subnets, according to my scans.
So, uh, what were you other Windows admins doing when you should have been doing your job?
When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
That fix has been there for almost a month. So... shut up, please. There's nothing worse than going off on a "OMG, M$ suxx is teh gahyest!!1!!" rant when you're just plain wrong.
if you read /., don't run a firewall, and then complain about M$, all i have to say is, "phtttbht." linux needs patching, unix needs patching, M$ needs patching...but this worm would not propagate with a properly configured firewall in place, making the security patch a little less critical.
the fact that people are getting hit with this worm indicates that there is simply not enough education about computer security out there, or that there is too much laziness from both consumers and software licensing companies.
this worm is not an issue to people with the correct closed ports...
man rtfm
I think it's pretty irresponsible of them not to allow the autoupdate really...
That's like stealing a car, bringing it back to the car dealership to get a warranty issue fixed, and then acting all miffed when they call the cops on you.
If you steal something, don't expect the company you stole from to treat you like a customer.
Firewall != security.
I use GNU/Linux to solve my problem. B-)
I have 3656.9 Bogomips. How many Bogomips do you have?
"My Co-Worker and I manage about 375 PCs at a University which has no firewall," ... "the Sysadmins need to be ... fired."
"You should have had auto-updates turned on for your boxes"
"We had autoupdates on,"
Reasonable border security, strict firewall rules, roll-over security, implementing patches and updates after they've been tested within a "sandbox" or other non-production machine, and constant security/threat analysis - these are the building blocks to a secure and operational infrastructure; not turning on "auto-update" for all your Windows boxes. That's absolutely ridiculous. Next time a faulty patch comes down the line, it's going to take down some, most, or even all of your machines. I can remember Microsoft security patches causing anything from network connection problems to outright system corruption requiring repair/reinstallation of the OS. Be very careful throwing stones at other admins when your own procedures are just plain laughable.
"So, uh, what were you other Windows admins doing when you should have been doing your job?"
Where was I? Reviewing the procedures I have in place to ensure that this type of vulnerability never touches anything that would be vulnerable to it, and ensuring that all critical systems are buffered in case of internal infection through user stupidity. Where was I? Doing my job, correctly.
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
A friend of mine in San Antonio--also not a computer wizard--who works from home over a cable modem also was hit early in the day. Her computer was rebooting every 5 minutes or so. She couldn't even stay online long enough to get an IM conversation--she eventually called me on the phone and asked what I thought. I hadn't heard about the virus yet so I told her that her Windows had either gone unstable and she'd probably have to reinstall Windows, or she had been hit by a virus and also might have to reinstall Windows.
Then I read about this. So I don't know exactly who is or isn't affected, nor if there's some other way the worm can get loosed in a local network (I assume the university in Mexico has a firewall!), but it's definitely causing problems for many mortals. :)
I am happily running Linux behind a firewall, though, so I just get to watch and grin at the hidden message left by the virus writer. "Billy gates why do you let this happen? Stop making money and fix your software." :)
Can businesses afford to deploy Linux with the SCO "threat"? My question is: Can't they afford NOT to? :)
It will work until some idiotic user connects his company-owned notebook computer to your network - since it's unpatched, he got infected last night at home.