RPC DCOM Worm On The Loose

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

this vunerability...

[garcia]

if you use this vunerability against someone (usually people that hit your web server with /default.ida) you get access to a C:\ prompt. You can look around, run format, etc.

It's quick to crash the machine (apparently) as the remote becomes unusable (pingable though).

It's actually pretty nasty from what I have seen... I just wonder how effective the worm will be when the machine becomes unresponsive after a few commands?

Perhaps it won't spread as fast as others because of this problem? I suppose we can hope.

Re:users being hit hard

[Sorthum]

Are the calls mostly centered around actual problems, or is it users doing their famous "I heard about the RPC bug, and now my computer won't boot!" routine? When Code Red came out, for instance, we saw everything from bad disks to dialup issues being blamed on it, solely because people didn't listen to anything past "the world is calling" chicken-littleisms.

SP3?

[poptones]

Are there really that many win2k systems not even running SP3? That's not the only fix, but I have a box here that has had zero patches except SP3 and DCOM is disabled by default - which pretty much makes this "buffer overflow" a non issue. Doesn't XP also install (by default) DCOM disabled? So where is all this traffic coming from? People too nervous to install SP3? People too stubborn to stop using NT4?

Slashdot saves my girlfriend!

[brandonY]

My girlfriend called me not 20 minutes before this article went up asking what RPC was and why it was shutting her computer down whenever she got on the Internet. A quick glance at this article's headline followed by a thorough read of symmantec's removal instructions led to me calling her back and another day saved! Thanks, Slashdot! Thanks, Symmantec Security Response Team!

freedce - DCE RPC for Linux

[hey]

Sure there's a bug now. But Microsoft picking DCE RPC for DCOM was a nice thing for the open source community since its a documented protocol. There's a project supporting it on Linux: freedce. I have used freedce to communicate between Linux and Windows. It's nice.

Re:Egress Filtering

[ThatDamnMurphyGuy]

Then again, why on earth expose these to the internet? (135, 139, or 445). Or course, internal virii catching employees are just as dangerous to your servers as the external bad guys.

Our Fix for out Cable ISP

[ironicsky]

Step 1. Shut down PC
Step 2. Unplug Cable Modem.
Step 3. Start up PC
Step 4. Click Start -> Settings -> Control Panel
Step 5. Double Click Network Connections
Step 6. Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1
Step 7. Select Properties
Step 8. Click the Advanced Tab
Step 9. Enable the Windows XP Firewall
Step 10. Click OK, Close out of open windows.
Step 11. Plug in the Cable Modem.
Step 12. Ensure Block Sync is established.
Step 13. Open Internet Explorer
Step 14. Go to the following URL: http://www.microsoft.com/technet/default.asp
Step 15. Click the Link toward the middle of the page titled: Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately
Step 16. Scroll Down Page about half way to Patch Availability
Step 17. Click Windows XP 32 bit Edition
Step 18. Click Download in the upper right of the screen.
Step 19. Save the file to the desktop
Step 20. Run the downloaded file.
Step 21. The patch will install and prompt the customer to reboot.
Step 22. Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled

Bug/Feature??

[RonnyJ]

A lot of people seem to think the executable is bugged, crashing the RPC service and causing Windows to shutdown. Seems like a good payload to me. In my example, my computer shut down within a few minutes. This makes it exceedingly hard for people to find information and download a patch to fix it, yet at the same time, the trojan is scanning and infecting others while you're trying to fix it. I was struggling to download the patch on modem, took about 5 shutdowns until I had it. Also, at this moment, the main cable provider in the UK seems swamped with this problem, and I don't think it'll go away fast.

Re:I have already patched my entire network.

[caluml]

Selinux root isn't the same as normal root.

Oh, I know that, and you know that, but it's funny to watch people trying to install root-kits, or add new users. You want to shake them, and ask them - what are you doing - you're root already.. :)
But once they realise they can't install their IRC bots or floodping people, they get bored.
Oh, and why do people try and ftp to their own servers from that box?
grep \@ .bash_history | grep \: | grep ftp
Doh.

Block TCP 4444 and TFTP = UDP 69 at Routers

[billstewart]

Blocking the various Microsoft ports will help prevent infections, but you should also block 4444 (the port the worm uses to communicate with other worms and the WormMaster) and (if it won't disrupt too much of your other activities, which it shouldn't) block tftp (which the worm uses to download attack code after getting infected.)

That's not generic advice for the DCOM bug - for that you'll need to catch whichever of the MS ports are being abused this week. But it's guesswork advice for this particular instantiation of a worm that's exploiting it so you can at least slow down this one and isolate damage, and work on patching the actual holes in Windows so that you can prevent next week's worm that uses the same bug but some other inter-worm communication path from getting in.

At least on the couple of machines I've looked at, TCP 4444 isn't used for anything (there's a UDP 4444 used for Kerberos 4-to-5 conversion or something.) TFTP gets used for things like uploading operating system versions to diskless PCs and routers, and still isn't something you should be accepting from the outside world, and for the most part (YMMV) is only used by administrators who are better off stomping worms first and upgrading routerware later. The Microsoft ports are used by all kinds of Microsoft applications - you almost certainly should be blocking them to and from the outside world, but whether to block them inside your internal nets, and where, is a decision you'll need to make based on how much of which MS network products you're actually using. (e.g. you don't want to kill all your thin-client PCs by killing off their mounts of the file servers - but you also don't want them infecting each other.)

Windoze Auto update doesn't necessarily work!

I feel sorry for anyone depending on Windoze Update. Like many M$ products it's broken, at least part of the time. I'm pasting below a couple of posts from NT BugTraq and Full-Disclosure last month discussing this:
-----------------
Message: 16
Date: Wed, 30 Jul 2003 17:09:14 -0500
From: "Schmehl, Paul L" (email address removed)
To:
Subject: [Full-Disclosure] Patching networks redux

For all those experts who have mastered patching your networks, please ignore this post.

For the rest of you, testing has shown that some patch management tools are incorrectly reporting that MS03-026 is installed when it's not (notably Windows Update and Update Expert, among others.) The accuracy of the tool depends on how they check for the patch level. If they check the registry (like Windows Update and Update Expert do) they will *incorrectly* report that MS03-026 has been installed when if fact the files have not been updated. If they do MD5 checksums (like Hfnetchk or MBSA), they will correctly report the patch level.

The Retina tool from eEye (and I would assume the IIS commandline tool as well) is correctly reporting what *is* patched and what is *not* patched, so you need to rely on those to give you accurate information. You could actually have users going to Windows Update and finding no patches available when in fact they are still vulnerable. You could also have users for whom you've pushed out the patch who have overwritten the files with older versions, yet your tools are reporting them as patched.

Of course the experts never have these problems, but for the mere mortals, caveat emptor.

Paul Schmehl (email address removed)
Adjunct Information Security Officer
The University of Texas at Dallas

-----------------
http://www.ntbugtraq.com/defa ult.asp?pid=36&sid=1& A2=ind0307&L=ntbugtraq&F=P&S=&P=92 18

MS03-026 - are you patched? Windows Update isn't sure!

Content-Type:
text/plain; charset="iso-8859-1"

FYI, it is worth reminding people that some patch checking tools don't do a complete check. Windows Update doesn't check files, and it would seem that other products have problems also.

Some tools only check for the presence of a registry key indicating that a hotfix was applied. Other tools, such as Shavlik's HFNetchk and MBSA (and others) actually check file details, including a checksum, to verify that the files in play are actually the right versions.

I was speaking with Jeff.t.Parker @ hp.com about this issue. His observations confirm this (see below). If patched files are reverted to previous versions, for whatever reason, Windows Update and (at least in this case) Update Expert (and possibly other such tools) will incorrectly assert you have the patch applied when in fact you don't.

He wrote in to advise that Update Expert (v6.0 build 6069) is giving erroneous results at least in some cases. After applying SP4 concurrently with MS03-026 (using Update Expert), Jeff noticed some interesting results. The resulting versions of the files contained in MS03-026 on some machines were;

5.0.2195.6692 ole32.dll 5.0.2195.6701 rpcrt4.dll 5.0.2195.6702 rpcss.dll

This led to Windows Update and Update Expert both reporting that the systems had MS03-026 applied (wrong). MBSA and eEye's Retina both said the systems *did not* have MS03-026 applied (right).

While this may be a problem with the way Update Expert deploys Service Pack + Hotfix combinations, it also demonstrates the problem Windows Update has by not being able to examine file details (relying only on registry entries).

How many systems are out there now who believe they have MS03-026 applied, can't get it offered to them from Windows Update, but in fact don't have it applied at all??

Cheers, Russ - NTBugtraq Editor

-----------------------

DSL Users beware...

[Lodragandraoidh]

Just bought my wife a new XP machine - because she has been having issues with the crappy linux boxes I have given her [300mhz should be fast enough for anyone...](all of my machines are Linux - daughter has an old win98 and a linux box on kvm).

She complained that her computer was shutting down all day - get this, I don't have any ports enabled on my router - its closed tighter than duck's ass.

So, I'm sitting there, and she decides to turn her machine back on - a few minutes later....BAM...my whole DSL network goes down.

So, not making the cause and effect connection, I call my local phone company. They are able to ping my DSL modem. So they go through the motions, and get me to hook up my XP machine to the network directly through the DSL modem...friggin' brilliant. I hook it up, and ...BAM! again... This time its an 'RPC' call error - 'shutting system down' message. Crap. I shut the system down and pull it completely off the network.

I then check my linksys router - everything on it is reset to the defaults...everything. No ppoe settings, no password [its set to the default] - nada, nothing, zip.

I reset everything, and up comes my network - thats when I browse on over to /. and see this post about the worm. I do a little forensics and find the c:\winnt\system32\msblast.exe, and c:\winnt\system32\pre[a-Z*]\msblast.exe.23oiu4i734 - I assume the pftp scratch file. Son-of-a-bitch.

I also look for the registry entry to restart the worm - but don't find it (so far, so good). I delete the scratch file ok, but the msblast.exe file will not delete (the system says the wheel user isn't authorized - what kind of Mickey-Mouse operating system is this!!?)

I want to know:
1. how to clean this up?
2. how the hell did this thing ZAP my Linksys with all the ports disabled?
3. where the hell can I get my $99 back for this bogus operating system?

Re:On the way?

[Sethb]

You want to know what a real University setting is like? I've worked at 2 of the 3 state Universities here, and generally it's a mishmash of 20% Win95, 40% Win98, 20% Win2000, and 20% Windows XP machines, none of which authenticate to a domain, administered by someone who started working there as a student, but was kept on after graduation because they were cheap labor.

Patches? Well the user should take care of that, right? After all, they've got Internet Explorer, they can surely remember to visit WindowsUpdate and get patches on their own.

Oh, AntiVirus definitions? Well, our software doesn't update those automatically, you've got to click the icon and push update every month or so, but the users can do that.

None of the above is hyperbole, and were actually the standard practices as recently as 18 months ago.

Heck, doing testing? That'd require a SECOND computer for each technician! That'd cost money! We can't afford to but TWO computers for one person, we're already splurging on 1 IT person per 500 computers! Oh, and we gave you 1 student who's slightly above minimum wage too. What more do you want?

Notepad: kills bugs dead

[Spy+Hunter]

Actually, that's a different worm. I should know, I've been infected by both of these in the last week :-) I've been running an unpatched XP install on my desktop. I don't have any antivirus software installed (the only really successful worms are the ones that aren't stopped by antivirus software, what's the point?) so I have to defeat viruses myself in open combat ;-)

Anyway, the one thing I found that killed them both is Notepad. Just open up the executable in Notepad, type a few random characters here and there, erase some things, mess up the file header, and then save right over the virus! They're never expecting that. Make sure to kill the virus processes first, of course, or else you'll get the infamous "access violation". (In the case of msconfig32.exe, you must use the command-line tools 'tasklist' and 'taskkill') The viruses might restore themselves if you remove them from the registry, or delete the file, but they're not expecting you to corrupt the executable. If Windows, in its infinite stupidity, tries to run the virus again, it will fail harmlessly.

P.S. I know, I know, you're wondering why I'm running an unpatched XP install on my desktop. Well, I just reinstalled, and only have dialup, and I'm going back to college in a month where there's super-broadband. Downloading 30+ MB (conservative estimate) of service packs, patches, hotfixes, and updates over dialup (not even 56k, more like 28.8) seems pointless. Besides, it's interesting seeing actual virus infections happen and fixing them myself. If anything goes horribly wrong, I have my XP cd right here to reinstall again. I'll be reinstalling and patching when I get back to a real internet connection.