RPC DCOM Worm On The Loose
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
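The quoted description gives a concrete propagation sequence to hunt for: attacker to victim on 135/TCP (the RPC DCOM exploit), attacker to victim on 4444/TCP (the spawned shell), then the victim pulling the binary back over TFTP (69/UDP). The following is an added example, not code from the Slashdot post or the Internet Storm Center, that runs that correlation over flow records. The `Flow` record layout, the addresses and timestamps, and the 300-second and 20-target thresholds are all constructed assumptions for the example; it also flags hosts that sweep many addresses on 135/TCP, the scanning behaviour the thread describes on infected machines.

```python
"""Correlate flow records against the RPC DCOM worm propagation chain:
attacker -> victim 135/tcp (exploit), attacker -> victim 4444/tcp (shell),
victim -> attacker 69/udp (tftp fetch of the worm binary).
Record format, hosts, timestamps and thresholds are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since start of capture (constructed)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69


def find_infections(flows, window=300.0):
    """Return (attacker, victim, ts_of_tftp) for every complete chain seen within window."""
    seen_rpc = {}    # (attacker, victim) -> earliest 135/tcp timestamp
    seen_shell = {}  # (attacker, victim) -> first 4444/tcp timestamp after the 135/tcp
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto == "tcp" and f.dport == RPC_PORT:
            seen_rpc.setdefault((f.src, f.dst), f.ts)
        elif f.proto == "tcp" and f.dport == SHELL_PORT:
            t0 = seen_rpc.get((f.src, f.dst))
            if t0 is not None and f.ts - t0 <= window:
                seen_shell.setdefault((f.src, f.dst), f.ts)
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            key = (f.dst, f.src)  # the victim (src) fetches from the attacker (dst)
            t1 = seen_shell.get(key)
            if t1 is not None and f.ts - t1 <= window:
                hits.append((key[0], key[1], f.ts))
    return hits


def find_scanners(flows, min_targets=20, window=60.0):
    """Return hosts that hit 135/tcp on at least min_targets distinct addresses within window."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == RPC_PORT:
            by_src[f.src].append((f.ts, f.dst))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        lo = 0
        distinct = defaultdict(int)  # sliding-window count of each target address
        for ts, dst in events:
            distinct[dst] += 1
            while ts - events[lo][0] > window:  # drop events older than the window
                old = events[lo][1]
                distinct[old] -= 1
                if distinct[old] == 0:
                    del distinct[old]
                lo += 1
            if len(distinct) >= min_targets:
                scanners.add(src)
                break
    return scanners


# Constructed sample: 10.0.0.5 infects 10.0.0.9, which then starts sweeping 10.0.1.0/24.
# 10.0.0.7 talks to 4444/tcp and tftp without a preceding 135/tcp, so it is not a chain.
SAMPLE = [
    Flow(0.0, "10.0.0.5", "10.0.0.9", "tcp", 135),
    Flow(1.5, "10.0.0.5", "10.0.0.9", "tcp", 4444),
    Flow(3.0, "10.0.0.9", "10.0.0.5", "udp", 69),
    Flow(5.0, "10.0.0.7", "10.0.0.9", "tcp", 4444),
    Flow(6.0, "10.0.0.9", "10.0.0.7", "udp", 69),
] + [Flow(10.0 + i * 0.1, "10.0.0.9", f"10.0.1.{i}", "tcp", 135) for i in range(25)]

if __name__ == "__main__":
    for attacker, victim, ts in find_infections(SAMPLE):
        print(f"t={ts:.1f}s chain complete: {attacker} -> {victim}")
    for host in sorted(find_scanners(SAMPLE)):
        print(f"scanner: {host}")
```

On the sample data the chain detector reports one infection (10.0.0.5 into 10.0.0.9) and the sweep detector flags 10.0.0.9, the freshly infected host. A lone 4444/TCP or TFTP flow is deliberately not enough on its own; requiring the 135/TCP exploit attempt first keeps ordinary TFTP traffic from being reported.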
If you use this vulnerability against someone (usually people that hit your web server with /default.ida) you get access to a C:\ prompt. You can look around, run format, etc.
It's quick to crash the machine (apparently) as the remote becomes unusable (pingable though).
It's actually pretty nasty from what I have seen... I just wonder how effective the worm will be when the machine becomes unresponsive after a few commands?
Perhaps it won't spread as fast as others because of this problem? I suppose we can hope.
Are the calls mostly centered around actual problems, or is it users doing their famous "I heard about the RPC bug, and now my computer won't boot!" routine? When Code Red came out, for instance, we saw everything from bad disks to dialup issues being blamed on it, solely because people didn't listen to anything past "the world is calling" chicken-littleisms.
My girlfriend called me not 20 minutes before this article went up asking what RPC was and why it was shutting her computer down whenever she got on the Internet. A quick glance at this article's headline followed by a thorough read of Symantec's removal instructions led to me calling her back and another day saved! Thanks, Slashdot! Thanks, Symantec Security Response Team!
Sure there's a bug now. But Microsoft picking DCE RPC for DCOM was a nice thing for the open source community since it's a documented protocol. There's a project supporting it on Linux: freedce. I have used freedce to communicate between Linux and Windows. It's nice.
A lot of people seem to think the executable is bugged, crashing the RPC service and causing Windows to shutdown. Seems like a good payload to me. In my example, my computer shut down within a few minutes. This makes it exceedingly hard for people to find information and download a patch to fix it, yet at the same time, the trojan is scanning and infecting others while you're trying to fix it. I was struggling to download the patch on modem, took about 5 shutdowns until I had it. Also, at this moment, the main cable provider in the UK seems swamped with this problem, and I don't think it'll go away fast.
Oh, I know that, and you know that, but it's funny to watch people trying to install root-kits, or add new users. You want to shake them, and ask them - what are you doing - you're root already.. :) .bash_history | grep \: | grep ftp
But once they realise they can't install their IRC bots or floodping people, they get bored.
Oh, and why do people try and ftp to their own servers from that box?
grep \@
Doh.
Just bought my wife a new XP machine - because she has been having issues with the crappy linux boxes I have given her [300mhz should be fast enough for anyone...](all of my machines are Linux - daughter has an old win98 and a linux box on kvm).
...BAM! again... This time it's an 'RPC' call error - 'shutting system down' message. Crap. I shut the system down and pull it completely off the network.
/. and see this post about the worm. I do a little forensics and find the c:\winnt\system32\msblast.exe, and c:\winnt\system32\pre[a-Z*]\msblast.exe.23oiu4i734 - I assume the pftp scratch file. Son-of-a-bitch.
She complained that her computer was shutting down all day - get this, I don't have any ports enabled on my router - it's closed tighter than a duck's ass.
So, I'm sitting there, and she decides to turn her machine back on - a few minutes later....BAM...my whole DSL network goes down.
So, not making the cause and effect connection, I call my local phone company. They are able to ping my DSL modem. So they go through the motions, and get me to hook up my XP machine to the network directly through the DSL modem...friggin' brilliant. I hook it up, and
I then check my Linksys router - everything on it is reset to the defaults...everything. No PPPoE settings, no password [it's set to the default] - nada, nothing, zip.
I reset everything, and up comes my network - that's when I browse on over to
I also look for the registry entry to restart the worm - but don't find it (so far, so good). I delete the scratch file ok, but the msblast.exe file will not delete (the system says the wheel user isn't authorized - what kind of Mickey-Mouse operating system is this!!?)
I want to know:
1. how to clean this up?
2. how the hell did this thing ZAP my Linksys with all the ports disabled?
3. where the hell can I get my $99 back for this bogus operating system?
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
You want to know what a real University setting is like? I've worked at 2 of the 3 state Universities here, and generally it's a mishmash of 20% Win95, 40% Win98, 20% Win2000, and 20% Windows XP machines, none of which authenticate to a domain, administered by someone who started working there as a student, but was kept on after graduation because they were cheap labor.
Patches? Well the user should take care of that, right? After all, they've got Internet Explorer, they can surely remember to visit WindowsUpdate and get patches on their own.
Oh, AntiVirus definitions? Well, our software doesn't update those automatically, you've got to click the icon and push update every month or so, but the users can do that.
None of the above is hyperbole; those were actually the standard practices as recently as 18 months ago.
Heck, doing testing? That'd require a SECOND computer for each technician! That'd cost money! We can't afford to buy TWO computers for one person, we're already splurging on 1 IT person per 500 computers! Oh, and we gave you 1 student who's slightly above minimum wage too. What more do you want?
When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein