RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
This article might answer your question.
Basically, No. Nothing happened.
No, Microsoft killed the windowsupdate.com domain.
Very true.
But, notice that this worm self-uninstalls at a certain date. It's quite a way away, but even so. The fact it opens port 707 sounds a bit worrying though.
The Cheese worm did this on compromised Linux systems a few years back. The antivirus industry, in accordance with Linux sysadmins everywhere, added detection for the worm. A virus is a virus, and any unauthorized access to a computer is a Bad Thing.
For those Windows sysadmins that don't know, you can use SUS (free from Microsoft) on a local server to distribute updates via Automatic Updates. The clients need to be configured, through Group Policy (or manually, if you wish), to use your server instead of Microsoft's, but it can scale quite easily to enterprise level.
It needs IIS to run, but it runs the IIS Lockdown Tool at the same time.
Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
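The client-side half of the SUS setup described in the post above, as an added example that is not part of the original thread: it writes the same Automatic Updates policy values that the Group Policy template sets, so a client fetches and reports to the internal server instead of Microsoft's public site. The server URL is a placeholder; run it elevated on a client or bake it into a startup script.

```powershell
# Added example (not from the original thread): point Automatic Updates clients
# at an internal SUS/WSUS server through the policy registry values that the
# Group Policy administrative template writes. Run elevated.
$SusServer = 'http://sus.example.local'   # placeholder for your internal SUS server

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'
New-Item -Path $policy -Force | Out-Null
New-Item -Path $au     -Force | Out-Null

# Where clients download updates from and where they report their status
Set-ItemProperty -Path $policy -Name WUServer       -Value $SusServer -Type String
Set-ItemProperty -Path $policy -Name WUStatusServer -Value $SusServer -Type String

# Use the internal server rather than the public site, keep Automatic Updates
# enabled, and auto-download and schedule installs (AUOptions 4)
Set-ItemProperty -Path $au -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 4 -Type DWord

# Quick check of what the client is now configured to use
Get-ItemProperty -Path $policy | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $au     | Select-Object UseWUServer, NoAutoUpdate, AUOptions
```

The same values land under the same key when set through Group Policy, so the check at the end also works for verifying a policy-managed client.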
>>Seems to me it's been years since anyone could get even close to root access by hacking Linux.
About a year ago I installed RedHat 7.2. It was my first Linux install and after getting it up and running, I spent about an hour playing around with it before downloading all the patches (there were *a lot*). In that short time, a vulnerability in wu-ftp was exploited and my machine compromised.
Call me stupid (and I'm sure you will), but for a "boxed, off the shelf" consumer product, that doesn't sound too secure to me. There might not be a lot of holes in the kernel, but there are quite a few in all the tools that ship with it.
Granted, any expert would not have been caught by this, but if the goal is Linux in the home, this can't happen any more than it can in Windows.
Ron