Educause Security Discussion mailing list archives
Re: DShield and Symantec report MSBlast in wild
From: Phil Rodrigues <Phil.Rodrigues () UCONN EDU>
Date: Wed, 13 Aug 2003 14:46:26 -0400
Hi all,

Two students here (Keith Bessette and Lina Pezzella) have tweaked Nessus plugin #11808 to return more accurate info about RPC-DCOM vulnerabilities, especially when scanning Windows 95/98/ME computers (that Nessus previously reported as "vulnerable"). It now returns the same basic info as v1.04 of EEye's tool. Find it at:

http://hogwash.uits.uconn.edu/msrpc.nasl

We have developed a webpage to help support staff respond to the Stealther.Trojan compromises, MS Blast infections, and RPC-DCOM vulnerabilities in our network. It may be useful to other schools:

http://www.security.uconn.edu/rpc_procedure.html

We have noticed that a large number of our Windows 2000 hosts seem to have had TCP 135 close when RPC crashed after the worm tried unsuccessfully to use the Win XP offset to compromise them. Since these hosts no longer have TCP 135 open they do not appear as "Vulnerable" to our scanners, and thus we are passing over them in our sweeps. However, the guess is they will be vulnerable after they reboot and therefore are still at risk of being infected. Anyone have a solution to this?

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut
email: phil.rodrigues () uconn edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================

Phil Rodrigues <Phil.Rodrigues () uconn edu>
Sent by: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
08/11/2003 04:18 PM
Please respond to The EDUCAUSE Security Discussion Group Listserv

To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: [SECURITY] DShield and Symantec report MSBlast in wild

DShield and Symantec have reported that a worm exploiting RPC-DCOM TCP 135 has been released in the wild:

http://isc.sans.org/
http://tms.symantec.com

Craig Baltes of LURHQ corp reported this on the DShield list:

===========================================================
Here's more on the new Windows RPC/DCOM worm. This one seems pretty simple so far. It does most of what you may have seen on isc.sans.org:

- exploits via port 135/RPC.
- downloads binary (msblast.exe) via tftp.
- adds a registry key to re-start after reboot

AND:

- On the 16th, syn-floods (with spoofed sources) windowsupdate.com.

--
Craig Baltes GCIA, CCSE
Senior Information Security Analyst
LURHQ corp.
www.lurhq.com
craig () lurhq com
===========================================================

Good luck!

Phil

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut
email: phil.rodrigues () uconn edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
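One way to keep the crashed Windows 2000 hosts Phil describes from dropping off the sweep: reconcile the current TCP 135 scan against an earlier one and queue every host that was open before but is not open now as "suspect crashed", since it will listen again after a reboot. This is an added example, not code from the original post or from UConn; the host,port,state sweep format and the sample data are constructed.

```python
"""Reconcile two TCP 135 sweep snapshots so hosts whose RPC service crashed
(open in an earlier sweep, closed now) stay on the follow-up list.
Added example, not from the original post; sweep format and data are constructed."""
from collections import defaultdict

# Constructed sweep output, one "host,port,state" record per line.
SWEEP_AUG_11 = """\
10.0.5.10,135,open
10.0.5.11,135,open
10.0.5.12,135,open
10.0.5.13,135,closed
"""
SWEEP_AUG_13 = """\
10.0.5.10,135,open
10.0.5.11,135,closed
10.0.5.12,135,filtered
10.0.5.13,135,closed
10.0.5.14,135,open
"""

def parse_sweep(text):
    """Return {host: state} for TCP 135 from a host,port,state listing."""
    states = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, state = (f.strip() for f in line.split(",", 2))
        if port == "135":
            states[host] = state.lower()
    return states

def reconcile(previous, current):
    """Classify every host seen in either sweep:
    vulnerable      - TCP 135 open now
    suspect_crashed - open earlier, not open now: RPC likely died under the
                      worm's failed attempt and will listen again after reboot
    not_listening   - never seen open
    """
    buckets = defaultdict(list)
    for host in sorted(set(previous) | set(current)):
        if current.get(host) == "open":
            buckets["vulnerable"].append(host)
        elif previous.get(host) == "open":
            buckets["suspect_crashed"].append(host)
        else:
            buckets["not_listening"].append(host)
    return dict(buckets)

if __name__ == "__main__":
    for bucket, hosts in reconcile(parse_sweep(SWEEP_AUG_11), parse_sweep(SWEEP_AUG_13)).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Both the "vulnerable" and "suspect_crashed" buckets belong on the patch follow-up list; a host that drops from "open" to "closed" between sweeps with no patch record is exactly the case the scanners were passing over.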