Full Disclosure mailing list archives
RE: RE: Probable new MS DCOM RPC worm for Windows
From: "Ferris, Robin" <R.Ferris () napier ac uk>
Date: Fri, 26 Sep 2003 09:32:43 +0100
I have seen at least 1-5% of machines at this site that report that they are patched, either through "Add/Remove Programs" or "msiexec patch.exe -l", which lists the patches installed. Run the eEye scanner against it and, lo and behold, it's not actually patched. So some more evidence into the bowl.

RF

-----Original Message-----
From: Exibar [mailto:exibar () thelair com]
Sent: 25 September 2003 22:08
To: derek () cynicism com; pauls () utdallas edu
Cc: full-disclosure () lists netsys com; incidents () securityfocus com
Subject: Re: [Full-disclosure] RE: Probable new MS DCOM RPC worm for Windows

I've seen the same thing, but BEFORE MS03-039 came out. I've had reports from users stating that their network port had been turned off a number of times and they're getting sick of it. To quiet them down I'd add their network port to an exclude list that wouldn't show up in the IDS (Snort) for automatic network port shutoff after the threshold is reached.

My gut feeling is that Microsoft, in their haste to get MS03-026 out in time for people to get their systems patched, used the 80/20 rule. By that I mean that they were only able to patch 80% of the conditions for exploitation. I think that's what Paul (and others) have seen: machines patched for 026 but still able to be infected under certain, fairly rare circumstances. Microsoft took care of these remaining conditional holes with MS03-039.

But my theory is just that, a theory, and there very well could be a variant of Welchia out there. But I would think that there would be more infections or infection attempts than we are seeing now.

IMHO
Exibar

----- Original Message -----
From: "Derek Vadala" <derek () cynicism com>
To: <pauls () utdallas edu>
Cc: <full-disclosure () lists netsys com>; <incidents () securityfocus com>
Sent: Thursday, September 25, 2003 3:44 PM
Subject: [Full-disclosure] RE: Probable new MS DCOM RPC worm for Windows
> I'm thinking that there *has* to be a variant of Nachi/Welchia in the wild. We have machines that were patched for MS03-026 (verified by scanning with multiple scanners) but not patched for MS03-039 (ditto), and they have been infected by something that triggers my Nachi rule in Snort. This should *not* be possible with the "original" Nachi/Welchia, so my assumption is that either something new has been released or the worm has mutated somehow. Mind you, this is anecdotal and a very small incidence (only three machines so far), but it still bears watching IMHO. I've been surprised to not see any discussion on the lists about a new variant. Perhaps no one is looking?
>
> Paul Schmehl (pauls () utdallas edu)

We've seen the same thing over here. I've had a handful of machines (perhaps 15-20 out of 2500) here that were reported to be patched against MS03-026 yet became infected with Welchia. These machines were not patched against MS03-039.

One possibility is that the systems were already infected with Welchia at the time they were patched against MS03-026. I know of at least one or two cases here where the technical support person assigned to fix a particular system didn't appropriately follow the removal procedures and left a patched, but infected, system. I have to assume this is happening without notice in other cases, since there haven't been reports of a variant, and the number of systems in this situation is rather low.

So I'm betting user error, though I find it hard to believe there isn't another variant making the rounds.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html