Educause Security Discussion mailing list archives
Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing??
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Sat, 9 Aug 2003 00:01:49 -0400
Jim, A number of universities in New England have experienced outbreaks of the "Stealther" Trojan this past week and have been cleaning up. These attacks came in despite the NetBIOS ports being blocked at the campus network perimeter (E.g. connection router to the Internet). In many cases it was thought that a compromised machine internally was used to initiate Stealther + WinShell attacks/compromise/infection, in others VPN connections from home users are thought to be the vector. We've (UCONN, URI, Yale, etc.) talked about the situation a bit on the NOXSEC-L () list umass edu list (Northern Crossing Network Security). From hundreds to thousands of PCs were affected in some cases. Remediating machines on such a scale is not trivial nor fun. Norton and McAfee only recognized Stealther on August 6 and came out with more complete descriptions of Stealther.B yesterday so many of us had had to come up with our own manual disinfection procedures as well as more automated tools for fixing... See: http://www.security.uconn.edu/winshell_recovery.html http://www.yale.edu/its/security/stealther/ H. Morrow Long, CISSP Director of Information Security Yale University, ITS Jim Moore wrote:
Many people saw the article in The Chronicle of Higher Education "Network Administrators on Campuses Scramble to Fix 'Critical' Security Flaw in Windows" By FLORENCE OLSEN (http://chronicle.com/daily/2003/08/2003080801t.htm) What are people doing about it? Beyond the information available at CERT, and Symantec (Backdoor.IRC.Cirebot), and at the Internet Storm Center (which describes some snort rules to monitor DCOM traffic). A command line exploit code for the RPC DCOM problems has been published at http://oc192.netfirms.com/, and is simple to compile and execute, but is manual. The Full-Disclosure list also had a lot of discussion and a scanner based attack tool that would walk an IP range. Most of what we have seen is an exploit of RPC DCOM, then a backdoor installation, then a patching of the RPC DCOM vulnerability, leaving only the backdoor. We are starting to see variants that drop an FTP server instead of a command prompt backdoor. It has been reported that virus detection will pick up the "stealther" version, and even clean it. It has been reported that the "stealther" version will remove the registry keys for the operation of virus detection to operate properly. Is anyone able to share information? Jim -- -- Jim Moore, CISSP, IAM Information Security Officer Rochester Institute of Technology 13 Lomb Memorial Drive Rochester, NY 14623-5603 Telephone: (585)475-5406 Fax: (585)475-7950 PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0 ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Jim Moore (Aug 08)
- <Possible follow-ups>
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? H. Morrow Long (Aug 08)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? H. Morrow Long (Aug 11)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Ariel Silverstone (Aug 11)
- Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing?? Angel L Cruz (Aug 11)