Educause Security Discussion mailing list archives

Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing??


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Sat, 9 Aug 2003 00:01:49 -0400

Jim,

A number of universities in New England have experienced outbreaks
of the "Stealther" Trojan this past week and have been cleaning up.

These attacks came in despite the NetBIOS ports being blocked at the
campus network perimeter (e.g. the connection router to the Internet).

In many cases it was thought that a compromised machine internally
was used to initiate Stealther + WinShell attacks/compromise/infection,
in others VPN connections from home users are thought to be the vector.

We've (UCONN, URI, Yale, etc.) talked about the situation a bit on
the NOXSEC-L () list umass edu list (Northern Crossing Network Security).

From hundreds to thousands of PCs were affected in some cases.
Remediating machines on such a scale is neither trivial nor fun.

Norton and McAfee only recognized Stealther on August 6 and came
out with more complete descriptions of Stealther.B yesterday, so
many of us have had to come up with our own manual disinfection
procedures as well as more automated tools for fixing...

See:
       http://www.security.uconn.edu/winshell_recovery.html
       http://www.yale.edu/its/security/stealther/

H. Morrow Long, CISSP
Director of Information Security
Yale University, ITS



Jim Moore wrote:
Many people saw the article in The Chronicle of Higher Education
"Network Administrators on Campuses Scramble to Fix 'Critical' Security
Flaw in Windows"
By FLORENCE OLSEN
(http://chronicle.com/daily/2003/08/2003080801t.htm)

What are people doing about it?

Beyond the information available at CERT, at Symantec
(Backdoor.IRC.Cirebot), and at the Internet Storm Center (which
describes some Snort rules to monitor DCOM traffic).

Command-line exploit code for the RPC DCOM problem has been published
at http://oc192.netfirms.com/, and is simple to compile and execute,
but is manual.  The Full-Disclosure list also had a lot of discussion
and a scanner-based attack tool that would walk an IP range.

Most of what we have seen is an exploit of RPC DCOM, then a backdoor
installation, then a patching of the RPC DCOM vulnerability, leaving
only the backdoor.  We are starting to see variants that drop an FTP
server instead of a command prompt backdoor.

It has been reported that virus detection will pick up the "stealther"
version, and even clean it.  It has also been reported that the "stealther"
version will remove the registry keys that virus detection needs in
order to operate properly.

Is anyone able to share information?

Jim


--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0
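Both messages above make the same operational point: blocking NetBIOS/RPC at the perimeter did not stop the RPC DCOM attacks, because the sweeps came from already-compromised internal hosts and VPN clients, and the attack tools walked whole IP ranges. What follows is an added example, not code from either poster, from the Internet Storm Center or from any of the tools mentioned: a small Python detector that reads connection logs from inside the campus (internal routers, VPN concentrators) and flags any source that fans out to many distinct destinations on TCP/135 (the RPC endpoint mapper the MS03-026 exploits target) within a short window. The log layout ("timestamp src dst dport proto"), the sample records, the 60-second window and the threshold of 20 distinct targets are all assumptions chosen for the example; the sample log is constructed, not real campus data.

```python
"""Flag internal hosts sweeping TCP/135 (RPC endpoint mapper) across many peers.

Added example for the thread above; the log format and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RPC_EPMAP_PORT = 135  # TCP endpoint mapper, the port the RPC DCOM exploits hit


def parse_line(line):
    """Parse an assumed 'ISO-timestamp src dst dport proto' record.

    Returns (timestamp, src, dst, dport, proto) or None for malformed lines,
    so one bad record does not abort the whole run.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dport = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], dport, parts[4].lower()


def find_rpc_scanners(lines, threshold=20, window=timedelta(seconds=60),
                      dport=RPC_EPMAP_PORT):
    """Return {src: peak distinct-destination count} for every source that
    reached at least `threshold` distinct hosts on tcp/`dport` inside any
    span of length `window`. A few RPC connections are normal; a sweep is not.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if proto == "tcp" and port == dport:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs events in time order
        in_window = defaultdict(int)  # dst -> hits currently inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window on the left.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample, not real data: one host sweeping a /24 on tcp/135,
    one host with three ordinary RPC connections, one host busy on tcp/80,
    plus one malformed line."""
    base = datetime(2003, 8, 7, 10, 0, 0)
    lines = []
    for i in range(1, 41):  # 40 distinct targets in 40 seconds: a sweep
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.20.5.14 10.20.7.{i} 135 tcp")
    for i, dst in enumerate(("10.20.1.5", "10.20.1.6", "10.20.1.7")):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.20.5.20 {dst} 135 tcp")  # benign, only 3 peers
    for i in range(1, 31):  # web traffic, wrong port, must not be flagged
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.20.5.33 10.20.9.{i} 80 tcp")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for src, peak in find_rpc_scanners(build_sample_log()).items():
        print(f"possible RPC/DCOM sweep from {src}: "
              f"{peak} distinct tcp/135 targets within 60s")
```

The threshold and window are tuning knobs: a host that touches 20 or more distinct peers on tcp/135 within a minute is behaving like the range-walking scanner tools mentioned in the thread, not like a workstation doing ordinary RPC. The same logic applies to tcp/139 and tcp/445 by changing `dport`, and because it only needs connection records rather than payloads, it works on netflow or firewall logs from the inside of the network, which is where these attacks actually originated once the perimeter was closed.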

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.