Re: MS RPC exploits - Scanner-based, worms, etc - Information Sharing??

[Angel L Cruz <cruz () AUSTIN UTEXAS EDU>]

Colleagues:

We activated our CERT, communicated with campus technology leaders, and
escalated response based on best intelligence at our disposal.

Specifically we have:

- Scanned for vulnerables using NESSUS plug-ins 11709 (to see RPC
active) and 11808 (to see RPC exploitable);
- Sent out the troops (department tech staff) to patch systems, and kept
them informed of their status (how many we showed they still had to
repair);
- Identified and scanned for ports being used for RogueFTP and similar
insertions into compromised machines (a specific pattern was seen here);
- Blocked compromised machines at various network points (required they
be rebuilt to get back on the network);
- Implemented NetBIOS filters at the border (we saw active sweep scans
on one of our class B's) and identified workarounds for users (ongoing);
- Blocked vulnerable machines at various network points until they were
patched (attention getter);
- Identified false positives (Windows 98/ME; some Cisco devices and
HP-UX) and false negatives (breached machines with RPC patched and DCOM
disabled - courtesy of your favorite intruder group);
- Wrestled with blocks of DHCP address machines (MAC blocks may not be
effective depending on network equipment and configurations);
- Communicated to the campus (especially effective was an FAQ type,
layman's term problem description and user guide);
- Kept tabs with technical staff until we had containment;
- Recommended auto-update to all, and re-emphasized anti-virus updating
(we have a license for Big Fix, a product that IMHO works very well for
both OS and AV update notification);
- Monitored IRC traffic to identify .edu bots and continue to send out
many notices to .edu security folks.

I cannot emphasize enough the value of clear and controlled
communications with the campus community and event escalation based on
best intelligence at your disposal.

If you have not, I recommend you consider how to handle (triage/contact)
returning residential students, laptop carrying students, and faculty
who may have vulnerable and/or breached machines - could be a problem.


This event has made it clear to me that we need to engage in dialog re:
how to better manage the technology environment to reduce this patch
madness (sneaker net and user level patching does not scale well).

Thanks.

Mr. Angel L. Cruz, BS
Director & University ISO
ITS - Information Security Office
The University of Texas at Austin
1 University Station, #G0900
Austin, Texas 78712-0557
(512) 475-9462
cruz () austin utexas edu
 
++++++++++++++++++++++++++++++++++++++++++++
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. If you are not the named addressee you should not
distribute or copy this e-mail. Please notify the sender immediately if
you have received this e-mail by mistake and delete this e-mail from
your system. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on
the contents of this information is prohibited.
++++++++++++++++++++++++++++++++++++++++++++



-----Original Message-----
From: Jim Moore [mailto:jhmfa () RIT EDU] 
Sent: Friday, August 08, 2003 6:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MS RPC exploits - Scanner-based, worms, etc -
Information Sharing??

Many people saw the article in The Chronicle of Higher Education
"Network Administrators on Campuses Scramble to Fix 'Critical' Security
Flaw in Windows"
By FLORENCE OLSEN
(http://chronicle.com/daily/2003/08/2003080801t.htm)

What are people doing about it?

Beyond the information available at CERT, and Symantec
(Backdoor.IRC.Cirebot), and at the Internet Storm Center (which
describes some snort rules to monitor DCOM traffic).

A command line exploit code for the RPC DCOM problems has been published
at  http://oc192.netfirms.com/, and is simple to compile and execute,
but is manual.  The Full-Disclosure list also had a lot of discussion
and a scanner based attack tool that would walk an IP range.

Most of what we have seen is an exploit of RPC DCOM, then a backdoor
installation, then a patching of the RPC DCOM vulnerability, leaving
only the backdoor.  We are starting to see variants that drop an FTP
server instead of a command prompt backdoor.

It has been reported that virus detection will pick up the "stealther"
version, and even clean it.  It has been reported that the "stealther"
version will remove the registry keys for the operation of virus
detection to operate properly.

Is anyone able to share information?

Jim


--
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C
D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.