Full Disclosure mailing list archives

Re: Authorities eye MSBlaster suspect


From: Jeremiah Cornelius <jeremiah () nur net>
Date: Fri, 29 Aug 2003 09:42:32 -0700

morning_wood wrote:

> It seems to me that it is each admin's responsibility, if
> they were affected (infected), not the coder. If this were the case, the
> LastStage(of)Delirium would be the blamed party for developing and releasing the
> exploit, but alas.. they are not of USA origin.

LSD presumably developed an exploit internally - never released anything but a high-level white paper on the vulnerability in concurrent time with the MS KB and patch.

It was the Chinese group that released the first exploit, followed by an improved version in precompiled form from various sources. Donnie, you were one of the first posters of the .exe to this list, I think!

A pretty complete timeline of the public life of this vulnerability until the first worm:

**2003 Evolution of DCOM-RPC Exploit**

For 16 days before the MSBlaster worm made its debut, semi-skilled attackers were
already able to use this vulnerability at will.

*Timeline:*

*July 16*

Microsoft Security Bulletin MS03-026
MS Announces bulletin and availability of patches for vulnerability discovered by LSD,
a Security Research group in Poland.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

LSD makes public announcement of the vulnerability, after withholding disclosure on agreement with Microsoft. The group withholds their exploit code, due to the serious implications of this as an exploit. A whitepaper on the vulnerability is publicly
released this day.

http://lsd-pl.net/special.html

Announcement of the DCOM-RPC vulnerability is widely distributed in the security and
blackhat communities, including the Full-Disclosure mailing list.

*July 17*

Official CERT advisory CA-2003-16 is published, formalizing the issue as CERT VU#568148.

http://www.cert.org/advisories/CA-2003-16.html

The Mitre Corp CVE is updated to include this vulnerability as CVE candidate CAN-2003-0352.


Network Associates makes their first published bulletin on DCOM-RPC

http://vil.nai.com/vil/content/v_100499.htm

Symantec provides an advisory

http://www.symantec.co.uk/avcenter/security/Content/8205.html


*July 18 - 24*

Discussion of possible methods for exploiting DCOM-RPC vulnerability circulates on numerous public discussion boards and mailing lists. Initial non-functional proof-of-concept code appears by various authors on the Full Disclosure mailing list.

*July 21*

Early, working exploits are publicly leaked by various parties, and circulate on mailing lists.

http://lists.netsys.com/pipermail/full-disclosure/2003-July/006851.html

*July 25*

A working exploit for DCOM-RPC is published for general availability by Xfocus Team, a "grayhat" research group in the People's Republic of China. Analysis of the exploit with working code is published on their site.

http://www.cert.org/advisories/CA-2003-16.html


The Xfocus exploit is refined by HD Moore of the Metasploit Project as dcom.c. This is the first exploit to give an attacker a working, remote command shell with escalated privileges against multiple versions of Windows. Code is published.

http://www.metasploit.com/tools/dcom.c

http://news.com.com/2100-1002_3-5055759.html?tag=fd_top

http://lists.netsys.com/pipermail/full-disclosure/2003-July/007092.html

*July 26*

Compiled, 'ready to run' versions of the Metasploit dcom.c code are made available on the Internet.

http://lists.netsys.com/pipermail/full-disclosure/2003-July/007103.html

http://illmob.org/rpc/

*July 31*

Stanford University has several networks penetrated by hostile attackers, probably making use of the Metasploit version of this exploit. Approximately 2000 individual computers were compromised.

http://securecomputing.stanford.edu/alerts/windows-rpc-update-5aug2003.html

Concurrent attacks, of similar severity and breadth, are announced by MIT and UC Berkeley. CERT adds an advisory based on exploit and denial-of-service activity.

http://www.cert.org/advisories/CA-2003-19.html

*August 11*

MSBlaster (W32/Lovesan.worm) makes its first public appearance, adding unaided, self-replicating exploitation of vulnerable hosts.

http://www.trusecure.com/knowledge/hypeorhot/2003/tsa03011.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://vil.nai.com/vil/content/v_100547.htm

--
Jeremiah Cornelius, CISSP, CCNA, MCSE
farm9.com Security

"Administration for Windows networks is similar to maintaining a 12-year-old GM Truck. Brand new, W2K+3 already has 190K miles of wear."


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
