Worm Exploits RPC Flaw in Windows

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,1216303,00.asp

By Dennis Fisher
August 11, 2003 

A worm that exploits the recently discovered RPC DCOM vulnerability in 
Windows began spreading rapidly on the Internet Monday afternoon. The 
worm is targeting TCP port 135 and is causing some large spikes in 
traffic, but has yet to cause any real latency or network outages, 
experts said. 

The name of the binary containing the worm is "msblast.exe," and it is 
packed with the UPX compression utility. It is self-extracting and is 
11KB once it is unpacked, according to information posted on the 
Dshield.org site run by the SANS Institute. Once the worm locates a 
vulnerable machine, it spawns a shell on TCP port 4444 and uses that 
to download the worm itself through TFTP. 

SANS' preliminary analysis of the worm, including a list of some of 
the TFTP servers the worm downloads from, is available here [1]. 

Once the worm is resident on a machine, it immediately begins scanning 
the Internet for other vulnerable targets. One post on a security 
mailing list said the worm begins scanning at IP address 192.168.0.1. 
It also dumps a key in the registry to start itself after a reboot. 

A text string in the worm's code reads: "I just want to say LOVE YOU 
SAN!! Billy gates why do you make this possible? Stop making money and 
fix your software!!" 

Experts who have seen copies of the worm say it works on some versions 
Windows 2000 and XP and that they are trying to confirm its 
effectiveness on other versions. 

"We've gotten a bunch of different confirmations of this worm, and 
we've talked to network operators who say they've seen customer 
machines going up and down," said Dan Ingevaldson, engineering manager 
for the X-Force research team at Internet Security Systems Inc. in 
Atlanta. "This looks like the first attempt at automatically 
exploiting the DCOM problem." 

Ingevaldson added that ISS has seen a 10-fold increase this afternoon 
in the number of scans of port 135 on the machines the company 
monitors for its managed security clients. 

ISS officials also said that the new worm is programmed to launch a 
denial-of-service attack against the Windows Update Web site on the 
16th of each month. Windows Update is an automated service through 
which Microsoft customers can automatically retrueve security patches 
and other software updates. A successful DoS attack against the site 
would not prevent users from accessing patches, however, as those 
files can still be downloaded manually from other Microsoft sites. 
Each instance of the MS Blast worm, as it's being called, attacks 
either Windows 2000 or Windows XP machines, not both. Twenty percent 
of the instances will attack Windows 2000 and 80 percent will look for 
Windows XP boxes, ISS said. 

The flaw that the worm exploits is found in a portion of the Remote 
Procedure Call (RPC) protocol that handles message exchanges over 
TCP/IP. The vulnerability, which arises because of incorrect handling 
of error messages, affects a particular Distributed Component Object 
Model interface with RPC and is found in every current version of 
Windows. 

The best way to avoid the worm is to patch Windows. Microsoft Corp., 
of Redmond, Wash., issued in July a patch for the vulnerability, which 
exists in NT 4.0, 2000, XP and Windows Server 2003. 

[1] http://isc.sans.org/diary.html?date=2003-08-11

 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.