Date: Wed, 13 Aug 2003 16:21:40 -0300
From: Dexter J <lamealameadingdongnopsamlamelame.org>
Subject: Re: OT - Windows port 135 virus alert


Salutations:

'nuther Bob wrote:

> On Wed, 13 Aug 2003 11:10:44 -0300, Dexter J
> <lamealameadingdongnopsamlamelame.org> wrote:
>
> >The problem is that it is svchost based worm and thusly it has free range
> >around all network ports regardless of settings on any individual machine..
> >It morphs and while port 135 is main entry point - once it's in the works -
> >not the only one and it probes out on all.
>
> Dexter:
>
> You seem well versed in this virus... does it enter only on
> port 135? In other words, if you have port 135 blocked, are you
> immune to it ?
>
> Bob

TCP port 4444
TCP port 135 (DCOM)
UDP port 69 (TFTP)

However - once on board and operational it may well leak along any ports controlled or called by svchost/RPC..

I've been a bit lucky actually - I'm up on it because my thin server prototype build (below) is specifically designed to operate without an active firewall in place - I have customized the services, registry and apps model so that it is natively secure or nobbled so that if it does get breached - it kind of flops around and calls for help a couple of times instead of doing anything dangerous..

I had been noticing persistent traffic on port 135 here for a while and put down a related project I've been working on and started investigating this early last week.. Sure enough - came across the buffer overflow alert tucked away on MicroSoft's site (prior to this public exploit it wasn't noted as being very 'critical') after a long research pass about RPC services.. I patched it and several other things on the weekend - fixed some stuff the patches broke and have been sitting pretty through the storm..

The long term issue, however, isn't blocking particular ports - the problem is securing svchost, RPC and general system services outright (which has been my focus) as there are literally dozens of minor and major services wired into RPC across all OSes - print spooler and COM+ and clipboard for example on W32..

A brother propeller head of mine had voiced some concerns regarding RPC security a couple of months ago and I took measures to 'dumb down' RPC services on my model enough so that my server still functions fine - but - was able to avoid the security breach by the script kiddies attempting to exploit the buffer overflow last month and then the literal wave of automated attempts that started up on the 11th and have been coming in since.. While applying the patch is a requirement to avoid exploit - the patch itself does nothing to relieve the greater problem of open RPC services (auto update and other 'self healing' type solutions for example) on both Windows and Linux (Redhat being the victim of a minor RPC exploit itself recently)..

Interestingly - while this round has gone a long way to increasing my confidence regarding my prototype - I think we are witnessing a very important start point in regard to the next round of i-net evolution as it may well foster the premise that ISPs have to take some measures to protect their broader customer node against this sort of automated exploit.. Currently - the exploit simply is being used to trigger a DoS attempt on MicroSoft node - however - there is no reason at all it won't be modified to address its own ISP DNS host or any recorded DNS host in a given user's cache or e-mail system.. A really ripping RPC exploit would then allow for a Distributed DoS attack where no one node was being targeted - but all nodes were being overrun with traffic so that the network effectively gridlocked..

Anyway - putting aside the 'violet horizon' silliness - around here the worm round appears to have started at a single machine that had dual ISP accounts in a lonely place called Truro - his/her machine got infected on one network - when he/she logged into the other account - the machine then began probing and infecting machines on our node..

Within about 6 hours the machine had probed the entire range and infected hundreds of machines - which in turn started rattling doors across several other nodes.. At least that is the word - my ISP HR folks don't bother to look at my resume when I send it in - so I am just passing along what I have heard.. Both the local ISPs put out a warning note to their credit and things have calmed down quickly since..

I still say CNN/MSNBC and whoever is advising them is wrong though - it should read "not an e-mail driven worm - as yet"..

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day
Colin James - Cadillac Baby
http://www.dexterdyne.org/888/066.RAM
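As an added example (not part of the original post or thread), a small Python detector that looks for the three-port pattern Dexter lists (TCP/135 and TCP/4444 inbound from one peer, then UDP/69 TFTP back out to it) and for the outbound port 135 probing he describes, run over constructed firewall log lines; the log line format and the host addresses are assumptions made for this example.

```python
"""Flag the port pattern from the post (TCP/135 in, TCP/4444 in, UDP/69 TFTP out)
and the outbound TCP/135 fan-out of an infected host, over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, format "<ISO time> <proto> <src>:<sport> -> <dst>:<dport>" (assumed):
# 10.0.0.9 hits 10.0.0.5 on 135 then 4444, 10.0.0.5 fetches via TFTP from
# 10.0.0.9, then 10.0.0.5 starts probing 135 on other hosts.
SAMPLE_LOG = """\
2003-08-13T10:00:01 TCP 10.0.0.9:3021 -> 10.0.0.5:135
2003-08-13T10:00:02 TCP 10.0.0.9:3022 -> 10.0.0.5:4444
2003-08-13T10:00:04 UDP 10.0.0.5:1030 -> 10.0.0.9:69
2003-08-13T10:02:10 TCP 10.0.0.5:1031 -> 10.0.0.20:135
2003-08-13T10:02:10 TCP 10.0.0.5:1032 -> 10.0.0.21:135
2003-08-13T10:02:11 TCP 10.0.0.5:1033 -> 10.0.0.22:135
2003-08-13T10:05:00 TCP 10.0.0.7:2000 -> 10.0.0.5:80
"""

def parse(log):
    """Yield (time, proto, src_ip, src_port, dst_ip, dst_port) per non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, proto, src, _, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), proto, sip, int(sport), dip, int(dport)

def find_compromise_chains(log, window=timedelta(minutes=5)):
    """Return {(victim, peer)}: peer hit victim on TCP/135 and TCP/4444, and the
    victim then sent UDP/69 (TFTP) back to that peer, all inside `window`."""
    events = list(parse(log))
    hits = set()
    for t0, proto, peer, _, victim, dport in events:
        if proto != "TCP" or dport != 135:
            continue
        later = [e for e in events if t0 <= e[0] <= t0 + window]
        shell = any(e[1:3] == ("TCP", peer) and e[4:6] == (victim, 4444) for e in later)
        tftp = any(e[1:3] == ("UDP", victim) and e[4:6] == (peer, 69) for e in later)
        if shell and tftp:
            hits.add((victim, peer))
    return hits

def find_135_scanners(log, threshold=3):
    """Return hosts that probed TCP/135 on at least `threshold` distinct targets
    (the 'probes out on all' behaviour of an already infected machine)."""
    targets = defaultdict(set)
    for _, proto, sip, _, dip, dport in parse(log):
        if proto == "TCP" and dport == 135:
            targets[sip].add(dip)
    return {h for h, d in targets.items() if len(d) >= threshold}
```

Blocking 135 at the border only stops the first step; the fan-out check is what shows a machine that is already infected and probing its own node.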
