O.K. Without posting too much detail for the visiting uber skiddies, I ran into a client that managed to get their TCP stack COMPLETELY HOSED. I think it was one of phishphreek80's users because they stated that they didn't do anything - http://www.antionline.com/showthread...r=1#post833514
Anyway, while looking for the media to reinstall it hit me. If ISA uses winsock, shouldn't it stand to reason that the XP firewall would also? I know reason and Microsoft is an oxymoron, like Military Intelligence. But hey - IT WORKED.
"Netsh winsock reset" at the command prompt reset the firewall to its default settings. Those of you that used to program and/or dink with winsock.dll will realize the flaw here.
Another banner moment for Microsoft's development team!
The malware used to corrupt the stack in the first place looks like it was designed to open ports on the firewall but the code was missing a command and subsequently hosed the stack. I fixed the code and reset my home firewall, from work, to allow all traffic.
There is a system log detailing the change, but nothing in the firewall detail logs.
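A defender-side check for the behaviour described above, added here as an example and not code from the thread: snapshot the XP-era Windows Firewall configuration on a known-good box and report any drift later, e.g. after a suspected winsock reset or malware incident. It assumes the legacy `netsh firewall` context (XP SP2 / Server 2003); the function names and file paths are made up for the example.

```powershell
# Added example (not from the thread): baseline the XP-era Windows Firewall
# configuration and report drift, e.g. after "netsh winsock reset".
# Assumes the legacy "netsh firewall" context (XP SP2 / Server 2003);
# on Vista and later substitute "netsh advfirewall show allprofiles".

function Get-FirewallSnapshot {
    # Capture the text the firewall reports about itself; run elevated if
    # you also want per-program exceptions listed.
    $lines = & netsh firewall show config 2>&1
    # Normalise whitespace so harmless layout differences do not show as drift
    return $lines | ForEach-Object { $_.ToString().Trim() } | Where-Object { $_ -ne "" }
}

function Save-FirewallSnapshot([string]$Path) {
    Get-FirewallSnapshot | Set-Content -Path $Path
}

function Compare-FirewallSnapshot([string]$BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath
    $current  = Get-FirewallSnapshot
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    if (-not $diff) {
        Write-Host "Firewall configuration matches baseline."
        return $false
    }
    Write-Host "Firewall configuration drifted from baseline:"
    foreach ($d in $diff) {
        # "<=" means the line was in the baseline only, "=>" in the current config only
        Write-Host ("  {0} {1}" -f $d.SideIndicator, $d.InputObject)
    }
    return $true
}

# Usage (paths are placeholders):
#   Save-FirewallSnapshot C:\baseline\fw.txt        # taken on a known-good box
#   ... later, after a suspected reset or malware incident ...
#   if (Compare-FirewallSnapshot C:\baseline\fw.txt) { "investigate" }
```

Because the thread notes that the reset leaves a System log entry but nothing in the firewall's own logs, a config diff like this is the quickest way to confirm whether the firewall actually fell back to defaults.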
April 7th, 2005, 05:26 PM
Was this done on a login account that was using administrative rights? If so, well then it isn't an exploit or "banner moment" by any means. It would be no different than going in and manually changing the firewall settings. Chances are they are not running in a limited account (like they should be) and thus installed software that required admin-level access to damage the machine.
The firewall exploit and malware are not anyone's fault but the user running in admin-level mode rather than what they should be in, limited mode.
April 7th, 2005, 06:01 PM
I'm not sure what account was running during the initial infection; however, the Netsh command was run using a limited account.
My point about winsock.dll and Wsock32.dll is this.
Think of a DCOM protocol stack in terms of the Open Systems Interconnection (OSI) seven-layer model.
DCOM is not really an independent network protocol layered on top of the RPC protocol. Instead, DCOM merges with the RPC header and data, using the fields of the RPC structures for its own devices. The DCOM network protocol is often called Object RPC or ORPC to emphasize the close relationship between RPC and the DCOM protocol at the network level. ORPC highly leverages the functionality of the OSF DCE RPC network protocol. For example, the authentication, authorization, and message integrity/encryption features of RPC are present in ORPC.
Now think about this. I create a connection from box a to box b via ssh. I want to connect box b to box c. I use telnet to connect to c from b.
April 7th, 2005, 08:13 PM
Very interesting. Do you think that the firewall could be completely disabled via calls to DCOM, rather than just reset?