August 15th, 2003, 10:19 AM
My DCOM Solver
I created a new.exe based on the code from the msblast.exe worm.
My code downloads and runs the patch from microsoft and seals the hole/exploit.
It deletes the blast virus and its 3 known variants.
I set it loose on my network here at 9:00 last night and all the machines were patched within 20 minutes. (250 off)
It did slow the network to a grinding halt but the log file it was reporting back to did show its path and I'm satisfied that I maintained a level of control over its path and it didn't make it into the wild. (Nearly crapped myself when I thought it had.)
Its a great way to seal the exploit on your network.
I am throwing together a scanner type tool to search for the exploit and a single non replicating tool to send and patch p.cs.
If anyone wants to lend me a hand I would be greatfull.
August 15th, 2003, 10:53 AM
Nice mark, can i have that new.exe
August 15th, 2003, 11:09 AM
I don't want it to find its way into the wild. It would be a major DOS attack.
MSBLAST is <10k the patch is 1200k ish.
How about I give you the code and you compile it then if it leaks out of your network I don't get my ass kicked and sent to jail like some alt 2300 script kiddie.
August 15th, 2003, 11:14 AM
I would be happy with the code too.
August 15th, 2003, 11:17 AM
What languages / compilers do you have ?
August 15th, 2003, 10:08 PM
Put the microsoft patches for all affected OS'ses in your startup-script. Don't worry about running the wrong patch on a wrong operating system to much: the win2k, nt4 and win2003 patches just quit with an errormessage if you run them on the wrong OS.
We ran the w2k patch on all about 300 computers, after which we started McAfee Stinger. After 24 hours, only 30 unpatched machines were left.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
August 16th, 2003, 12:52 PM
Well if you have an AD environment, you can push out the correct patch and removal tool via scripting and group policy. I pushed it out to 7500+ machines inside of 4 hours. The only issues that we have left are those machines that are not part of AD and they were easily tagged as vulnerable using Nessus and the MSRPC_DCOM NASL. (NASL ID 11808).
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden