August 18th, 2003, 06:14 PM
There's a new worm using the RPC DCOM exploit - see http://vil.nai.com/vil/content/v_100559.htm
This one has a twist, though: it patches the infected PC with the MS patch 823980 and then deletes the MSBlast worm from the PC.
August 18th, 2003, 06:26 PM
August 18th, 2003, 06:30 PM
Makes sense to me.
I've considered this to be a good solution to the problem...
It wasn't Mark's that got into the wild was it?
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
August 18th, 2003, 07:03 PM
The initial analysis also says that it appears to be self removing after 1st Jan.
However, we've now replaced probes to port 135 on my firewall with ping requests! It's gonna be a very noisy few months at this rate.
August 18th, 2003, 07:05 PM
I was just wondering if there are more instances of this. I always wondered why I never heard of reformed virus/worm writers writing "retroviruses", sort of virus-like programs that, like a virus, search for computers on a network that are vulnerable to a certain exploit and use it to copy themselves onto that computer, but instead of using the inside access to DDoS another machine or wreak havoc on the host network, patch the flaw from the inside and destroy themselves. Why don't cops and software companies do this? What about infosec companies like Symantec? Who knows more about viruses than Symantec? They could totally pull it off, so why don't they?
:q :q! :wq :w :w! :wq! :quit :quit! :help help helpquit quit quithelp :quitplease :quitnow :leave :**** ^X^C ^C ^D ^Z ^Q QUITDAMMIT ^[:wq GCS,M);d@;p;c++;l++;u ++ ;e+ ;m++(---) ;s+/+ ;n- ;h* ;f+(--) ;!g ;w+(-) ;t- ;r+(-) ;y+(**)
August 18th, 2003, 07:17 PM
Well, one reason not to let it onto your corporate network can be found by having a quick look at your firewall logs.
At the moment I'm getting in excess of one ping every 4 seconds from my subnet and several very close ones. There must be a shedload of ICMP traffic hammering away through my ISP right now. Imagine what would happen on a large network? Nasty.
On the other hand, a decent firewall should keep it at bay, and this will also likely fix most of the vulnerable PCs on the public internet.
My guesstimate on the ping pattern is that this is looking at working a range of maybe 2048 IP addresses centered around the infected PC. It's not quite the local subnet, but very close. This could mean some ISPs or corporate networks suffering under ICMP storms.
In other words, it's a mixed bag. I think it unintentionally comes with a payload which could cause problems on some networks. On the other hand, those networks were probably struggling with MSBlast anyway.
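The ping pattern described in this post can be checked against a firewall log rather than eyeballed. The script below is an added example, not code from anyone in this thread; it assumes iptables-style kernel log lines (constructed sample data, not real traffic), takes the "about 2048 addresses centred on the infected PC" guesstimate as a +/- 1024 address window, and flags a source as a suspected sweep when it sends echo requests at a short mean interval to several distinct neighbouring addresses. The thresholds and the radius are assumptions for illustration.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of iptables-style log lines (not captured traffic).
# ICMP TYPE=8 is an echo request. 10.20.5.7 sweeps addresses close to
# itself once every 4 seconds; 198.51.100.9 sends a single, unrelated ping.
SAMPLE_LOG = """\
Aug 18 19:03:00 fw kernel: IN=eth0 OUT= SRC=10.20.5.7 DST=10.20.4.200 PROTO=ICMP TYPE=8 CODE=0
Aug 18 19:03:04 fw kernel: IN=eth0 OUT= SRC=10.20.5.7 DST=10.20.4.201 PROTO=ICMP TYPE=8 CODE=0
Aug 18 19:03:08 fw kernel: IN=eth0 OUT= SRC=10.20.5.7 DST=10.20.4.202 PROTO=ICMP TYPE=8 CODE=0
Aug 18 19:03:12 fw kernel: IN=eth0 OUT= SRC=10.20.5.7 DST=10.20.4.203 PROTO=ICMP TYPE=8 CODE=0
Aug 18 19:03:16 fw kernel: IN=eth0 OUT= SRC=10.20.5.7 DST=10.20.4.204 PROTO=ICMP TYPE=8 CODE=0
Aug 18 19:03:20 fw kernel: IN=eth0 OUT= SRC=10.20.5.7 DST=10.20.4.205 PROTO=ICMP TYPE=8 CODE=0
Aug 18 19:03:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.20.4.200 PROTO=ICMP TYPE=8 CODE=0
Aug 18 19:03:09 fw kernel: IN=eth0 OUT= SRC=10.20.5.7 DST=10.20.4.200 PROTO=TCP SPT=1034 DPT=135
Aug 18 19:03:10 fw kernel: IN=eth0 OUT= SRC=10.20.5.7 DST=10.20.4.206 PROTO=ICMP TYPE=0 CODE=0
"""

# Matches the syslog timestamp and the SRC/DST/PROTO fields; TYPE is optional
# because non-ICMP lines (e.g. the port 135 probe) do not carry it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+))?"
)


def parse_line(line, year=2003):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Syslog lines carry no year; the assumed year only matters for deltas.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "type": int(m["type"]) if m["type"] else None,
    }


def is_echo_request(rec):
    return rec["proto"] == "ICMP" and rec["type"] == 8


def within_radius(src, dst, radius=1024):
    """True when dst lies within +/- radius addresses of src (assumed window)."""
    return abs(int(ipaddress.ip_address(src)) - int(ipaddress.ip_address(dst))) <= radius


def summarize(log_text, radius=1024, max_interval=5.0, min_targets=5):
    """Per-source echo-request statistics plus a 'suspect_sweep' verdict."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_echo_request(rec):
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        count = len(recs)
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        mean_interval = span / (count - 1) if count > 1 else None
        near = sum(within_radius(src, r["dst"], radius) for r in recs)
        distinct = len({r["dst"] for r in recs})
        report[src] = {
            "echo_requests": count,
            "distinct_targets": distinct,
            "mean_interval_s": mean_interval,
            "targets_within_radius": near,
            # Sweep verdict: many distinct nearby targets, pinged at a steady clip.
            "suspect_sweep": (
                distinct >= min_targets
                and mean_interval is not None
                and mean_interval <= max_interval
                and near == count
            ),
        }
    return report


if __name__ == "__main__":
    for src, stats in summarize(SAMPLE_LOG).items():
        print(src, stats)
```

Run against a real `/var/log/messages` the radius and interval thresholds should be tuned to the site; a source that pings a handful of neighbours at a human pace will not trip the verdict, while a steady sweep of the surrounding address space will. Note that this only sees what the firewall logs, so the rate observed at one host is a lower bound on what the source is actually emitting.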
August 18th, 2003, 08:07 PM
Well, as someone who had a lot of problems because of the MS DCOM/RPC patch, I for one think that this virus should be considered malware and detected by antivirus vendors.
Who is more trustworthy than all of the gurus or Buddhas?
August 18th, 2003, 08:11 PM
Looks like most AV vendors have already updated their signatures or are working on it.
I've *never* seen this much activity on my firewall before though. I'm making a bet that the Internet Storm Center - http://isc.incidents.org/ - will upgrade this to a yellow because of the risk of an ICMP/Ping storm.
August 18th, 2003, 09:00 PM
This reminds me of one about 3-4 years ago... cannot remember the name? What we are looking at is a form of "reverse social engineering". Plus, if the other crap is there, this doesn't work?
Help me, you memory men.
There are NO "good" bad guys
August 18th, 2003, 09:40 PM
I'm not sure there's much social engineering involved. I'm pretty certain this is somebody trying to be a "white hat", but there's a couple of major flaws in this anti-worm.
Firstly, 1st January 2004 is waaaay too long. It would pick up most of the infected PCs if allowed to run for a couple of days. This appears to be a much more effective infector than MSBlast.
Secondly, the rate of infection is very high, and the scanning rate is very high too. Because of the high level of effectiveness, this is causing a large number of infected hosts scanning very quickly. Indeed, on the first day, I'm getting twice as much firewall activity from Nachi as I am from MSBlast.
Those of you with long memories will remember the first Internet Worm back in 1988. Because you can never test something like this in the wild, it's difficult to know how to "throttle" the spread of the worm. Back in '88, the worm spread much more quickly and aggressively than anticipated, and I'm afraid that with the infection rate of *this* worm, we may end up with something out of control. If it was just for a couple of days it wouldn't be so bad, but we're looking at a time period of four-and-a-half months of endless repetitive pinging.
In other words, I think the anti-worm is a little buggy. A slower spread rate and shorter infection period would be nice. As to whether this is a *good* thing or not is hard to say. It'll clean up MSBlast pretty quickly. The damage it will do on the way is something I guess we'll find out.