[Full-Disclosure] DCOM Worm?

2003-08-12 Thread Carl Sager
Aha!  The worm is using the 2k offsets and corrupts
the DCOM RPC service on XP, which makes the OS
automatically shut down after 1 minute.  Patch up or
use a firewall (or well, just tell any ignorant end
users to do so) and you'll be good!

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] attacks shutting down windows machines?

2003-08-12 Thread vogt
Hi there -

We are currently receiving a considerable volume of customer reports where
Windows machines (XP usually, as it's residential customers) are seemingly
shut down remotely. Nothing evil seems to happen, just a regular system
shutdown.

Anyone else seen this? Is someone using the latest exploit to have some
harmless fun?


best regards / mit freundlichen Gruessen,

Tom Vogt
Hansenet Webfarm Security 


RE: [Full-Disclosure] aside: worm vs. worm?

2003-08-12 Thread Arian J. Evans
Andrew,

# Would anyone consider releasing a patching
# worm on their own network if they knew it wouldn't spread to 
# the rest of the internet or is there a downside to this notion which I'm 
# not realizing?

A worm is a worm is a worm is a worm.

I am most certainly not a big fan of software I can't control,
executing in an arbitrary manner on hosts I hope to control...

I understand what you mean, and where you are going, but
if that is what you want, then I think Microsoft SMS, Shavlik,
Pedestal, and others have highly effective solutions w/out
releasing code that can potentially run in an arbitrary manner...

My $0.01 USD, deprecated for current market value,

Arian J. Evans


[Full-Disclosure] buffer overflow in Indiatimes Messenger

2003-08-12 Thread Gaurav Kumar
+---------------------------------------------------+
+ Gaurav Kumar ([EMAIL PROTECTED]) presents          +
+   Buffer Overflow In Indiatimes Messenger          +
+---------------------------------------------------+

OVERVIEW

Indiatimes Messenger is a popular Instant Messenger that allows you to:
- Instantly connect to Indiatimes, Yahoo, MSN, ICQ and AOL
- Chat in 11 Indian languages
- Send SMS and many more.

Problem

On entering a very large username (about 1500 characters) the messenger
core executable MMCLIENT.EXE crashes.

Vulnerable Version
The latest version 4.0 is vulnerable.

Vendor Response
Vendor contacted. Still waiting for response.
--
Author: Gaurav Kumar ([EMAIL PROTECTED])

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Gaurav Kumar
Chief Information Security Analyst

E2 Labs Information Security Pvt. Ltd.
Road no. 3 , Banjara Hills
Hyderabad-34
AP
India

[EMAIL PROTECTED]
www.e2-labs.com

PGP public key at-
http://mycgiserver.com/~ethicalhackers/pgp.txt

Phone(s)-
Mobile  +91 40 31068650
Tele/Fax   +91 40 23555942 (ext-24)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



Re: [Full-Disclosure] aside: worm vs. worm?

2003-08-12 Thread Darren Reed
In some mail from Andrew J Homan, sie said:
> 
> It seems that between the time dcom.c first starting popping up around the
> internet and today, there was ample time for someone to write and release a
> worm designed to patch infected systems and remove any sign of itself. 
> Given that on the 16th of this month windowsupdate.com will be DDOSed, does
> anyone else see this as an opportunity for a war of worms with
> windowsupdate.com at stake?  Would anyone consider releasing a patching
> worm on their own network if they knew it wouldn't spread to the rest of
> the internet or is there a downside to this notion which I'm not realizing?

You know, if the DDoS was targeted at someone innocent, I might be
more sympathetic towards the problem of a web site being DDoS'd.

But it's Microsoft's own web site that is being targeted and it is
through their own bug that it is being made possible.  As much as
they would like to point the finger at others for making the code
available to do it, if their software didn't have the bug, it would
not be possible at all.  Hrm, I don't really want to start _THAT_
discussion again, but I don't think you will find much, if any,
sympathy for Microsoft being targeted by this worm.  They're a
large, rich, monopoly of a company.  Do they really deserve any
nice sympathy at all?  I suspect I'm not alone in these feelings.

Darren


Re: [Full-Disclosure] DCOM Worm?

2003-08-12 Thread morning_wood
Could be a missed attempt at an auto rooter (dcom) and it's auto rooting
the local box on reboot..
Just my thought.


Donnie Werner
http://e2-labs.com


- Original Message - 
From: "Carl Sager" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 12:51 PM
Subject: [Full-Disclosure] DCOM Worm?


> I'm working as a technician and have had 3 people
> from the local area call within the last hour about a
> problem with having their computer shut down after
> giving a one minute warning.  This only happens when
> they have an internet connection - if they boot up
> with a network cable plugged in, even if they don't
> have a browser or any other apps open, it'll shut
> down.  It looks like they're all running NT/2k/XP as
> well - is this a DCOM worm?


Re: [Full-Disclosure] DCOM Worm released

2003-08-12 Thread Dennis Opacki

Can anyone confirm whether the tftp transfers appear to be solely from the
hosts listed in the initial sans.org note (which now appear to have been
taken down), or is the transfer done from the infecting host?

TIA,

-Dennis

On Mon, 11 Aug 2003, Joey wrote:

> They found a worm, but since it uses tftp servers that
> can be taken down and since tftp is slow, it shouldn't
> have much of an effect.
>
> "Scans sequentially for machines with open port 135,
> starting at a presumably random IP address" - very
> stupid way to spread!
>
> http://isc.sans.org/diary.html?date=2003-08-11


RE: [Full-Disclosure] Symantec has released an MSBLast removal tool.

2003-08-12 Thread Scott Fendley
It looks like CA also has released a removal tool.  The SANS Diary at 
http://isc.sans.org/diary.html?date=2003-08-11

Here is the excerpt from that URL:

Once you are infected, we highly recommend a complete rebuild of the site. 
As there have been a number of irc bots using the exploit for a few weeks 
now, it is possible that your system was already infected with one of the 
prior exploits. Do not connect an unpatched machine to a network.

If you can not do this and/or the computer resides on a protected or 
non-Internet connected network, then several Anti-Virus Vendors have 
supplied tools to assist in removing the worm. However, these tools can not 
clean up damage from other RPC DCOM malware such as the recent sdbot irc 
bots. This method of cleaning your system is _not_ recommended, but the 
URLs are presented below for completeness.

http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html 

http://www3.ca.com/Files/VirusInformationAndPrevention/ClnPoza.zip

At 01:29 AM 8/12/2003 -0400, gml wrote:

It's about damned time, I guess I can stop writing mine now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ViLLaN
Sent: Monday, August 11, 2003 11:06 PM
To: '[EMAIL PROTECTED]'
Subject: [Full-Disclosure] Symantec has released an MSBLast removal tool.

Hey Guys,

Symantec has just released a removal tool for MSBLAST.

Cheers,

Garth S




RE: [Full-Disclosure] DCOM

2003-08-12 Thread Jason Coombs
Is this what you're seeing?

6 66.859375 BEFC2500 XEROX 00 MSRPC c/o RPC Bind: UUID
000001A0-0000-0000-C000-000000000046  call 0x7F  assoc grp 0x0  xmit 0x16D0
recv 0x16D0 67.30.174.214 WIN2KDEV IP
Frame: Base frame properties
Frame: Time of capture = 8/11/2003 9:25:11.405
Frame: Time delta from previous physical frame: 8687500 microseconds
Frame: Frame number: 6
Frame: Total frame length: 126 bytes
Frame: Capture frame length: 126 bytes
Frame: Frame data: Number of data bytes remaining = 126 (0x007E)
ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
ETHERNET: Destination address : 0500
ETHERNET: ...0 = Individual address
ETHERNET: ..0. = Universally administered address
ETHERNET: Source address : BEFC2500
ETHERNET: ...0 = No routing information present
ETHERNET: ..1. = Locally administered address
ETHERNET: Frame Length : 126 (0x007E)
ETHERNET: Ethernet Type : 0x0800 (IP:  DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 112 (0x0070)
IP: ID = 0x1C04; Proto = TCP; Len: 112
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 112 (0x70)
IP: Identification = 7172 (0x1C04)
IP: Flags Summary = 2 (0x2)
IP: ...0 = Last fragment in datagram
IP: ..1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 125 (0x7D)
IP: Protocol = TCP - Transmission Control
IP: Checksum = 0x0138
IP: Source Address = 67.30.174.214
IP: Destination Address = 67.30.171.57
IP: Data: Number of data bytes remaining = 92 (0x005C)
TCP: .AP..., len:   72, seq:3551092873-3551092945, ack: 188699400, win: 8160,
src: 3843  dst:  135
TCP: Source Port = 0x0F03
TCP: Destination Port = Location Service
TCP: Sequence Number = 3551092873 (0xD3A96089)
TCP: Acknowledgement Number = 188699400 (0xB3F5308)
TCP: Data Offset = 20 (0x14)
TCP: Reserved = 0 (0x)
TCP: Flags = 0x18 : .AP...
TCP: ..0. = No urgent data
TCP: ...1 = Acknowledgement field significant
TCP: 1... = Push function
TCP: .0.. = No Reset
TCP: ..0. = No Synchronize
TCP: ...0 = No Fin
TCP: Window = 8160 (0x1FE0)
TCP: Checksum = 0xC46A
TCP: Urgent Pointer = 0 (0x0)
TCP: Data: Number of data bytes remaining = 72 (0x0048)
MSRPC: c/o RPC Bind: UUID 000001A0-0000-0000-C000-000000000046  call
0x7F  assoc grp 0x0  xmit 0x16D0  recv 0x16D0
MSRPC: Version = 5 (0x5)
MSRPC: Version (Minor) = 0 (0x0)
MSRPC: Packet Type = Bind
MSRPC: Flags 1 = 3 (0x3)
MSRPC: ...1 = Reserved -or- First fragment (AES/DC)
MSRPC: ..1. = Last fragment -or- Cancel pending
MSRPC: .0.. = Not a fragment -or- No cancel pending (AES/DC)
MSRPC: 0... = Receiver to repond with a fack PDU -or- Reserved
(AES/DC)
MSRPC: ...0 = Not used -or- Does not support concurrent
multiplexing (AES/DC)
MSRPC: ..0. = Not for an idempotent request -or- Did not execute
guaranteed call (Fault PDU only) (AES/DC)
MSRPC: .0.. = Not for a broadcast request -or- 'Maybe' call
semantics not requested (AES/DC)
MSRPC: 0... = Reserved -or- No object UUID specified in the
optional object field (AES/DC)
MSRPC: Packed Data Representation
MSRPC: Fragment Length = 72 (0x48)
MSRPC: Authentication Length = 0 (0x0)
MSRPC: Call Identifier = 127 (0x7F)
MSRPC: Max Trans Frag Size = 5840 (0x16D0)
MSRPC: Max Recv Frag Size = 5840 (0x16D0)
MSRPC: Assoc Group Identifier = 0 (0x0)
MSRPC: Presentation Context List
MSRPC: Number of Context Elements = 1 (0x1)
MSRPC: Presentation Context Identifier = 1 (0x1)
MSRPC: Number of Transfer Syntaxs = 1 (0x1)
MSRPC: Abstract Interface UUID = 000001A0-0000-0000-C000-000000000046
MSRPC: Abstract Interface Version = 0 (0x0)
MSRPC: Transfer Interface UUID = 8A885D04-1CEB-11C9-9FE8-08002B104860
MSRPC: Transfer Interface Version = 2 (0x2)
0:  00 00 05 00 00 00 BE FC 20 00 05 00 08 00 45 00   ..¾ü .E.
00010:  00 70 1C 04 40 00 7D 06 01 38 43 1E AE D6 43 1E   [EMAIL PROTECTED]
00020:  AB 39 0F 03 00 87 D3 A9 60 89 0B 3F 53 08 50 18   «9...?Ó©`?.?S.P.
00030:  1F E0 C4 6A 00 00 05 00 0B 03 10 00 00 00 48 00   .àÄj..H.
00040:  00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00   .....Ð.Ð...
00050:  00 00 01 00 01 00 A0 01 00 00 00 00 00 00 C0 00   .. ...À.
00060:  00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C   .F.]??ë.
00070:  C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 É.?è..+.H`

7 66.859375 XEROX 00 BEFC2500 MSRPC c/o RPC Bind Ack: call 0x7F
assoc grp 0x90D9  xmit 0x16D0  recv 0x16D0 WIN2KDEV 67.30.174.214 IP
Frame: Base 
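As an added example (not from Jason's post or from any tool on the page), the following Python decodes the 72-byte DCERPC Bind PDU carried in frame 6 above and flags a bind to TCP/135 that negotiates the DCOM ISystemActivator interface, the interface the MS03-026 exploits bind before sending their activation request. The UUID constants are the well-known values; the archive mangled the first one in the decode, but the bytes at offsets 0x56-0x65 of the hex dump confirm it.

```python
import struct
import uuid
# TCP payload of frame 6 above (dump offsets 0x36-0x7D), transcribed as a
# constant so the example runs offline; the first 54 bytes of the frame are
# the Ethernet, IP and TCP headers that Network Monitor already decoded.
DCOM_BIND_PDU = bytes.fromhex(
    "05 00 0b 03 10 00 00 00 48 00 00 00 7f 00 00 00"
    "d0 16 d0 16 00 00 00 00 01 00 00 00 01 00 01 00"
    "a0 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46"
    "00 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00"
    "2b 10 48 60 02 00 00 00"
)

PTYPE_BIND = 0x0B
# Well-known interface UUIDs; both appear (the first mangled) in the decode above.
ISYSTEMACTIVATOR = uuid.UUID("000001A0-0000-0000-C000-000000000046")
NDR32 = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860")

def read_uuid(buf: bytes, little: bool) -> uuid.UUID:
    """DCERPC writes the first three GUID fields in the sender's byte order."""
    return uuid.UUID(bytes_le=buf) if little else uuid.UUID(bytes=buf)

def parse_bind(pdu: bytes) -> dict:
    """Decode a connection-oriented DCERPC Bind PDU (DCE 1.1 RPC, C706)."""
    if len(pdu) < 28:
        raise ValueError("PDU shorter than a minimal Bind")
    if pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCERPC v5 Bind PDU")
    little = bool(pdu[4] & 0x10)       # drep byte 0, high nibble 1 = little-endian
    e = "<" if little else ">"
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise ValueError(f"fragment length {frag_len} != {len(pdu)} bytes on the wire")
    max_xmit, max_recv, assoc_group = struct.unpack(e + "HHI", pdu[16:24])
    n_ctx, off, contexts = pdu[24], 28, []   # 3 reserved bytes follow n_ctx
    for _ in range(n_ctx):
        ctx_id, n_trans = struct.unpack(e + "HB", pdu[off:off + 3])
        off += 4                          # 1 reserved byte after n_trans
        abstract = read_uuid(pdu[off:off + 16], little)
        abstract_ver = struct.unpack(e + "I", pdu[off + 16:off + 20])[0]
        off += 20
        transfers = []
        for _ in range(n_trans):
            transfers.append((read_uuid(pdu[off:off + 16], little),
                              struct.unpack(e + "I", pdu[off + 16:off + 20])[0]))
            off += 20
        contexts.append({"ctx_id": ctx_id, "abstract": abstract,
                         "abstract_ver": abstract_ver, "transfers": transfers})
    return {"call_id": call_id, "frag_len": frag_len, "auth_len": auth_len,
            "max_xmit": max_xmit, "max_recv": max_recv,
            "assoc_group": assoc_group, "contexts": contexts}

def is_isystemactivator_bind(pdu: bytes, dst_port: int) -> bool:
    """True for a Bind to TCP/135 that negotiates the ISystemActivator interface."""
    if dst_port != 135:
        return False
    try:
        info = parse_bind(pdu)
    except ValueError:
        return False
    return any(c["abstract"] == ISYSTEMACTIVATOR for c in info["contexts"])

if __name__ == "__main__":
    print(parse_bind(DCOM_BIND_PDU), is_isystemactivator_bind(DCOM_BIND_PDU, 135))
```

A bind alone is not proof of exploitation, since legitimate DCOM activation negotiates the same interface; a detector should pair this with inspection of the request that follows the Bind Ack and with the tftp transfer discussed elsewhere on this thread.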

RE: [Full-Disclosure] Symantec has released an MSBLast removal tool.

2003-08-12 Thread gml
It’s about damned time, I guess I can stop writing mine now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ViLLaN
Sent: Monday, August 11, 2003 11:06 PM
To: '[EMAIL PROTECTED]'
Subject: [Full-Disclosure] Symantec has released an MSBLast removal tool.

Hey Guys,

Symantec has just released a removal tool for MSBLAST.

Cheers,

Garth S

RE: [Full-Disclosure] Microsoft Internet Explorer about:blank Cross Site Scripting

2003-08-12 Thread Richard M. Smith
Huh?  How is this a XSS bug?  How is the about: URL added to a Web page?

Richard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lorenzo
Hernandez Garcia-Hierro
Sent: Monday, August 11, 2003 1:13 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Microsoft Internet Explorer about:blank Cross
Site Scripting


Microsoft Internet Explorer about:blank Cross Site Scripting
------------------------------------------------------------
PRODUCT: Internet Explorer
VENDOR: Microsoft 
VULNERABLE VERSIONS:

   - 6.0.2600.x <- without SP1
   - 5.0.x
   - 4.x
   - 3.x
   - And older versions possibly affected too.

NOT VULNERABLE VERSIONS:

   - ?

Description:

Microsoft Internet Explorer is one of the best web browsers, used by 
millions of people around the world.
It is not the most secure web browser, but it is easy to use, quick and 
has a good-looking design.

---------------------------------------------
| SECURITY HOLES FOUND and PROOFS OF CONCEPT |
---------------------------------------------

I encountered a Cross Site Scripting vulnerability when you pass 
crafted about:blank pages.

-----------------
| ABOUT:XSS ;-) |
-----------------

When you pass a specially crafted URL to the Internet Explorer 
about:blank URL you can conduct a Cross Site Scripting attack with a 
very simple technique:

about:blank%20[ CROSS SITE SCRIPTING ATTACK]

examples:

about:blank%20alert('8-D uhh !');

about:blank%20

about:blank%20XSS is behind you...

With this you can get (steal) cookies from the victim's browser and 
perform other attacks against the victim's system.

-----------------
| IMPORTANT     |
| NOTES         |
-----------------

1.- The SP1 for MS Internet Explorer contains XSS protection for URL 
objects and you can't run this.
2.- This vulnerability is not related to the hole called about:// 
urls vulnerability.
3.- This vulnerability only concerns the about:blank URL.

---
| CONTACT |
---

Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**
www.novappc.com
security.novappc.com
www.lorenzohgh.com
__

NSRG-20-7



Re: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

2003-08-12 Thread morning_wood
all i can say about all this is...
 i fucking told ya so.

morning_wood
http://nothackers.org 
[EMAIL PROTECTED]




RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM Worm Propagation (fwd)

2003-08-12 Thread Mike
That's only good if you're at home, and they would also need to be savvy
enough to know how to configure it properly.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard
Stevens
Sent: Tuesday, 12 August 2003 11:15 p.m.
To: Chris Garrett; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] ISS Security Brief: "MS Blast" MSRPC DCOM
Worm Propagation (fwd)


I must be missing something here... XP Home & Pro both have a "click and
forget" firewall?
 
Why aren't people using it?
 

-Original Message- 
From: Chris Garrett [mailto:[EMAIL PROTECTED] 
Sent: Tue 12/08/2003 05:59 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Full-Disclosure] ISS Security Brief: "MS Blast"
MSRPC DCOM Worm Propagation (fwd)



I had a friend infected with the worm earlier today, at about 17:00 EST. He
was running Windows XP Home edition. He called me because his computer had
been rebooting "spontaneously," and whenever he would go to Google to search
for a strange binary he saw [msblast.exe], he either found nothing or was
mysteriously redirected to some strange website. At least, I believe that
was his description. I hadn't seen any reports of MSBlast on FD before this
point, but I was almost certain it was a worm of some sort using the DCOM
RPC exploit. I had him check the registry, remove the keys, and delete
.*msblast.*. I also had him disable DCOM, since I doubted he was using
anything that utilized it, then directed him to the MS03-26 patch. This was
all based on a guess that he was infected by something DCOM related [makes
sense given the massive publicity and severity of this vulnerability]. I
wasn't certain if any other files were corrupted at the time, but those
simple measures seemed to do the job. Imagine my surprise when 10 minutes
later, I receive an FD email reporting the release of a worm identified by
an msblast binary.

My friend also reported to me that /somehow/ his Norton Auto-Protect had
been disabled. Now, I don't know if that was the worm [as I've not seen any
analyses thus far to suggest that the worm does that], or if it was
something he had disabled, accidentally, at some point.

In short, XP is affected, as well. And I would imagine his computer kept
rebooting because other systems within the class B range he was on were
constantly probing his system and trying the 2K offset, and not because of
the worm that had already infected his system [which was my original,
incorrect, impression, before the analyses put out by ISC, XFocus, and
Norton].

Christopher Garrett III
Inixoma, Incorporated



Re: [Full-Disclosure] DCOM Worm/scanner/autorooter !!!

2003-08-12 Thread Joey
So you are saying that the infected target also scans
other computers for the dcom vulnerability? If so, then
it would be considered a worm.

--- Stephen <[EMAIL PROTECTED]> wrote:
> 
> Hello here,
> 
> a new worm is in the wild, it uses the exploit released by k-otik
> (48 targets - http://www.k-otik.com/exploits/07.30.dcom48.c.php)
> 
> look this shit :
> 
> /* RPC DCOM WORM v 2.2  - 
>  * This code is in relation to a specific DDOS IRCD botnet project.
>  * You may edit the code, and define which ftp to login
>  * and which .exeutable file to recieve and run.
>  * I use spybot, very convienent
>  * -
>  * So basicly script kids and brazilian children, this is useless to you
>  * 
> 
> So PATCH PATCH PATCH and block the ports 135 - 139 - 445 - 593
> 
> Regards.
> 
> Stephen - Germany



[Full-Disclosure] Re: [normal] RE: Windows Dcom Worm planned DDoS

2003-08-12 Thread martin f krafft
also sprach opticfiber <[EMAIL PROTECTED]> [2003.08.12.1513 +0200]:
> By using this setup the ddos can be spread out over several
> forwarding hosts and not even touch the main site.

Why on earth would you want to help protect Micro$oft's service?
Either they can deal with their crap themselves, or you should be
using proper software. I'll probably make sure to infect a couple of
computers on Saturday just for the sake of DoS'ing their site.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
love your enemies; they'll go crazy
trying to figure out what you're up to.

