Re: RPC errors

2003-08-14 Thread Sean Donelan


On Mon, 11 Aug 2003, Jack Bates wrote:
> I'm showing signs of an RPC sweep across one of my networks that's
> killing some XP machines (only XP confirmed). How widespread is this at
> this time? Also, does anyone know if this is just generating a DOS
> symptom or if I should be looking for backdoors in these client systems?

http://isc.sans.org/diary.html?date=2003-08-11
The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
vulnerable system, it will spawn a shell and use it to download the actual
worm via tftp.

The name of the binary is msblast.exe. It is packed with UPX and will self
extract. The size of the binary is about 11kByte unpacked, and 6kBytes
packed:





RE: RPC errors

2003-08-14 Thread Mike Damm

According to Symantec it doesn't know if the system has already been
infected until it is running on the target machine, at which point the RPC
crash is imminent. It shouldn't re-infect, but further attempts from other
infected hosts will cause random reboots. 

On the plus side this one will be much easier to clean up than CodeRed,
Nimda, etc. Random J. Clueless might actually look for patches if his box is
rebooting on a regular basis.

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: [EMAIL PROTECTED]


-Original Message-
From: Drew Weaver [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 2:53 PM
To: 'Mike Damm'
Cc: '[EMAIL PROTECTED]'
Subject: RE: RPC errors

It's bloody gorgeous too, my girlfriend's PC rebooted like 9 times,
apparently the worm doesn't check to see if it's already infected.

-Original Message-
From: Mike Damm [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 5:27 PM
To: 'Jack Bates'; NANOG
Subject: RE: RPC errors


The DCOM exploit that is floating around crashes the Windows RPC service
when the attacker closes the connection to your system after a successful
attack. Best bet is to assume any occurrence of crashing RPC services to be
signs of a compromised system until proven otherwise.

http://www.cert.org/advisories/CA-2003-19.html

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: [EMAIL PROTECTED]


-Original Message-
From: Jack Bates [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 1:12 PM
To: NANOG
Subject: RPC errors


I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How widespread is this at 
this time? Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack


Re: RPC errors

2003-08-14 Thread Jack Bates
Sean Donelan wrote:

http://isc.sans.org/diary.html?date=2003-08-11
The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
vulnerable system, it will spawn a shell and use it to download the actual
worm via tftp.
The name of the binary is msblast.exe. It is packed with UPX and will self
extract. The size of the binary is about 11kByte unpacked, and 6kBytes
packed:
That shows what I'm seeing. 10% of all outbound packets are tcp/135. 
Currently blocked both directions at edges in my network until further 
notice. Keeping an eye on other ports, but this is the only one causing 
any amount of load to draw concern.

-Jack



RE: RPC errors

2003-08-14 Thread Sean Crandall

This worm is amazing.  I have only had filters in place for about 4.5 hours
and I am already approaching 100 million matches for the deny tcp/135 across
my network.  Of that, only one customer has said that they needed 135 open
for legitimate use (probably more, but I have only heard from the one).

Sean P. Crandall
VP Engineering Operations
MegaPath Networks Inc.
Pleasanton, CA  
(925) 201-2530
 



> -Original Message-
> From: McBurnett, Jim [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 7:45 PM
> To: John Palmer; [EMAIL PROTECTED]
> Subject: RE: RPC errors
> 
> 
> 
> over 24 hours.. started block Sunday afternoon...
> deny tcp any any eq 445 log (256936 matches)
> deny udp any any eq 445 log (1 match)
> deny tcp any any eq 135 (6984433 matches)
> deny udp any any eq 135 (147654 matches)
> deny udp any any eq netbios-ss
> deny tcp any any eq 139 log (378289 matches) 
> 
> -Original Message-
> From: John Palmer [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 11, 2003 8:28 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RPC errors
> 
> 
> 
> 
> 45 seconds:
> 
> deny tcp any any eq 135 (5445 matches)
> deny tcp any any eq 137
> deny tcp any any eq 138
> deny tcp any any eq 139
> deny tcp any any eq 445 (207 matches)
> 
> - Original Message - 
> From: "Randy Bush" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, August 11, 2003 18:52
> Subject: Re: RPC errors
> 
> 
> > 
> > must be fun out there on the net today.  one minute of counter
> > accumulation
> > 
> > deny tcp any any eq 135 (5721 matches)
> > deny tcp any any eq 137
> > deny tcp any any eq 138
> > deny tcp any any eq 139 (17 matches)
> > deny tcp any any eq 445 (1137 matches)
> > 
> > randy
> > 
> > 
> > 
> 


Re: RPC errors

2003-08-14 Thread Dominic J. Eidson

On Tue, 12 Aug 2003, Dominic J. Eidson wrote:

> Has anyone seen/heard of this virus propagating through email in any way?

Thank you for all the responses, being in the middle of the fray fried my
brain a fair bit.

Possible vectors described so far: VPN, dialup, roving laptops - all of
which it could have been.

Again, thank you all.


 - d.

-- 
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
---
http://www.the-infinite.org/  http://www.the-infinite.org/~dominic/




Re: RPC errors

2003-08-14 Thread Chris Reining
On Mon, Aug 11, 2003 at 04:17:53PM -0400, Sean Donelan wrote:
> On Mon, 11 Aug 2003, Jack Bates wrote:
> > I'm showing signs of an RPC sweep across one of my networks that's
> > killing some XP machines (only XP confirmed). How widespread is this at
> > this time? Also, does anyone know if this is just generating a DOS
> > symptom or if I should be looking for backdoors in these client systems?
> 
> http://isc.sans.org/diary.html?date=2003-08-11
> The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
> vulnerable system, it will spawn a shell and use it to download the actual
> worm via tftp.
> 
> The name of the binary is msblast.exe. It is packed with UPX and will self
> extract. The size of the binary is about 11kByte unpacked, and 6kBytes
> packed:

I have a copy of this worm at
  http://www.packetfu.org/malware/msblast.zip




RE: RPC errors

2003-08-14 Thread Drew Weaver

It's bloody gorgeous too, my girlfriend's PC rebooted like 9 times,
apparently the worm doesn't check to see if it's already infected.

-Original Message-
From: Mike Damm [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 5:27 PM
To: 'Jack Bates'; NANOG
Subject: RE: RPC errors


The DCOM exploit that is floating around crashes the Windows RPC service
when the attacker closes the connection to your system after a successful
attack. Best bet is to assume any occurrence of crashing RPC services to be
signs of a compromised system until proven otherwise.

http://www.cert.org/advisories/CA-2003-19.html

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: [EMAIL PROTECTED]


-Original Message-
From: Jack Bates [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 1:12 PM
To: NANOG
Subject: RPC errors


I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How widespread is this at 
this time? Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack


Re: RPC errors

2003-08-14 Thread Henry Linneweh
This should help some for people who are worried
http://securityresponse.symantec.com/avcenter/FixBlast.exe
 
-Henry

"Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:

In message <[EMAIL PROTECTED]>, "Dominic J. Eidson" writes:
>
>On Mon, 11 Aug 2003, Jack Bates wrote:
>
>> Sean Donelan wrote:
>>
>> > http://isc.sans.org/diary.html?date=2003-08-11
>> > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
>> > vulnerable system, it will spawn a shell and use it to download the actual
>> > worm via tftp.
>> >
>> > The name of the binary is msblast.exe. It is packed with UPX and will self
>> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
>> > packed:
>
>Has anyone seen/heard of this virus propagating through email in any way?
>
>We appear to have been infected on a network that is very heavily
>firewalled from the outside, and are trying to track down possible entry
>methods the worm might have had...

A large number of networks have unknown and unauthorized back doors. If
it's a decent-sized network and you haven't audited it, don't assume that
the firewalling is effective. (My co-author on "Firewalls and Internet
Security" book, Bill Cheswick, is CTO of a startup that maps intranets for
just this reason.)

--Steve Bellovin, http://www.research.att.com/~smb

Re: RPC errors

2003-08-14 Thread william

The following came through dshield which warns about new worm:
---
To: [EMAIL PROTECTED]
Subject: [Dshieldannounce] likely RPC worm captured. Moving to infocon 'yellow'

We received a copy of a binary that very much looks
like an RPC worm. Preliminary info:

- scans for port 135 as soon as it starts
  point)

more details will be posted at http://isc.sans.org as
they become available. Please submit code captures
and the like to '[EMAIL PROTECTED]'

--
SANS - Internet Storm Center
http://isc.sans.org

On Mon, 11 Aug 2003, Jack Bates wrote:

> 
> I'm showing signs of an RPC sweep across one of my networks that's 
> killing some XP machines (only XP confirmed). How widespread is this at 
> this time? Also, does anyone know if this is just generating a DOS 
> symptom or if I should be looking for backdoors in these client systems?
> 
> -Jack




Re: RPC errors

2003-08-14 Thread Jack Bates
Jim Shankland wrote:
On the not so bright side, I'm getting a steady stream of port 135
SYNs from my fellow Comcast customers (i.e., presumably on my side
of Comcast's filters), which may mean the horses have mostly already
left the barn.
You'll see a lot of this. Establishing blocks in the local networks is 
more time consuming than it's worth. Blocks are usually only in place 
temporarily while other business practices are carried out; as any good 
neighbor tries not to harass fellow networks. Once decontamination 
starts and users are fixed or suspended from service, blocks will 
usually be removed and the world goes back to normal.

My own network has a two week deadline, although I'm gunning for being 
done this week.

-Jack




RE: RPC errors

2003-08-14 Thread McBurnett, Jim

over 24 hours.. started block Sunday afternoon...
deny tcp any any eq 445 log (256936 matches)
deny udp any any eq 445 log (1 match)
deny tcp any any eq 135 (6984433 matches)
deny udp any any eq 135 (147654 matches)
deny udp any any eq netbios-ss
deny tcp any any eq 139 log (378289 matches) 

-Original Message-
From: John Palmer [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 8:28 PM
To: [EMAIL PROTECTED]
Subject: Re: RPC errors




45 seconds:

deny tcp any any eq 135 (5445 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny tcp any any eq 445 (207 matches)

- Original Message - 
From: "Randy Bush" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 18:52
Subject: Re: RPC errors


> 
> must be fun out there on the net today.  one minute of counter
> accumulation
> 
> deny tcp any any eq 135 (5721 matches)
> deny tcp any any eq 137
> deny tcp any any eq 138
> deny tcp any any eq 139 (17 matches)
> deny tcp any any eq 445 (1137 matches)
> 
> randy
> 
> 
> 


Re: RPC errors

2003-08-14 Thread Jim Shankland

On the bright side, when double-checking the firewall on my home cable
modem setup, it appears that Comcast here in the SF Bay Area has
started filtering out incoming port 135 SYN packets -- they get
dropped before they hit my firewall.  Thanks, Comcast!

On the not so bright side, I'm getting a steady stream of port 135
SYNs from my fellow Comcast customers (i.e., presumably on my side
of Comcast's filters), which may mean the horses have mostly already
left the barn.

Jim Shankland


RE: RPC errors

2003-08-14 Thread Vachon, Scott

>Has anyone seen/heard of this virus propagating through email in any way?
>We appear to have been infected on a network that is very heavily
>firewalled from the outside, and are trying to track down possible entry
>methods the worm might have had...

I know of a few associates who have been infected (on home networks) but according to 
them (I have yet to verify) not via e-mail. These folks are running Windows XP Pro 
with Norton AV & Personal firewall. Microsoft update is running as well. Systems 
continuously reboot by RPC with a one minute countdown, even when disconnected from 
the network. Again, I have yet to get hands-on to the systems to do more research. 
Hope that bit helps.

~S~

Disclaimer: My own two cents.
  
Learn more about Paymentech's payment processing services at www.paymentech.com
THIS MESSAGE IS CONFIDENTIAL.  This e-mail message and any attachments are proprietary 
and confidential information intended only for the use of the recipient(s) named 
above.  If you are not the intended recipient, you may not print, distribute, or copy 
this message or any attachments.  If you have received this communication in error, 
please notify the sender by return e-mail and delete this message and any attachments 
from your computer.


Re: RPC errors

2003-08-14 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, 
"Dominic J. Eidson" writes:
>
>On Mon, 11 Aug 2003, Jack Bates wrote:
>
>> Sean Donelan wrote:
>>
>> > http://isc.sans.org/diary.html?date=2003-08-11
>> > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
>> > vulnerable system, it will spawn a shell and use it to download the actual
>> > worm via tftp.
>> >
>> > The name of the binary is msblast.exe. It is packed with UPX and will self
>> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
>> > packed:
>
>Has anyone seen/heard of this virus propagating through email in any way?
>
>We appear to have been infected on a network that is very heavily
>firewalled from the outside, and are trying to track down possible entry
>methods the worm might have had...

A large number of networks have unknown and unauthorized back doors.  
If it's a decent-sized network and you haven't audited it, don't assume 
that the firewalling is effective.  (My co-author on "Firewalls and 
Internet Security" book, Bill Cheswick, is CTO of a startup that maps 
intranets for just this reason.)


--Steve Bellovin, http://www.research.att.com/~smb




RE: RPC errors

2003-08-14 Thread Drew Weaver

Its hitting our Dial-Up customers pretty hard, basically on client side they
see "Unexpected Remote Procedure call, your computer needs to be rebooted"

Then that's it.

-Drew


-Original Message-
From: Jack Bates [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 4:12 PM
To: NANOG
Subject: RPC errors


I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How widespread is this at 
this time? Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack


Re: RPC errors and latest worm

2003-08-14 Thread Kevin Loch



- Original Message -
From: Scott Fendley <[EMAIL PROTECTED]>
Date: Monday, August 11, 2003 7:49 pm
Subject: Re: RPC errors and latest worm

> > " * Close port 135/tcp (and if possible 135-139, 445 and 
> 593) ".

Is there a Windows service that uses port 136, or was it included because
it's easier to type than "135, 137-139"? 

KL



RE: RPC errors

2003-08-14 Thread Mike Damm

The DCOM exploit that is floating around crashes the Windows RPC service
when the attacker closes the connection to your system after a successful
attack. Best bet is to assume any occurrence of crashing RPC services to be
signs of a compromised system until proven otherwise.

http://www.cert.org/advisories/CA-2003-19.html

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: [EMAIL PROTECTED]


-Original Message-
From: Jack Bates [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 1:12 PM
To: NANOG
Subject: RPC errors


I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How widespread is this at 
this time? Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack


Re: RPC errors

2003-08-14 Thread /m

I left a 2k box open last night without firewall.  1 Hour following boot
time it was hit and manifested the svchost crashing.  I haven't had a chance
to dig deeper to see if any sort of infection is involved but I'm leaning
towards DOS.

/micah

- Original Message -
From: "Jack Bates" <[EMAIL PROTECTED]>
To: "NANOG" <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 1:12 PM
Subject: RPC errors


>
> I'm showing signs of an RPC sweep across one of my networks that's
> killing some XP machines (only XP confirmed). How widespread is this at
> this time? Also, does anyone know if this is just generating a DOS
> symptom or if I should be looking for backdoors in these client systems?
>
> -Jack
>
>



Re: RPC errors

2003-08-14 Thread Crist Clark

"Dominic J. Eidson" wrote:
> 
> On Mon, 11 Aug 2003, Jack Bates wrote:
> 
> > Sean Donelan wrote:
> >
> > > http://isc.sans.org/diary.html?date=2003-08-11
> > > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
> > > vulnerable system, it will spawn a shell and use it to download the actual
> > > worm via tftp.
> > >
> > > The name of the binary is msblast.exe. It is packed with UPX and will self
> > > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
> > > packed:
> 
> Has anyone seen/heard of this virus propagating through email in any way?
> 
> We appear to have been infected on a network that is very heavily
> firewalled from the outside, and are trying to track down possible entry
> methods the worm might have had...

Haven't heard of that.

Dial-up?

VPN?

Notebook that goes home at night or on the road, attaches to Internet or
other hostile network, then comes in and connects up to your network the
next business day?
-- 
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited.  If you have
received this e-mail in error, please contact [EMAIL PROTECTED]


RE: RPC errors

2003-08-14 Thread Brennan_Murphy



http://vil.nai.com/vil/content/v_100547.htm


-BM



-Original Message-
From: Chris Reining [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 5:36 PM
To: Sean Donelan
Cc: Jack Bates; NANOG
Subject: Re: RPC errors


On Mon, Aug 11, 2003 at 04:17:53PM -0400, Sean Donelan wrote:
> On Mon, 11 Aug 2003, Jack Bates wrote:
> > I'm showing signs of an RPC sweep across one of my networks that's 
> > killing some XP machines (only XP confirmed). How widespread is 
> > this at this time? Also, does anyone know if this is just generating
> > a DOS symptom or if I should be looking for backdoors in these 
> > client systems?
> 
> http://isc.sans.org/diary.html?date=2003-08-11
> The worm uses the RPC DCOM vulnerability to propagate. Once it finds a 
> vulnerable system, it will spawn a shell and use it to download the 
> actual worm via tftp.
> 
> The name of the binary is msblast.exe. It is packed with UPX and will 
> self extract. The size of the binary is about 11kByte unpacked, and 
> 6kBytes
> packed:

I have a copy of this worm at
  http://www.packetfu.org/malware/msblast.zip


RE: RPC errors

2003-08-14 Thread Mark Segal

I just put an access list on one of our cores with some spare cpu cycles..
And 10% of the traffic looks like port 135 calls.  Anyone else see this?
Did I break anything legitimate?

Also I still see some Slammer traffic..

Mark


--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: Mike Damm [mailto:[EMAIL PROTECTED] 
Sent: August 11, 2003 6:19 PM
To: 'Drew Weaver'
Cc: '[EMAIL PROTECTED]'
Subject: RE: RPC errors



According to Symantec it doesn't know if the system has already been
infected until it is running on the target machine, at which point the RPC
crash is imminent. It shouldn't re-infect, but further attempts from other
infected hosts will cause random reboots. 

On the plus side this one will be much easier to clean up than CodeRed,
Nimda, etc. Random J. Clueless might actually look for patches if his box is
rebooting on a regular basis.

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: [EMAIL PROTECTED]


-Original Message-
From: Drew Weaver [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 2:53 PM
To: 'Mike Damm'
Cc: '[EMAIL PROTECTED]'
Subject: RE: RPC errors

It's bloody gorgeous too, my girlfriend's PC rebooted like 9 times,
apparently the worm doesn't check to see if it's already infected.

-Original Message-
From: Mike Damm [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 5:27 PM
To: 'Jack Bates'; NANOG
Subject: RE: RPC errors


The DCOM exploit that is floating around crashes the Windows RPC service
when the attacker closes the connection to your system after a successful
attack. Best bet is to assume any occurrence of crashing RPC services to be
signs of a compromised system until proven otherwise.

http://www.cert.org/advisories/CA-2003-19.html

-Mike

---
Michael Damm, MIS Department, Irwin Research & Development
V: 509.457.5080 x298 F: 509.577.0301 E: [EMAIL PROTECTED]


-Original Message-
From: Jack Bates [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 1:12 PM
To: NANOG
Subject: RPC errors


I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How widespread is this at 
this time? Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack


RE: RPC errors

2003-08-14 Thread Vachon, Scott

addendum: These are broadband cable users. All PCs.

-Original Message-
Sent: Tuesday, August 12, 2003 1:57 PM
To: NANOG
Subject: RE: RPC errors


>Has anyone seen/heard of this virus propagating through email in any way?
>We appear to have been infected on a network that is very heavily
>firewalled from the outside, and are trying to track down possible entry
>methods the worm might have had...

I know of a few associates who have been infected (on home networks) but according to 
them (I have yet to verify) not via e-mail. These folks are running Windows XP Pro 
with Norton AV & Personal firewall. Microsoft update is running as well. Systems 
continuously reboot by RPC with a one minute countdown, even when disconnected from 
the network. Again, I have yet to get hands-on to the systems to do more research. 
Hope that bit helps.

~S~

Disclaimer: My own two cents.
  
Learn more about Paymentech's payment processing services at www.paymentech.com
THIS MESSAGE IS CONFIDENTIAL.  This e-mail message and any attachments are proprietary 
and confidential information intended only for the use of the recipient(s) named 
above.  If you are not the intended recipient, you may not print, distribute, or copy 
this message or any attachments.  If you have received this communication in error, 
please notify the sender by return e-mail and delete this message and any attachments 
from your computer.


Re: RPC errors - DDoS on the 16th?

2003-08-14 Thread Eric Kuhnke

http://www.theinquirer.net/?article=10986

Has anyone else seen this claim?  Somebody at F-Secure thinks the worm will begin a 
DDoS against windowsupdate.microsoft.com on the 16th.

At 03:08 PM 8/12/2003 -0700, you wrote:
>This should help some for people who are worried
>http://securityresponse.symantec.com/avcenter/FixBlast.exe
> 
>-Henry
>
>"Steven M. Bellovin" <[EMAIL PROTECTED]> wrote:
>
>In message , 
>"Dominic J. Eidson" writes:
>>
>>On Mon, 11 Aug 2003, Jack Bates wrote:
>>
>>> Sean Donelan wrote:
>>>
>>> > http://isc.sans.org/diary.html?date=2003-08-11
>>> > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
>>> > vulnerable system, it will spawn a shell and use it to download the actual
>>> > worm via tftp.
>>> >
>>> > The name of the binary is msblast.exe. It is packed with UPX and will self
>>> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
>>> > packed:
>>
>>Has anyone seen/heard of this virus propagating through email in any way?
>>
>>We appear to have been infected on a network that is very heavily
>>firewalled from the outside, and are trying to track down possible entry
>>methods the worm might have had...
>
>A large number of networks have unknown and unauthorized back doors. 
>If it's a decent-sized network and you haven't audited it, don't assume 
>that the firewalling is effective. (My co-author on "Firewalls and 
>Internet Security" book, Bill Cheswick, is CTO of a startup that maps 
>intranets for just this reason.)
>
>
>--Steve Bellovin, http://www.research.att.com/~smb




Re: RPC errors and latest worm

2003-08-14 Thread Stewart, William C (Bill), RTSLS

According to http://isc.sans.org/diary.html?date=2003-08-11 ,
the worm uses the latest popular MS exploit ports, so 
"* Close port 135/tcp (and if possible 135-139, 445 and 593) ".

It also uses TCP port  and TFTP = UDP 69 to download its
attack code after getting the initial bootstrap infection.
So you probably want to be blocking TCP  and (if appropriate,
which it usually is, TFTP), and tracing any  activity and TFTPs
to detect attacks.
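The SANS description quoted earlier in the thread (exploit over tcp/135, then the victim pulls the binary via tftp) and the advice just above to trace TFTP activity together give a two-step signature that can be checked in flow records. The following is an added example, not code from any post in the thread or from SANS: it counts distinct tcp/135 targets per source in a sliding window to spot sweepers, then looks for a udp/69 flow going back from a probed host to the host that probed it. The flow records are constructed, and the thresholds (8 distinct targets in 60 seconds, a TFTP pull within 300 seconds of the probe) are assumptions chosen for the sample, not values from the thread or any advisory. The elided TCP port in the post above is deliberately not used.

```python
"""Correlate tcp/135 sweeps with the follow-up TFTP (udp/69) pull that the
SANS description says an exploited host performs, over flow records, to
separate hosts that were merely probed from hosts that likely fetched the
worm and then began sweeping themselves.

Added example, not code from any post in the thread. The flow records are
constructed; the thresholds (8 distinct targets in 60 s, TFTP pull within
300 s of the probe) are assumptions chosen for the sample.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds on any monotonic clock
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


def find_sweepers(flows: List[Flow], min_targets: int = 8, window: int = 60) -> Set[str]:
    """Sources that hit at least `min_targets` distinct hosts on tcp/135 within
    any `window`-second span. Sequential and random target orders look the
    same here, since only the number of distinct targets is counted."""
    by_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            by_src[f.src].append((f.ts, f.dst))
    sweepers: Set[str] = set()
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()   # distinct targets inside the sliding window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:   # expire probes older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                sweepers.add(src)
                break
    return sweepers


def find_tftp_pulls(flows: List[Flow], max_gap: int = 300) -> List[Tuple[str, str, int]]:
    """(victim, prober, ts) for every udp/69 flow a host sent back to a host
    that had probed it on tcp/135 up to `max_gap` seconds earlier: the
    exploit-then-tftp-download sequence the SANS diary describes."""
    probes: Dict[Tuple[str, str], List[int]] = defaultdict(list)  # (victim, prober) -> probe times
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            probes[(f.dst, f.src)].append(f.ts)
    pulls: List[Tuple[str, str, int]] = []
    for f in flows:
        if f.proto != "udp" or f.dport != 69:
            continue
        if any(0 <= f.ts - t <= max_gap for t in probes.get((f.src, f.dst), [])):
            pulls.append((f.src, f.dst, f.ts))
    return pulls


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Sort hosts into: sweeping, pulled-the-worm, and both (pulled, then swept)."""
    sweepers = find_sweepers(flows)
    pulled = {victim for victim, _, _ in find_tftp_pulls(flows)}
    return {
        "sweeping": sorted(sweepers),
        "pulled_via_tftp": sorted(pulled),
        "pulled_then_sweeping": sorted(sweepers & pulled),
    }


# Constructed sample: 10.0.0.5 sweeps 10.0.1.0/24 on tcp/135; 10.0.1.7 then
# tftps back to 10.0.0.5 and starts its own sweep of 10.0.2.0/24. 10.0.3.3
# talks tcp/135 to a single peer (ordinary DCOM use) and 10.0.1.2 does an
# unrelated tftp transfer; neither should be flagged.
SAMPLE_FLOWS: List[Flow] = (
    [Flow(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", "tcp", 135) for i in range(10)]
    + [Flow(1050, "10.0.1.7", "10.0.0.5", "udp", 69)]
    + [Flow(1200 + i, "10.0.1.7", f"10.0.2.{i + 1}", "tcp", 135) for i in range(8)]
    + [Flow(1300, "10.0.3.3", "10.0.3.4", "tcp", 135),
       Flow(1360, "10.0.3.3", "10.0.3.4", "tcp", 135)]
    + [Flow(2000, "10.0.1.2", "10.0.9.9", "udp", 69)]
)

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_FLOWS).items():
        print(f"{bucket:22s} {', '.join(hosts) or '-'}")
```

A host that shows up only under "sweeping" may be an infected machine whose TFTP pull happened before collection started, or a scanner that is not this worm at all; a host under "pulled_then_sweeping" has shown the whole sequence and is the one to pull off the network first. Tune `min_targets` down on small subnets, since a single sweep there touches fewer distinct hosts.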



RE: RPC errors

2003-08-14 Thread McBurnett, Jim

Jack,
This is that RPC flaw in Microsoft.
I noticed it too.. Got about 20K in 15 hours

Jim

-Original Message-
From: Jack Bates [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 4:12 PM
To: NANOG
Subject: RPC errors



I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How widespread is this at 
this time? Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack



Re: RPC errors

2003-08-14 Thread Michael Painter

Forwarded from isp-tech:

Those of you having the issues of restarts, do the following:

Go to Control Panel, then Administrative Tools, then Services.  Under
Services find the Remote Procedure Call option, and right click then go to
Properties.
Under Properties, go to the Recovery Tab, and you'll see the "At first
failure..." "At Second Failure..." issue.  Change those to "Take No Action"
or "Restart The Service" instead of the default "Reboot the Computer"
option, and you should be able to stay on for the patch.

--
Jon Catron
RNet Inc. - Technical Support
Systems Administrator
http://www.rnetinc.net/
(765) 342-3554
(888) 349-3080
--



Re: RPC errors

2003-08-14 Thread Dominic J. Eidson

On Mon, 11 Aug 2003, Jack Bates wrote:

> Sean Donelan wrote:
>
> > http://isc.sans.org/diary.html?date=2003-08-11
> > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
> > vulnerable system, it will spawn a shell and use it to download the actual
> > worm via tftp.
> >
> > The name of the binary is msblast.exe. It is packed with UPX and will self
> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
> > packed:

Has anyone seen/heard of this virus propagating through email in any way?

We appear to have been infected on a network that is very heavily
firewalled from the outside, and are trying to track down possible entry
methods the worm might have had...


 - d.

-- 
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
---
http://www.the-infinite.org/  http://www.the-infinite.org/~dominic/



RE: RPC errors

2003-08-14 Thread Dan Hollis

On Mon, 11 Aug 2003, Sean Crandall wrote:
> This worm is amazing.  I have only had filters in place for about 4.5 hours
> and I am already approaching 100 million matches for the deny tcp/135 across
> my network.  Of that, only one customer has said that they needed 135 open
> for legitimate use (probably more, but I have only heard from the one).

Isn't this a perfect situation for a 135/tcp tarpit?

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]



Re: RPC errors

2003-08-14 Thread John Palmer


45 seconds:

deny tcp any any eq 135 (5445 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny tcp any any eq 445 (207 matches)

- Original Message - 
From: "Randy Bush" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 18:52
Subject: Re: RPC errors


> 
> must be fun out there on the net today.  one minute of counter
> accumulation
> 
> deny tcp any any eq 135 (5721 matches)
> deny tcp any any eq 137
> deny tcp any any eq 138
> deny tcp any any eq 139 (17 matches)
> deny tcp any any eq 445 (1137 matches)
> 
> randy
> 
> 
> 


RPC errors

2003-08-14 Thread Jack Bates
I'm showing signs of an RPC sweep across one of my networks that's 
killing some XP machines (only XP confirmed). How widespread is this at 
this time? Also, does anyone know if this is just generating a DOS 
symptom or if I should be looking for backdoors in these client systems?

-Jack



RE: RPC errors

2003-08-14 Thread Austad, Jay

> We appear to have been infected on a network that is very heavily
> firewalled from the outside, and are trying to track down 
> possible entry
> methods the worm might have had...

VPN or dialup?  Laptop user that got infected at home and brought his
machine into the office?

-jay


RE: RPC errors

2003-08-14 Thread Brennan_Murphy

does anyone know if the scanning is sequential once
a range is chosen or is it random within a range?

e.g.,
1.1.1.1
1.1.1.2
1.1.1.3
etc

or 

1.1.1.89
1.1.1.33
1.1.1.12
etc



-Original Message-
From: John Dvorak [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 5:57 PM
To: NANOG
Subject: Re: RPC errors



On Mon, 11 Aug 2003 17:33:33 -0400
 Kevin Houle <[EMAIL PROTECTED]> wrote:
> 
> --On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm 
> <[EMAIL PROTECTED]> wrote:
> 
> >The DCOM exploit that is floating around crashes the Windows RPC 
> >service when the attacker closes the connection to your system after 
> >a successful attack. Best bet is to assume any occurrence of crashing
> >RPC services to be signs of a compromised system until proven 
> >otherwise.
> >
> >http://www.cert.org/advisories/CA-2003-19.html
> 
> That's good advice. Many of the known exploits cause the RPC service 
> to crash after the exploit is successful. I'll point out that not all 
> exploits cause the service failure. So, the absence of an RPC service 
> failure is likewise not an indicator that a vulnerable machine has 
> escaped compromise.
> 
> Kevin

Interestingly, we have clear examples of boxes which were not infected
but on which RPC services did crash.  This may suggest that the worm
also takes advantage of the unrelated RPC DOS vulnerability (2000 and
XP) which I believe MS has still not patched.

John




RE: RPC errors

2003-08-12 Thread Bob German


I've seen similar behavior.  I patch immediately and religiously, and on
two of my patched boxes I've seen unusual svchost crashes yesterday and
today.  But no infection, knock on wood.

Bob German
Sr Systems Engineer
Irides, LLC



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
John Dvorak
Sent: Monday, August 11, 2003 5:57 PM
To: NANOG
Subject: Re: RPC errors



On Mon, 11 Aug 2003 17:33:33 -0400
 Kevin Houle <[EMAIL PROTECTED]> wrote:
> 
> --On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm 
> <[EMAIL PROTECTED]> wrote:
> 
> >The DCOM exploit that is floating around crashes the Windows RPC 
> >service when the attacker closes the connection to your system after 
> >a successful attack. Best bet is to assume any occurrence of crashing
> >RPC services to be signs of a compromised system until proven 
> >otherwise.
> >
> >http://www.cert.org/advisories/CA-2003-19.html
> 
> That's good advice. Many of the known exploits cause the RPC service 
> to crash after the exploit is successful. I'll point out that not all 
> exploits cause the service failure. So, the absence of an RPC service 
> failure is likewise not an indicator that a vulnerable machine has 
> escaped compromise.
> 
> Kevin

Interestingly, we have clear examples of boxes which were not infected
but on which RPC services did crash.  This may suggest that the worm
also takes advantage of the unrelated RPC DOS vulnerability (2000 and
XP) which I believe MS has still not patched.

John




Re: RPC errors

2003-08-12 Thread Randy Bush

must be fun out there on the net today.  one minute of counter
accumulation

deny tcp any any eq 135 (5721 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139 (17 matches)
deny tcp any any eq 445 (1137 matches)

randy



Re: RPC errors and latest worm

2003-08-12 Thread Scott Fendley


As of a few moments ago the Executive Summary included your information.

Executive Summary:

A worm has started spreading early afternoon EDT (evening UTC time) and
is expected to continue spreading rapidly. This worm exploits the
Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS
Institute and Incidents.org recommend the following Action Items:

 * Close port 135/tcp (and if possible 135-139, 445 and 593)
 * Monitor TCP Port  and UDP Port 69 (tftp) which are used by the worm
for activity related to this worm.
 * Ensure that all available patches have been applied, especially the
patches reported in Microsoft Security Bulletin MS03-026.
 * This bulletin is available at
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
 * It is recommended that infected machines be pulled from the network
pending a complete rebuild of the system.


Scott Fendley
---
Scott Fendley   [EMAIL PROTECTED]
Systems/Security Analyst(479) 575-2022
University of Arkansas  (479) 575-4753 fax

On Mon, 11 Aug 2003, Stewart, William C (Bill), RTSLS wrote:

>
> According to http://isc.sans.org/diary.html?date=2003-08-11 ,
> the worm uses the latest popular MS exploit ports, so
> "  * Close port 135/tcp (and if possible 135-139, 445 and 593) ".
>
> It also uses TCP port  and TFTP = UDP 69 to download its
> attack code after getting the initial bootstrap infection.
> So you probably want to be blocking TCP  and (if appropriate,
> which it usually is, TFTP), and tracing any  activity and TFTPs
> to detect attacks.
>
>
>
>

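Randy's one-minute ACL counters and the Incidents.org action items above suggest a
quick check that an operator might want to automate: parse the hit counters off the
router, turn them into a per-second rate, and compare the deny entries against the
recommended port list to see what is still open. The script below is an added example
for this thread, not code from any poster; the ACL lines are the five from Randy's
mail, the one-minute interval and the "tcp/udp any any eq PORT" line shape are
assumptions, and the recommended port set is taken from the SANS list (135-139, 445,
593 TCP; 69 UDP).

```python
import re

# Constructed sample: the five ACE lines quoted in the thread, as shown by the
# router after one minute of counter accumulation (assumption: counters were
# cleared one minute before the "show access-list" was taken).
SAMPLE_ACL_OUTPUT = """\
deny tcp any any eq 135 (5721 matches)
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139 (17 matches)
deny tcp any any eq 445 (1137 matches)
"""

# (proto, port) pairs the SANS/Incidents.org action items say to close or watch.
RECOMMENDED_BLOCKS = {
    ("tcp", 135), ("tcp", 136), ("tcp", 137), ("tcp", 138), ("tcp", 139),
    ("tcp", 445), ("tcp", 593), ("udp", 69),
}

# Matches an IOS-style ACE with a single "eq PORT" and an optional match counter.
# Source/destination are captured loosely ("any any", "host x.x.x.x any", ...).
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(tcp|udp)\s+(.+?)\s+eq\s+(\d+)"
    r"(?:\s+\((\d+)\s+matches\))?\s*$"
)


def parse_acl_counters(text):
    """Return {(proto, port): (action, matches)} for every ACE line in text.

    Lines without a counter are entries that matched nothing in the interval
    and are recorded with 0 matches; lines that do not look like an ACE are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        action, proto, _addrs, port, matches = m.groups()
        entries[(proto, int(port))] = (action, int(matches) if matches else 0)
    return entries


def coverage_gaps(entries, recommended=RECOMMENDED_BLOCKS):
    """Recommended (proto, port) pairs that have no deny ACE at all."""
    denied = {key for key, (action, _) in entries.items() if action == "deny"}
    return sorted(recommended - denied)


def hit_rates(entries, interval_seconds=60):
    """Matches per second for each ACE, highest first."""
    rates = [(key, count / interval_seconds) for key, (_, count) in entries.items()]
    return sorted(rates, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    acl = parse_acl_counters(SAMPLE_ACL_OUTPUT)
    for (proto, port), rate in hit_rates(acl):
        print(f"{proto}/{port}: {rate:.1f} hits/s")
    for proto, port in coverage_gaps(acl):
        print(f"no deny entry for {proto}/{port}")
```

Run against Randy's list this reports roughly 95 hits/s on 135/tcp and 19 hits/s on
445/tcp, and flags 136/tcp, 593/tcp and 69/udp as having no deny entry; whether the
TFTP block is appropriate for a given network is the operator's call, as Bill's quoted
note says.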


Re: RPC errors

2003-08-11 Thread Jack Bates
Mark Segal wrote:
> I just put an access list on one of our cores with some spare cpu cycles..
> And 10% of the traffic looks like port 135 calls.  Anyone else see this?
> Did I break anything legitimate?
There is legitimate use for 135, although normally it is not used in the 
wild much. From what I can see, the 10% traffic mark is about average 
and should mostly be infected systems. I've seen some tight-in network 
scans from one of my networks to the others (within the same /18). Still 
monitoring loads before I decide to crank in lists between networks to 
limit cross infection. Tomorrow starts the fun... EU contact.

I plan to open up inbound first and let users get infected, tracking 
and purifying my network for about a week, perhaps two. Then I'll reopen 
the network for full traffic if it looks clean enough. Emergency "Good 
Neighbor" policy. :)

-Jack




RE: RPC errors

2003-08-11 Thread Kevin Houle
--On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm 
<[EMAIL PROTECTED]> wrote:

> The DCOM exploit that is floating around crashes the Windows RPC service
> when the attacker closes the connection to your system after a successful
> attack. Best bet is to assume any occurrence of crashing RPC services to
> be signs of a compromised system until proven otherwise.
> http://www.cert.org/advisories/CA-2003-19.html
That's good advice. Many of the known exploits cause the RPC service
to crash after the exploit is successful. I'll point out that not all
exploits cause the service failure. So, the absence of an RPC service
failure is likewise not an indicator that a vulnerable machine has
escaped compromise.
Kevin



Re: RPC errors

2003-08-11 Thread John Dvorak

On Mon, 11 Aug 2003 17:33:33 -0400
 Kevin Houle <[EMAIL PROTECTED]> wrote:
> 
> --On Monday, August 11, 2003 02:26:40 PM -0700 Mike Damm
> <[EMAIL PROTECTED]> wrote:
> 
> >The DCOM exploit that is floating around crashes the Windows RPC service
> >when the attacker closes the connection to your system after a successful
> >attack. Best bet is to assume any occurrence of crashing RPC services to
> >be signs of a compromised system until proven otherwise.
> >
> >http://www.cert.org/advisories/CA-2003-19.html
> 
> That's good advice. Many of the known exploits cause the RPC service
> to crash after the exploit is successful. I'll point out that not all
> exploits cause the service failure. So, the absence of an RPC service
> failure is likewise not an indicator that a vulnerable machine has
> escaped compromise.
> 
> Kevin

Interestingly, we have clear examples of boxes which were not infected but on
which RPC services did crash.  This may suggest that the worm also takes
advantage of the unrelated RPC DOS vulnerability (2000 and XP) which I believe
MS has still not patched.

John




RE: RPC errors

2003-08-11 Thread Rob Thomas

Hi, Brennan.

] does anyone know if the scanning is sequential once
] a range is chosen or is it random within a range?

In all of my tests the scanning is sequential, e.g.
1.1.1.1, 1.1.1.2, 1.1.1.3, etc.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);