Ghost Recon.net Forums


I did an AV update at 10pm, same as every night, so goodness knows how I got this. According to that MS page, the problem was identified last month!


Bear with me and I will get info to you guys on how to close up those ports. I just need a little bit of time to get it together here.


What’s the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over a remote computer. This would give the attacker the ability to take any action on the server that they want. For example, an attacker could change Web pages, reformat the hard disk, or add new users to the local administrators group.

To carry out such an attack, an attacker would require the ability to send a malformed message to the RPC service and thereby cause the target machine to fail in such a way that arbitrary code could be executed.

What causes the vulnerability?

The vulnerability results because the Windows RPC service does not properly check message inputs under certain circumstances. This particular failure affects an underlying Distributed Component Object Model (DCOM) interface, which listens on RPC enabled ports. By sending a malformed RPC message, an attacker could cause the RPC service on a machine to fail in such a way that arbitrary code could be executed.

What is DCOM?

The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. Previously called "Network OLE," DCOM is designed for use across multiple network transports, including Internet protocols such as HTTP. More information about DCOM can be found at the following website:

http://www.microsoft.com/com/tech/dcom.asp

What is RPC (Remote Procedure Call)?

Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.

What's wrong with Microsoft’s implementation of Remote Procedure Call (RPC)?

There is a flaw in a part of RPC that deals with message exchange over TCP/IP. A failure results because of incorrect handling of malformed messages. This particular failure affects an underlying DCOM interface, which listens on TCP/IP port 135, and can be reached via ports 139 and 445. By sending a malformed RPC message, an attacker could cause the RPC service on a machine to fail in such a way that arbitrary code could be executed.

Is this a flaw in the RPC Endpoint Mapper?

No - The flaw actually occurs in a low level DCOM interface within the RPC process. The RPC endpoint mapper allows RPC clients to determine the port number currently assigned to a particular RPC service. An endpoint is a protocol port or named pipe on which the server application listens to for client remote procedure calls. Client/server applications can use either well-known or dynamic ports.

Security Bulletin MS03-010 also involved RPC yet you could not fix that vulnerability on Windows NT 4.0. How were you able to fix this vulnerability on Windows NT 4.0?

The flaw in this case lies in an underlying DCOM interface to RPC, and not the overall RPC implementation or the RPC Endpoint Mapper itself. As a result, it was possible to address this vulnerability in Windows NT 4.0 without needing to rearchitect significant portions of the Windows NT 4.0 operating system, as would have been required by a Windows NT 4.0 patch for security bulletin MS03-010.

What could this vulnerability enable an attacker to do?

An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by programming a machine that could communicate with a vulnerable server over RPC to send a specific kind of malformed RPC message. Receipt of such a message could cause the RPC service on the vulnerable machine to fail in such a way that it could execute arbitrary code.

Who could exploit the vulnerability?

Any user who could deliver a TCP request to an RPC interface to an affected computer could attempt to exploit the vulnerability. Because RPC requests are on by default in all versions of Windows, this in essence means that any user who could establish a connection with an affected computer could attempt to exploit the vulnerability.

It could also be possible to access the affected component through another vector, such as one that would involve logging onto the system interactively, or by using another similar application that passed parameters to the vulnerable component either locally or remotely.

What does the patch do?

The patch corrects the vulnerability by altering the DCOM interface to properly check the information passed to it.

Workarounds

Are there any workarounds that can be used to block exploitation of this vulnerability while I am testing or evaluating the patch?

Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to help prevent the vector used to exploit this vulnerability in the interim.

It should be noted that these workarounds should be considered temporary measures as they just help block paths of attack rather than correcting the underlying vulnerability.

The following sections are intended to provide you with information to help protect your computer from attack. Each section describes the workarounds that you may want to use depending on your computer’s configuration.

Each section describes the workarounds available depending on your required level of functionality.

Block RPC interface ports at your firewall.

Port 135 is used to initiate an RPC connection with a remote computer. In addition, there are other RPC interface ports that could be used by an attacker to remotely exploit this vulnerability. Blocking the following ports at the firewall will help prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability:

TCP/UDP Port 135

TCP/UDP Port 139

TCP/UDP Port 445

In addition, customers may have configured services or protocols that use RPC that might also be accessible from the Internet. Systems administrators are strongly encouraged to examine RPC ports that are exposed to the Internet and to either block these ports at their firewall, or apply the patch immediately.

Internet Connection Firewall.

If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, it will by default block inbound RPC traffic from the Internet.

Disable DCOM on all affected machines

When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers.

If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to reenable DCOM. To reenable DCOM, you will need physical access to that computer.

To manually enable (or disable) DCOM for a computer:

1. Run Dcomcnfg.exe.

If you are running Windows XP or Windows Server 2003 perform these additional steps:

Click on the Component Services node under Console Root.

Open the Computers sub-folder.

For the local computer, right click on My Computer and choose Properties.

For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.

2. Choose the Default Properties tab.

3. Select (or clear) the Enable Distributed COM on this Computer check box.

4. If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.

Patch availability

Download locations for this patch

Windows NT 4.0 Server

Windows NT 4.0 Terminal Server Edition

Windows 2000

Windows XP 32 bit Edition

Windows XP 64 bit Edition

Windows Server 2003 32 bit Edition

Windows Server 2003 64 bit Edition

Additional information about this patch

Installation platforms:

The Windows NT 4.0 patch can be installed on systems running Service Pack 6a.

The Windows NT 4.0, Terminal Server Edition patch can be installed on systems running Windows NT 4.0, Terminal Server Edition Service Pack 6.

The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 3, or Service Pack 4.

The patch for Windows XP can be installed on systems running Windows XP Gold or Service Pack 1.

The patch for Windows Server 2003 can be installed on systems running Windows Server 2003 Gold.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 5, Windows XP Service Pack 2, and Windows Server 2003 Service Pack 1.

Reboot needed: Yes.

Patch can be uninstalled: Yes.

Superseded patches: None.

Verifying patch installation:

Windows NT 4.0:

To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 823980 are present on the system.

Windows NT 4.0 Terminal Server Edition:

To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 823980 are present on the system.

Windows 2000:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980.

To verify the individual files, use the date/time and version information provided in the file manifest in Knowledge Base article 823980.

Windows XP

If installed on Windows XP Gold:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980

To verify the individual files, use the date/time and version information provided in the file manifest in Knowledge Base article 823980.

If installed on Windows XP Service Pack 1:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980.

To verify the individual files, use the date/time and version information provided in the file manifest in Knowledge Base article 823980.

Windows Server 2003:

To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Window Server 2003\SP1\KB823980.

To verify the individual files, use the date/time and version information provided in the file manifest in Knowledge Base article 823980.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in “Patch Availability”.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".

Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks The Last Stage of Delirium Research Group for reporting this issue to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article 823980 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.

Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (July 16, 2003): Bulletin Created.

V1.1 (July 18, 2003): Mitigating factors and Workaround section updated to reflect additional ports.

V1.2 (July 21, 2003): Added Windows XP gold patch verification registry key.

As it was restarting, I went to the kitchen and grabbed a cola and a pancake. Next thing I know, I can hear the PC shutting down!

yeah...I climbed thru your window and flicked your reset button.

just for a laugh like...

Just to see you sweat for a bit.... ;)

TCP/UDP Port 135

TCP/UDP Port 139

TCP/UDP Port 445

Egad. 75% of the access attempts on my computer go for UDP port 135.

ZoneAlarm rules!
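The bulletin pasted earlier in the thread tells you to block TCP/UDP 135, 139 and 445 at the firewall, and this post notes that most of the blocked attempts were aimed at UDP 135. The script below is an added example, not code from the thread, from Microsoft or from ZoneAlarm: it parses constructed, simplified firewall log lines (the format is invented for the example; real ZoneAlarm logs look different), reports what share of inbound attempts lands on each port, and lists the sources that keep hammering the RPC ports, which on a home subnet is usually a neighbouring infected machine sweeping for port 135.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Ports the MS03-026 workaround says to block at the firewall (TCP and UDP).
RPC_PORTS = {135, 139, 445}

# Constructed sample log (not a real ZoneAlarm or vendor format). One inbound
# attempt per line: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-12 22:01:03 BLOCK UDP 10.1.2.3:1034 -> 192.168.0.10:135
2003-08-12 22:01:09 BLOCK UDP 10.9.8.7:1035 -> 192.168.0.10:135
2003-08-12 22:01:15 BLOCK UDP 10.4.4.4:4021 -> 192.168.0.10:135
2003-08-12 22:01:22 BLOCK TCP 10.4.4.4:4022 -> 192.168.0.10:445
2003-08-12 22:01:30 BLOCK TCP 10.5.5.5:3391 -> 192.168.0.10:139
2003-08-12 22:01:41 BLOCK UDP 10.1.2.3:1036 -> 192.168.0.10:135
2003-08-12 22:01:55 BLOCK UDP 10.6.6.6:1112 -> 192.168.0.10:135
2003-08-12 22:02:03 BLOCK UDP 10.1.2.3:1037 -> 192.168.0.10:135
this line is malformed on purpose and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Attempt:
    action: str
    proto: str
    src: str
    dport: int


def parse_log(text):
    """Parse log text into Attempt records; lines that do not match are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(Attempt(m["action"], m["proto"], m["src"], int(m["dport"])))
    return attempts


def port_shares(attempts):
    """Share of all attempts per (proto, port), e.g. {('UDP', 135): 0.75, ...}."""
    if not attempts:
        return {}
    counts = Counter((a.proto, a.dport) for a in attempts)
    return {key: n / len(attempts) for key, n in counts.items()}


def rpc_summary(attempts):
    """How much of the noise is aimed at the RPC ports the bulletin lists."""
    hits = [a for a in attempts if a.dport in RPC_PORTS]
    return {
        "rpc_attempts": len(hits),
        "rpc_share": len(hits) / len(attempts) if attempts else 0.0,
        "top_sources": Counter(a.src for a in hits).most_common(3),
    }


def suspected_scanners(attempts, threshold=3):
    """Sources that hit RPC ports at least `threshold` times, busiest first."""
    counts = Counter(a.src for a in attempts if a.dport in RPC_PORTS)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for (proto, port), share in sorted(port_shares(found).items()):
        print(f"{proto} port {port}: {share:.0%} of inbound attempts")
    print("RPC summary:", rpc_summary(found))
    print("likely scanners on the subnet:", suspected_scanners(found))
```

On the constructed sample UDP 135 accounts for 75% of attempts, matching the figure in the post, and 10.1.2.3 shows up as the one source worth checking: a single neighbour repeatedly probing 135 is the pattern a worm sweeping its local /24 produces.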


As McNamee said, I think I was one of the first. I haven't dled any mods but do have MSN 6 and am on 56k. I can't find the file, but to stop it happening to me I enabled the firewall that comes with my dial up software. Sheesh! I'm glad it wasn't only me!


I took my PC to my IT boys this morning; they've been running AVG for 5 hrs and zip!! There was nothing in my registry keys. My guess is that because it's not connected to the net, the problem is not there for me. I've also done the patch thing!!! If this happens to me when I get it home, I'm going to take a sledgehammer to it and claim the insurance, by saying I fell down the stairs with it!!!! :lol:


Damn, I have applied the MS patch and deleted the reg key. The msblast.exe was not in my windows folder.

Today, I still get msblast.exe trying to access the net through my firewall :angry:

I guess I'll need to read that huge post of phantm's after all... :wall:


This is one nasty little virus, and it doesn't seem to be getting picked up by scans etc; it looks like it comes through the firewall......regardless.

What possesses clowns to do this stuff? Jeeze, the world is already ###### up, never mind monging your PC!!!!

Edited by Pave Low


Rocky, it should be under Windows/system32 (on WinXP system anyway). I went ahead and applied the patch and got everything up to date, but I didn't have a problem with the worm file to begin with. Wonder where it comes from.

Rocky, it should be under Windows/system32 (on WinXP system anyway). I went ahead and applied the patch and got everything up to date, but I didn't have a problem with the worm file to begin with. Wonder where it comes from.

Probably some fool of a college student who thinks he's being wise.

Rocky, it should be under Windows/system32 (on WinXP system anyway).

Yep, I see it now, but I can't delete it because Windows says it is in use. If the Symantec tool doesn't remove it I have to run it again in safe mode, which will be a new experience for me :rolleyes:

It is actually not working now since I applied the patch, my PC is not shutting down like it did before, but the msblast files are still here - hopefully this Symantec removal tool will do the business - it scans the whole disk though, so it could take a while.... :(


Yeah, I was reading about it on this security website. It said that it takes 20 seconds for it to get installed and start looking to copy itself. Phew. That's quick. 57,000 have it or so. They think it could go much higher since there are a LOT of windows computers out there. :(


Rocky, can you kill it under the Processes tab and then delete it?


Step 1: Ctrl + Alt + Delete; Go under processes and shut down "msblast.exe"

Step 2: Navigate to /Windows/system32; scroll down until you have found msblast and delete it; proceed to your trash can and delete it from there

Step 3: Delete the registry by going into regedit; navigate to:

HKEY_LOCAL_MACHINE | SOFTWARE | Microsoft | Windows | CurrentVersion

Click on Run. Delete msblast.

Step 4: Apply the patch found here.

Reboot.

This is how I removed it Rocky, hopefully it works for you too.


Some Tech info on what the worm does:

Also Known As: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]

When W32.Blaster.Worm is executed, it does the following:

Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.

Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.

NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.

Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.

Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.

NOTES:

This means the local subnet will become saturated with port 135 requests.

Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.

While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them. However, if the worm is manually placed and executed on a computer that is running these operating systems, it can run and spread.

Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.

Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.

If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!

billy gates why do you make this possible ? Stop making money and fix your software!!

Fortunately(for me), my Router, Firewall and AV have spared my system from this fate.

Edited by Pave Low
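The removal steps a few posts up and the worm write-up in this post name the same indicators: the "windows auto update"="msblast.exe" value under the Run key, a running msblast.exe, the file in system32, and the TCP 4444 shell and UDP 69 listeners. The script below is an added example, not code from the thread, from Symantec or from any removal tool: it takes a snapshot of those four things from one machine and reports which indicators are present, so you can tell an active infection from leftovers on a machine that has already been patched (the situation Rocky describes). The snapshot values are constructed; the live Run-key reader at the bottom is an assumption that only runs on Windows, and the "BILLY" mutex is not checked because there is no portable way to read it.

```python
import sys
from dataclasses import dataclass, field

# Indicators taken from the W32.Blaster write-up in the post above.
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"
WORM_IMAGE = "msblast.exe"
WORM_LISTENERS = {("TCP", 4444), ("UDP", 69)}   # remote cmd.exe shell, TFTP server


@dataclass
class HostSnapshot:
    """What an admin collects from one machine; all values below are constructed."""
    run_values: dict = field(default_factory=dict)     # Run key: value name -> data
    processes: list = field(default_factory=list)      # running image names
    system32_files: list = field(default_factory=list) # file names in system32
    listeners: set = field(default_factory=set)        # (proto, port) pairs listening


def check_blaster(snap):
    """Return one finding per indicator present; an empty list means nothing found."""
    findings = []
    data = snap.run_values.get(RUN_VALUE_NAME, "")
    # The value data is the bare image name; tolerate quoting and mixed case.
    if data.strip().strip('"').lower().endswith(WORM_IMAGE):
        findings.append(f"persistence: Run value {RUN_VALUE_NAME!r} = {data!r}")
    if any(p.lower() == WORM_IMAGE for p in snap.processes):
        findings.append(f"process: {WORM_IMAGE} is running")
    if any(f.lower() == WORM_IMAGE for f in snap.system32_files):
        findings.append(f"file: {WORM_IMAGE} present in system32")
    for proto, port in sorted(WORM_LISTENERS):
        if (proto, port) in snap.listeners:
            findings.append(f"listener: {proto} port {port} open")
    return findings


def classify(findings):
    """'active' if the worm is running or listening, 'remnants' if only
    the file or Run value is left behind (typical after patching), else 'clean'."""
    if not findings:
        return "clean"
    if any(f.startswith(("process:", "listener:")) for f in findings):
        return "active"
    return "remnants"


def collect_run_values():
    """Read the real Run key on Windows; returns {} elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:      # raised when there are no more values
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed snapshots for the three situations seen in the thread.
INFECTED = HostSnapshot(
    run_values={"windows auto update": "msblast.exe", "Zone Labs Client": "zlclient.exe"},
    processes=["explorer.exe", "MSBLAST.EXE"],
    system32_files=["kernel32.dll", "msblast.exe"],
    listeners={("TCP", 135), ("TCP", 4444), ("UDP", 69)},
)
PATCHED_REMNANTS = HostSnapshot(system32_files=["kernel32.dll", "msblast.exe"])
CLEAN = HostSnapshot(processes=["explorer.exe"], system32_files=["kernel32.dll"])


if __name__ == "__main__":
    for label, snap in [("infected", INFECTED), ("patched", PATCHED_REMNANTS), ("clean", CLEAN)]:
        found = check_blaster(snap)
        print(f"{label}: {classify(found)}")
        for line in found:
            print("  -", line)
```

A "remnants" result is the case in this thread where the patch stopped the crashes but msblast.exe is still on disk: the file is inert until something launches it, so the remaining work is deleting the file and the Run value, as the removal steps describe. An "active" result means the process or its listeners are still up and the machine should come off the network before cleanup.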


At least the creator has a sense of humor. <_<


Thanks for the help guys, I believe it is gone but

*sigh*

Now I have a new problem... for a new post... :(

Yeah well....I have something I'd like to give the creator....

Stand in the queue please :D

Rocky I was terrified I may have sent you the damn thing with the PfP update. Hope not! I only discovered it yesterday. No one yet seems to know the carrier?

Jack :ph34r:


It seems that they are sending it out to ISPs, and it is coming in from the ISP servers.

The reason it is killing machines is that it needs to get out again of the port it came in on, and if the port is blocked, or it can't get to a server, it shuts down the PC.

I'll find the link again and post it. I'm trying to simplify the explanation a bit, and I might be missing the boat trying to break it down.

Here is an info link about it.


I know my ISP got screwed up...... lost half my bandwidth in the last two days.... :angry: ... luckily I wasn't hit... good ole Zone Alarm :thumbsup:

Edited by NYR_32
