Patch your system NOW - Windows exploit running RAMPANT!

Old 08-11-2003 | 05:57 PM
  #1  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
Patch your system NOW - Windows exploit running RAMPANT!

Hey All,

I'm just back in the office right now after running around since 7:30am stomping out a nasty exploit that has been around for a while (~1 month) but is really starting to propagate.

As SOP you should have your system patched to the latest security level, but if you are on Windows NT+ (NT, 2k, XP) it is even more IMPERATIVE now that you go to the Windows Update site and run through a thorough patch installation.

The DCOM/RPCS exploit has infected 4 of my non-contract clients across 3 islands. All because they were too cheap to buy a hardware firewall device and/or didn't update their Windows patch level on a regular basis.

Go here for more info:
http://securityresponse.symantec.com...tent/8205.html

Mimail (a worm) is floating around as well. Your administrator is NOT going to e-mail you telling you that your e-mail is expiring and that you need to run an attached bit of code to renew it. Don't be duped!

*ARGH*
__________________
Best Car Insurance | Auto Protection Today | FREE Trade-In Quote
Old 08-11-2003 | 05:58 PM
  #2  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
More info from Symantec about a related trojan/exploit combo:

A Bugtraq user has already pointed out that a worm has been discovered in the wild that exploits the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (Bugtraq ID 8205) to infect host systems. Symantec has been tracking its activity and is currently conducting analysis/full disassembly of the malicious code, which has been named "Blaster". The results of our analysis are being made available to the public at the following location:

https://tms.symantec.com/members/Ana...t-DCOMworm.pdf

It is expected that this report will be updated frequently as more information is discovered. Readers are advised to download/refresh it throughout the day to ensure that any new information is not missed.

David Mirza Ahmad
Symantec
Old 08-11-2003 | 06:01 PM
  #3  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
Information re: the Mimail worm:

http://securityresponse.symantec.com...mail.a@mm.html

W32.Mimail.A@mm is a worm that spreads by email and steals information from a user's machine. The email has the following characteristics:

Subject: your account [random string]
Attachment: message.zip
The threat captures information from certain windows on a user's desktop and emails it to specific mail addresses.
This threat takes advantage of known vulnerabilities: MS02-15 and MS03-14. A Microsoft patch is located at: http://www.microsoft.com/windows/ie/...4/default.asp.
We encourage system administrators to apply the Microsoft patch to prevent infection by this worm.
The worm is packed with UPX.
Old 08-11-2003 | 06:02 PM
  #4  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
P.S. DON'T get caught with your pants down!
P.P.S. If you do, I make house calls for $50/hr.
Old 08-11-2003 | 06:06 PM
  #5  
Registered User
Joined: Nov 2002
Posts: 1,134
From: G35 Coupe (FOR SALE)
Car Info: G35 Coupe (FOR SALE)
Thanks for the heads up.

Originally posted by IS2Scooby
P.S. DON'T get caught with your pants down!
P.P.S. If you do, I make house calls for $50/hr.
Very easy to mis-quote, but I'd rather not.
Old 08-11-2003 | 06:07 PM
  #6  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
CLICK ME 2 BE SAFER for y'all lazy buggahs.
Old 08-11-2003 | 06:10 PM
  #7  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
More info as it's coming in on MS Blast:
Internet Security Systems Security Alert
August 11, 2003

"MS Blast" MSRPC DCOM Worm Propagation

Synopsis:

ISS X-Force has captured active samples of an automated Internet worm that
propagates via the MS RPC DCOM vulnerability documented in ISS X-Force
Alert titled "Flaw in Microsoft Windows RPC Implementation"
(http://xforce.iss.net/xforce/alerts/id/147). MS Blast is currently
propagating aggressively across the Internet.

Impact:

Any vulnerable desktop or server connected to the Internet may be
vulnerable to attack. All Windows 2000, Windows XP and Windows NT 4.0
computers that have not been patched are vulnerable to attack from the
automated worm, or manual attack. X-Force believes that hundreds of
thousands of computers may still be vulnerable. Unsuccessful propagation
attempts may crash vulnerable computers, or render them unstable.
Successful worm outbreaks have been known to cause significant localized
network latency, and widespread denial of service.

Description:

The MS Blast worm propagates by exploiting the vulnerability described
in Microsoft Security Bulletin MS03-026, titled, "Buffer Overrun In RPC
Interface Could Allow Code Execution". The worm exhibits the following
behaviors:

Spawns a new thread, checks the system clock and launches a TCP-based denial
of service attack at windowsupdate.com if the date is on or after
the 16th.

Adds itself to the registry so the worm restarts upon a reboot.

Initializes the attack vector for Windows 2000 or Windows XP based on a
simple mathematical calculation. Each infected instance will only attack
Windows XP or Windows 2000. One out of five worm infections will attack
Windows 2000, and the remaining four will target Windows XP.

There is a 40% probability that the worm picks a random IP and then scans
sequentially from the starting point. There is a 60% probability that
the worm scans sequentially from its own IP address.

If a vulnerable machine is found, the exploit is launched and the newly
infected machine connects back to the scanning machine via TFTP to obtain
the worm binary. The binary is executed and the process begins again.

Recommendations:

X-Force recommends that network operators monitor TCP port 135 and UDP
port 69 traffic on their networks. The worm will generate TCP port 135
traffic in its attempts to propagate and UDP port 69 traffic in attempts
to download the worm binary on newly infected computers.
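The X-Force recommendation above (watch TCP port 135 probing and UDP port 69 TFTP fetches) turned into a small log-triage script, as an added example that is not from the post or from ISS. The connection-log format, the addresses and the `min_targets` threshold are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample connection log (not from the original thread):
# timestamp, protocol, src:port -> dst:port. 10.0.5.7 walks TCP/135 up a
# consecutive range, and one of the probed hosts then pulls from it on UDP/69.
SAMPLE_LOG = """\
2003-08-11 17:40:01 TCP 10.0.5.7:1044 -> 10.0.5.8:135
2003-08-11 17:40:01 TCP 10.0.5.7:1045 -> 10.0.5.9:135
2003-08-11 17:40:02 TCP 10.0.5.7:1046 -> 10.0.5.10:135
2003-08-11 17:40:02 TCP 10.0.5.7:1047 -> 10.0.5.11:135
2003-08-11 17:40:03 TCP 10.0.5.7:1048 -> 10.0.5.12:135
2003-08-11 17:40:05 UDP 10.0.5.12:1029 -> 10.0.5.7:69
2003-08-11 17:41:00 TCP 10.0.5.20:2001 -> 10.0.5.30:135
2003-08-11 17:41:10 TCP 10.0.5.21:3389 -> 10.0.5.40:443
"""

LINE_RE = re.compile(r"^\S+ \S+ (TCP|UDP) (\S+):\d+ -> (\S+):(\d+)$")


def parse(log):
    """Yield (proto, src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, src, dst, dport = m.groups()
            yield proto, src, dst, int(dport)


def find_blaster_suspects(log, min_targets=4):
    """Flag sources probing many hosts on TCP/135 (sequentially, as the
    worm does 60% of the time) and list hosts that TFTP'd back to them."""
    rpc_targets = defaultdict(set)   # scanner -> set of probed hosts (as ints)
    tftp_pulls = defaultdict(set)    # tftp server (the scanner) -> pulling hosts
    for proto, src, dst, dport in parse(log):
        if proto == "TCP" and dport == 135:
            rpc_targets[src].add(int(ipaddress.ip_address(dst)))
        elif proto == "UDP" and dport == 69:
            tftp_pulls[dst].add(src)
    suspects = {}
    for scanner, targets in rpc_targets.items():
        if len(targets) < min_targets:
            continue
        ordered = sorted(targets)
        sequential = ordered[-1] - ordered[0] == len(ordered) - 1
        suspects[scanner] = {"probed": len(ordered), "sequential": sequential,
                             "tftp_pulls": sorted(tftp_pulls.get(scanner, ()))}
    return suspects
```

A TFTP pull back to the scanner is the stronger signal: it means the probe succeeded and the new host is fetching the binary.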
Old 08-11-2003 | 07:42 PM
  #8  
Registered User
Joined: Nov 2002
Posts: 1,315
From: hawaii
Car Info: 02 wrx
Originally posted by IS2Scooby
CLICK ME 2 BE SAFER for y'all lazy buggahs.
thanks Rich
Old 08-11-2003 | 08:14 PM
  #9  
Registered User
Joined: Nov 2002
Posts: 3,462
From: Honolulu, HI
Car Info: 2008 MB C350S Chip/Exhaust 268whp
Richard: may that be why Road Runner's networks have been really really erratic and been pinging me the last few weeks? If I DMZ my router, every few minutes, the NT Authority worm via RR kicks in and gives that stupid message that shuts down my pc in 30 seconds.
Old 08-11-2003 | 09:06 PM
  #10  
Registered User
Joined: Dec 2002
Posts: 2,859
From: Flying on the H1 w/ 75 psi of compression on all 4 cyl
Car Info: PnP VF30 w/ STi injectors Perrin intake walbro fuel pump w/ a TXS TBE
thank you

wow i hope they don't have any problems down there. i have road runner and nothing major yet with my system (knock on wood) and Richard thanks for the update
Old 08-11-2003 | 09:11 PM
  #11  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
You guys are welcome!

Boom - that's EXACTLY why RR's networks have been so temperamental. POP server cutting in and out in the midst of a message download, DNS service timing out, etc.

Mimail and this exploit have been wreaking havoc on the net for the last week and a half or so heavily here in Hawaii.

I see it on DSL (Verizon in particular) as well...

Ugly stuff.

I had a software proxy get choked so hard that it turned the page file on our NT server into so much mush. This of course crashed the server (which killed the 'net connection). The server didn't get "infected" per se, but it was brought down because the server couldn't "hang".

On some of the nerd forums I'm on I've seen some cheaper hardware routers have trouble with this buffer overflow as well. Ugly, I tell ya!
Old 08-11-2003 | 09:13 PM
  #12  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
Originally posted by palaban
Thanks for the heads up.
Very easy to mis-quote, but I'd rather not.
Boy, you passed up a cherry there didn't ya Richie! Kudos!
Old 08-11-2003 | 09:16 PM
  #13  
Registered User
Joined: Nov 2002
Posts: 737
Originally posted by IS2Scooby
P.S. DON'T get caught with your pants down!
P.P.S. If you do, I make house calls for $50/hr.
Holy crap.....you need to charge more!

oh yeah. good for the cheapos that didn't update their shiet or buy a router! hahaha
Old 08-11-2003 | 09:20 PM
  #14  
Thread Starter
Pr0n King
Joined: Nov 2002
Posts: 26,618
From: The Land of Rocks
Car Info: Turncoat Turbo
What can I say, I've got a good heart! Plus that was the "hot babe" price.
Old 08-11-2003 | 10:53 PM
  #15  
Registered User
Joined: Nov 2002
Posts: 477
Damn!!!!! I just had to batch crap up because of that some*****! I guess serves me right for not updating Windows. I kept getting shut down repeatedly. Good thing my friend is a computer god and was able to guide me through over the phone to fix it up. Good luck to anyone that gets attacked by this.

All times are GMT -7.