Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-08-09 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More RPC DCOM - SDBot News

Published: 2003-08-09
Last Updated: 2003-08-09 04:13:54 UTC
by Handlers (Version: 1)
0 comment(s)
RPC DCOM Update: sdbot variant

If you didn't patch and you're rooted by anything, then Rebuild.

As the information about file hiding in the e-mail post to Unisog below shows, for critical systems, you cannot rely on any vendors "cleaning tools" in a situation like this because;

The tools are not going to find everything from all of the variants and:

You're never going to be able to afford the forensic expense necessary to ensure all hidden files on your system are found.

So byte the bullet, rebuild and patch.

----- Original Message -----
From: "Andy Efting" <>
To: <>
Sent: Tuesday, August 05, 2003 6:53 AM
Subject: [unisog] Re:Unintended update

Here is more detail that I promised last night. This was written by our NT team:

After working with HP Services, Microsoft, and several departments on campus - we have found the following regarding the RPC exploitation.

This information is provided as-is, etc, etc...
This may not be exact across the board, but is what we have found.

There are several signs that will indicate the presence of the RPC exploit on a system that has not done a manual installation of the RPC exploit patch (KB823980).

All machines we have found to be exploited are running Windows 2000 &; 2003 Server.

In the root directory of the hacked server you will find the actual extracted files from the Microsoft patch (any MS patch will not leave the files sitting in the root). These files include:
update.exe (self-extracting archive)

There will also be an <drive>:\update directory from which the installer is called and it will contain the following files:

There is also some further proof that the server has been hacked. In the SYSTEM event log the following entry was found:

Event Type: Information
Event Source: NtServicePack
Event Category: None
Event ID: 4377
Date: 08/03/2003
Time: 11:18:02 AM
Windows 2000 Hotfix KB823980 was installed.

This entry in the log is usually followed by a server restart which will complete the hack.

Once the server has restarted it will no longer appear to be vulnerable to the RPC exploit on the common ports (135,139,445, and 593) and this was confirmed by scanning with several of the DCOM utilities available but it will now have a new port that is available for use by the hacker (port 33571). This port will only be found by issuing a NETSTAT -A command from the command prompt and it will reveal that the server is "listening" on this port. This port is only "listening" on the servers that were hacked.
The exploited server will also have two files HIDDEN on the <drive>:\WINNT\system32 directory. The files are CSRSRV.EXE and CSRSU.EXE. These files ARE NOT VISIBLE from the console of the server.

(The CSRSRV.DLL is a valid file and should not be removed from your system)

These two files can only be seen when connected to the server via an admin share across the network (C$, D$, WINNT$, etc.). These files are not detected by any antivirus programs since they contain valid program code.
NOTE: If the workstation you are using has also been hacked you will be unable to see these files on any
remotely connected machines as well as the local machine.

The hacker may also modify at least one registry entry in the HKLM\SYSTEM\ControlSet001\CSR*.

The CSRSRV.EXE (Path to Executable: C:\WINNT\system32\csrsu.exe) and CSRSU.EXE (Path to Executable: C:\WINNT\system32\csrsrv -k csrspx)files are listed in the Services MMC as Clipboard and CSRS Windows NT
services respectively. These services will fail to start once the files have been renamed from a remote computer. NOTE: If the workstation you are using has also been hacked you will be unable to see these files on any remotely connected machines as well as the local machine.

The removal process:
These files (CSRSRV.EXE and CSRSU.EXE) cannot be deleted remotely but they can be renamed. Once they have been renamed the services can be removed using the delsrv.exe resource kit tool (
and executing the following commands:

C:\TOOLS>delsrv csrspx
C:\TOOLS>delsrv csrswin1

The registry keys should be deleted and the server rebooted.

We have created and attached a self extracting patch that will remove the services and registry entries from your local machine. This was packed using WinRAR, and we cannot guarantee successful execution on every system. The patch should be applied AFTER you rename the two hidden files in the system32 directory and have restarted the machine.

The patch should be run locally from the affected machine.
Andrew P. Efting
Security Analyst
Emory University
Phone: 404-712-2213
Fax: 404-727-0817

0 comment(s)
Diary Archives