
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-08-01



Widespread use of RPC DCOM Exploit

Published: 2003-08-01
Last Updated: 2003-08-04 14:58:05 UTC
by Handlers (Version: 1)

-- UPDATE ---

A trojan horse / irc bot has been found in the wild which uses this
vulnerability to 'recruit' systems:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html

-----
Ever since the announcement of the RPC DCOM vulnerability, the hacker community
has been busy refining exploits in order to make use of this issue.

Over the last two weeks, a number of exploits have been released. They are very
easy to use and have already been used to attack numerous systems.

Currently, more than 1/4 of the sensors participating in the Internet Storm
Center have detected scans for this vulnerability.

If successful, the exploit will be hard to detect. Only if the exploit fails will you see a popup alert indicating that the RPC service died; your machine may reboot by itself as a result.

Essentially all versions of Windows are vulnerable. The only exception is Windows ME. A patch has been made available by Microsoft as of July 16th 2003.

Recommendation:

- Patch your systems as fast as possible.

- Apply firewall rules to block at least ports 135, 139 and 445. RPC may use other ports as well depending on configuration. Do not use these limited rules in lieu of patches.

- If possible, disable DCOM (this may break some functionality). To do so, use 'dcomcnfg.exe'. For details see: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750

For further details, see the MSFT bulletin (MS03-026):

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

SNORT Rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)
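To make the byte checks in the port-135 rules (sids 2190 and 2192) concrete, here is an added example, not part of the ISC diary or of Snort, that re-implements those checks in Python and runs them over DCERPC bind PDUs constructed in the script (not captured traffic). The rules match the DCERPC version byte at offset 0, the bind packet type at offset 2, the PFC_FIRST_FRAG bit of the flags byte at offset 3 (the byte_test), and then either a zero presentation-context count at offset 24 (distance:21 from the cursor at offset 3) or the ISystemActivator interface UUID at offset 32 (distance:29). The NDR transfer-syntax UUID and the "other interface" UUID used in the samples are, respectively, a well-known constant and a constructed placeholder; the SMB-wrapped variants (sids 2191/2193) are not modelled.

```python
"""Re-implementation of the byte checks in Snort sids 2190 and 2192, run over
constructed DCERPC bind PDUs.  Added example, not the diary's or Snort's code."""
import struct
import uuid

# DCERPC common-header values the rules test
RPC_VERSION = 0x05      # content:"|05|" at offset 0
PKT_BIND = 0x0B         # content:"|0b|" at offset 2 (distance:1 after the version byte)
PFC_FIRST_FRAG = 0x01   # byte_test:1,&,1,0,relative on the flags byte at offset 3

# Offsets implied by the distance/within modifiers: after matching the packet
# type byte the cursor sits at offset 3, and byte_test does not move it.
OFF_VERSION, OFF_PTYPE, OFF_FLAGS = 0, 2, 3
OFF_NUM_CTX = 3 + 21        # number of presentation-context items (sid 2190)
OFF_ABSTRACT_UUID = 3 + 29  # abstract-syntax UUID of the first context (sid 2192)

# ISystemActivator {000001A0-0000-0000-C000-000000000046}; bytes_le yields the
# wire encoding the rule matches: A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46
ISYSTEMACTIVATOR_LE = uuid.UUID("000001a0-0000-0000-c000-000000000046").bytes_le
# NDR 32-bit transfer syntax (well-known constant used by every bind)
NDR_TRANSFER_SYNTAX_LE = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le
# Constructed placeholder for "some other interface" (not a real interface id)
OTHER_INTERFACE_LE = uuid.UUID("12345678-1234-1234-1234-123456789abc").bytes_le


def is_first_frag_bind(pdu: bytes) -> bool:
    """Checks shared by all four rules: version 5, packet type bind, first fragment."""
    return (len(pdu) > OFF_FLAGS
            and pdu[OFF_VERSION] == RPC_VERSION
            and pdu[OFF_PTYPE] == PKT_BIND
            and bool(pdu[OFF_FLAGS] & PFC_FIRST_FRAG))


def match_rules(pdu: bytes) -> list:
    """Return the sids (2190 and/or 2192) whose byte checks the PDU satisfies."""
    hits = []
    if not is_first_frag_bind(pdu):
        return hits
    # sid 2190: a bind carrying zero presentation contexts ("invalid bind")
    if len(pdu) > OFF_NUM_CTX and pdu[OFF_NUM_CTX] == 0:
        hits.append(2190)
    # sid 2192: first context asks for the ISystemActivator interface
    if pdu[OFF_ABSTRACT_UUID:OFF_ABSTRACT_UUID + 16] == ISYSTEMACTIVATOR_LE:
        hits.append(2192)
    return hits


def bound_interface(pdu: bytes) -> str:
    """Readable UUID of the first requested interface, for an alert message."""
    raw = pdu[OFF_ABSTRACT_UUID:OFF_ABSTRACT_UUID + 16]
    return str(uuid.UUID(bytes_le=raw)) if len(raw) == 16 else "<none>"


def build_bind(abstract_uuid_le: bytes, flags: int = 0x03, num_ctx: int = 1) -> bytes:
    """Construct a minimal DCERPC bind PDU as test input (flags 0x03 =
    PFC_FIRST_FRAG | PFC_LAST_FRAG).  Constructed for this example."""
    ctx = b""
    if num_ctx:
        # context id, number of transfer syntaxes, pad; abstract syntax + version;
        # transfer syntax (NDR) + version
        ctx = (struct.pack("<HBx", 0, 1) + abstract_uuid_le + struct.pack("<I", 0)
               + NDR_TRANSFER_SYNTAX_LE + struct.pack("<I", 2))
    # max xmit frag, max recv frag, assoc group, number of context items + pad
    body = struct.pack("<HHIB3x", 5840, 5840, 0, num_ctx) + ctx
    frag_len = 16 + len(body)
    # version, minor, ptype, flags, data representation, frag length, auth length, call id
    header = struct.pack("<BBBBIHHI", RPC_VERSION, 0, PKT_BIND, flags, 0x10, frag_len, 0, 1)
    return header + body


# Constructed sample PDUs: one per condition the rules distinguish
SAMPLES = {
    "ISystemActivator bind": build_bind(ISYSTEMACTIVATOR_LE),
    "zero-context bind": build_bind(ISYSTEMACTIVATOR_LE, num_ctx=0),
    "non-first fragment": build_bind(ISYSTEMACTIVATOR_LE, flags=0x02),
    "other interface": build_bind(OTHER_INTERFACE_LE),
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(f"{name:24} interface={bound_interface(pdu)} sids={match_rules(pdu)}")
```

Running the script shows the ISystemActivator bind firing sid 2192 only, the zero-context bind firing sid 2190 only, and the non-first fragment and the bind to a different interface firing nothing, which is exactly the split the four rules make. The "non-first fragment" case is why the byte_test is there: a bind whose PFC_FIRST_FRAG bit is clear is a continuation fragment, and the rules deliberately do not alert on it.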
---------

Please send comments to isc@sans.org
