SANS ISC: RPC DCOM Update: sdbot variant - SANS Internet Storm Center

RPC DCOM Update: sdbot variant
Honeypots captured a number of attempts to install 'sdbot' variants via the
RPC DCOM vulnerability. In each case, 'dcom.c' was used to break in and issue
a tftp command to download the remainder of sdbot.

Sdbot is a very common 'IRC bot'. It allows remote control of infected machines
via IRC and provides a large set of functions such as keystroke loggers, DDoS tools, and tools to scan and break into other machines.

In order to protect your systems against this threat, patch systems against the
RPC vulnerability. Possible firewall rules:

- block inbound port 135 (RPC)

- block inbound and outbound port 69 (TFTP)

- block outbound port 6667 (IRC)

Note: the IRC port in particular is easily changed to a different port, so a rule on 6667 alone should not be relied upon. TFTP should probably only be blocked at the perimeter of a private network (home network or small company), not by an ISP.
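The firewall rules above also describe the sequence a compromised host leaves in connection logs: an accepted inbound 135/tcp connection, then the victim itself reaching out for TFTP (69/udp), IRC (6667/tcp) and, once the bot is running, other machines' port 135. The following correlation script is an added example, not code from the ISC diary; the log line format, the 192.0.2.0/24 "internal" prefix and the ten-minute window are assumptions, and the sample log lines are constructed for illustration.

```python
"""Correlate firewall log lines for the sdbot-via-RPC-DCOM sequence described
in the diary: inbound 135/tcp, then outbound TFTP (69/udp), IRC (6667/tcp)
and scanning of other hosts' port 135. Added example, not ISC code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the diary). Assumed format:
# "<ISO timestamp> <ACCEPT|DROP> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-05T10:00:01 ACCEPT tcp 198.51.100.7:3321 -> 192.0.2.10:135
2003-08-05T10:00:03 ACCEPT udp 192.0.2.10:1027 -> 198.51.100.7:69
2003-08-05T10:00:09 ACCEPT tcp 192.0.2.10:1028 -> 203.0.113.5:6667
2003-08-05T10:00:15 ACCEPT tcp 192.0.2.10:1030 -> 192.0.2.11:135
2003-08-05T10:01:00 ACCEPT tcp 192.0.2.12:1040 -> 192.0.2.13:135
2003-08-05T10:30:00 ACCEPT tcp 192.0.2.13:1041 -> 203.0.113.9:6667
2003-08-05T10:02:00 DROP   tcp 198.51.100.9:4444 -> 192.0.2.14:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL_PREFIX = "192.0.2."     # assumption: the protected network
WINDOW = timedelta(minutes=10)   # assumption: how long to watch a host after a 135 hit


def parse(text):
    """Parse log text into a time-ordered list of event dicts; skip unparseable lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "action": d["action"],
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events):
    """Return {host: [stages]} for internal hosts that accepted a 135/tcp connection
    and then originated TFTP, IRC or port-135 traffic within WINDOW of that hit.
    Hosts with only the inbound 135 hit (no follow-on activity) are not reported."""
    first_135 = {}               # host -> time of first accepted inbound 135/tcp
    stages = defaultdict(set)    # host -> set of observed stage names
    for e in events:
        if e["action"] != "ACCEPT":
            continue             # blocked traffic never completed the sequence
        if e["proto"] == "tcp" and e["dport"] == 135 and e["dst"].startswith(INTERNAL_PREFIX):
            first_135.setdefault(e["dst"], e["ts"])
            stages[e["dst"]].add("rpc_135_in")
        host = e["src"]
        if host not in first_135 or e["ts"] - first_135[host] > WINDOW:
            continue             # source is not a recently hit host
        if e["proto"] == "udp" and e["dport"] == 69:
            stages[host].add("tftp_out")      # payload download stage
        elif e["proto"] == "tcp" and e["dport"] == 6667:
            stages[host].add("irc_out")       # C2 stage; port is easily changed, so
                                              # absence of this stage proves nothing
        elif e["proto"] == "tcp" and e["dport"] == 135:
            stages[host].add("rpc_135_out")   # victim now scanning others
    return {h: sorted(s) for h, s in stages.items() if len(s) > 1}


def report(text):
    return correlate(parse(text))


if __name__ == "__main__":
    for host, seen in report(SAMPLE_LOG).items():
        print(host, ", ".join(seen))
```

On the constructed log, only 192.0.2.10 is reported with all four stages; 192.0.2.13 is not, because its IRC connection falls outside the ten-minute window, and the dropped connection to 192.0.2.14 is ignored. Because the IRC port is trivially changed, the TFTP and port-135 follow-on stages carry more weight than the 6667 match when tuning this on real logs.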

Please notify us about updates.

Aug 5th 2003
