Archief
- De topics van lang geleden
tcp/135 RPC worm
11-08-2003, 23:32 door Anoniem, 3 reacties
Ik zie sinds een uur of 7 vanavond een 1200% !!! stijging in het aantal SYN packets op port 135/TCP.
Netwerk-performance dondert langzaam in elkaar.
[snipza]
Handlers Diary August 11th 2003
Updated August 11th 2003 17:33 EDT
RPC DCOM
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.
**********
NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********
Increase in port 135 activity: http://isc.sans.org/images/port135percent.png
Latest update: The worm may launch a syn flood against windowsupdate.com on the 16th. (unconfirmed)
The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.
The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
So far we found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
Name of registry key:
SOFTWAREMicrosoftWindowsCurrentVersionRun, name: 'windows auto update'
Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWAREMicrosoftWindowsCurrentVersionRun
Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c
[/snip happens]
Lijkt mij dat een paar dummies vergeten zijn te patchen.
Netwerk-performance dondert langzaam in elkaar.
[snipza]
Handlers Diary August 11th 2003
Updated August 11th 2003 17:33 EDT
RPC DCOM
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.
**********
NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********
Increase in port 135 activity: http://isc.sans.org/images/port135percent.png
Latest update: The worm may launch a syn flood against windowsupdate.com on the 16th. (unconfirmed)
The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.
The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
So far we found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
Name of registry key:
SOFTWAREMicrosoftWindowsCurrentVersionRun, name: 'windows auto update'
Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWAREMicrosoftWindowsCurrentVersionRun
Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c
[/snip happens]
Lijkt mij dat een paar dummies vergeten zijn te patchen.
Reacties (3)
En wat hebben we nu geleerd ?
Geen fsck.
Op naar het volgende gapende gat, en passende worm, Trustworthy32/A.
Geen fsck.
Op naar het volgende gapende gat, en passende worm, Trustworthy32/A.
Handlers Diary August 11th 2003
Updated August 11th 2003 17:33 EDT
RPC DCOM
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.
**********
NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********
Increase in port 135 activity: http://isc.sans.org/images/port135percent.png
Latest update: The worm may launch a syn flood against windowsupdate.com on the 16th. (unconfirmed)
The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.
The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
So far we found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
Name of registry key:
SOFTWAREMicrosoftWindowsCurrentVersionRun, name: 'windows auto update'
Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWAREMicrosoftWindowsCurrentVersionRun
Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c
Updated August 11th 2003 17:33 EDT
RPC DCOM
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.
**********
NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********
Increase in port 135 activity: http://isc.sans.org/images/port135percent.png
Latest update: The worm may launch a syn flood against windowsupdate.com on the 16th. (unconfirmed)
The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.
The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
So far we found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
Name of registry key:
SOFTWAREMicrosoftWindowsCurrentVersionRun, name: 'windows auto update'
Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWAREMicrosoftWindowsCurrentVersionRun
Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c
Reageren
Deze posting is gelocked. Reageren is niet meer mogelijk.
Digital Designer
Ben jij een Grafisch vormgever, UI-designer, Game-artist of gewoon een ‘self-proclaimed creative genius’, die op zoek is naar een leuke en uitdagende baan waarin je al je creativiteit kwijt kan?Je werkt samen met onze developers en UI/UX-designer aan onze Gamified Cybersecurity Challenges welke jij voorziet van de mooiste designs.
Cyber Security Trainer
"You know that feeling after you have been to the cinema and seen an exciting movie? It's the same after this training. I can only say that this is probably the BEST TRAINING that I've ever done!!!”
Are you ready for a challenge?
Senior Full Stack Developer
Als full stack developer bij Certified Secure maak je de mooiste cybersecurity challenges die onze deelnemers wereldwijd uitdagen en inspireren. Alle challenges zijn gebaseerd op actuele kwetsbaarheden, je komt dus telkens nieuwe technieken tegen, van machine learning tot web assembly, van Swift UI tot GCP.