Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Worm Exploits RPC Flaw in Windows

    By
    Dennis Fisher
    -
    August 11, 2003
    Share
    Facebook
    Twitter
    Linkedin

      A worm that exploits the recently discovered RPC DCOM vulnerability in Windows began spreading rapidly on the Internet Monday afternoon. The worm is targeting TCP port 135 and is causing some large spikes in traffic, but has yet to cause any real latency or network outages, experts said.

      The name of the binary containing the worm is “msblast.exe,” and it is packed with the UPX compression utility. It is self-extracting and is 11KB once it is unpacked, according to information posted on the Dshield.org site run by the SANS Institute. Once the worm locates a vulnerable machine, it spawns a shell on TCP port 4444 and uses that to download the worm itself through TFTP.

      SANS preliminary analysis of the worm, including a list of some of the TFTP servers the worm downloads from, is available here.

      Once the worm is resident on a machine, it immediately begins scanning the Internet for other vulnerable targets. One post on a security mailing list said the worm begins scanning at IP address 192.168.0.1. It also dumps a key in the registry to start itself after a reboot.

      A text string in the worms code reads: “I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!”

      Experts who have seen copies of the worm say it works on some versions Windows 2000 and XP and that they are trying to confirm its effectiveness on other versions.

      “Weve gotten a bunch of different confirmations of this worm, and weve talked to network operators who say theyve seen customer machines going up and down,” said Dan Ingevaldson, engineering manager for the X-Force research team at Internet Security Systems Inc. in Atlanta. “This looks like the first attempt at automatically exploiting the DCOM problem.”

      Ingevaldson added that ISS has seen a 10-fold increase this afternoon in the number of scans of port 135 on the machines the company monitors for its managed security clients.

      ISS officials also said that the new worm is programmed to launch a denial-of-service attack against the Windows Update Web site on the 16th of each month. Windows Update is an automated service through which Microsoft customers can automatically retrueve security patches and other software updates. A successful DoS attack against the site would not prevent users from accessing patches, however, as those files can still be downloaded manually from other Microsoft sites. Each instance of the MS Blast worm, as its being called, attacks either Windows 2000 or Windows XP machines, not both. Twenty percent of the instances will attack Windows 2000 and 80 percent will look for Windows XP boxes, ISS said.

      The flaw that the worm exploits is found in a portion of the Remote Procedure Call (RPC) protocol that handles message exchanges over TCP/IP. The vulnerability, which arises because of incorrect handling of error messages, affects a particular Distributed Component Object Model interface with RPC and is found in every current version of Windows.

      The best way to avoid the worm is to patch Windows. Microsoft Corp., of Redmond, Wash., issued in July a patch for the vulnerability, which exists in NT 4.0, 2000, XP and Windows Server 2003.

      Avatar
      Dennis Fisher

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×