An attack tool, also known as an autorooter, is being used to compromise Windows servers. The tool can take commands that are sent through Internet relay chat (IRC) channels and is capable of scanning for and compromising systems vulnerable to the highly publicized recent Windows remote procedure call (RPC) vulnerability.
This vulnerability affects almost all versions of Windows and could enable a remote attacker to place and run malicious code on affected machines, giving them total control over the systems according to Microsoft.
After examining a clobbered together exploit package called Worm.Win32.Autorooter, it is obvious where this type of worm is heading. Because it requires no user interaction it is being compared to the buffer overflow vulnerability in Microsoft's Internet Information Server (IIS) that was exploited by the Code Red worm in July of 2001.
The major difference that I see, is that Code Red infected Windows servers only, this exploit has the capability of infecting servers AND workstations alike. Now we are talking millions of potential systems and not thousands.
I have seen a significant level of recon or scanning, since the Distributed Component Object Model (DCOM) exploit was found in the wild on July 25th, which once again brings up my major gripe. The current patching system is broke. What consumers should demand is that software vendors "start writing more secure applications." Only intense pressure from buyers appliance vendors to do the right thing for their customers by taking responsibility for the flaws they are putting in our computers and on our networks. If the Department of Homeland Security wants to improve cyber security it should demand that its vendors deliver secure configurations and automatically deliver patches that work, or pay the costs of cleaning up the messes caused by their failure to do so.
In the mean time, please take these steps to protect your environment. Block TCP port 135 (Windows RPC service), TCP port 139 (Windows NetBIOS network communication) and port 445 (Windows Server Message Block) on your local firewall. And apply the Microsoft patch found in regards to Microsoft Security Bulletin MS03-026: https://www.microsoft.com/security/security_bulletins/ms03-026.asp
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2009-11-07 Michael Desrosiers
If you just want to use the system, instead of hacking on its internals, you don't need source code. (Andrew S. Tanenbaum)