Re: reports of DCOM worm on the loose...Report #4

From: Marc Maiffret (marc_at_EEYE.COM)
Date: 08/12/03

    Date:         Tue, 12 Aug 2003 08:36:45 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


    "eEye's DCOM Checker incorrectly reports NT 4 machines as being vulnerable,
    despite the patch being positively verified"
    That was fixed in version 1.0.3 of the free scanner.

    Also some of the comments/points about the worm are incorrect, as they are
    on some other research sites. You can read our full analysis on the eEye
    website at http://www.eeye.com/html/Research/Advisories/AL20030811.html

    Also, as mentioned in our analysis, if you're running Windows 2000 SP0, SP1,
    or SP2 and disable DCOM (as a way to protect yourself until you install the
    patch), then DCOM is not "really" disabled and you are still vulnerable. We
    have seen this with a few customers of ours and also in testing in our lab.
    Anyone else have the same experience? So the point being, in some cases,
    disabling DCOM is not a valid method of protection.

    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

    | -----Original Message-----
    | From: Windows NTBugtraq Mailing List
    | [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Russ
    | Sent: Tuesday, August 12, 2003 6:30 AM
    | To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    | Subject: Re: reports of DCOM worm on the loose...Report #4
    |
    |
    | Summary of information uncovered;
    |
    | 1. Windows 2000 SP2 can install MS03-026. Microsoft still isn't
    | supporting this configuration and insist you should test it, but
    | I have had numerous reports from people who have successfully
    | installed it. Windows 2000 SP2 systems have been successfully compromised.
    |
    | 2. Windows Update and most 3rd party patch management
    | applications will not offer you the ability to install MS03-026
    | on Windows 2000 SP2 systems. I have prepared an XML file for use
    | with HFNetchk or MBSACli which will both check for, and
    | recommend, MS03-026 on Windows 2000 SP2 systems.
    | Ergo;
    |
    | 7. Multiple copies of MSBlast.exe can run on the same victim.
    |
    | Uncorroborated Reports:
    | - Adds a user to the Administrators group
    | - Starts up NetBIOS services (if they aren't running)
    | - eEye's DCOM Checker incorrectly reports NT 4 machines as being
    | vulnerable, despite the patch being positively verified
    <snip>

    Cheers,
    Russ - NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to

    http://www.trusecure.com/offer/s0100/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


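The practical takeaway from the exchange above is that a mitigation such as "disable DCOM" has to be verified rather than assumed. The script below is an added example, not code from the original posts, eEye or NTBugtraq: it checks whether the RPC endpoint mapper port on a list of your own hosts still accepts TCP connections after the setting was changed, so a host on which the listener is still up can be flagged for patching (MS03-026) instead of being counted as protected. It assumes the service under test listens on TCP/135 (the standard RPC endpoint mapper port) and uses only the Python 3 standard library; the host inventory in the `__main__` block is constructed sample data, and the two helper functions that create a local listener and a closed port exist only so the check can be exercised offline against localhost.

```python
import socket
from typing import Dict, Iterable, Tuple

# Standard TCP port of the RPC endpoint mapper (assumption of this example:
# the listener we want to confirm is gone lives here).
RPC_ENDPOINT_MAPPER_PORT = 135


def port_accepts_connections(host: str, port: int = RPC_ENDPOINT_MAPPER_PORT,
                             timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake to host:port completes within timeout.

    A completed handshake means something is still listening there, regardless
    of what a configuration dialog or registry value claims.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # connection refused, timeout, unreachable host: nothing answered
        return False


def verify_dcom_exposure(hosts: Iterable[Tuple[str, int]],
                         timeout: float = 2.0) -> Dict[str, str]:
    """Classify each (host, port) as 'still_listening' or 'closed'.

    Hosts that come back 'still_listening' after DCOM was supposedly disabled
    should be treated as unpatched and unprotected, as the thread describes.
    """
    results: Dict[str, str] = {}
    for host, port in hosts:
        state = "still_listening" if port_accepts_connections(host, port, timeout) else "closed"
        results[f"{host}:{port}"] = state
    return results


# --- offline test helpers (not part of the check itself) -------------------

def start_local_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Open a throwaway listener on an ephemeral port.

    Stands in for a host whose RPC listener is still up. Connections complete
    from the kernel backlog, so no accept loop is needed for the check.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port(host: str = "127.0.0.1") -> int:
    """Bind and immediately release a port so that nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed sample: one host that still listens, one that does not.
    listener, up_port = start_local_listener()
    down_port = find_closed_port()
    inventory = [("127.0.0.1", up_port), ("127.0.0.1", down_port)]
    for target, state in verify_dcom_exposure(inventory, timeout=1.0).items():
        print(f"{target:24s} {state}")
    listener.close()
```

Run it against your own host inventory by replacing the constructed `inventory` list with real `(host, 135)` pairs; a host reported as `still_listening` has not actually had its listener removed and should be patched, not left relying on the disabled-DCOM setting.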
