Re: reports of DCOM worm on the loose...Report #4

From: Marc Maiffret (marc_at_EEYE.COM)
Date: 08/12/03

    Date:         Tue, 12 Aug 2003 08:36:45 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    "eEye's DCOM Checker incorrectly reports NT 4 machines as being vulnerable,
    despite the patch being positively verified"
    That was fixed in version 1.0.3 of the free scanner.

    Also some of the comments/points about the worm are incorrect, as they are
    on some other research sites. You can read our full analysis on the eEye
    website at http://www.eeye.com/html/Research/Advisories/AL20030811.html

    Also, as mentioned in our analysis, if you're running Windows 2000 SP0, SP1,
    SP2, and disable DCOM (as a way to protect yourself until you install the
    patch) then DCOM is not "really" disabled and you are still vulnerable. We
    have seen this with a few customers of ours and also testing in our lab.
    Anyone else have the same experience? So the point being, in some cases,
    disabling DCOM is not a valid method of protection.

    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

    | -----Original Message-----
    | From: Windows NTBugtraq Mailing List
    | [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of Russ
    | Sent: Tuesday, August 12, 2003 6:30 AM
    | To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    | Subject: Re: reports of DCOM worm on the loose...Report #4
    |
    |
    | Summary of information uncovered;
    |
    | 1. Windows 2000 SP2 can install MS03-026. Microsoft still isn't
    | supporting this configuration and insists you should test it, but
    | I have had numerous reports from people who have successfully
    | installed it. Windows 2000 SP2 systems have been successfully compromised.
    |
    | 2. Windows Update and most 3rd party patch management
    | applications will not offer you the ability to install MS03-026
    | on Windows 2000 SP2 systems. I have prepared an XML file for use
    | with HFNetchk or MBSACli which will both check for, and
    | recommend, MS03-026 on Windows 2000 SP2 systems.
    | Ergo;
    |
    | 7. Multiple copies of MSBlast.exe can run on the same victim.
    |
    | Uncorroborated Reports:
    | - Adds a user to the Administrators group
    | - Starts up NetBIOS services (if they aren't running)
    | - eEye's DCOM Checker incorrectly reports NT 4 machines as being
    | vulnerable, despite the patch being positively verified
    <snip>

    Cheers,
    Russ - NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to

    http://www.trusecure.com/offer/s0100/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
