RPC worm finally strikes

A worm has emerged that takes advantage of the Windows RPC vulnerability. It's too early to say whether Blaster-A will be as pervasive as the last major network worm, SQL Slammer.

After nearly a month of waiting, a worm has emerged to take advantage of the Windows RPC-DCOM vulnerability. But experts say it's too early to tell just how widely it will spread.

Initial reports say Blaster-A can infect Windows NT, XP and Windows 2000 machines. It's unclear whether the worm could hit systems running Windows Server 2003.

Experts are hoping widespread reports about the vulnerability prompted users to patch their vulnerable systems. The vulnerability is not in the Remote Procedure Call (RPC) protocol, which allows heterogeneous systems to communicate with one another, but in how it's implemented in Windows.

Blaster-A isn't a technically advanced worm, though it has the potential to spread if enough people haven't patched their systems. "I would say it's a textbook example of how to exploit a vulnerability," said Vincent Gullotto, vice president of McAfee AVERT, or antivirus emergency response team. "It's not anything real complex."

Blaster-A is a network worm. It doesn't travel via e-mail or require any human intervention to infect a system. The worm scans for port 135, which it then used to exploit the RPC flaw. Once it infects a machine, the worm starts a Trivial File Transfer Protocol (TFTP) session and downloads an executable file, msblast.exe. When run, that file turns the computer into a Blaster spreader that scans for port 135 and begins the process again.

That downloading process could be the worm's Achilles heel, however. If the list of IP addresses it downloads the executable from is hard-coded into the worm, then it's likely to be short-lived because those sites could be simply shut down. There were some reports that the worm uses 28 static IP addresses from which to download the file. If so, the worm would die down very quickly, said Russ Cooper, surgeon general at TruSecure Corp., a Herndon, Va., managed security services provider.

However, if the worm can dynamically search for hosts, then the worm could be more successful because it won't have limited of sources to download the msblast executable.

Blaster doesn't have a destructive payload per se. It could cause localized or potentially wider spread network problems as infected systems cobble up bandwidth. "It could take out an entire company's network," said Charles Kaplan, information security officer at managed security services provider Guardent Inc., Waltham, Mass.

It could be a similar scenario to the SQL Slammer worm, which slowed some networks to a crawl in January. The sheer volume of non-destructive traffic could hamper clean-up efforts because companies have trouble downloading the necessary patches, Kaplan said.

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: Windows RPC exploit code published

Featured Topic on the RPC vulnerability

Microsoft security bulletin MS03-026

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close