
RPC worm finally strikes

Edward Hurley, SearchSecurity.com News Writer

After nearly a month of waiting, a worm has emerged to take advantage of the Windows RPC-DCOM vulnerability. But experts say it's too early to tell just how widely it will spread.

Initial reports say Blaster-A can infect Windows NT, XP and Windows 2000 machines. It's unclear whether the worm could hit systems running Windows Server 2003.

Experts are hoping widespread reports about the vulnerability prompted users to patch their vulnerable systems. The vulnerability is not in the Remote Procedure Call (RPC) protocol, which allows heterogeneous systems to communicate with one another, but in how it's implemented in Windows.

Blaster-A isn't a technically advanced worm, though it has the potential to spread if enough people haven't patched their systems. "I would say it's a textbook example of how to exploit a vulnerability," said Vincent Gullotto, vice president of McAfee AVERT, or antivirus emergency response team. "It's not anything real complex."

Blaster-A is a network worm. It doesn't travel via e-mail or require any human intervention to infect a system. The worm scans for port 135, which it then uses to exploit the RPC flaw. Once it infects a machine, the worm starts a Trivial File Transfer Protocol (TFTP) session and downloads an executable file, msblast.exe. When run, that file turns the computer into a Blaster spreader that scans for port 135 and begins the process again.
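One way a defender could spot the scan-then-download pattern described above in connection logs, as an added example that is not part of the original article; it assumes a constructed log format of "epoch source destination protocol destination-port" and the sample lines are made up for illustration:

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): "epoch src dst proto dport".
# 10.0.0.5 fans out to TCP/135, then 10.0.1.3 pulls a file back over UDP/69 (TFTP).
SAMPLE_LOG = """\
1060600001 10.0.0.5 10.0.1.1 tcp 135
1060600002 10.0.0.5 10.0.1.2 tcp 135
1060600002 10.0.0.5 10.0.1.3 tcp 135
1060600003 10.0.0.5 10.0.1.4 tcp 135
1060600003 10.0.0.5 10.0.1.5 tcp 135
1060600010 10.0.1.3 10.0.0.5 udp 69
1060600020 10.0.2.9 10.0.2.1 tcp 80
1060600021 10.0.2.9 10.0.2.2 tcp 135
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (tcp|udp) (\d+)$")

def parse(log):
    """Return (ts, src, dst, proto, dport) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, proto, dport = m.groups()
            events.append((int(ts), src, dst, proto, int(dport)))
    return events

def find_scanners(events, min_targets=5):
    """Hosts that touched TCP/135 on at least min_targets distinct peers."""
    targets = defaultdict(set)
    for _, src, dst, proto, dport in events:
        if proto == "tcp" and dport == 135:
            targets[src].add(dst)
    return {s for s, t in targets.items() if len(t) >= min_targets}

def find_tftp_pullbacks(events, window_s=60):
    """Hosts that opened UDP/69 to a peer that hit their TCP/135 within window_s."""
    hit_at = {}  # (victim, attacker) -> time of the inbound port-135 connection
    suspicious = set()
    for ts, src, dst, proto, dport in sorted(events):
        if proto == "tcp" and dport == 135:
            hit_at[(dst, src)] = ts
        elif proto == "udp" and dport == 69:
            t = hit_at.get((src, dst))
            if t is not None and ts - t <= window_s:
                suspicious.add(src)  # likely a freshly infected host
    return suspicious

def analyse(log):
    ev = parse(log)
    return {"scanners": find_scanners(ev), "new_victims": find_tftp_pullbacks(ev)}
```

Hosts flagged as new victims are the ones worth isolating first, since they are about to become scanners themselves.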

That downloading process could be the worm's Achilles heel, however. If the list of IP addresses it downloads the executable from is hard-coded into the worm, then it's likely to be short-lived because those sites could be simply shut down. There were some reports that the worm uses 28 static IP addresses from which to download the file. If so, the worm would die down very quickly, said Russ Cooper, surgeon general at TruSecure Corp., a Herndon, Va., managed security services provider.

However, if the worm can dynamically search for hosts, then it could be more successful because it won't be limited in the sources from which it can download the msblast executable.

Blaster doesn't have a destructive payload per se. It could cause localized or potentially more widespread network problems as infected systems gobble up bandwidth. "It could take out an entire company's network," said Charles Kaplan, information security officer at managed security services provider Guardent Inc., Waltham, Mass.

It could be a similar scenario to the SQL Slammer worm, which slowed some networks to a crawl in January. The sheer volume of non-destructive traffic could hamper clean-up efforts because companies have trouble downloading the necessary patches, Kaplan said.

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: Windows RPC exploit code published

Featured Topic on the RPC vulnerability

Microsoft security bulletin MS03-026

