
CERT warns RPC flaw being exploited in wild

Attackers are stepping up Internet scans for Windows systems vulnerable to a flaw in Remote Procedure Call and have begun exploiting the flaw in the wild.

During the last week, experts have predicted the imminent risk of a worm that exploits a critical vulnerability in Windows RPC-DCOM. Now there are reports that attackers are manually exploiting the flaw.

The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh is warning that the vulnerability is being exploited in the wild. Attackers are scanning for port 135, which RPC uses, and by injecting the exploit code are able to gain a system-level command shell on vulnerable machines.

To some, predictions of an RPC worm smack of Chicken Little -- in other words, warnings that the sky will fall if systems administrators don't immediately patch their systems. In fact, the attention paid to a forthcoming worm might itself inspire some attention-deprived script kiddie to write just such a worm, experts said.

Organizations can rise above the whole worm issue by taking preventive measures. Installing the patch from Microsoft would fix the flaw. If that isn't possible, then blocking external access to the following ports would help: TCP 135, UDP 135, TCP 139, UDP 139, TCP 445 and UDP 445.
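As an added illustration (not code from the article or from CERT), the script below does two defender-side checks the story implies: it flags source hosts that sweep many destinations on TCP 135, the scanning pattern CERT describes, and it reports which of the six port/protocol pairs above an inbound block list still leaves open. The log line format and the addresses are constructed for the example.

```python
"""Flag hosts sweeping for the Windows RPC endpoint (TCP 135) and check that a
perimeter deny list covers the port/protocol pairs named in the article.
Added example; the log format and the rule representation are constructed."""
import re
from collections import defaultdict

# Port/protocol pairs the article recommends blocking from external access.
RPC_BLOCK_LIST = {("tcp", 135), ("udp", 135), ("tcp", 139),
                  ("udp", 139), ("tcp", 445), ("udp", 445)}

# Constructed firewall log lines (not real traffic): "proto src -> dst:port action"
SAMPLE_LOG = """\
tcp 198.51.100.7 -> 192.0.2.10:135 DROP
tcp 198.51.100.7 -> 192.0.2.11:135 DROP
tcp 198.51.100.7 -> 192.0.2.12:135 DROP
tcp 198.51.100.7 -> 192.0.2.13:135 DROP
tcp 203.0.113.5 -> 192.0.2.10:80 ACCEPT
tcp 203.0.113.9 -> 192.0.2.10:135 DROP
"""

LINE_RE = re.compile(r"^(tcp|udp) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_log(text):
    """Yield (proto, src, dst, dport) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def find_rpc_scanners(text, port=135, min_targets=3):
    """Return {src: distinct_targets} for sources that probed `port` on at
    least `min_targets` different hosts, i.e. a horizontal sweep for RPC."""
    targets = defaultdict(set)
    for proto, src, dst, dport in parse_log(text):
        if proto == "tcp" and dport == port:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def missing_blocks(denied):
    """Given the (proto, port) pairs an inbound deny list already covers,
    return the pairs from the article's list that are still open."""
    return sorted(RPC_BLOCK_LIST - set(denied))


if __name__ == "__main__":
    print(find_rpc_scanners(SAMPLE_LOG))
    print(missing_blocks({("tcp", 135), ("tcp", 445)}))
```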

Yet the fact remains that the vulnerability in how Remote Procedure Call (RPC) is implemented in Windows is worrisome. The protocol lets software on a Windows system call procedures on other machines over the network. The service is deeply embedded in Windows and is present in Windows NT, 2000 and XP, as well as Windows Server 2003.

The pervasiveness of the vulnerability heightens concerns about a potential worm. While the RPC-DCOM flaw is found in many versions of Windows, creating a worm that can infect multiple versions would be difficult. The code would need to be tweaked so it would work on different versions. For example, a specific exploit may work on Windows 2000 machines without a certain service pack installed, but it might not work if the system were updated.

That said, the exploit code is being refined, said Dan Ingevaldson, engineering director for Internet Security Systems Inc.'s X-Force security monitoring operation. There seems to be an effort going on to make a universal exploit that would affect all Windows 2000 machines or Windows XP machines. Out of all the susceptible platforms, those two are good targets if worm writers want a large pool of machines, he said.

Moreover, there are at least a few versions of exploit code for the vulnerability posted on the Internet. In theory, it would be fairly easy to create a worm by copying that code and pasting it into a template for propagation code, which can also be copied from the Web. By definition, all a worm would have to have is a way to spread.

"It would be so simple to wormify this exploit," said Gary Morse, president of Razorpoint Security Technologies Inc., which conducts penetration tests for companies. "Whether or not it makes it to the general public is another question."

Script kiddies may try slapping a worm together just for the cachet of being able to say they authored the first version, Morse said. Others would then work out the bugs in the worm code and make refinements.

But even a basic worm isn't trivial to write.

"While there are malware-making programs that can assist in the development of malicious code, to take this building block exploit code and produce a worm is not as simple as cutting and pasting," said Robert Vibert, administrator of the Anti-Virus Information Exchange Network. For example, the writer would need to know the programming used in the exploit code so it functions properly in the worm.

More elite worm writers, however, will try to be more creative because they're motivated less by glory and more by spoils. A worm would just be an automated means of exploiting the flaw on a widespread basis. By doing so, they could build a substantial army of systems to be used in a distributed denial-of-service attack at a future date, Morse said.

The RPC-DCOM vulnerability can also be used in a blended threat worm, which then uses that flaw as just one attack vector. Creating such a worm would not be the domain of the newbie virus writer, said David Perry, Trend Micro Inc.'s global director of education. "For years, we have seen virus writing getting easier as script kiddies use Visual Basic scripts, but they are getting harder to write again," he said.

"I can't say for sure it will be exploited by a worm. There are vulnerabilities we have been waiting for years to be," he said. "But it has as good a chance as any we have seen lately."


Microsoft security bulletin MS03-026

Related news: "Windows RPC vulnerability high on list of flaws to watch"; "Windows RPC exploit code published"; "Microsoft patches critical RPC vulnerability in Windows"; "Windows flaw ripe for worm, expert says"

FEEDBACK: Do you think a worm exploiting the RPC vulnerability is inevitable, and have you dropped everything and patched the flaw?
Send your feedback to the news team.
