Public exploits available for new RPC flaws; worm imminent

Several new tools have been posted to security mailing lists that exploit the latest Windows RPC vulnerabilities. Experts say a worm is imminent.

Experts are warning that an attack tool is available for the latest RPC-DCOM vulnerabilities in Microsoft Windows and that it's likely just a matter of time before a worm will be created to exploit the flaws en masse.

The availability of the tool smacks eerily of the events leading up to the emergence of Blaster, the worm that exploited the first RPC-DCOM vulnerability. A couple of weeks before it arrived, the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh warned that the first RPC-DCOM flaw was being exploited in the wild.

There are at least three exploits in the wild. The most widespread one, discovered by Reston, Va.-based security vendor iDefense Inc. yesterday, allows attackers to gain authenticated access to the RPC-DCOM vulnerabilities. When the flaws are exploited, attackers can create user accounts with administrator-level privileges and open command shells. Both the source code and a Windows executable are available for download on the Internet.

That exploit works on unpatched Windows 2000 machines with service packs 3 and 4. Trojan writers are already using it to infect machines, said Ken Dunham, iDefense's malicious code intelligence manager.

Writing such an exploit isn't particularly easy, but modifying one is not very hard, Dunham said. Over the next few days, the various exploits will likely be tweaked and improved. For example, the exploit iDefense found creates a user account called "e" on infected machines. The exploit can be tweaked so the name is more obscure.

Dan Ingevaldson, team leader of Atlanta-based Internet Security Systems Inc., said that a Chinese hacker group known as Xfocus released an exploit last night. He said the exploit, like many coming from Xfocus, doesn't work very well. But, as with Blaster exploit code, the Xfocus exploit could be tweaked.

"They wrote the exploit that ended up turning into Blaster. All it took was a couple of hours by someone else before a working version was posted," Ingevaldson said. "This one does have some functionality. It can crash an RPC server."

Now that public exploit code is available, it will be easier to make a worm that exploits the flaws. Generally, creating the exploit code is the most challenging part of making a network worm. The actual delivery mechanism is easier to write. It can also be copied from sources on the Internet. For example, someone could just pop the new exploit into the source code for the Blaster worm, which is publicly available. "If someone did that, then we could see the worm today," said Mikko Hypponen, manager of antivirus research for Helsinki, Finland-based F-Secure Corp. He noted that it's impossible to predict when or even if a worm will be created to exploit a vulnerability.

Users of vulnerable systems should patch them as soon as possible. If patching isn't possible, then there are some ways to minimize exposure. For example, users can block UDP ports 135, 137, 138 and 445, as well as TCP ports 135, 139, 445 and 593 at the firewall. Disabling COM Internet Services (CIS) and RPC over HTTP, which listen on ports 80 and 443, would also protect against exploitation of the flaws.
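The following added example (not part of the original article) checks a host's `netstat -an` output for listeners on the ports named above, so unpatched machines that depend on the firewall block can be prioritized. The function names and the sample netstat output are constructed for illustration; only the port numbers come from the article.

```python
# Added example: audit `netstat -an` output against the article's port list.
# The port sets come from the article; the netstat sample is constructed.
BLOCK = {"TCP": {135, 139, 445, 593}, "UDP": {135, 137, 138, 445}}
# 80/443 matter only if CIS or RPC over HTTP is enabled: report for review.
REVIEW_TCP = {80, 443}

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1050      10.0.0.5:445           ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:500       *:*
"""

def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"

def audit(netstat_text):
    """Return (exposed, review) lists of (proto, address, port) tuples."""
    exposed, review = [], []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in BLOCK:
            continue  # skips headers, blank lines and other protocols
        proto, local = parts[0], parts[1]
        # TCP rows carry a state column; only listening sockets accept connections.
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        addr, _, port_str = local.rpartition(":")
        if not port_str.isdigit() or is_loopback(addr):
            continue  # loopback-only listeners are not reachable from the network
        port = int(port_str)
        if port in BLOCK[proto]:
            exposed.append((proto, addr, port))
        elif proto == "TCP" and port in REVIEW_TCP:
            review.append((proto, addr, port))
    return exposed, review

if __name__ == "__main__":
    exposed, review = audit(SAMPLE_NETSTAT)
    for tag, rows in (("EXPOSED", exposed), ("REVIEW", review)):
        for proto, addr, port in rows:
            print(f"{tag} {proto} {addr}:{port}")
```

A `REVIEW` row means only that a web listener exists; whether CIS or RPC over HTTP is enabled on it has to be confirmed on the host.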

Such patching alternatives could come at a price for some companies, since software that relies on DCOM and RPC may be affected. But experts agree that it's just a matter of time before a worm will take advantage of the vulnerabilities. "There's no reason to believe it will be different this time," Dunham said.

FOR MORE INFORMATION: Alert: New RPC vulnerabilities

Microsoft security bulletin MS03-039
