Well, an exploit for last week's new RPC/DCOM vulnerability has been released. Apparently a Chinese website has made a tool available for download that takes advantage of the vulnerability to give hackers control over remote desktops. Read the article from Security Focus. The time between a vulnerability being discovered and the exploit being released is shrinking at an alarming rate!
On a slightly different note, I’m waiting to hear more about the OpenSSH vulnerability revealed yesterday. There is apparently an exploit circulating in the wild, but no one I know of has seen it yet. Don’t be the first to get your own copy of it the hard way.
A new OpenSSH vulnerability was disclosed today, and there is suspicion that an exploit may already exist in the wild. So go get patched!
You can get the patch at www.openssh.org
Well, it appears that I won’t have to do much research on disabling the DCOM service on Windows; it has already been done by the folks at NT Bug Traq. You can read the FAQ at http://www.ntbugtraq.com/dcomrpc.asp.
Basically, if you are the average user, turning off the service won't affect you much, if at all. There are a few programs that will experience problems and there might be some system oddities, but overall, nothing will break. And the programs that break are very unlikely to be on most computers, even the average server. This from a service that Microsoft said was an integral part of Windows.
Microsoft does it again! Yes, they have revealed yet another RPC/DCOM vulnerability. This one is exploitable through port 80, since it is RPC over HTTP. What comes next? And to add insult to injury, this vulnerability is different enough from MS03-026 that you have to install a separate patch and test to see how many of your applications this one breaks.
Microsoft has said that the RPC service is an integral part of Windows and you can't live without it. But a number of people are shutting down the vulnerable services and finding that very few programs really rely on RPC/DCOM. As time allows, I will be researching this some on my own and finding out what breaks when you disable RPC. What gets me is that even the folks at Microsoft don't fully understand the ramifications of this service.
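Before shutting anything off, it helps to know where a given box stands. The following PowerShell audit is an added example, not part of the original post and not the NTBugtraq FAQ's procedure: it reports whether DCOM is enabled, whether the RPC over HTTP proxy component is present, and whether the RPC endpoint mapper is listening, without changing anything. It assumes that the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole is the switch that dcomcnfg toggles, that rpcproxy.dll in System32 signals the RPC over HTTP Proxy component, and that the host runs a Windows version with the NetTCPIP module (Get-NetTCPConnection).

```powershell
# Added example (not from the original post): read-only audit of the
# RPC/DCOM exposure discussed above. Assumptions: EnableDCOM ("Y"/"N")
# under HKLM\SOFTWARE\Microsoft\Ole is the dcomcnfg switch, and
# rpcproxy.dll under System32 indicates the RPC over HTTP Proxy component.

function Get-DcomExposure {
    [CmdletBinding()]
    param()

    # DCOM on/off switch; an absent value means the default, which is enabled.
    $oleKey     = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $enableDcom = (Get-ItemProperty -Path $oleKey -Name 'EnableDCOM' `
                       -ErrorAction SilentlyContinue).EnableDCOM
    if (-not $enableDcom) { $enableDcom = 'Y' }

    # RPC over HTTP proxy (the port-80 path mentioned above).
    $rpcProxyDll = Join-Path $env:SystemRoot 'System32\rpcproxy.dll'
    $rpcOverHttp = Test-Path -Path $rpcProxyDll

    # Is the RPC endpoint mapper (TCP 135) accepting connections?
    $epm = Get-NetTCPConnection -LocalPort 135 -State Listen `
               -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DcomEnabled       = ($enableDcom -eq 'Y')
        RpcOverHttpProxy  = $rpcOverHttp
        EndpointMapper135 = [bool]$epm
    }
}

# Usage: run in an elevated session so the registry and socket queries succeed.
Get-DcomExposure | Format-List
```

Run it on a representative sample of servers and workstations before and after any change, and keep the output; that gives you a record of what was exposed and a baseline to compare against when an application starts misbehaving.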
Add this to my Crystal Ball list of exploits worthy of their own worm in the next 4-6 weeks. And I'm not the only one predicting a new round of worms. Not that these predictions are all that hard to make. Can someone pass me the Tylenol? Or, as a coworker suggested, the Vodka.
Okay, it’s time to look in my crystal ball: I foresee that within the next month there will be a wave of virulent new malware (virus or worm) that targets one of the five vulnerabilities that Microsoft released last week. The malware will affect the legions of servers and workstations that have not been updated with the latest patches and affect thousands, if not millions, of systems worldwide. My vote is for MS03-037, a flaw in Visual Basic for Applications (VBA), but one of the other Microsoft Office application flaws may be the first victim.
I know that this isn’t going out on a limb on my part. I’m really getting sick of the ‘Windows Vulnerability of the Week’ game. And five vulnerabilities in one day was a little excessive.
I have to give the FBI some kudos for catching up to the writer of the MBlaster.b worm, but in all fairness, it wasn’t really all that hard of a catch. The script kiddie idiot who wrote the worm actually set it up to call home … his home! All the FBI had to do was a little research to find out where the computer the worm was calling back to was. Not a really difficult task in the scheme of things.
In case you don't know what a script kiddie is, it's someone who has no real, high-level, technical skills. Usually they use tools created by a true hacker, or in the case of this guy, take an existing tool (worm) and modify it slightly for their own use. In the case of 'teekid', he modified the worm to meet his needs without really understanding what the phone-home option would mean to his future. Can you say 'prison time'?
But that isn't what really annoys me. It is the media portrayal of the events that gets to me. I understand that the real technical details of the worm, how the FBI caught up with the hacker, and similar issues are beyond the ken of most readers, but I would like it a lot more if they made it clear that teekid is not the writer of the original worm. All the FBI did was catch a clumsy copycat, not the hacker who originally created the worm. The hacker is still out there, and since the trail went cold in South Korea, he will probably be out there for quite some time.
Teekid, or Jeffrey Lee Parson, is really a small fish in the hacking pond. To give you an analogy, this would be like the police catching the guy on the corner of the street offering joints and saying they had captured a major drug lord. Or in this case, the media saying it. But I guess the truth is that sensationalism sells. Saying 'Copycat Script Kiddie Caught' doesn't sound nearly as impressive as 'Worm Writer Captured!'
Reading the headlines and write-up of a story that I’m familiar with really makes me question the stories where the media view is the only information I have. Not that this is a big change, since I tend to question information, no matter what the source. I hope I’m never in a news item, because I hate to think how I might be misrepresented or misquoted.