
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-10-15



new Windows RPC issue (race condition), RANDEX.Q virus

Published: 2003-10-15
Last Updated: 2003-10-15 21:48:41 UTC
by Handlers (Version: 1)
Large number of Windows Updates

Today, Microsoft published a number of security bulletins, 5 of which are rated 'critical' (the vulnerabilities allow remote code execution). For a summary, see:
http://www.microsoft.com//technet/security/bulletin/winoct03.asp

Essentially all currently supported versions of Windows are affected.

The release of such a large number of vulnerabilities is due to Microsoft's implementation of a new "Security Bulletin Release Process". New security bulletins will now be released monthly. For details, see: http://www.microsoft.com/technet/security/bulletin/revsbwp.asp

Windows RPC race condition

For a few days, a possible new RPC DCOM vulnerability has been discussed on a number of vulnerability lists. Exploit code has been posted, but there is no consensus that this code exploits a new RPC vulnerability or that it yields a remote shell. However, according to an ISS X-Force advisory, a denial of service condition is possible even on a fully patched system.

Recommendation:

* All Windows systems have to be fully patched. According to some reports the new exploit may still work against patched systems. However, patching closes the older RPC DCOM holes that existing exploits use, and it will likely ease installation of any further patches.

* DCOM RPC should be disabled if possible.

* Apply firewall rules to prevent connections to vulnerable systems. Note that vectors other than the widely reported TCP port 135 (the RPC endpoint mapper) may exist: RPC is also reachable over TCP 139, 445 and 593 (RPC over HTTP) and UDP 135, 137, 138 and 445, so block those as well where possible. Apply firewall rules in accordance with local security policies. Some applications may require RPC DCOM to communicate with remote systems; consider moving these functions to a VPN.

Randex.Q

We have received reports of infections with the Randex.Q virus. This virus spreads via unprotected file shares or file shares protected by weak administrator passwords. Infected machines connect to an IRC server to receive commands.

Workaround: Current anti-virus signatures detect this virus. Do not connect systems with file sharing enabled to public networks. This virus can enter protected networks via mobile systems (e.g. laptops) that were infected elsewhere. Use strong administrator passwords internally, and consider establishing a procedure to scan external computers before connecting them to the internal network.
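The following is an added example, not part of the original diary, showing how a firewall log review could surface the two problems discussed above: a host fanning out to many peers on the RPC/SMB ports (Randex.Q-style share spreading), an internal host beaconing out to an IRC port, and an external host that the firewall still let through to an RPC port. The one-line-per-connection log format, the sample lines and the function names are constructed for this illustration; adapt the regular expression to your own firewall's log format.

```python
"""Flag share scanning, IRC beacons and exposed RPC ports in firewall logs.

Added example. The log format is a hypothetical simplified one
(timestamp action proto src:sport -> dst:dport) and the sample lines
below are constructed; they are not from any real firewall.
"""
import ipaddress
import re
from collections import defaultdict

# Ports the firewall advice above is about: RPC endpoint mapper (135),
# NetBIOS session (139), SMB over TCP (445) and RPC over HTTP (593).
SHARE_PORTS = {135, 139, 445, 593}
# Classic IRC port range plus 7000, commonly used by IRC bots for command channels.
IRC_PORTS = set(range(6660, 6670)) | {7000}
# Site-specific definition of "internal" (RFC 1918 here; assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 10.1.1.7 sweeps the subnet on 445/139 and then
# connects out to an IRC server; 10.1.1.8 is ordinary file-share use;
# 198.51.100.9 probes the endpoint mapper and gets through on 593.
SAMPLE_LOG = """\
2003-10-15T20:01:02 ACCEPT tcp 10.1.1.7:1034 -> 10.1.1.20:445
2003-10-15T20:01:02 ACCEPT tcp 10.1.1.7:1035 -> 10.1.1.21:445
2003-10-15T20:01:03 ACCEPT tcp 10.1.1.7:1036 -> 10.1.1.22:445
2003-10-15T20:01:03 ACCEPT tcp 10.1.1.7:1037 -> 10.1.1.23:139
2003-10-15T20:01:04 ACCEPT tcp 10.1.1.7:1038 -> 10.1.1.24:445
2003-10-15T20:01:04 ACCEPT tcp 10.1.1.7:1039 -> 10.1.1.25:445
2003-10-15T20:01:09 ACCEPT tcp 10.1.1.7:1040 -> 203.0.113.5:6667
2003-10-15T20:02:11 ACCEPT tcp 10.1.1.8:2201 -> 10.1.1.20:445
2003-10-15T20:03:30 DROP tcp 198.51.100.9:3391 -> 10.1.1.5:135
2003-10-15T20:03:31 ACCEPT tcp 198.51.100.9:3392 -> 10.1.1.6:593
this line is not a firewall record
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def find_share_scanners(events, min_targets=5):
    """Sources that touched at least min_targets distinct hosts on share ports."""
    targets = defaultdict(set)
    for ev in events:
        if ev["proto"] == "tcp" and ev["dport"] in SHARE_PORTS:
            targets[ev["src"]].add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_irc_beacons(events):
    """Internal hosts that were allowed out to an external IRC port."""
    return [(ev["src"], ev["dst"], ev["dport"]) for ev in events
            if ev["action"] == "ACCEPT" and ev["proto"] == "tcp"
            and ev["dport"] in IRC_PORTS
            and is_internal(ev["src"]) and not is_internal(ev["dst"])]


def find_exposed_rpc(events):
    """External sources the firewall ACCEPTed to an internal share/RPC port."""
    return [(ev["src"], ev["dst"], ev["dport"]) for ev in events
            if ev["action"] == "ACCEPT" and ev["dport"] in SHARE_PORTS
            and not is_internal(ev["src"]) and is_internal(ev["dst"])]


def analyze(log_text, min_targets=5):
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return {
        "share_scanners": find_share_scanners(events, min_targets),
        "irc_beacons": find_irc_beacons(events),
        "exposed_rpc": find_exposed_rpc(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The share-scan threshold is deliberately a parameter: a file server legitimately talks to many clients on 445, so tune min_targets (and consider counting only connection attempts to hosts that do not normally serve files) before running this against real logs.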