
RE: [Full-Disclosure] smarter dcom worm



...or AV/Firewall killing.

msblast is very sloppy. The fact that it uses the old code that reboots the computer ruined their hopes of spreading undetected. Now if you are unpatched, chances are (random IP generating taken into account) your computer will reboot at least once a day or more. Some people might just shut their computer off and call for repair, not realizing that the problem is because they are connected to the internet.

Overall I think Microsoft is to blame for allowing the RPC service to be available on the internet. They are saying it was never meant to be on the internet, yet their NT line has always been designed for internet use. Even with the patch, port 135 is still open. You have no option to close that port if you are installing a fresh copy of Windows. With other OSs (like Linux) you have a complete list of packages that you can enable or disable, while Microsoft hides most. They even force you to install their crappy Windows Messenger program (which also listens on ports). Now you need to first be disconnected from the internet while you enable the firewall so you won't get rooted automatically!

Hasn't Microsoft gotten wise that their products are full of security holes? What other OS/webserver/browsers have more buffer overflows with arbitrary code execution than those developed by MS? I don't believe this trend will stop, as their current policy on the RPC vulnerability and Blaster worm was that the RPC service should never be exposed to the internet. Why isn't it then at least limited to localhost or LAN connections?

Since the exploit was released for the most "important" service in Windows that supposedly makes Windows impossible to run if you disable it, I think Microsoft has no credibility to say their OSs are secure or the "most secure version of Windows ever" because there is NO SECURITY. Their server line is a joke as well because the exploit affected them too. Think of someone with a limited user account at a university or corporate Windows 2000/2003 Active Directory managed network. With an unpatched DC, they would have the ability to have unrestricted access to everyone else's accounts etc. by rooting it. Changing grades, stealing financial information etc.

Just my two cents.

--- gml <gml@phrick.net> wrote:
> Maybe even some polymorphic code and PE injection.