Yet ANOTHER freakin' worm!

Trimmed down a bit, here’s an alert I just got about yet another Microsoft security exploit. Even if you installed the patch last month, you WILL need another patch:

NOTE: This vulnerability IS different from that previously advised in Microsoft Security Bulletin MS03-026 and requires patching action.

Patching action required by: September 12, 2003

Microsoft Security Bulletin MS03-039 - RPCSS DCERPC Vulnerability - Patch Testing and Implementation
On 10 September 2003, Microsoft released security bulletin MS03-039 announcing three vulnerabilities in their operating systems that could be exploited. Only one of these vulnerabilities was addressed in previous patching efforts in relation to Microsoft Security Bulletin MS03-026. The two remaining vulnerabilities, one providing remote system-privileged access and the other crashing the RPC service, affect ALL systems previously affected and ARE NOT addressed by previous patching efforts.

These vulnerabilities pose significant threat to the Internet and <us> and our customers.

This vulnerability exists in the following Microsoft operating systems:

Windows NT 4.0
Windows NT 4.0 Terminal Server
Windows 2000
Windows XP
Windows Server 2003

NOTE: Windows 9x systems are not impacted by these vulnerabilities.

A “patch” is available from Microsoft, which has been successfully tested in the above operating systems by <us>.

The CIS Security Operations Center (SOC) believes that existing exploits and worms can easily be modified to take advantage of the newly discovered vulnerabilities; therefore the 3-week time lag that was present between the discovery of the MS03-026 vulnerability and the release of the BLASTER worm DOES NOT EXIST. ** It is extremely likely that a modified worm targeting these vulnerabilities will be developed and released within the next few days. **

Action Required
To ensure continued “high” availability of our systems to customers, and the protection of <our> assets, the following actions must be taken:

BY END OF DAY, Friday, September 12, 2003

Determine the service pack level of all devices running any of the above operating systems.
Review the Microsoft security bulletin as there are specific service pack requirements listed in the security bulletin.
If any systems under your control do not have antivirus installed, INSTALL IT AS SOON AS POSSIBLE
Ensure antivirus signatures are up-to-date and auto-update is enabled to update signatures daily.
Have all devices patched as quickly as possible, and no later than Friday, September 12, 2003.

Well, this is not a worm, yet, just a possible exploit for the next worm.

And what happened a couple of days after Microsoft announced a possible exploit last month? Blaster came out just days after the announcement.

The key word in your reply is “yet”

Actually, Microsoft announced the vulnerability on July 16, 2003 and the Blaster exploit surfaced on August 11, 2003. That’s still pretty fast, faster than any other previous exploit surfaced IIRC, but there was a good month in between the two events.

In addition to downloading the patch, I recommend using Steve Gibson’s DCOMbobulator. It includes a good, not too technical, explanation of the Windows DCOM vulnerability (which also allowed last month’s Blaster worm), and should protect you from similar exploits in future.

Someone created a new one, the ‘Nachi’ worm. What it does is zap the Blaster worm; however, it also takes off the MS patch.

Incorrect about “Nachi” (also called Welchia). What the worm does is zap the Blaster worm, downloads the MS patch (though it doesn’t seem to do this all that well), and then overloads networks as it sends out pings searching for unpatched computers (trust me – I’ve been fighting it the past two weeks at the college where I work). It’s also supposed to turn itself off on 1/1/2004, but I wouldn’t trust it.

It was intended to be a “good” virus that fixed machines and removed Blaster. However, its ping procedure makes it a bigger pain in the neck than Blaster.

What is scary is that Blaster made a big mistake. It was designed to do a Distributed Denial of Service attack against Microsoft’s update service. Fortunately, they used an old URL, so Microsoft was able to protect it and have the patch available. The next version of the worm with the new vulnerability won’t make that mistake again.
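The ICMP sweep RealityChuck describes is the behaviour a network defender would actually hunt for: one source pinging a long run of addresses in a short burst. As an added example (not from this thread, nor from any vendor or Microsoft), here is a small Python detector run over constructed sample ping records. It flags any source that sends echo requests to at least `min_hosts` distinct destinations inside a sliding time window, and separately scores how sequential the targeted addresses are, which distinguishes a scanner from a host that merely pings one gateway often. The record format, thresholds and sample traffic are assumptions chosen for the example.

```python
"""Ping-sweep detector over constructed ICMP echo-request records.

Added example, not code from the original thread.  The SAMPLE below is
constructed data (not a real capture); the window and host thresholds are
assumptions a defender would tune for their own network.
"""
from collections import defaultdict, deque
from ipaddress import ip_address

# Constructed sample records: (seconds since start, source IP, destination IP).
# 10.0.0.5 sweeps 10.0.1.1-10.0.1.40 in under half a second (scanner-like);
# 10.0.0.9 pings its gateway twice; 10.0.0.7 pings one host once (both benign).
SAMPLE = (
    [(i * 0.01, "10.0.0.5", "10.0.1.%d" % i) for i in range(1, 41)]
    + [(1.0, "10.0.0.9", "10.0.0.1"),
       (2.0, "10.0.0.9", "10.0.0.1"),
       (5.0, "10.0.0.7", "10.0.1.3")]
)


def detect_ping_sweeps(records, window=10.0, min_hosts=20):
    """Return {src: (distinct_hosts, window_start, window_end)} for every
    source that pinged at least `min_hosts` distinct destinations within
    any `window`-second interval.  The largest observed count is kept."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(records):          # chronological per source
        by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        recent = deque()                          # events inside the window
        live = defaultdict(int)                   # dst -> count in window
        for ts, dst in events:
            recent.append((ts, dst))
            live[dst] += 1
            # Expire events older than the window.
            while recent and recent[0][0] < ts - window:
                old_ts, old_dst = recent.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            if len(live) >= min_hosts:
                prev = hits.get(src)
                if prev is None or len(live) > prev[0]:
                    hits[src] = (len(live), recent[0][0], ts)
    return hits


def sequential_fraction(records, src):
    """Fraction of a source's consecutive echo requests whose destination is
    exactly the previous destination plus one.  Close to 1.0 means the host
    is walking an address range; benign pinging scores near 0.0."""
    dsts = [int(ip_address(d)) for _, s, d in sorted(records) if s == src]
    if len(dsts) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(dsts, dsts[1:]) if b - a == 1)
    return steps / (len(dsts) - 1)


if __name__ == "__main__":
    for src, (hosts, start, end) in detect_ping_sweeps(SAMPLE).items():
        print("%s pinged %d distinct hosts between t=%.2fs and t=%.2fs, "
              "sequential fraction %.2f"
              % (src, hosts, start, end, sequential_fraction(SAMPLE, src)))
```

On the constructed sample only 10.0.0.5 is reported (40 distinct hosts, sequential fraction 1.0); the two benign sources never accumulate enough distinct destinations to trip the window. In practice the records would come from a flow export or a sniffer filtered to ICMP type 8, and the sequential score is the cheaper second signal to raise before blocking a source at the switch.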

Hmmm, I wonder how the virus writers discover the exploits in the first place…

Maybe because Microsoft advertises it on their web page?

Maybe you want some “security by obscurity”?

If I were a Windows user, I’d prefer for Microsoft to tell me when something is broken - and for them to hand me the fix while they were at it.

The best policy for security is honesty coupled with quick and effective corrective action.

Exactly. The virus creators would have discovered the hole sooner or later, and it’s better that Microsoft gets the word out so some machines are patched rather than have every computer vulnerable.

Ultimately, it’s the user’s responsibility to maintain their machines. Linux users do this automatically. The problem with Windows users is that it is designed for the mass market, and most users are not technologically savvy. Microsoft does what it can – I can’t tell you how often I found an infected machine with an icon saying “New updates are ready to install,” – but if the users don’t maintain their machines, they get infected with these exploits.

MS will be changing things so the updates are installed without any user intervention as default, and even those who object to software being installed without consent (like spyware) agree that this may be necessary (as long as the savvy user can turn off the feature).

RealityChuck, I have a site from the net whereby it states that the Nachi virus does indeed take the patch off, but I can’t find the URL for the site, so I don’t think I can post the quote, which is just as well as it doesn’t seem to be the same as what MS says. BTW, here is the MS instruction page about Nachi:

Well, here’s what Symantec says:

N.B. Symantec calls “Nachi” “Welchia.”

"W32.Welchia.Worm (Also Known As: W32/Nachi.worm [McAfee]) does the following:

Attempts to download the DCOM RPC patch from Microsoft’s Windows Update Web site, install it, and then reboot the computer."

I found the quote, it was quite recent so it didn’t show up in search:

“The problem is it also removes the patch that protects computers from the “Blaster” virus.”