Information Technology Systems and Services at Stanford
ITSS Information Security Services
Windows RPC Vulnerabilities & Exploits
Last modified 20-Nov-2003 13:02

Please check this page frequently for new information.

On 16 July 2003, Microsoft announced a critical update to a core component of the Windows operating system, responsible for managing communications between processes on networked computers. The ease with which this vulnerability could be exploited and the default installation of the vulnerable code on all versions of Windows operating systems later than Windows ME encouraged substantial effort in the hacker community to develop exploits and auto-propagating tools rapidly.

Stanford has experienced three waves of attacks based on this initial Microsoft Windows RPC vulnerability. The first wave began on or about 31 July. It impacted a relatively small number of machines, and installed well-known backdoor programs for subsequent access to the compromised machines. All operating systems affected by the RPC vulnerability are subject to this set of attacks. This exploit was subsequently labelled backdoor.hale by Symantec, and is now detected and removed by Norton Anti-Virus.

The second set of attacks began on or around 2 August. This auto-propagating exploit specifically targets Windows 2000 machines and Windows 2003 servers (which are not yet widely deployed on the Stanford campus). Although it shares characteristics with the exploit labelled backdoor.winshell.50 by Symantec, it also has a couple of distinct differences. The "33571 exploit," as we've named it on campus, installs the patch for the MS03-026 vulnerability, protecting infected machines from further exploitation. It also installs a backdoor on TCP port 33571.

On 11 August the MS Blaster worm started its rampage across the Internet. This worm is characterized by its interference with the normal operation of the victim machine (often requiring a reboot to clear up an unusual slowdown in system performance due to interrupted RPC service) and the unusually high numbers of connection requests it initiates to other machines using the RPC protocol. Blaster was followed by variants, in the usual course of worm evolution.

On 18 August Welchia made its appearance on Stanford's network and throughout the Internet. In addition to infecting machines and aggressively scanning for potential victims, Welchia installs the MS03-026 patch, and is often detected when a user discovers that their machine has rebooted unexpectedly.

Stanford's efforts to cope with the MS03-026 "situation" have focused on getting vulnerable machines patched, repairing infected systems appropriately, and preparing for the return of faculty and students for the fall quarter. This effort has been complicated by the release on 10 September 2003 of MS03-039, a critical Windows update required to repair an additional three vulnerabilities in the RPC/DCOM interface.

Information Security Services provides this Web site as documentation of the vulnerabilities, the exploits we've seen on campus, recommended procedures for repairing infected machines, and further actions ITSS is taking or considering taking in light of the ongoing threat.


Information Security Services would like to thank Jay Stamps of ITSS for his huge contributions of material and edits; John Gerth for his persistent and detailed sleuthing and careful reading of these alerts; Bob Cowles from SLAC; Ricky Connell and Seth Master of the School of Medicine IRT; more Stanford system administrators than I can list here, but especially Allen Smith and Stewart Kramer; Robert Hensing from Microsoft and other members of the Forum of Incident Response & Security Teams; and many attendees of the USENIX Security Conference in Washington DC, for their assistance in the preparation of this analysis.

Please send questions, comments and corrections to Tina Bird,

Last modified Thursday, 10-Jul-2008 14:32:47 PDT

© 2003, Stanford University. All rights reserved.
Pages about WinRPC:
Repairing Infected Machines
Stanford's Response


Staff Presentations on the Crisis
tbird: Attacks & Response (14 Aug 2003)
Jay Stamps: RPC Hell (7 Oct 2003)