ITSS Information Security Services
Windows RPC Vulnerabilities &
Check this page frequently for new information.
On 16 July 2003, Microsoft announced a
critical update to a core component of the Windows operating
system, responsible for managing communications between
processes on networked computers. The ease with which
this vulnerability could be exploited and the default
installation of the vulnerable code on all versions
of Windows operating systems later than Windows ME encouraged
substantial effort in the hacker community to develop
exploits and auto-propagating tools rapidly.
Stanford has experienced three waves of attacks based
on this initial Microsoft Windows RPC vulnerability.
The first wave began on or about 31 July. It impacted
a relatively small number of machines, and installed
well-known backdoor programs for subsequent access to
the compromised machines. All operating systems affected
by the RPC vulnerability are subject to this set of
attacks. This exploit, subsequently labelled backdoor.hale
by Symantec, is now detected and removed by Norton
The second set of attacks began on or around 2 August.
This auto-propagating exploit specifically targets Windows
2000 machines and Windows 2003 servers (which are not
yet widely deployed on the Stanford campus). Although
it shares characteristics with the exploit labelled
backdoor.winshell.50 by Symantec, it also has
a couple of distinct differences. The "33571 exploit,"
as we've named it on campus, installs the patch for
the MS03-026 vulnerability, protecting infected machines
from further exploitation. And it installs a backdoor
on TCP port 33571.
On 11 August the MS Blaster worm started its
rampage across the Internet. This worm is characterized
by its interference with the normal operation of the
victim machine (often requiring a reboot to clear up
an unusual slowdown in system performance due to interrupted
RPC service) and the unusually high numbers of connection
requests it initiates to other machines using the RPC
protocol. Blaster was followed by variants, in the usual
course of worm evolution.
On 18 August Welchia made its appearance on
Stanford's network and throughout the Internet. In addition
to infecting machines and aggressively scanning for
potential victims, Welchia installs the MS03-026 patch,
and is often detected when a user discovers that their
machine has rebooted unexpectedly.
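The three auto-propagating exploits above leave two traces a network administrator can look for in flow or firewall logs: a single source opening connections to an unusually large number of distinct hosts on the RPC port (Blaster and Welchia scanning), and any connection to TCP port 33571 (the backdoor left by the "33571 exploit"). The script below is an added example, not code from ITSS or from this page; it runs over a constructed sample of key=value flow-log lines and assumes TCP port 135, the RPC endpoint mapper port that Blaster scanned (the page itself names only "the RPC protocol"). The log format, the field names and the scan threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample flow-log lines (documentation IP ranges, not real campus data).
# 192.0.2.10 sweeps six distinct hosts on TCP 135 (worm-like scanning);
# 192.0.2.20 talks to one host on 135 (ordinary RPC use);
# 192.0.2.30 connects to TCP 33571 (the backdoor port named on the page).
SAMPLE_LOG = """\
2003-08-11T09:00:01 src=192.0.2.10 dst=198.51.100.1 dport=135 proto=tcp
2003-08-11T09:00:01 src=192.0.2.10 dst=198.51.100.2 dport=135 proto=tcp
2003-08-11T09:00:02 src=192.0.2.10 dst=198.51.100.3 dport=135 proto=tcp
2003-08-11T09:00:02 src=192.0.2.10 dst=198.51.100.4 dport=135 proto=tcp
2003-08-11T09:00:03 src=192.0.2.10 dst=198.51.100.5 dport=135 proto=tcp
2003-08-11T09:00:03 src=192.0.2.10 dst=198.51.100.6 dport=135 proto=tcp
2003-08-11T09:00:03 src=192.0.2.10 dst=198.51.100.6 dport=135 proto=tcp
2003-08-11T09:01:10 src=192.0.2.20 dst=198.51.100.9 dport=135 proto=tcp
2003-08-11T09:01:11 src=192.0.2.20 dst=198.51.100.9 dport=445 proto=tcp
2003-08-11T09:02:00 src=192.0.2.30 dst=198.51.100.7 dport=33571 proto=tcp
2003-08-11T09:02:05 src=192.0.2.40 dst=198.51.100.8 dport=80 proto=tcp
this line is malformed and must be skipped, not crash the parser
"""

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

RPC_PORT = 135        # RPC endpoint mapper; assumed, not named on the page
BACKDOOR_PORT = 33571  # backdoor port of the "33571 exploit" described above


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def rpc_scanners(lines, threshold):
    """Map each source to the number of distinct hosts it contacted on the RPC
    port, keeping only sources at or above `threshold`. Distinct destinations,
    not raw connection count, is what separates a sweep from one chatty client."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == RPC_PORT:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def backdoor_connections(lines):
    """List (src, dst) pairs for every TCP connection to the backdoor port.
    Any hit is worth a look: nothing legitimate should listen there."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == BACKDOOR_PORT:
            hits.append((rec["src"], rec["dst"]))
    return hits


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for src, n in sorted(rpc_scanners(log_lines, threshold=5).items()):
        print(f"possible RPC scanner: {src} contacted {n} hosts on tcp/{RPC_PORT}")
    for src, dst in backdoor_connections(log_lines):
        print(f"connection to backdoor port tcp/{BACKDOOR_PORT}: {src} -> {dst}")
```

The threshold is deliberately a parameter: on a subnet full of file servers a few distinct RPC destinations per client is normal, and the right cut-off is whatever a day of clean logs shows as the high-water mark. A host that trips the scanner check and has also rebooted unexpectedly matches the Welchia behaviour described above.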
Stanford's efforts to cope with the MS03-026 "situation"
have focused on getting vulnerable machines patched,
repairing infected systems appropriately, and preparing
for the return of faculty and students for the fall
quarter. This effort has been complicated by the release
on 10 September 2003 of MS03-039, a critical Windows
update required to repair an additional three vulnerabilities
in the RPC/DCOM interface.
Information Security Services provides this Web site
as documentation of the vulnerabilities, the exploits
we've seen on campus, recommended procedures for repairing
infected machines, and further actions ITSS is taking
or considering taking in light of the ongoing threat.
Information Security Services would like
to thank Jay Stamps of ITSS for his huge contributions
of material and edits; John Gerth for his persistent
and detailed sleuthing and careful reading of these
alerts; Bob Cowles from SLAC; Ricky Connell and Seth
Master of the School of Medicine IRT; more Stanford
system administrators than I can list here, but especially
Allen Smith and Stewart Kramer; Robert Hensing from
Microsoft and other members of the Forum
of Incident Response & Security Teams; and many
attendees of the USENIX Security Conference in Washington
DC, for their assistance in the preparation of this
Please send questions, comments and corrections
to Tina Bird, firstname.lastname@example.org.
Last modified Thursday, 10-Jul-2008 14:32:47 PDT
© 2003, Stanford University. All rights reserved.