Technology Integration Services by BrainWave Consulting Company, LLC - Because Good Technology Means Better Business


BrainWave Technology News


RPC Vulnerability



Last updated: 22 October 2006; Supplements this Knowledgebase Article.

Beware Of The Windows RPC/DCOM Vulnerability

On July 16th, 2003, a patch was released for an RPC vulnerability in Windows. Exploit code for the vulnerability was released less than a week later. This vulnerability is reachable via TCP port 135 and other ports, and allows a machine to be compromised by a remote attacker. The patch for this vulnerability can be found at Microsoft's security site (it was also distributed via Windows Update).

At least one trojan and one worm which exploit this vulnerability have already been found in the wild. Since the afternoon of August 11th, 2003, the number of attacks has increased significantly. One of the exploit vehicles, the Blaster Worm, victimizes systems by remotely shutting them down. If your system is exploited, you will see something similar to the following:

Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

If you are in receipt of this message, then it means three very important things:

1. Your firewall, if installed, is not properly configured.
2. You have not installed the patch for this vulnerability.
3. Your AntiVirus software is not up to date.

Please correct these deficiencies at your earliest convenience.  Symantec has provided a removal tool that you should run before attempting to patch your systems -- especially if they were infected.  Other Anti-Virus vendors have also provided stand-alone tools to identify infected machines, and remove any related trojans.

Also, contrary to popular opinion, being on dial-up will not protect you. ANY Internet connection, no matter how slow, is deadly to an unpatched system, and machines have been infected in as little as 30 seconds after going online.  As of January 2004, there are still millions of unpatched systems out there, and you never know when one or more of them is scanning systems in your subnet.
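One way to spot the subnet scanning described above from the defender's side, as an added example that is not part of the original page: the script below reads firewall log lines and flags any source that has probed TCP port 135 on several distinct hosts. The sample lines are constructed here in the style of the Windows XP ICF pfirewall.log; the field layout and addresses are assumptions, not taken from the page.

```python
"""Flag hosts sweeping TCP 135 (the RPC/DCOM port) in a firewall log."""
from collections import defaultdict

# Constructed sample in the style of an XP ICF pfirewall.log.
# Field layout is an assumption for this example, not from the page.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2003-08-12 10:15:01 DROP TCP 10.0.0.77 10.0.0.10 1043 135 48 S
2003-08-12 10:15:01 DROP TCP 10.0.0.77 10.0.0.11 1044 135 48 S
2003-08-12 10:15:02 DROP TCP 10.0.0.77 10.0.0.12 1045 135 48 S
2003-08-12 10:15:02 DROP TCP 10.0.0.77 10.0.0.13 1046 135 48 S
2003-08-12 10:15:05 OPEN TCP 10.0.0.10 10.0.0.20 1100 445 48 S
2003-08-12 10:15:07 DROP TCP 10.0.0.88 10.0.0.10 2000 135 48 S
2003-08-12 10:15:09 DROP UDP 10.0.0.99 10.0.0.10 137 137 78 -
"""


def parse_log(text):
    """Yield one dict per data line, using the #Fields: header for keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) < len(fields):
            continue  # no header yet or truncated line: skip it
        yield dict(zip(fields, values))


def find_rpc_sweeps(text, min_targets=3):
    """Return {src-ip: sorted target list} for sources that probed
    TCP/135 on at least min_targets distinct destination hosts."""
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec["protocol"] == "TCP" and rec["dst-port"] == "135":
            targets[rec["src-ip"]].add(rec["dst-ip"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_rpc_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed TCP/135 on {len(dsts)} hosts: {', '.join(dsts)}")
```

A single connection to port 135 (10.0.0.88 above) is ordinary RPC traffic on a LAN; the sweep across many hosts is the signal worth alerting on.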

If you are using Windows XP, you can configure the built-in ICF firewall which will allow your system to remain up long enough to get this, and other, security patches installed.  You should also kill the MSBLAST.EXE process as soon as possible, using the following command:

TASKKILL /F /IM MSBLAST.EXE

XP users can abort the shutdown process with the following command:

SHUTDOWN /A

It is highly advisable that you prep these commands in a CMD window to make them easier to execute.

After installing the patch, be sure to update your antivirus software and scan your machine to make sure that the worm is not resident on your systems.

Keep the Internet Safe: Please Patch Your Systems!!



Patch Update

On September 10th, 2003, an updated patch (MS03-039) was released to address three (3) vulnerabilities in the RPCSS service. This patch supersedes MS03-026, which was released on July 16th, and addresses the DCOM Denial of Service that Windows 2000 systems could experience.



Repairing a Compromised System

Many of the Anti-Virus vendors already have removal tools for this worm (see below). Be sure that you disable System Restore before running the Removal Tool, or you will potentially re-infect your system if you return to a restore point that is later than the 11th of August.

In the event that you cannot successfully clean your system, it is possible that you have been infected by multiple worms/viruses/trojans. One of the first things Blaster does is announce to the world that your machine is open and ready to host a party. It is possible that by the time you go to clean up your system, it has been exploited by other worms or by malicious individuals directly. If this is the case, you may not have the luxury of cleaning up, as you cannot tell what these malicious programs have done to your system.

Under these circumstances, your best course of action will be:

  •  unplug your machine from the Internet
  •  reinstall your operating system
  •  install and configure your firewall
  •  fully patch your system
  •  restore your data from safe backups
  •  test your system with updated AntiVirus software

You may have to boot into Safe Mode or temporarily disable System Restore in order to get rid of some virus infections. Many times, however, attempting to clean a heavily compromised system is just not worth the effort. Here is a definitive guide to recovering your system from a compromised state.



Free RPC/DCOM Scanners and Worm Removal Tools



Known RPC/DCOM Exploits (Worms or Trojans)



Other Technical Advisories



Related Knowledgebase Articles



Copyright (c) 1996-2007, BrainWave Consulting Company, LLC
All Rights Reserved
This site was last modified on August 12, 2007 at 08:00 PM