Port 135 Spikes
Over the last few days, a number of networks detected a sharp, almost vertical, rise in port 135 (tcp) traffic and a subsequent exponential decay. Typically, these traffic bursts last for a few hours. From selected packet captures, it looks like these scans attempt to exploit the RPC DCOM vulnerability. Several possible sources have been suggested. It is likely that these scans are caused by botnets which are scanning given target networks for new, vulnerable hosts. Lovgate Virus A virus sample submitted to us on Monday is now identified as LovGate.R. In addition to spreading via e-mail, the virus uses the RPC DCOM vulnerability to spread and it will open file shares on infected systems. This virus is one suspected cause of the rise in port 135 traffic. McAfee: http://vil.nai.com/vil/content/v_101157.htm Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.lovgate.r@mm.html Welchia.K Worm A new version of 'welchia' (aka Nachi) has been identified. This worm, which was first identified in the wake of blaster last august, is most noted for the ICMP echo requests that it sends. Welchia.K includes exploits for the following vulnerabilities: * RPC Locator * WebDAV (you will see URLs that start with 'SEARCH' in your web log) * RPC DCOM * MS Workstation Fixes for all these vulnerabilities were made available in 2003. Multiple worms and bots are currently scanning for these vulnerabilities. Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.K Mailbag: Cleanup Woes A reader asked why we recommend a complete rebuild of systems infected with 'sasser', given that 'sasser' is rather benign and easy to clean. The problem with 'sasser' is that it is an indicator exploit. The fact that you are infected with 'sasser' indicates that you were vulnerable to the LSASS exploit. Before sasser, a large number of bot variants exploited this same vulnerability. We find that many systems infected with 'sasser' are infected with one or more bots in addition to 'sasser'. Each day, we receive several distinct 'bot' samples. Antivirus signatures are typically not able to keep up with all versions, and many 'bots' include specific code to plant backdoors, disable firewalls and antivirus products, or to add additional system accounts. Antivirus software is not able to reliably detect and clean all of these bots. As a result, it is impossible to tell if any of these bots are left on your system. Only a thorough (and costly) forensics analysis by a trained specialist will provide some assurance. As a result, if you are infected by 'sasser', try to rebuild your system from scratch. For detailed instructions on setting up a new system safely, see http://www.sans.org/rr/papers/index.php?id=1298 (Windows XP: Surviving the first day). If you acquire a new system, assume it is not yet patched and use extreme care the first time you connect it to the network. Reading Room Recommendation Given all the Windows security news, don't neglect your UNIX / Linux systems. You may either want to consult the Center for Internet Security's benchmarks ( http://www.cisecurity.org ) or, for a quick checkup, see fellow handler Bill Stearn's paper: http://www.sans.org/rr/special/essential_host_security.php ------- Johannes Ullrich, jullrich_AT_sans.org I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022 |
Johannes 4479 Posts ISC Handler May 7th 2004 |
Thread locked Subscribe |
May 7th 2004 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!