[Dshield] DCOM morning after

Johannes Ullrich jullrich at euclidian.com
Tue Aug 12 14:02:19 GMT 2003

>  I'm trying to find out where we
>  are this morning.  InfoCon is still at yellow, 

Yes, not much new since last evening. The worm is more
or less 'stable' now, scanning around without infecting
too many new hosts. Got about 30k infected hosts so far,
but this number is not final. Our database is behind due
to the flood of reports from yesterday.

Many ISPs block port 135 now. Some extended this block
to 4444 (worm remote shell) and 69 (tftp). The amount
of traffic you are seeing will depend very much on how
these blocks are implemented. Many ISPs cannot block
traffic between their subscribers, but only traffic 
to/from the outside.

>  I did notice that Trend has 
> another worm listed called Worm_RPCSDBOT 
> http://www.trendmicro.com/vinfo/ .  

Based on a quick glance, this looks like the older sdbot. Not
exactly a 'worm'. Various sdbot variants included the rpc
dcom exploit during the last couple weeks.

A couple of notes:

We are currently monitoring the 'msblast.exe' files offered
by the infected hosts to look for mutations. If you have the
ability to do so, please join in. The MD5sum of the current
version is 5ae700c1dffb00cef492844a4db6cd69 .

Unless it mutates, we are likely going back to green early
tomorrow. I would like to keep vigilance up for today.

There will be a DDOS (port 80 synflood) from infected machines
on the 18th. Details are still a bit murky at this point. We
will likely go back to yellow on the 18th.



There are a few reasons for it. Most important:
- you may have been infected by the sdbots as well as the
  msblaster worm.
- there may be people that add additional backdoors to 
  msblaster infected machines (they are easy to find as they
  will go out and scan ;-) ).

Any simple cleanup instructions (delete msblast.exe, remove registry
key, patch, reboot) are likely to miss any of these other backdoors.

At this point, do not connect an unpatched Win2K or XP machine to
a network. Patch it first.

Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
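The mutation watch the post asks list members to join (hash the msblast.exe copies served by infected hosts and flag anything that differs from the listed MD5), as an added Python example that is not code from the post or from DShield; the sample bytes, source names and drop-directory layout below are constructed placeholders, not real captures.

```python
import hashlib
from pathlib import Path

# MD5 of the msblast.exe version reported in the post above.
KNOWN_MSBLAST_MD5 = "5ae700c1dffb00cef492844a4db6cd69"


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of a byte string (MD5 only, to match the list's baseline)."""
    return hashlib.md5(data).hexdigest()


def classify_sample(data: bytes, known_md5: str = KNOWN_MSBLAST_MD5) -> str:
    """'known' if the bytes hash to the baseline, else 'candidate-mutation'.
    Any single changed byte produces a different digest, so a mismatch is a
    reason to look closer, not proof of a new variant."""
    return "known" if md5_hex(data) == known_md5.lower() else "candidate-mutation"


def triage_samples(samples: dict[str, bytes], known_md5: str = KNOWN_MSBLAST_MD5) -> dict:
    """Group captured files by digest so repeated captures of one variant
    collapse into a single row: {md5: {"label": ..., "sources": [...]}}."""
    groups: dict[str, dict] = {}
    for source, data in samples.items():
        digest = md5_hex(data)
        entry = groups.setdefault(
            digest, {"label": classify_sample(data, known_md5), "sources": []}
        )
        entry["sources"].append(source)
    return groups


def triage_directory(path: str, known_md5: str = KNOWN_MSBLAST_MD5) -> dict:
    """Hash every regular file under `path` (assumed: a drop directory where
    honeypots store files pulled from infected hosts) and triage them."""
    files = {str(p): p.read_bytes() for p in Path(path).rglob("*") if p.is_file()}
    return triage_samples(files, known_md5)


# Constructed stand-ins (not malware); none of them can match the real baseline.
CONSTRUCTED_SAMPLES = {
    "honeypot-a/msblast.exe": b"placeholder sample A",
    "honeypot-b/msblast.exe": b"placeholder sample A",  # identical capture
    "honeypot-c/msblast.exe": b"placeholder sample B",  # differs from A
}

if __name__ == "__main__":
    for digest, info in triage_samples(CONSTRUCTED_SAMPLES).items():
        print(f"{digest}  {info['label']:18}  {len(info['sources'])} source(s)")
```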
