[Dshield] Simultaneous MSBlaster and ??? attack?

Johannes B. Ullrich jullrich at sans.org
Wed Aug 13 15:47:42 GMT 2003

On Wed, 2003-08-13 at 11:15, Micheal Patterson wrote:
> Does anyone have any information on any trojans that are utilizing the same
> DCOM exploit yet?

Well, trojans, bots and other toyZ using this exploit have been around
for at least two weeks now. There are too many variants to find them
all, as they are usually custom made and sometimes not easy to detect.

I think I said this before here. Just to reiterate:

If you find a machine that is infected by msblaster, I strongly
recommend a COMPLETE REBUILD. Do not just use any of the msblaster
cleanup tools. They will not remove any backdoors left by others.
Even for an expert, it is very hard to find all possible backdoors.

I recommend:

1 disconnect the machine from the network as fast as possible.
  Physically remove the network cable or phone line.
2 shut it down.
3 rebuild from scratch
4 apply patches (use a different computer to download them)
5 if you have WinXP, enable the built-in firewall, or if you
  have a personal firewall, install it.
6 install an anti-virus program and do a complete scan of the
  machine. Try to apply the latest virus definitions from CD
  (can be hard, depends on software)
7 connect back to the network.

If you have data on this machine which you cannot afford to
lose, insert these steps between (2) and (3):

a boot the computer
b apply worm removal tool from CD. 
c install recent virus scanner with up to date definitions and
  do a complete scan. Even if you already had a virus scanner
  installed, reinstall the virus scanner.
d run a complete virus scan.
e backup the files you need. Or, get a new hard disk and keep the
  old one around as a backup (you can put it into a USB enclosure)

After you get the system back online, clean and current on virus
definitions, run a complete virus scan on the backup again.

I know this is a long list and it's not easy. But anything else may
cost you big time later. You will likely never find out about the
backdoor until your credit card is rejected by some merchant as
'over limit'.

>  I've got systems that were patched via the Win2k patch
> file, not via windows update, that have an apparent trojan on them. The main
> symptoms that are noticeable are the inability to pull up properties, see
> within the winnt folder and the control panel icons are all listed in a
> frame on the left, Add / Remove programs is empty with the fonts mangled.
> I'd seen mention of kaht2 root kit using the DCOM exploit, but it appears to
> have been overshadowed by msblaster.
> Thanks.
> --
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
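The point above that "it is very hard to find all possible backdoors" is worth seeing in practice. The following is an added example, not part of the original post: a small triage script that diffs a host's listening sockets against a known-good baseline, so that anything beyond the expected Windows ports is flagged. The netstat output and the baseline are constructed for the demo (the sample includes TCP 4444 and UDP 69, the ports msblaster is known to open, but the check itself is generic). The caveat is the one the post makes: an empty result is not a clean bill, because a kernel-level rootkit can hide its sockets from netstat, which is why the recommendation is a complete rebuild rather than cleanup.

```python
"""Triage check: list listening sockets that are not in a known-good baseline.

Added example; not code from the original mailing-list post. The netstat text
and the baseline are constructed for the demo. An empty result does NOT mean
the host is clean: a rootkit can hide its sockets from netstat, which is why
the post recommends a full rebuild rather than trusting any cleanup tool.
"""
from typing import List, Set, Tuple

Socket = Tuple[str, str, int]  # (proto, local_ip, local_port)

# Constructed sample in the layout of Windows 2000/XP `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1052      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed baseline: ports a plain Windows file-sharing host normally
# exposes (assumption for the demo; tune it to the build you actually deploy).
BASELINE: Set[Tuple[str, int]] = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
    ("UDP", 137), ("UDP", 138), ("UDP", 445),
}


def parse_netstat(text: str) -> List[Socket]:
    """Return listening TCP sockets and all bound UDP sockets from netstat text."""
    sockets: List[Socket] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or a protocol we do not handle
        proto, local = parts[0], parts[1]
        # TCP lines carry a state column; only LISTENING sockets are of interest.
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        ip, port = local.rsplit(":", 1)  # rsplit keeps an IPv6 "[::]:135" intact
        sockets.append((proto, ip, int(port)))
    return sockets


def unexpected_listeners(sockets: List[Socket],
                         baseline: Set[Tuple[str, int]] = BASELINE) -> List[Socket]:
    """Sockets whose (proto, port) pair is not in the baseline, sorted for display."""
    return sorted(s for s in sockets if (s[0], s[2]) not in baseline)


if __name__ == "__main__":
    found = unexpected_listeners(parse_netstat(SAMPLE_NETSTAT))
    for proto, ip, port in found:
        print(f"unexpected {proto} listener on {ip}:{port}")
    if found:
        print("Unknown listeners: treat the host as compromised and rebuild.")
    else:
        print("No unexpected listeners seen (this does not prove the host is clean).")
```

Run it against real `netstat -an` output captured from the suspect machine while it is still off the network; any listener you cannot account for is one more reason to follow the rebuild steps above rather than a cleanup tool.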
