Bots exploiting Microsoft's latest RPC flaw
Several antivirus vendors reported on Monday a new round of exploitation of the flaw covered by Microsoft's out-of-cycle security bulletin last month. The flaw, MS08-067, affects how remote procedure calls (RPC) are handled in the Windows Server Service and, according to Microsoft, has the potential to become a fast-spreading worm. But experts predict that any exploitation will be bundled into an existing Trojan horse or botnet package, because that is where criminals can make the most money from the malware code.
Ken Dunham of iSIGHT Partners said his company was looking at three samples of interest.
One is what F-Secure is calling Rootkit.Win32.KernelBot.dg; another is what Symantec calls W32.Wecorl. A third appears to be a weak variant of Wecorl. "All appear to be related to bots, components for building a botnet, rather than the Gimmiv Trojan," which was one of the first to exploit the vulnerability in MS08-067 and was used to steal personal information.
Dunham said these malware samples appear to be autorooters, malicious programs designed to automatically scan and attack targeted computers. He stressed that what we're seeing today are not worms but autorooters, which still involve a manual process but are nonetheless a major step toward automating the code.
The way the attack works is that the criminal points his computer at a target PC. The autorooter goes out to the Internet and pulls down exploit code for vulnerabilities including MS08-067. Once the target computer is compromised, the criminal then installs "code of choice." Dunham said that so far he has seen a back-door version of the eMule client application installed along with a few other files. This gives the criminal anonymous access to and control of the compromised machine and makes it part of a larger botnet. So far the botnet has been used to launch denial-of-service attacks on sites mostly in China, including Google.cn.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 




Here is the lesson that corporations should learn from this: PATCH IMMEDIATELY! Don't wait until 'your applications are tested', patch now! If anything breaks, don't get on Microsoft's case, get on the case of your software maker, because 99 times out of 100, it's their fault.
Also, screaming at the victim machines' owners for not patching fast enough is stupid - it's not like you can take down production computers (e.g. servers) without notice just to slather a patch on, and having to clean up after an introduced incompatibility is even worse than the risk at times.
Also, yelling at the software vendor or at MSFT is stupid either way because you're still stuck with the devil's choice: patch and have the machine's raison d'etre evaporate, or don't patch and lose a line of defense.
Fortunately, there are OSes out there that don't require a frickin' reboot (read: downtime) just to fix something as minor and ancillary as RPC. Unfortunately, Windows isn't one of those OSes.
/P
Even unpatched, this vulnerability is completely mitigated even by simply turning on Windows' built-in software firewall (or don't turn it off to begin with, as it's on by default) or by any other firewall which may exist on the network.
The problem is, there are always clueless people who turn off firewalls and/or turn on file sharing services to the worldwide internet. On "production computers (e.g. servers)", frankly this RPC problem would be the least of their worries.
2. Assuming you have no firewalls protecting your servers, if on top of that your production infrastructure and patch processes are so bad that you can't install a critical patch within, say, a month, then you also deserve to get hacked sooner or later.
3. If you hadn't failed to upgrade to Vista or Server 2008 then this issue is no longer critical, either, due to Vista's improved network partitioning design. Basically under Vista-based OSes, even if the firewall is turned off, RPC connections are still protected from remote exploits such as these.
4. Apple OS X continues to use the same old design as WinXP and has had a similar issue on its RPC implementation (CVE-2007-0736). And oh, the patch required a system restart. ;-)
http://www.frsirt.com/english/advisories/2007/1470
"Twenty-five vulnerabilities have been identified in Apple Mac OS X, which could be exploited by remote or local attackers to execute arbitrary commands, cause a denial of service, disclose sensitive information, or bypass security restrictions. [...]
The ninth vulnerability is caused by an integer overflow error in the RPC library when processing malformed requests sent to the portmap service, which could be exploited by remote attackers to cause a denial of service or execute arbitrary code with "daemon" privileges."
1) Please re-read what your knee jerked at - especially the part that reads " or don't patch and lose a line of defense". This implies that there are more than a single line of defense present (in this case the OS). That alone destroys your silly argument right then and there.
2) is based on a stupid assumption that you made in your first attempt at an argument.
3) Simply chucking in and putting in Win2k8 or Vista may have (though according to MSFT not definitely) removed the flaw, but you stupidly assume that an enterprise environment will simply cast aside their existing installation and upgrade blindly. Given the rejection of Vista at large by Enterprise customers, and the slow uptake of Win2k8 (for numerous good reasons), your argument there is hereby rejected by the real world.
4) OSX is a consumer OS, and wasn't even considered in the post. Linux OTOH (as an example) is considered an Enterprise OS... and before you say it, restarting xinetd (assuming any such flaw would exist in it) does not require restarting the server, or even networking for that matter. At least try to keep up, willya? ;)
So, when you're ready to discuss how things are in the Enterprise, cool - but at least try to sound like you know what you're talking about, 'k?
/P
"So, when you're ready to discuss how things are in the Enterprise, cool - but at least try to sound like you know what you're talking about, 'k?"
I think people are still waiting for you to do this yourself, Penguinisto. Perhaps if you left the childish comments and infantile behavior out of your postings you'd find people treat you with more respect. Currently, however, your answer to mbenedict says far more about you as a 'professional' than anything anyone else could say.
I'm rather surprised that you would dismiss OS X as worthy of use in the business marketplace or for use as a server. Calling it a 'consumer OS' is a bit... disappointing. There are many professionals who use OS X daily and to have you dismiss their worth as mere 'consumer' attempts is insulting to Macintosh users.
- by mbenedict November 3, 2008 5:49 PM PST
- @penguinisto in a drunken state wrote:
- by Vegaman_Dan November 3, 2008 5:54 PM PST
- Shhhh, you're embarrassing him with reality. He doesn't take well to having his BS called as such.
> OSX is a consumer OS, and wasn't even considered in the post.
CVE-ID: CVE-2007-0736 affected Mac OS X Server v10.3.9, Mac OS X Server v10.4.9.
> Linux OTOH (as an example) is considered an Enterprise OS
Which requires a reboot for, say, the RPC XDR vulnerability. Hint: some bugs are in glibc or even in the kernel itself (see for example, RHSA-2008:0885-10).
Anyway, when you're ready to discuss how things are in the Enterprise, cool - but at least try to sound like you know what you're talking about, 'k? ;-)