
Internet Security Industry News

Attack bot exploits Windows flaw


August 4th, 2003

Las Vegas, Nevada - Online vandals are using a program to compromise Internet communications with Windows servers and remotely control them through Internet relay chat (IRC) networks, system administrators said Saturday.

The tool takes commands from an attacker through the IRC networks and can scan for and compromise computers vulnerable to the recently discovered flaw in Windows.

Files left behind on a compromised server by the worm were posted to a security mailing list. Computer security company Symantec analyzed the files and determined that what was first thought to be a worm was actually an attack program.

"Based on our analysis, the threat does not appear to be a worm," said Oliver Friedrichs, senior manager for Symantec's security response team. "It doesn't go and try to spread." Friedrichs was in Las Vegas attending the Black Hat Briefings and DefCon hacking conferences.

The ability to spread automatically is the hallmark of a computer worm. The collection of programs that Symantec analyzed is a tool that compromises computers and is referred to as an autorooter. It also acts like an IRC bot, listening to specific channels on the chat network and taking commands from attackers via IRC.

The initial post describing what security researchers thought might be a worm appeared at 10 a.m. PDT Saturday on the Full-Disclosure security list. The tool consists of six files that work together to find vulnerable systems and attack them. Ever since the Windows flaw was announced, security researchers widely expected a worm to be written to exploit it. The IRC bot is one step removed from a worm and less disruptive.

This bot compromises computers using a flaw that Microsoft warned the public about on July 16. The flaw is in the distributed component object model (DCOM) interface, a part of the OS that allows other computers to request the system to perform an action or service. The object, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the DCOM interface, an attacker can cause the system to grant full access to the computer.

A week ago, hackers from the Chinese X-Focus security group publicly posted a program to several security lists designed to allow an intruder to use the vulnerability to break into Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Windows. In the past week, security researchers and hackers have been refining the exploit code. That program is one of the six that make up the tool.

The files include rpc.exe, rpctest.exe, tftpd.exe, worm.exe, lolx.exe and dcomx.exe. Although one of the programs sports the name "worm.exe," the resulting set of files is not a worm, because it doesn't spread automatically, Friedrichs said.

Symantec was still analyzing the files late Saturday, but, judging from the names of the files, the tool can search for vulnerable computers via RPC and, when it finds a target, exploit the system with dcomx.exe. The Trivial FTP server, tftpd, allows files to be transferred to the new host, and lolx is likely to be the component that lets attackers communicate with the system via IRC.
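The chain described above (probe hosts over RPC, pull the payload onto the victim with TFTP, then have the victim check in over IRC) is something a network defender can correlate from perimeter logs. The Python below is an added example, not code from the original article or from Symantec's analysis; it runs over a constructed firewall log and assumes the standard ports for each stage (TCP 135 for the RPC endpoint mapper, UDP 69 for TFTP, 6667-6669 for IRC), which the article does not name.

```python
from collections import defaultdict

# Constructed sample firewall log, one event per line: "ts src dst proto dport".
# Not real traffic; the addresses are documentation/private ranges.
SAMPLE_LOG = """\
1059998400 10.0.0.5 10.0.1.10 tcp 135
1059998401 10.0.0.5 10.0.1.11 tcp 135
1059998402 10.0.0.5 10.0.1.12 tcp 135
1059998403 10.0.0.5 10.0.1.13 tcp 135
1059998410 10.0.1.12 10.0.0.5 udp 69
1059998420 10.0.1.12 192.0.2.9 tcp 6667
1059998430 10.0.2.7 10.0.2.8 tcp 445
"""

RPC_PORT = 135                 # assumed: DCOM RPC endpoint mapper
TFTP_PORT = 69                 # assumed: tftpd used to fetch the tool
IRC_PORTS = {6667, 6668, 6669} # assumed: common IRC ports
SCAN_THRESHOLD = 3             # distinct hosts probed on 135 before calling it a scan

def parse(log):
    """Parse the constructed log format into (ts, src, dst, proto, dport) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, dst, proto, dport = line.split()
        events.append((int(ts), src, dst, proto, int(dport)))
    return sorted(events)

def detect_autorooter_chain(log, threshold=SCAN_THRESHOLD):
    """Correlate scan -> TFTP pull -> IRC check-in and report each stage."""
    probed = defaultdict(set)  # scanner -> hosts it touched on TCP/135
    tftp_pull = {}             # victim -> scanner it fetched from over UDP/69
    irc_out = set()            # victims that later opened an IRC connection
    for _ts, src, dst, proto, dport in parse(log):
        if proto == "tcp" and dport == RPC_PORT:
            probed[src].add(dst)
        elif proto == "udp" and dport == TFTP_PORT and src in probed.get(dst, ()):
            tftp_pull[src] = dst   # a probed host is pulling a file from its prober
        elif proto == "tcp" and dport in IRC_PORTS and src in tftp_pull:
            irc_out.add(src)
    scanners = {h for h, targets in probed.items() if len(targets) >= threshold}
    victims = {v for v, s in tftp_pull.items() if s in scanners}
    return {"scanners": sorted(scanners), "victims": sorted(victims),
            "irc_controlled": sorted(irc_out & victims)}

if __name__ == "__main__":
    print(detect_autorooter_chain(SAMPLE_LOG))
```

A single probe on 135 is noisy on most networks; the threshold and the requirement that the TFTP pull come from the prober are what keep the rule from firing on ordinary DCOM traffic.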

Article by Robert Lemos
Source: C-Net News
