Blaster Worm Remote Procedure Call (RPC) exploit

Exploit details:

There is a buffer overrun vulnerability in the RPC service (in its DCOM interface; Microsoft addressed it in security bulletin MS03-026). By default the RPC endpoint mapper listens on TCP port 135, and by sending a specially crafted message to this port an attacker can execute arbitrary code within the context of the RPC service, which runs as Local System, so the attacker gets full control of the machine.

The following operating systems have this security hole:

  • Windows 2000 SP1, SP2, SP3, SP4
  • Windows XP (RTM and SP1)
  • Windows Server 2003

This means that after a clean install of Windows 2000/XP/2003, connecting to the Internet without a firewall enabled leaves the machine exploitable by anyone who can reach TCP port 135, without any action from the user. The Blaster worm is the most common attacker.

More info: SecurityFocus.com (exploit sample code)

Exploit side effects:

The RPC service is vital to the operation of Windows. An exploit attempt that does not succeed cleanly (Blaster guesses which Windows version it is attacking, and a wrong guess crashes the service) kills the svchost.exe process hosting the RPC service, and Windows then schedules a restart 60 seconds later. One of the following messages is usually shown when the RPC service crashes:

*This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM

Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

The computer will be restarted - it has been initiated by the NT authority system because the remote procedure call (RPC service) terminated unexpectedly.

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience

The program svchost.exe has generated errors and will be closed by Windows. You will have to restart the program*

The result of a successful attack is usually that the system is infected with the worm, which consumes CPU time and Internet bandwidth while it scans for and attacks other machines on the Internet.

Solution to prevent exploit:
  1. Enable a firewall that blocks inbound connections to TCP port 135 (the Windows XP Internet Connection Firewall is enough) to prevent future attacks.
  2. Download and install the Microsoft patch MS04-012, Cumulative Update for Microsoft RPC/DCOM (KB828741). It is cumulative, so it also contains the original MS03-026 fix for the hole that Blaster exploits.
    • If unable to install the patch in normal mode, boot into Safe Mode and install it there.
    • If the patch was installed in Safe Mode, remember to reinstall it afterwards in normal mode. More info: MS KB818460
  3. Update the virus database of your existing antivirus scanner and run a full scan, or use housecall.antivirus.com. (On Windows XP, temporarily turn off System Restore first, otherwise infected copies of the worm in the restore points cannot be cleaned.)
  4. Check Windows Update for other critical patches for your system.

Note: to stop Windows XP/2003 from shutting down within 60 seconds after the RPC crash (this buys time to download and install the patch), press the Start button, select Run… and enter this command:

Shutdown -a

Note: another way to stop the shutdown within 60 seconds is to configure the RPC service to restart itself on failure instead of restarting the computer (the default recovery action). This only removes the symptom; the machine is still vulnerable until it is patched:

  1. Press Start-button and select Run… this command:

    services.msc /s

  2. Double-click the service Remote Procedure Call (RPC) (not the RPC Locator)
  3. Select the Recovery tab
  4. Set First Failure, Second Failure and Subsequent Failures to Restart the Service
  5. Press Ok

Note: it is possible to block the attacks without installing the patch by disabling DCOM, which is the interface the exploit goes through. This is useful when the patch cannot be obtained without first connecting the unpatched, unfirewalled machine to the Internet. Two caveats: disabling DCOM breaks applications that depend on it, and it does not close port 135 (the RPC service keeps listening), so re-enable DCOM only after the patch is installed and a firewall is in place:

  1. Press the Start button, select Run… and enter this command:

    Dcomcnfg.exe

  2. If you are running Windows XP or Windows Server 2003, perform these additional steps (on Windows 2000 the Default Properties tab is shown directly):
    • Click the Component Services node under Console Root.
    • Open the Computers folder.
    • For the local computer, right-click My Computer, and then click Properties.
    • For a remote computer, right-click the Computers folder, point to New, click Computer, type the computer name, then right-click the computer name and click Properties.
  3. Click the Default Properties tab.
  4. Clear the Enable Distributed COM on this computer check box.
  5. Click Apply and exit Dcomcnfg.exe.
  6. Restart the operating system for the change to take effect.
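
The three manual procedures above (aborting the 60-second shutdown, making the RPC service restart instead of rebooting, and disabling DCOM) collected into one batch script for Windows XP / Server 2003. This is an added example, not code from the original page or from Microsoft; it uses only built-in tools (shutdown.exe, sc.exe, reg.exe, netstat.exe, netsh.exe). The EnableDCOM registry value is the one Dcomcnfg.exe itself writes; the registry key used to detect KB828741 in the last step and the netsh firewall syntax (XP SP2 / 2003 SP1 or later only) are assumptions, not taken from the page.

```batch
@echo off
rem Added example, not from the original page. Run from an administrative
rem command prompt on Windows XP / Server 2003.

rem 1. Abort the pending "This system is shutting down" started by the RPC crash.
shutdown -a

rem 2. Recovery-tab equivalent: first/second/subsequent failure = Restart the
rem    Service after 60 s (60000 ms); the failure counter resets after one day.
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc qfailure RpcSs

rem 3. Disable DCOM. EnableDCOM=N is what Dcomcnfg.exe writes when the
rem    "Enable Distributed COM on this computer" box is cleared; needs a reboot.
reg add "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM /t REG_SZ /d N /f
reg query "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM

rem 4. Disabling DCOM does not close TCP 135: the endpoint mapper still listens,
rem    so a host firewall is still required. The netsh command is an assumption
rem    valid for XP SP2 / 2003 SP1 and later; on XP SP1 enable the Internet
rem    Connection Firewall from the Advanced tab of the network connection.
netstat -an | findstr /C:":135 "
netsh firewall set opmode mode=enable

rem 5. Is the MS04-012 cumulative update (KB828741) present? The key below is an
rem    assumed location for Windows XP hotfixes; it differs on Windows 2000/2003.
reg query "HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828741" >nul 2>&1
if errorlevel 1 (
    echo KB828741 not found: install MS04-012, reboot, then re-enable DCOM
) else (
    echo KB828741 is installed
)
```

Once the patch is installed and a firewall blocks port 135, set EnableDCOM back to Y (with the same reg add line, or through Dcomcnfg.exe) and reboot, otherwise DCOM-dependent applications stay broken.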

Exploiters:

More information about the RPC attackers: