MonkeeSage - 11:54 pm on Aug 11, 2003 (gmt 0)
"DeepSight™ Threat Management System Threat Alert
Version 1: August 11, 2003, 20:20 GMT
Version 5: August 11, 2003, 22:50 GMT

MS DCOM RPC Worm

[...] The DeepSight Threat Analyst Team encourages network administrators to:

• Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin MS03-026 have been applied.
• Ensure that the following ports are filtered at the network perimeter and between all untrusted network segments: udp/135, udp/137, udp/138, tcp/135, tcp/445, tcp/593.
• Deploy the provided Snort signature to assist in the detection of exploitation attempts targeting this issue.

[...] The attacking host will issue 20 simultaneous connect() calls, each going to a unique IP address. The host will then use a select() call to determine which hosts have responded. Upon receiving a response the worm will attempt to exploit the host. The worm uses an algorithm based on the current local host IP address to find IP addresses to attack. Given the local host IP A.B.C.D, 'D' is set to zero. If C is greater than 20, a random number (less than 20) is subtracted from C. Once this semi-random IP address has been calculated, the worm will continually increment the IP address, attacking in sequential order. This means the local subnet will become saturated with port 135 requests prior to exiting the local subnet."

Jordan
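Detection logic for the sweep pattern the alert describes, as an added example that is not part of the original post or of the DeepSight alert. The flow records are constructed; the threshold of 20 consecutive tcp/135 targets, the D == 0 start and the "C minus a number below 20" rule are taken from the quoted text above.

```python
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample flow records (src, dst, dport); not from a real capture.
# 10.1.30.22 sweeps 20 consecutive addresses on tcp/135 starting at 10.1.25.0
# (C = 30 minus 5, D = 0), the pattern the alert describes; the other rows
# are ordinary traffic.
SAMPLE_FLOWS = [("10.1.30.22", f"10.1.25.{i}", 135) for i in range(20)] + [
    ("10.1.30.40", "10.1.30.1", 53),
    ("10.1.30.40", "10.1.30.5", 445),
    ("10.1.30.41", "10.1.30.9", 135),
]

def longest_sequential_run(addrs):
    """Return (length, first address) of the longest run of consecutive
    IPv4 addresses found in `addrs`."""
    ints = sorted({int(IPv4Address(a)) for a in addrs})
    if not ints:
        return 0, None
    best_len, best_start = 1, ints[0]
    run_len, run_start = 1, ints[0]
    for prev, cur in zip(ints, ints[1:]):
        if cur == prev + 1:
            run_len += 1
        else:
            run_len, run_start = 1, cur
        if run_len > best_len:
            best_len, best_start = run_len, run_start
    return best_len, str(IPv4Address(best_start))

def start_matches_alert(src, first_target):
    """True if the run starts where the alert's algorithm would begin for this
    source: same A.B, D == 0, and C equal to the source's C (or up to 19
    below it when the source's C is greater than 20)."""
    a, b, c, _ = map(int, src.split("."))
    ta, tb, tc, td = map(int, first_target.split("."))
    if (ta, tb, td) != (a, b, 0):
        return False
    return tc == c if c <= 20 else c - 19 <= tc <= c

def find_sweepers(flows, port=135, min_run=20):
    """Map each source whose tcp/<port> targets contain a run of at least
    min_run consecutive addresses to (run length, run start, matches_alert)."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        n, start = longest_sequential_run(dsts)
        if n >= min_run:
            hits[src] = (n, start, start_matches_alert(src, start))
    return hits
```

Run it over firewall or NetFlow records from the segments the alert says to filter; a source that trips the run length and also matches the predicted start address is a strong candidate for isolation and the MS03-026 patch check.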