A highly-effective worm would be not be difficult to write for the reasons below. Residential ISP's should start blocking 445 and 135 immediately. Corporate networks should block these ports in both directions at every major gateway as soon as possible. It would only take one compromised node to turn a corporation's internal network to mush. Coupled with an email or web-based delivery system, a DCOM worm could easily start spawning itself in the center of even the most security-concious organizations. 1) There *are* universal return address for both Win2K and WinXP. No I am not going to post these anywhere, people can find them for themselves. The non-english versions may or may not work with these, I have not had the chance to test. 2) You can determine whether a host is 2K or XP using a number of different ways. The easiest method is by looking at the Native LanMan version you recieve when establishing a SMB session. I have heard that there are ways to identify a system through DCOM queries as well, but have no code in hand to prove it. 3) Since the easiest targets are Win2K and WinXP, simply scanning for 445, determining XP/2K, and exploiting 135 would be very simple to do. All systems with 445/tcp open are more than likely XP/2K. Any system with 445/tcp open more than likely has 135 open as well. -HD On Sunday 27 July 2003 12:09 pm, wirepair wrote: > I would imagine the worm would need to > be pretty advanced in finding the correct offsets prior to > exploitation, without crashing svchost.exe. Now I am in no way down > playing the threat of this vulnerability and I find it to probably > be the largest thing to ever hit windows. I just want to hear other > peoples thoughts on this subject. Or a worm could attack a single > operating system/sp but that wouldn't be nearly as damaging as a worm > that could attack all versions of windows (nt4-win2k3) and sp's. > > Any thoughts? > -wire
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 13:40:27 PDT