
Tuesday, August 12, 2003

MSBlast prevention and cure

http://zdnet.com.com/2100-1105_2-5062532.html

The script kiddies and IRC nerds all around the world unite to make Windows admins look like Microsoft-approved idiots once again.
This worm exploits a buffer overflow in the RPC (remote procedure call) service to install itself and then target new Windows computers. Nothing special really; the concern is that it could cause real damage later on, since a DDoS becomes easy once enough Windows machines are infected. Right now the major anti-virus companies are spending the hot days of August analyzing the worm itself and its occurrence patterns.
While W32/Blaster.A targets thousands of new Windows systems as we speak, the script kiddies themselves are having fun shutting down XP/2000 computers by sending random, malicious packets over the web.
The worst part of it is probably that the RPC core itself was not buggy at all until Microsoft added its "extensions".

Solutions:
# Delete MSBlast itself ::: first step, basic... does not cure the MS bugs... errr... "features" in RPC of course.
# Windows Update / Hotfix / Bugfix ::: probably the easiest. However, as we are talking about Microsoft, this does not work for all users... e.g. it refuses to install, saying it requires "Microsoft Windows XP Service Pack 2". amen.
# Install a firewall, block all ports used by RPC (UDP AND TCP) ::: this will do, however some of us actually require RPC to work.
# Using a router, with NAT and integrated firewall ::: good. Just make sure you don't put any of your network computers in the DMZ.
# Uninstalling DCOM / RPC services ::: I don't recommend this as quite a few (plus maybe some future) applications and system components depend on them.
# "Take no action" on RPC failures (Admin->Services) ::: you might want to try this so your system does not shut down in the process of updating/installing/etc. Be sure to change this back to default once you have a real solution.
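
As an added illustration of the firewall step (this is not code from the post), here is a small Python checker over a constructed firewall deny log that flags the worm's scanning pattern, a single source hitting the RPC port on many distinct hosts within a short window, while leaving alone a host that merely talks to one RPC peer repeatedly. It assumes TCP 135, the RPC endpoint-mapper port, which the post does not name, and a made-up log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PORTS = {135}       # assumption: TCP 135 (RPC endpoint mapper), not named in the post
SCAN_THRESHOLD = 5      # distinct target hosts from one source inside WINDOW
WINDOW = timedelta(seconds=60)

# Constructed sample deny log, made-up format: "<ISO time> DENY <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-12T10:00:01 DENY TCP 198.51.100.7:1025 -> 192.0.2.10:135
2003-08-12T10:00:02 DENY TCP 198.51.100.7:1026 -> 192.0.2.11:135
2003-08-12T10:00:03 DENY TCP 198.51.100.7:1027 -> 192.0.2.12:135
2003-08-12T10:00:04 DENY TCP 198.51.100.7:1028 -> 192.0.2.13:135
2003-08-12T10:00:05 DENY TCP 198.51.100.7:1029 -> 192.0.2.14:135
2003-08-12T10:00:06 DENY TCP 198.51.100.7:1030 -> 192.0.2.15:135
2003-08-12T10:00:07 DENY TCP 203.0.113.5:3344 -> 192.0.2.10:135
2003-08-12T10:00:40 DENY TCP 203.0.113.5:3345 -> 192.0.2.10:135
2003-08-12T10:00:41 DENY TCP 203.0.113.9:4000 -> 192.0.2.10:80
"""

def parse_line(line):
    """Split one deny-log line into (time, proto, src_ip, dst_ip, dst_port)."""
    ts, _action, proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src_ip, dst_ip, int(dport)

def find_scanners(log_text):
    """Return {src_ip: max distinct RPC targets seen within one WINDOW}, listing
    only sources that reached SCAN_THRESHOLD; one host probing one peer twice
    (a legitimate RPC client behind a too-broad rule) is not reported."""
    hits = defaultdict(list)                     # src_ip -> [(time, dst_ip)]
    for line in log_text.splitlines():
        ts, proto, src_ip, dst_ip, dport = parse_line(line)
        if proto == "TCP" and dport in RPC_PORTS:
            hits[src_ip].append((ts, dst_ip))
    scanners = {}
    for src_ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):     # sliding window from each hit
            targets = {dst for t, dst in events[i:] if t - t0 <= WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                scanners[src_ip] = max(scanners.get(src_ip, 0), len(targets))
    return scanners

if __name__ == "__main__":
    for src_ip, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src_ip}: probed {n} hosts on RPC ports within {WINDOW.seconds}s")
```

On the sample above only 198.51.100.7 is reported (6 hosts in 6 seconds); the host that retried one peer and the one hitting port 80 are not.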

For full info and MSBlast removal instructions, check any of the articles on Google News. It is easy enough to do it yourself, no need to download any "MSBlast remover" being advertised since yesterday. On a side note: Update your Virus scanner definitions :)