  • July 31, 2003 - Current Activity

    This is an archived copy of current activity.

  • Exploitation of Microsoft RPC Vulnerabilities (new)
  • Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)
  • W32/Sobig.E
  • Reports of TCP scanning with window size 55808
  • W32/BugBear.B



    Exploitation of Microsoft RPC Vulnerabilities
    added July 31

    The CERT/CC has received reports of systems being compromised by two recently discovered vulnerabilities in the Microsoft Remote Procedure Call (RPC) service. Additionally, the CERT/CC has received reports of widespread scanning for systems with open Microsoft RPC ports (135, 139, 445).

    We are currently seeing reports involving two separate vulnerabilities. The first vulnerability is described in CA-2003-16 (VU#568148). The second denial-of-service vulnerability is described in CA-2003-19 (VU#326746). Microsoft is currently working on a patch to resolve this issue.

    Sites are encouraged to block access from outside their network perimeter, specifically by blocking access to TCP and UDP ports 135, 139, and 445. This will limit exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of the network to exploit the vulnerability.

    The CERT/CC is tracking activity related to exploitation of the first vulnerability (VU#568148) as CERT#27479 and the second vulnerability (VU#326746) as CERT#24523. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.
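    The scanning for open RPC ports described above can be spotted in perimeter firewall logs by looking for a single source touching ports 135, 139 or 445 on many distinct hosts. The following is an added example, not CERT/CC code; the log line format and the IP addresses are constructed for illustration, so the regular expression must be adapted to the real firewall's format.

```python
import re
from collections import defaultdict

RPC_PORTS = {135, 139, 445}  # Microsoft RPC / NetBIOS / SMB ports named in the advisory

# Constructed sample log lines in an assumed "<time> <action> <src> -> <dst>:<port>/<proto>" format.
SAMPLE_LOG = """\
2003-07-31T10:00:01 DENY 192.0.2.10 -> 198.51.100.1:135/tcp
2003-07-31T10:00:01 DENY 192.0.2.10 -> 198.51.100.2:135/tcp
2003-07-31T10:00:02 DENY 192.0.2.10 -> 198.51.100.3:445/tcp
2003-07-31T10:00:02 DENY 192.0.2.10 -> 198.51.100.4:139/tcp
2003-07-31T10:00:03 DENY 192.0.2.10 -> 198.51.100.5:135/tcp
2003-07-31T10:00:04 DENY 203.0.113.7 -> 198.51.100.1:80/tcp
2003-07-31T10:00:05 DENY 203.0.113.7 -> 198.51.100.1:445/tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>tcp|udp)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def find_rpc_scanners(log_text, min_hosts=3):
    """Return {source_ip: sorted distinct destinations} for sources that hit an RPC port
    on at least min_hosts different hosts; one or two hits are treated as background noise."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] in RPC_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}
```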


    Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)
    added July 18

    The CERT/CC has received reports of activity consistent with attempts to exploit the Cisco IOS Interface Blocked Vulnerabilities described in CERT Advisories CA-2003-15 and CA-2003-17. To date, we are unaware of any sites whose operations have been interrupted by these attempts. Sites are strongly encouraged to read these two advisories, and take any actions necessary to protect their networks.


    W32/Sobig.E
    added June 26

    The CERT/CC has received reports of a variant of the Sobig mass-emailing worm, referred to as "W32/Sobig.E." It arrives as an attachment with a .zip extension. Within that .zip file is a file with either a .scr or .pif extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension. Additionally, this worm spoofs the "From" address, therefore it is likely that the sender address is not that of the infected user.

    Upon execution, the worm places the following files in the "%Windir%" directory:

  • winssk32.exe (copy of worm)
  • msrrf.dat (configuration file)

    The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SSK Service"="%Windir%\winssk32.exe"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SSK Service"="%Windir%\winssk32.exe"

    The worm also attempts to propagate by copying itself to the following folders:

  • Documents and Settings\All Users\Start Menu\Programs\Startup\
  • Windows\All Users\Start Menu\Programs\StartUp\

    The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

    Users may also wish to consider filtering email attachments with the extensions listed above.

    You may also wish to visit the CERT/CC's computer virus resources page.


    Reports of TCP scanning with window size 55808
    added June 24

    In recent weeks, there have been numerous accounts of activity surrounding TCP packets with a window size of 55808. Initial reports of this activity received by the CERT/CC indicate that the Selective Acknowledgement bit is set and the window scale option is set to 2. Selective Acknowledgments are described in more detail in RFC2018 "TCP Selective Acknowledgment Options"; the window scale field is described in RFC1323 "TCP Extensions for High Performance". The window scale value designates the number of bits that the window size value should be shifted in order to compute the actual window size. Thus, with a window size of 55808 and a scale of 2, the actual window size being requested is 223,232 bytes.

    To date, several pieces of malicious code have been identified that are capable of generating traffic with a window size of 55808. These include the "Stumbler" malicious code reported by Internet Security Systems (ISS) and "55808 Trojan - Variant A" described by Intrusec on June 19, 2003. We have also received reports that a variant of a common IRC bot (sdbot) is capable of generating TCP packets with a window size of 55808. A previous variant of the sdbot malicious code was mentioned briefly in CA-2003-08.

    Analysis indicates that while these various pieces of malicious code will generate TCP packets with a window size of 55808, not all of them set the window scale option. This is an important detail because it indicates that there may be multiple artifacts responsible for generating the reported traffic.

    We are tracking this activity as incident CERT#26124, and are interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert@cert.org with "CERT#26124" in the subject line.
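    The indicators described above (window size 55808, SACK permitted, window scale 2, effective window 223,232 bytes) can be checked directly against a raw TCP header. The following is an added example, not CERT/CC code: it parses the fixed header and the option list, computes the scaled window, and also reports segments that carry the 55808 window without the scale option, since the text notes that not every artifact sets it. The build_syn helper constructs test headers and is not a packet capture.

```python
import struct

SUSPECT_WINDOW = 55808  # window size reported in the scanning activity

def parse_tcp_options(opts):
    """Map option kind -> option data; NOP (kind 1) is skipped, EOL (kind 0) ends the list."""
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found[kind] = opts[i + 2:i + length]
        i += length
    return found

def analyze_tcp_header(hdr):
    """Parse a raw TCP header (no IP header) and report the 55808 indicators."""
    if len(hdr) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", hdr[:16])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(hdr):
        raise ValueError("bad data offset")
    opts = parse_tcp_options(hdr[20:data_offset])
    sack_permitted = 4 in opts                   # SACK-permitted, kind 4 (RFC 2018)
    scale = opts[3][0] if len(opts.get(3, b"")) == 1 else None  # window scale, kind 3 (RFC 1323)
    effective = window << scale if scale is not None else window
    return {"sport": sport, "dport": dport, "window": window,
            "sack_permitted": sack_permitted, "window_scale": scale,
            "effective_window": effective, "suspect": window == SUSPECT_WINDOW}

def build_syn(sport, dport, window, scale=None, sack_permitted=False):
    opts = b""                                   # constructed SYN header for testing
    if sack_permitted:
        opts += bytes([4, 2])
    if scale is not None:
        opts += bytes([3, 3, scale])
    opts += b"\x00" * (-len(opts) % 4)           # pad options to a 32-bit boundary
    data_offset = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                        (data_offset << 12) | 0x02, window, 0, 0)  # flags byte 0x02 = SYN
    return fixed + opts
```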


    W32/BugBear.B
    added June 5

    The CERT/CC has received reports of a variant of the BugBear mass-emailing worm, referred to as "W32/BugBear.B", "W32/Kijmo" or "W32/Shamur". It arrives as an attachment with a .pif, .scr, or .exe extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in the current inbox and in files with a .dbx, .eml, .mbx, .mmf, .nch, .ocs, or .tbb file extension. Additionally, this worm has a built-in keylogger, a backdoor that listens on port 1080/tcp, and attempts to terminate numerous security product processes on the system.

    The worm also attempts to propagate by copying itself to the following folders on the local machine as well as other machines that it has access to using a random file name:

  • Windows\Start Menu\Programs\Startup\[random_name].exe when executed on a Windows 95/98/Me-based system
  • Documents and Settings\<current user name>\Start Menu\Programs\Startup\[random_name].exe when executed on a Windows NT/2000/XP-based system

    The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

    Users may also wish to consider filtering email attachments with the extensions listed above and to monitor traffic destined for port 1080/tcp.

    You may also wish to visit the CERT/CC's computer virus resources page.
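    Both the W32/Sobig.E and W32/BugBear.B entries recommend filtering attachments by extension, so one check serves both: a bare .pif, .scr or .exe attachment (the BugBear.B pattern) and a .zip whose members include a .scr or .pif file (the Sobig.E pattern). The following is an added example for a mail gateway, not CERT/CC code; the function names and the in-memory test archives are constructed for illustration.

```python
import io
import os
import zipfile

DIRECT_EXECUTABLE = {".pif", ".scr", ".exe"}   # BugBear.B arrives as one of these directly
ZIP_NESTED_EXECUTABLE = {".scr", ".pif"}       # Sobig.E ships these inside a .zip

def _ext(name):
    """Lower-cased extension of a file or archive member name ('' if none)."""
    return os.path.splitext(name.lower())[1]

def check_attachment(filename, data):
    """Return a list of reasons to block this attachment; an empty list means no match."""
    reasons = []
    ext = _ext(filename)
    if ext in DIRECT_EXECUTABLE:
        reasons.append(f"executable attachment {filename} ({ext})")
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in ZIP_NESTED_EXECUTABLE:
                        reasons.append(f"archive {filename} contains executable member {member}")
        except zipfile.BadZipFile:
            # A .zip that does not parse is still suspicious: it cannot be inspected.
            reasons.append(f"{filename} has a .zip extension but is not a valid archive")
    return reasons

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; constructed test data, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```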