TUCoPS :: Windows :: bt1413.txt

Microsoft RPC DCOM exploit descriptions



----- Original Message -----
From: "Troy Murray" <murrayt5@msu.edu>
To: <MSUSEC@LIST.MSU.EDU>; <MSU-SECURITY@LIST.MSU.EDU>;
<bugtraq@securityfocus.com>
Sent: Tuesday, August 12, 2003 4:38 AM
Subject: RE: Microsoft RPC DCOM exploit descriptions


Internet Security Systems (http://www.iss.net) has released a scan tool to
check for the MS03-026 patch on Windows servers.  I've downloaded and run
this tool, command-line only, on my servers and it reports correctly that
they are patched.  Running a scan on the 35-10.40.x range though yields 5
systems that are not patched.  Not sure if there is a way to track down who
they belong to or not to get them patched.

You can grab the tool here:
http://www.iss.net/support/product_utilities/ms03-026rpc.php

-----------------------------------
Troy D. Murray
Michigan State University
College of Human Medicine
Department of Medicine
Immunohematology and Serology Laboratory
B228 Life Science Building
East Lansing, MI 48824-1034
(E) murrayt5@msu.edu
(P) 517.432.3545
(F) 517.353.5436
(W) http://msuhla.chm.msu.edu
MSN: troymurray@hotmail.com
AIM: troymurray72

-----Original Message-----
From: owner-msusec@list.msu.edu [mailto:owner-msusec@list.msu.edu] On Behalf
Of Joe Budzyn
Sent: Tuesday, August 05, 2003 8:56 AM
To: msusec@list.msu.edu
Subject: Microsoft RPC DCOM exploit descriptions


The following exploit descriptions are from the fine folks at Purdue
University.  These computers were hacked using the Microsoft RPC DCOM
vulnerability.

I have seen at least one machine on our campus that matches Variant #1 so
far.  Please keep in mind that even if a computer does not match either
variant below, it may still be hacked.

As with any sort of post-hacking recovery, please use caution.  The
instructions involve steps which may damage an installed operating system. I
have not tried to recover a computer with these instructions and can make no
guarantees.

Joe Budzyn
--
Joe Budzyn
Michigan State University - Incident Response Team
Phone: (517) 355-4500 x162
http://www.security.msu.edu
abuse@msu.edu



Exploit Variants:
--------------------------------------------------------------------------------
Variant 1

The following file is uploaded to vulnerable systems:

 %WINDIR%\system32\NX.EXE

This file is a Paquet Builder self-executing (SFX) file.
When executed on the compromised machine, the SFX creates the following file
structure:

 %WINDIR%\system32\qossrv
     - - v1.0D (Haley) -
     - aysshell.exe
     - cdir.txt
     - csrss.exe
     - FireDeamon.exe
     - libeay32.dll
     - mswinsck.ocx
     - pskill.exe
     - secure.exe
     - ServUPerfCount.dll
     - setup.bat
     - ssleay32.dll
     - wget.exe
     - WinExplorer.dll
     - winmgnt.exe

After uncompressing these files, the SFX file is instructed to launch the
file %WINDIR%\system32\qossrv\SETUP.BAT to install additional files and
services, as well as reconfigure DCOM.  Even though SETUP.BAT runs from the
command line, it is not seen by the user.

Using the UPX unpacker the content of these files is:

  winmgnt.exe -- Serv-U Mini-FTP server
  csrss.exe   -- pAdmin utility with HTTP and DCC capabilities
  Secure.exe  -- Possibly a secure shell?  No good clues from strings
output.  Appears to reference VBA libraries

After SETUP.BAT executes, the following files can be found:

 %WINDIR%\system32
     - securedcom.reg
     - securedcom.reg.1
 %WINDIR%\system32\qossrv
     - aysinstlog.txt
     - securedcom.reg
     - secure.bat
     - go.bat
     - SystemUptimeLog.ocx

In addition, three services are installed using aysshell.exe. This is a
utility by Prism Microsystems called At Your Service that allows a user to
easily run almost any executable file or script as a service.  Information
on this product can be found at:

(http://www.prismmicrosys.com/atyourservice/atyourservice-index.htm)

This is used to launch csrss.exe, secure.exe, and winmgnt.exe as system
services.  The services, which can be viewed in the Services Console in Windows
2000 or Windows XP, are as follows:

     "NTF"    (this is WINMGNT.EXE)
     "NTP"    (this is CSRSS.EXE)
     "NTS"    (this is SECURE.EXE)

WINMGNT.EXE is the executable for ServU-FTP.  ServU-FTP is popular for this,
as it is compact, and easily portable from machine to machine.  It listens
on ports 5555 and 48522.  Checking for connections on these ports is also
recommended.

What calls GO.BAT or SECURE.BAT is undetermined, but both of these batch
files simply import the securedcom.reg into the local registry.  This
disables the DCOM service.

After this is complete, the "Computer Browser" and "Server" services are no
longer running.  They can be manually started, but do not run as expected on
system boot up.

How to clean machines infected with variant 1:

Stop the Services:
     Net Stop "NTP"
     Net Stop "NTS"
     Net Stop "NTF"

Unregister the OCX Files:
     regsvr32 /u /s %WINDIR%\system32\qossrv\mswinsck.ocx
     regsvr32 /u /s %WINDIR%\system32\qossrv\systemuptimelog.ocx

Delete the Files:
     del %WINDIR%\system32\nx.exe
     del %WINDIR%\system32\securedcom.reg
     del %WINDIR%\system32\securedcom.reg.1
     del %WINDIR%\system32\qossrv\*.*

Remove the Directory:
     rd /s /q %WINDIR%\system32\qossrv

Delete the Registry Value:
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NTLDM

Delete the Registry Keys:
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTF
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTP
     HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTS
     HKLM\SYSTEM\CurrentControlSet\Services\NTF
     HKLM\SYSTEM\CurrentControlSet\Services\NTP
     HKLM\SYSTEM\CurrentControlSet\Services\NTS

        Note :  Some registry entries may be installed with special
permissions so that only the SYSTEM has full control. To remove them, right
click on the entry, click permissions, and give everyone full control.  You
will then be able to delete them.

Modify the following Registry Key:
     HKLM\Software\Microsoft\Ole\EnableDCOM=Y

Restart the Services:
     NET START "Server"
     NET START "Computer Browser"

--------------------------------------------------------------------------------

Variant 2

The services created by variant 2 are TCPIPenum, NTLMsDB, and IPconfig.

Payload is installed in WINNT regardless of your actual Windows folder.
Administrators may wish to hand-clean these folders as they may contain
essential items.  Also note that the folders themselves have both the hidden
and system attributes. You may need deltree, which is included in the cleanup
package in case you don't already have it.

The following files must be deleted:

C:\WINNT\system32\config\aysshell.exe
C:\WINNT\system32\dhcp\csrsslsrms.dll
C:\WINNT\system32\dhcp\explorer.exe
C:\WINNT\system32\dhcp\fport.exe
C:\WINNT\system32\dhcp\igfxtray.exe
C:\WINNT\system32\dhcp\nc.exe
C:\WINNT\system32\dhcp\ntlmconf.dll
C:\WINNT\system32\dhcp\pskill.exe
C:\WINNT\system32\dhcp\pslist.exe
C:\WINNT\system32\dhcp\rar.exe
C:\WINNT\system32\dhcp\reg.exe
C:\WINNT\system32\dhcp\rmns.exe
C:\WINNT\system32\dhcp\service.exe
C:\WINNT\system32\dhcp\SystemUptimeLog.ocx
C:\WINNT\system32\dhcp\tlister.exe
C:\WINNT\system32\dhcp\wget.exe
C:\WINNT\system32\dhcp\winexplorer.dll
C:\WINNT\system32\dhcp\home\tar.exe
C:\WINNT\system32\restore\binary.gif
C:\WINNT\system32\restore\compressed.gif
C:\WINNT\system32\restore\csrss.exe
C:\WINNT\system32\restore\del.gif
C:\WINNT\system32\restore\dir.gif
C:\WINNT\system32\restore\folder.open.gif
C:\WINNT\system32\restore\image1.gif
C:\WINNT\system32\restore\image2.gif
C:\WINNT\system32\restore\movie.gif
C:\WINNT\system32\restore\MSWINSCK.OCX
C:\WINNT\system32\restore\pdf.gif
C:\WINNT\system32\restore\pskill.exe
C:\WINNT\system32\restore\reg.exe
C:\WINNT\system32\restore\script.gif
C:\WINNT\system32\restore\service.exe
C:\WINNT\system32\restore\sound2.gif
C:\WINNT\system32\restore\tar.gif
C:\WINNT\system32\restore\text.gif
C:\WINNT\system32\restore\unknown.gif
%windir%\system32\securedcom.reg
%windir%\system32\wge.exe

The following registry entry must be removed:

Registry Value:

HKEY_LOCAL_MACHINE\software\microsoft\windows\current_version\run\QoSsrv
(runs %windir%\system32\restore\csrss.exe)

Registry Keys:

HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\root\legacy_tcpipenum
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\root\legacy_ntlmsdb
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\ipconfig
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\TCPIPenum
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\NTLMsDB
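The detection and cleanup steps for both variants, gathered into one script as an added example; this is not part of the original post and is not Purdue's or MSU's tooling. It assumes it is run from an elevated PowerShell prompt on the suspect host. The service names, file paths, Run values, registry keys and ports are the ones listed in the two variant descriptions; the -Remove switch, the netstat-based check for the Serv-U listeners, and the hit list format are this script's own additions. It goes slightly beyond the post in one respect: it also unregisters the Variant 2 copies of the OCX files before deleting them, which the text only does for the Variant 1 qossrv copies.

```powershell
# Triage and cleanup of the MS03-026 post-exploitation artifacts described above.
# Added example, not part of the original post. Assumes an elevated PowerShell on
# the suspect host. Indicator names, paths, keys and ports come from the post;
# the -Remove switch and the netstat listener check are this script's additions.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$sys32  = Join-Path $env:WINDIR 'system32'
$qossrv = Join-Path $sys32 'qossrv'
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# --- Indicators (Variant 1 and Variant 2) ---
$services  = 'NTF', 'NTP', 'NTS', 'TCPIPenum', 'NTLMsDB', 'IPconfig'
$runValues = 'NTLDM', 'QoSsrv'
$ports     = 5555, 48522      # Serv-U (winmgnt.exe) listeners from Variant 1
$files = @(
    (Join-Path $sys32 'nx.exe'), (Join-Path $sys32 'securedcom.reg'),
    (Join-Path $sys32 'securedcom.reg.1'), (Join-Path $sys32 'wge.exe')
)
# Variant 2 drops into C:\WINNT regardless of %WINDIR%. dhcp\ and restore\ can be
# legitimate folders, so only the listed files are removed, never the folders.
$variant2 = @{
    'C:\WINNT\system32\config'  = 'aysshell.exe'
    'C:\WINNT\system32\dhcp'    = 'csrsslsrms.dll', 'explorer.exe', 'fport.exe', 'igfxtray.exe',
                                  'nc.exe', 'ntlmconf.dll', 'pskill.exe', 'pslist.exe', 'rar.exe',
                                  'reg.exe', 'rmns.exe', 'service.exe', 'SystemUptimeLog.ocx',
                                  'tlister.exe', 'wget.exe', 'winexplorer.dll', 'home\tar.exe'
    'C:\WINNT\system32\restore' = 'binary.gif', 'compressed.gif', 'csrss.exe', 'del.gif', 'dir.gif',
                                  'folder.open.gif', 'image1.gif', 'image2.gif', 'movie.gif',
                                  'MSWINSCK.OCX', 'pdf.gif', 'pskill.exe', 'reg.exe', 'script.gif',
                                  'service.exe', 'sound2.gif', 'tar.gif', 'text.gif', 'unknown.gif'
}
foreach ($dir in $variant2.Keys) { foreach ($f in $variant2[$dir]) { $files += Join-Path $dir $f } }
$keys = @('NTF', 'NTP', 'NTS', 'TCPIPENUM', 'NTLMSDB' | ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$_" }) +
        @($services | ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" })

# --- Detection ---
$hits = New-Object System.Collections.Generic.List[string]
foreach ($s in $services) {
    if (Get-Service -Name $s -ErrorAction SilentlyContinue) { $hits.Add("service $s") }
}
foreach ($f in ($files + $qossrv)) {
    if (Test-Path -LiteralPath $f) { $hits.Add("file $f") }   # Test-Path also sees hidden/system files
}
foreach ($v in $runValues) {
    $p = Get-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue
    if ($p) { $hits.Add("run value $v = $($p.$v)") }
}
foreach ($k in $keys) { if (Test-Path -Path $k) { $hits.Add("registry key $k") } }
# securedcom.reg switches DCOM off; the post restores EnableDCOM=Y
$ole = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -ne 'Y') { $hits.Add("EnableDCOM = $($ole.EnableDCOM)") }
# netstat rather than Get-NetTCPConnection so this also runs on older hosts
$pattern = 'TCP\s+\S+:(' + ($ports -join '|') + ')\s+\S+\s+LISTENING'
foreach ($m in (netstat -ano | Select-String -Pattern $pattern)) { $hits.Add('listener ' + $m.Line.Trim()) }

if ($hits.Count -eq 0) { Write-Output 'No Variant 1/2 artifacts found.'; return }
$hits | ForEach-Object { Write-Output "FOUND: $_" }
if (-not $Remove) { return }

# --- Cleanup, in the post's order: stop, unregister, delete, registry, restart ---
foreach ($s in $services) {
    if ((Get-Service -Name $s -ErrorAction SilentlyContinue) -and $PSCmdlet.ShouldProcess($s, 'Stop service')) {
        Stop-Service -Name $s -Force
    }
}
$ocx = @((Join-Path $qossrv 'mswinsck.ocx'), (Join-Path $qossrv 'SystemUptimeLog.ocx')) +
       @($files | Where-Object { $_ -like '*.ocx' })      # the post only unregisters the qossrv copies
foreach ($o in $ocx) {
    if ((Test-Path -LiteralPath $o) -and $PSCmdlet.ShouldProcess($o, 'regsvr32 /u /s')) { & regsvr32.exe /u /s $o }
}
foreach ($f in ($files + $qossrv)) {
    if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete')) {
        Remove-Item -LiteralPath $f -Recurse -Force    # -Force is needed for hidden/system items
    }
}
foreach ($v in $runValues) {
    if ($PSCmdlet.ShouldProcess("$runKey\$v", 'Remove value')) {
        Remove-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue
    }
}
# These keys may be ACL'd so that only SYSTEM has access (see the note above);
# if removal fails, grant yourself access in regedit and re-run.
foreach ($k in $keys) {
    if ((Test-Path -Path $k) -and $PSCmdlet.ShouldProcess($k, 'Remove key')) {
        Remove-Item -Path $k -Recurse -Force
    }
}
if ($PSCmdlet.ShouldProcess('HKLM\Software\Microsoft\Ole\EnableDCOM', 'Set to Y')) {
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Ole' -Name EnableDCOM -Value 'Y'
}
foreach ($s in 'LanmanServer', 'Browser') {   # service names for "Server" and "Computer Browser"
    if ($PSCmdlet.ShouldProcess($s, 'Start service')) { Start-Service -Name $s -ErrorAction SilentlyContinue }
}
```

Run it without arguments to get a report only; `-Remove -WhatIf` prints every change it would make without touching the host, and `-Remove` performs the cleanup. Keep the post's own caveat in mind: a host that shows none of these indicators may still be compromised, and a host that does show them has been running attacker-supplied services, so the script is a triage aid, not a substitute for rebuilding the machine and applying the MS03-026 patch.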
