
Remote tool attacks Windows servers

Published: 04 Aug 2003 08:55 BST


Online vandals are using a program to compromise Windows servers and remotely control them through Internet relay chat (IRC) networks, system administrators said on Saturday.

Several programs, including one that exploits a recent vulnerability in computers running Windows, have been cobbled together to create a remote attack tool. The tool takes commands from an attacker through the IRC networks and can scan for and compromise computers vulnerable to the recently discovered flaw in Windows.

Files left behind on a compromised server by the suspected worm were posted to a security mailing list. Computer security company Symantec analysed the files and determined that what was first thought to be a worm was actually an attack program.

"Based on our analysis, the threat does not appear to be a worm," said Oliver Friedrichs, senior manager for Symantec's security response team. "It doesn't go and try to spread." Friedrichs was in Las Vegas attending the Black Hat Briefings and DefCon hacking conferences.

The ability to spread automatically is the hallmark of a computer worm. The collection of programs that Symantec analysed is a tool that compromises computers and is referred to as an autorooter. It also acts like an IRC bot, listening to specific channels on the chat network and taking commands from attackers via IRC.

The initial post describing what security researchers thought might be a worm appeared at 10 a.m. (PDT) on Saturday on the Full-Disclosure security list.

The tool consists of six files that work together to find vulnerable systems and attack them. Ever since the Windows flaw was announced, security researchers widely expected a worm to be written to exploit it. The IRC bot is one step removed from a worm and less disruptive.

This bot compromises computers using a flaw that Microsoft warned the public about on 16 July.

The flaw is in the distributed component object model (DCOM) interface, a part of the OS that allows other computers to request the system to perform an action or service. The object, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the DCOM interface, an attacker can cause the system to grant full access to the computer.

A week ago, hackers from the Chinese X-Focus security group publicly posted a program to several security lists designed to allow an intruder to use the vulnerability to break into Windows computers. The Windows flaw has been characterised by some security experts as the most widespread ever found in Windows. In the past week, security researchers and hackers have been refining the exploit code.

That program is one of the six that make up the tool. The files include rpc.exe, rpctest.exe, tftpd.exe, worm.exe, lolx.exe and dcomx.exe. Although one of the programs sports the name "worm.exe," the resulting set of files is not a worm, because it doesn't spread automatically, Friedrichs said.

Symantec was still analysing the files late on Saturday, but judging from the names of the files, the tool can search for vulnerable computers via RPC and, when it finds a target, exploit the system with dcomx.exe. The Trivial FTP server, tftpd, allows files to be transferred to the new host, and lolx is likely to be the component that allows attackers to communicate with the system via IRC.
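The sequence the article describes (RPC exploitation, a TFTP transfer of the tool's files onto the new host, then an IRC connection to take commands) is what a defender would look for in network flow records. The following is an added example, not code from the article or from Symantec, that correlates those three stages per host over constructed flow records; the port numbers (TCP 135 for the RPC endpoint mapper, UDP 69 for TFTP, TCP 6660-6669 for IRC) are standard service ports not named in the article and are an assumption of this example.

```python
from collections import defaultdict

# Constructed sample flow records (timestamp in seconds, src, dst, proto,
# destination port). They are illustrative and not taken from the article.
SAMPLE_FLOWS = [
    (100, "203.0.113.9", "10.0.0.5", "tcp", 135),    # inbound RPC/DCOM connection
    (130, "10.0.0.5", "203.0.113.9", "udp", 69),     # host fetches files via TFTP
    (160, "10.0.0.5", "198.51.100.7", "tcp", 6667),  # host joins IRC for commands
    (105, "203.0.113.9", "10.0.0.6", "tcp", 135),    # scanned host, no follow-up
    (400, "10.0.0.8", "198.51.100.7", "tcp", 6667),  # IRC use without prior RPC
]

# Assumed standard ports for the three stages described in the article.
RPC_PORT, TFTP_PORT, IRC_PORTS = 135, 69, range(6660, 6670)


def detect_autorooter_sequence(flows, window=600):
    """Return {host: [rpc_ts, tftp_ts, irc_ts]} for every host that shows the
    full inbound-RPC -> outbound-TFTP -> outbound-IRC chain within `window`
    seconds of the first inbound RPC connection."""
    by_dst = defaultdict(list)  # flows where the host is the destination
    by_src = defaultdict(list)  # flows where the host is the source
    for rec in sorted(flows):   # tuples sort by timestamp first
        by_dst[rec[2]].append(rec)
        by_src[rec[1]].append(rec)

    victims = {}
    for host, inbound in by_dst.items():
        rpc_hits = [r[0] for r in inbound if r[3] == "tcp" and r[4] == RPC_PORT]
        if not rpc_hits:
            continue                      # never touched on the RPC port
        t_rpc = rpc_hits[0]
        deadline = t_rpc + window
        outbound = by_src.get(host, [])
        # Stage 2: the exploited host pulls files back over TFTP.
        t_tftp = next((r[0] for r in outbound
                       if r[3] == "udp" and r[4] == TFTP_PORT
                       and t_rpc <= r[0] <= deadline), None)
        if t_tftp is None:
            continue
        # Stage 3: the host then connects out to an IRC server for commands.
        t_irc = next((r[0] for r in outbound
                      if r[3] == "tcp" and r[4] in IRC_PORTS
                      and t_tftp <= r[0] <= deadline), None)
        if t_irc is None:
            continue
        victims[host] = [t_rpc, t_tftp, t_irc]
    return victims
```

Requiring all three stages in order keeps a plain port scan (10.0.0.6) and ordinary IRC use (10.0.0.8) from raising an alert, while the host that completed the chain (10.0.0.5) is reported with the timestamps of each stage.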
