Message-ID: <3F4F8278.9030303@nur.net>
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Authorities eye MSBlaster suspect
morning_wood wrote:
>It seems to me that it is each admin's responsibility, if
>they were affected ( infected ), not the coder. If this were the case, the
>Last Stage (of) Delirium would be the blamed party for developing and releasing the
>exploit, but alas.. they are not of USA origin.
>
LSD presumably developed an exploit internally and never released anything
but a high-level white paper on the vulnerability, concurrent with
the MS KB and patch.
It was the Chinese group that released the first exploit, followed by
an improved version in precompiled form from various sources. Donnie,
you were one of the first posters of the .exe to this list, I think!
A pretty complete timeline of the public life of this vulnerability
until the first worm:
*2003 Evolution of DCOM-RPC Exploit*
For 16 days before the MSBlaster worm made its debut, semi-skilled
attackers were already able to use this vulnerability at will.
*Timeline:*
*July 16*
Microsoft Security Bulletin MS03-026
MS announces bulletin and availability of patches for vulnerability
discovered by LSD, a security research group in Poland.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
LSD makes public announcement of vulnerability, after withholding
disclosure on agreement with Microsoft. The group withholds their
exploit code, due to the serious implications of this as an exploit.
A whitepaper on the vulnerability is publicly released this day.
http://lsd-pl.net/special.html
Announcement of the DCOM-RPC vulnerability is widely distributed in the
security and blackhat communities, including the Full-Disclosure
mailing list.
*July 17*
Official CERT advisory CA-2003-16 is published, formalizing the issue as
CERT VU#568148.
http://www.cert.org/advisories/CA-2003-16.html
The Mitre Corp CVE is updated to include this vulnerability as CVE
candidate CAN-2003-0352.
Network Associates makes their first published bulletin on DCOM-RPC
http://vil.nai.com/vil/content/v_100499.htm
Symantec provides an advisory
http://www.symantec.co.uk/avcenter/security/Content/8205.html
*July 18 - 24*
Discussion of possible methods for exploiting the DCOM-RPC vulnerability
circulates on numerous public discussion boards and mailing lists.
Initial non-functional proof-of-concept code appears by various authors
on the Full-Disclosure mailing list.
*July 21*
Early, working exploits are publicly leaked by various parties, and
circulate on mailing lists.
http://lists.netsys.com/pipermail/full-disclosure/2003-July/006851.html
*July 25*
A working exploit for DCOM-RPC is published for general availability by
Xfocus Team, a "grayhat" research group in the People's Republic of
China. Analysis of the exploit with working code is published on their
site.
http://www.cert.org/advisories/CA-2003-16.html
The Xfocus exploit is refined by HD Moore of the Metasploit Project as
dcom.c. This is the first exploit to give an attacker a working, remote
command shell with escalated privileges against multiple versions of
Windows. Code is published.
http://www.metasploit.com/tools/dcom.c
http://news.com.com/2100-1002_3-5055759.html?tag=fd_top
http://lists.netsys.com/pipermail/full-disclosure/2003-July/007092.html
*July 26*
Compiled, 'ready to run' versions of the Metasploit dcom.c code are made
available on the Internet.
http://lists.netsys.com/pipermail/full-disclosure/2003-July/007103.html
http://illmob.org/rpc/
*July 31*
Stanford University has several networks penetrated by hostile
attackers, probably making use of the Metasploit version of this
exploit. Approximately 2000 individual computers were compromised.
http://securecomputing.stanford.edu/alerts/windows-rpc-update-5aug2003.html
Concurrent attacks, of similar severity and breadth, are announced by MIT
and UC Berkeley. CERT adds an advisory based on exploit and
denial-of-service activity.
http://www.cert.org/advisories/CA-2003-19.html
*August 11*
MSBlaster (W32/Lovesan.worm) makes its first public appearance, adding
unaided, self-replicating exploitation of vulnerable hosts.
http://www.trusecure.com/knowledge/hypeorhot/2003/tsa03011.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://vil.nai.com/vil/content/v_100547.htm
--
Jeremiah Cornelius, CISSP, CCNA, MCSE
farm9.com Security
"Administration for Windows networks is similar to maintaining a 12-year
old GM Truck. Brand new, W2K+3 already has 190K miles of wear."