reply to NetWatchMan
Re: Defcon5? Impact if(when) Dcom worm released?
I love numbers, as they can tell a pretty good story about what is going to happen, so when I see someone say 20 - 40% of systems are vulnerable I have to check for myself. So I scanned a number of systems at random from around the world to find out for myself about what percentage of systems are vulnerable, using a simple eEye type scan.
Total Systems scanned (don't be surprised if my IP address shows up in myNetWatchman or DShield)
346 - 26.99%
738 - 57.57%
Total Not Vulnerable for other reasons (Windows 9x/ME, DCOM disabled, etc)
198 - 15.44%
It would appear that the far east is going to get whacked again, as they tend to have the higher percentages of vulnerable systems (if you're outsourcing anything in India, might I suggest placing a call to them to see if they have patched against this impending attack, as I would have my doubts).
Is this going to be bad when it goes out there? Of course, but just how bad? It depends on who releases it and what their goal is. My fear is this vul has been published and enough is publicly known about it to let the psychos into the game, so there is a higher chance that this worm could be more destructive than previous mass worms, which tended to be more of a propagation threat than anything.
I published my prediction about this earlier here »Re: Experts see a Web Attack coming?
I should add that I did come across some ISPs which are already filtering TCP port 135.
Propagation speed of this worm is going to be in the area of 5 systems per second (a little slower than Opaserv), but given the number of vulnerable systems it will still tax the internet to the point where large areas of it will collapse (get the wire cutters ready again for the far east, Korea, China, Taiwan, India, as they will bomb the rest of the internet with tons of traffic and will be slow to respond to the attack, etc., so cutting the cable to the far east might be part of the global response plan).
[text was edited by author 2003-08-11 03:43:38]
>Total Not Vulnerable for other reasons (Windows 9x/ME
Are you sure about that? I have W98SE with port 135 suddenly open (has always been closed until about a week ago) due to something activating DCOM. I have closed the port each time I boot via the Process Viewer in Trojan Hunter (which I am trialing) by terminating RPCss.exe.
"Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Viktor Frankl - Man's Search for Meaning
quote: from »grc.com/default.htm
Around the Internet, system administrators report strange "rebooting" of their Windows systems as they are being taken over remotely, and many firewall watchers report a jump in scans for port 135.
there is some more info there also.
maybe it's time for that simple little nat router you always wanted
think about it....the democratic party wants to be your MOTHER.....the republicans want to be your FATHER
reply to Mele20
I also was concerned about RPCss.exe on my 98se machine. Several weeks ago I moved the file to My Documents and it doesn't show up as a running process. I don't know how wise this was but I have not experienced any problem with the move and it can be easily restored to the system folder if problems arise.