Fixing The MS RPC Vulnerability

peace_on_earth
July 17th, 2003, 05:52 PM
With all of the "new" RPC exploits surfacing, I thought I would share a few simple tips on how to protect yourself.

I will be pointing out how to prevent RPC port 135 from listening, by applying a few simple registry tweaks. I will also explain how to disable SMB port 445 from listening by disabling NetBT.

All of these tweaks are geared towards the average home user running WinXP Home. If you are unsure whether you need these services/ports to be running, then please just download the patch below. Also make sure that you make a backup of your registry before attempting these tweaks!

If you feel more comfortable, you may visit: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp to download the patch to correct this RPC Buffer Overflow Exploit. Also make sure that all other security patches have been downloaded. You can check which MS patches have been installed by navigating to the Control Panel>Add/Remove Programs and look for any HotFixes along with their HotFix Reference IDs that were installed. You may then do a search on Microsoft's site or on Google, to see which patches these HotFix codes correspond to.

Above all, the first step (if you haven't already) is to install a reliable firewall. Also, make sure that this firewall is properly configured. You can find numerous tutorials explaining how to do this here on AO, just conduct a search.

A properly configured firewall will protect you from a majority of attacks, but if all else fails (and I'm hoping it doesn't) these tweaks will ensure that some of the more vulnerable ports are closed.

With all of this in mind, let's continue...

First open up regedit by going to Start>Run>and typing in regedit and clicking OK.

Next, backup your registry by going to File>Export>then type in an appropriate name and make sure the export range option is set to All. Then click on Save.

This first tweak will disable DCOM. Port 135 listens for remote activation requests of COM objects. A lot of programs have support for Distributed Communication (DCOM), but scarcely ever use it.

Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

Look on the right-hand panel for a value named EnableDCOM. By default it should be set at Y, change this to N. This will disable DCOM.

WinXP Pro users may configure DCOM by simply going to Start>Run>and typing in C:\WinNT\System32\Dcomcnfg.exe and clicking OK.

This next tweak will prevent DCOM from using IP based RPC protocol sequences.

Next, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc

Look on the right-hand panel for a value named DCOM Protocols. Do not modify the entire value, but instead only remove ncacn_ip_tcp from the DCOM Protocols value, and leave everything else untouched.

The next tweak will close port 445 by disabling NetBT.

Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Look on the right-hand panel for a value named TransportBindName. By default it should be set at \Device\. Delete the value named \Device\, so that TransportBindName remains empty.

Restart your computer after you have applied these tweaks. If something doesn't function properly, simply open up regedit and go to File>Import and import the backed-up registry file that you made earlier, and your registry will be returned to its earlier state.
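
The procedure above, scripted, as an added example that is not part of the original post: it reads each of the three values, exports the key with reg.exe before touching it, writes the hardened data (removing only ncacn_ip_tcp from DCOM Protocols, exactly as the post says), and then parses `netstat -an` to confirm whether TCP 135 and 445 are still listening. Assumptions: Windows, Python 3 (the standard `winreg` module), reg.exe on PATH, and an elevated prompt for the write step; the `netstat` text embedded below is constructed, not a real capture. The tweaks only take effect after a reboot, and, as the post itself says, they are a mitigation alongside the MS03-026 patch, not a replacement for it.

```python
"""Script the three registry tweaks from the post and verify the result.

Added example, not from the original post. Assumptions: Windows, Python 3
(``winreg``), reg.exe on PATH for the per-key backup, and an elevated
prompt for --apply. The parsing helpers are platform-independent.
"""
import re
import subprocess
import sys
from datetime import datetime

IP_SEQUENCE = "ncacn_ip_tcp"   # the RPC-over-TCP/IP protocol sequence the post removes
TARGET_PORTS = {135, 445}      # RPC endpoint mapper and direct-hosted SMB


def harden_dcom_protocols(protocols):
    """Return DCOM Protocols (a REG_MULTI_SZ, i.e. a list of strings) with
    only ncacn_ip_tcp removed; every other entry and its order is kept."""
    return [p for p in protocols if p.strip().lower() != IP_SEQUENCE]


# The three edits from the post: subkey under HKLM, value name, and how to
# derive the hardened data from the current data.
TWEAKS = [
    (r"SOFTWARE\Microsoft\Ole", "EnableDCOM", lambda _old: "N"),
    (r"SOFTWARE\Microsoft\Rpc", "DCOM Protocols", harden_dcom_protocols),
    (r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters", "TransportBindName", lambda _old: ""),
]

# Constructed `netstat -an` output (not a real capture): before the tweaks
# 135 and 445 listen on all interfaces; afterwards only NetBIOS 139 remains.
SAMPLE_NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      64.233.161.99:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      64.233.161.99:80       ESTABLISHED
"""


def listening_tcp_ports(netstat_text):
    """Parse `netstat -an` output and return the set of TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def still_exposed(netstat_text):
    """Which of the ports the post targets are still listening (sorted list)."""
    return sorted(TARGET_PORTS & listening_tcp_ports(netstat_text))


def _edit_value(subkey, name, compute_new, dry_run):
    """Read one value; in apply mode back the key up with reg.exe and write it."""
    import winreg  # Windows only; imported here so the helpers above run anywhere
    access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_SET_VALUE)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access) as key:
        old, reg_type = winreg.QueryValueEx(key, name)
        new = compute_new(old)
        if not dry_run and new != old:
            backup = f"HKLM_{name.replace(' ', '_')}_{datetime.now():%Y%m%d-%H%M%S}.reg"
            subprocess.run(["reg", "export", "HKLM\\" + subkey, backup], check=True)
            winreg.SetValueEx(key, name, 0, reg_type, new)
    return subkey, name, old, new


def apply_tweaks(dry_run=True):
    """Plan (dry_run) or apply all three tweaks; returns (subkey, name, old, new) per value."""
    return [_edit_value(subkey, name, fn, dry_run) for subkey, name, fn in TWEAKS]


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Registry edits need Windows; demonstrating the netstat check on the sample:")
        print("exposed before:", still_exposed(SAMPLE_NETSTAT_BEFORE), "after:", still_exposed(SAMPLE_NETSTAT_AFTER))
    else:
        for subkey, name, old, new in apply_tweaks(dry_run="--apply" not in sys.argv):
            print(f"{name}: {old!r} -> {new!r}")
        live = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
        print("still exposed (reboot before trusting this):", still_exposed(live))
```

Run it without arguments first: it only reads and prints what would change. Pass `--apply` from an elevated prompt to write, and keep the generated `.reg` files; double-clicking one restores that key if something breaks, which is the same rollback the post describes with regedit's File>Import.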

Algaen
July 17th, 2003, 11:50 PM
You can check which MS patches have been installed by navigating to the Control Panel>Add/Remove Programs and look for any HotFixes along with their HotFix Reference IDs that were installed. You may then do a search on Microsoft's site or on Google, to see which patches these HotFix codes correspond to.

I just wanted to add that if you go to Windows Update, under the Other Options menu on the left, you can click on View Installation History to get a list of installed fixes and what they fixed. This is easier than looking in Add/Remove Programs, then checking the MS web-site for fix info.

Good job peace_on_earth!!

Pecosian
July 18th, 2003, 06:36 PM
Yeah, nice and informative.

Just to add a word of warning for those of you who want to disable RPC: I disabled it to see if I could get by without it, and PGP could no longer work, nor could ICQLite, and I had to restore the services via editing the registry, as the Win2k Services under Control Panel would not show me any properties.

If you have a Microsoft OS that is still supported, then you simply need to open Windows Update and anything not installed should appear when you scan for updates. If you happen to be using Win9x (and I think both 98 and 98SE have been discontinued), then you have to manually check which hotfixes you have installed and download them. I've recently done work on a few WinME systems at my work and Windows Update is still supported for that, so anything newer should still work. I forget where I read the actual time frames, but they list the amount of time that Windows Update will continue to work, along with when they stop selling, and I'm not sure but I believe they will stop giving customer service as well after a certain number of years.

Summer
July 21st, 2003, 09:09 PM
Thanks peace_on_earth - very informative indeed.

infosecguru2
July 21st, 2003, 09:21 PM
easy fix: Linux.

warl0ck7
August 14th, 2003, 08:03 AM
Hi everyone,

There is also a very simple solution for systems not running as servers. Disable the Server service in Control Panel > Administrative Tools > Services.msc.
Note: you won't be able to monitor shares etc. if the Server service is disabled.

also see CERT advisory CA-2003-20 and www.cert.org/tech_tips/w32_blaster.html

mark_boyle2002
August 14th, 2003, 11:06 AM
Opinions.

I think fire should be fought with sand. "It's irritating to start with but solves the problem."

What about another worm that reaches its destination then seals the exploit by downloading and running the patch/update?

warl0ck7
August 14th, 2003, 11:40 AM
Heh Heh! mark

I don't think sand is a good option for fire. The fire should not be there in the first place, as that would minimise the damages. Also your proposed worm will not do anything more useful than choking bandwidth and hence performing a DoS attack, hope you get it :D

mark_boyle2002
August 14th, 2003, 02:47 PM
Since I'm being scanned every few seconds here by varying IP addresses I take it this is now beyond a joke.

Since most of the people infected will presume that nothing is wrong and keep logging into the internet this will go on for ages.

If someone who were to remain nameless were to write a non-replicating script which checked IPs for the exploit then sealed the hole using another technique which shall remain nameless, would this person be a hero or a criminal?

Opinions please

warl0ck7
August 14th, 2003, 03:13 PM
Mark, the point and opinion is that you are just being non-practical and trying to push your thougths with sentiments and not reason. :D

mark_boyle2002
August 14th, 2003, 03:23 PM
The reason: everyone is infected with some nasty turd of a virus, which is slowing down everything and creating huge log files in all my firewalls.

My thoughts:

These people need help and help desks everywhere are jammed up with people too thick to google for it.

It would be easy to scan a range of IPs if someone were to put together a little tool to do so and check for the exploit and repair it where it is found.

Other Thoughts
Strawberry Cheese Cake Kicks Ass

hehe Warlock trying to use complex sentence structure and criticise my motives, then misspelling "Thoughts"

Closing Thought.
It was just an idea.

Forgot to mention

http://www.seton.co.uk/perl/product.pl?productid=106

Since you clearly didn't understand what I ment with the sand thing, warlock: it was metaphorical.

P.P.S. I know I misspelled "meant" but that was intentional, honest
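
A detection-side example added here (not from the thread): mark_boyle's complaint is that the firewall logs are full of 135 probes from ever-changing addresses, so this summarises that activity from a Windows XP Internet Connection Firewall log (pfirewall.log, W3C extended layout; the parser keys off the #Fields header, so any log with such a header works). The log excerpt is constructed, not real traffic, and the host address is assumed. The port roles come from the CERT advisory CA-2003-20 that warl0ck7 linked above: TCP/135 for the exploit, TCP/4444 for the shell the worm opens, UDP/69 for the TFTP fetch of msblast.exe.

```python
"""Summarise Blaster-style scanning in an XP Internet Connection Firewall log.

Added example, not from the thread. Input is a constructed pfirewall.log
excerpt in the W3C extended layout (the parser keys off the #Fields line,
so real logs with the same header parse too). Port roles follow CERT
CA-2003-20: TCP/135 exploit, TCP/4444 remote shell, UDP/69 TFTP fetch.
"""
from collections import Counter

HOST_IP = "192.168.1.10"   # the machine whose firewall wrote the log (assumed)

# Constructed sample: two sources probe 135 repeatedly, one of them goes on
# to reach 4444 and the host then pulls a file over TFTP from it.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-14 15:20:01 DROP TCP 66.12.33.9 192.168.1.10 1324 135 48 S 812345 0 16384 - - -
2003-08-14 15:20:03 DROP TCP 24.8.100.77 192.168.1.10 3001 135 48 S 1230 0 65535 - - -
2003-08-14 15:20:04 DROP TCP 66.12.33.9 192.168.1.10 1325 135 48 S 812346 0 16384 - - -
2003-08-14 15:20:09 OPEN TCP 66.12.33.9 192.168.1.10 1326 4444 - - - - - - - -
2003-08-14 15:20:10 OPEN UDP 192.168.1.10 66.12.33.9 1029 69 - - - - - - - -
2003-08-14 15:20:15 DROP TCP 203.0.113.5 192.168.1.10 4412 135 48 S 555 0 8192 - - -
2003-08-14 15:21:40 OPEN TCP 192.168.1.10 64.233.161.99 1042 80 - - - - - - - -
2003-08-14 15:22:02 DROP TCP 24.8.100.77 192.168.1.10 3002 135 48 S 1231 0 65535 - - -
"""


def parse_icf_log(text):
    """Turn W3C-style log text into a list of dicts keyed by the #Fields names.
    Other '#' lines are ignored; lines with the wrong column count are skipped
    rather than silently mis-aligned."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def inbound_hits(records, host_ip):
    """Inbound TCP hits on 135 (exploit) and 4444 (shell), counted per source."""
    hits = {135: Counter(), 4444: Counter()}
    for r in records:
        if r["protocol"] == "TCP" and r["dst-ip"] == host_ip:
            port = int(r["dst-port"])
            if port in hits:
                hits[port][r["src-ip"]] += 1
    return hits


def peak_scan_rate(records, host_ip):
    """Highest number of TCP/135 probes seen in any one minute."""
    per_minute = Counter(r["time"][:5] for r in records
                         if r["protocol"] == "TCP" and r["dst-ip"] == host_ip
                         and r["dst-port"] == "135")
    return max(per_minute.values(), default=0)


def outbound_tftp_peers(records, host_ip):
    """Addresses this host contacted on UDP/69: where an exploited shell fetches the worm from."""
    return {r["dst-ip"] for r in records
            if r["protocol"] == "UDP" and r["src-ip"] == host_ip and r["dst-port"] == "69"}


def compromise_suspects(records, host_ip):
    """Heuristic: a source that reached 4444 *and* was then used as a TFTP
    server by this host fits the Blaster sequence, so the host likely ran the shell."""
    hits = inbound_hits(records, host_ip)
    return sorted(set(hits[4444]) & outbound_tftp_peers(records, host_ip))


def report(text, host_ip=HOST_IP):
    """One-shot summary for a log file's contents."""
    records = parse_icf_log(text)
    hits = inbound_hits(records, host_ip)
    return {
        "distinct_scanners": len(hits[135]),
        "probes_135": sum(hits[135].values()),
        "peak_per_minute": peak_scan_rate(records, host_ip),
        "shell_probes_4444": sorted(hits[4444]),
        "suspected_compromise_via": compromise_suspects(records, host_ip),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real pfirewall.log by reading the file into `report()`. The 135 counts on their own only say the box is being scanned, which on a broadband link during this outbreak is the normal background; the item worth acting on is `suspected_compromise_via`, since a 4444 connection followed by an outbound TFTP to the same address means the exploit got through and the machine needs the patch and a cleanup, not just a firewall rule.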

RoadClosed
August 14th, 2003, 03:33 PM
Mark wants to be the Cyber Robin Hood of sorts :) Sounds good to me, but if it fixes the hole, doesn't that limit it from propagating? Since we are discussing the hypothetical: cherry cheesecake over RuleZ. :D

sickyourIT
August 14th, 2003, 03:40 PM
mark >> this person would be somewhat likened to Batman: stopping crimes as/before they start, yet remaining nameless. Someone would assume the person is doing a bad thing and attempting to DoS, or something. People get freaked out when that activity light on the cable modem blinks.

On the other hand, it would be extremely interesting, and good-will based, like helping old ladies across the street: a good-guy hacker protecting against bad-guy hackers.

mark_boyle2002
August 14th, 2003, 03:41 PM
Theoretically this would seal all top level IPs which would reduce the traffic being sent to me.

Not really robin hood. I'm just sick of my log file being longer than my , well something pretty long anyway.

Tiger Shark
August 14th, 2003, 03:53 PM
Mark: While I am down with the idea, I gotta say that looking at the practicalities it's not feasible.

MSBlaster.exe = 7kb and the scanning and downloading has made a noticeable slowdown in my region - let's talk log files..... :mad:

WINXP patch = 1.28mb...... Now that's what I call DENIAL OF SERVICE...... ;)

bballad
August 14th, 2003, 03:58 PM
Mark, it's a very bad idea... I just spent (and will spend the rest of my day) fixing the mess that the MS patch created.

mark_boyle2002
August 14th, 2003, 03:59 PM
Difference being that it only has to download once, and all these people should be busy doing it themselves.

Damn, I never thought of that. I know. It could connect to the machine remove the msblast and variants.

I could let it go and we could have a chimera vs balerafon type fight to see who wrote their code better.

No, damn it, that's just as bad. Hmmm, what if I just patch the registry and leave a desktop shortcut to the download and a msg box telling them of the exploit, signed The Cyberhood

FiLe_MaN
November 30th, 2003, 08:23 AM
OMG, I'll thank God for MSBlaster. This way Billsoft releases some patch. Please keep on programming some worms for the masses. That helps.

FallenZen
November 30th, 2003, 04:34 PM
In the digital age there is a fine line between hero and criminal.

I'd like to see the aforementioned nameless person make a worm of that nature work without choking too much bandwidth. Would be nice to see.