MS04-011 fixed 14 different vulnerabilities but the two that have received most attention are the PCT and LSASS vulnerabilities. Both have publicly available exploit code and are fairly trivial to automate. You are most likely experiencing traffic caused by the LSASS vulnerability. To successfully exploit this vulnerability either locally or remotely, one has to acquire the handle of a running user session. Remote exploits and worms can only exploit the LSASS vulnerability anonymously by using a NULL session, which is retrieved over the microsoft-ds port 445. It has long been a good practice to disable NULL sessions, and Microsoft has documented how to accomplish this in several Knowledge Base articles: How to Use the RestrictAnonymous Registry Value in Windows 2000 http://support.microsoft.com/?kbid=246261 Restricting information available to anonymous logon users http://support.microsoft.com/?kbid=143474 RestrictAnonymous Access Enabled Lets Anonymous Connections Obtain the Password Policy http://support.microsoft.com/?kbid=129457 The RestrictAnonymous policy can have some impact on functionality in mixed-domain environments, in which case one can set the RestrictAnonymous value to 1 instead of 2, as detailed in the following Knowledge Base articles: The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain http://support.microsoft.com/?kbid=296405 The RestrictAnonymous Value Breaks the Trust in a Mixed-Domain Environment http://support.microsoft.com/?kbid=296403 The PCT vulnerability is exploited over port 443 which have led many to believe that it was intrinsically linked with SSL - it is not, it is a separate protocol and can be separately disabled. (The PCT/SSL confusion gave a dilemma as some production servers naturally rely on SSL but could not implement the patch as it has several functionality regressions). When IIS receives a request for a secure communication channel over port 443 it tries several independent protocols in the following order: PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. Disabling the PCT protocol itself does not impact SSL functionality and can be accomplished by specifying a binary value of 00000000 in the following value: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SC HANNEL\Protocols\PCT 1.0\ServerEnabled This has also been documented in Knowledge Base article 187498 Disable PCT 1.0, SSL 2.0, or SSL 3.0 on IIS http://support.microsoft.com/?kbid=187498 Regards Thor Larholm Senior Security Researcher PivX Solutions 24 Corporate Plaza #180 Newport Beach, CA 92660 http://www.pivx.com thor@pivx.com Stock symbol: (OTCBB:DRIL) Phone: +1 (949) 231-8496 PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. <http://www.pivx.com/qwikfix> -----Original Message----- From: Tony Abell [mailto:TonAbe@osgtool.com] Sent: Thursday, April 29, 2004 9:45 AM To: 'bugtraq@securityfocus.com' Subject: New Worm??? - High level of activity on port 445 Since late yesterday 4/28/04 afternoon around 4pm our firewall started throwing alarms on netprobes. We are seeing a large amount of probes coming from one machine that is probing random IPs on port 445. The source port is random as well. We traced it back to a Japanese Win2K machine w/SP4 installed. No idea if it's fully patched or not, I have no desire to put it back on my network to patch it until I get this figured out. I scanned the machine in safe mode as well as booting normally using SAV 8.1 with 4/28/04 Rev 38 defs and came up with nothing. Is anyone else seeing anything like this? Tony Abell Network Administrator OSG Tap & Die
