Just to add to what Tim is saying:
It is quite common to run into applications that are loaded as
hidden that will not be picked up by antivirus software because
they're actually legitimate applications that can be used to
backdoor systems. It is also trivial to bypass most antivirus
software by altering the applications to mask particular
signatures.
There are likely many systems out there that were exploited,
plugged the RPC hole by shutting it off or installing the patch,
and then loading backdoors for future use. The exploit was in
known circulation for about a week before MSU started filtering
RPC traffic from the Internet, and filtering from within campus
didn't happen until a couple weeks later. Plenty of time for
many many systems to be backdoored in various ways, not
necessarily by viruses and worms.
There's plenty to be looking for including open ports that
shouldn't be, and user accounts with elevated privileges
(even on single-user systems) to name a few.
-Russell
Skutt, Tim wrote:
> I've ran that particular scan tool on some hosts over here in the College of
> business. I found in some cases that DCOM was disabled in the registry.
> (HKLM\software\microsoft\ole)
> EnableDCOM should be Y
>
> On some that came back I found trojans on the PC's as a result of the RPC
> vulnerability. Often they run processes that disable the ability for a
> system admin to connect to them remotely.
>
> I submitted some of the trojans found to Symantec.
>
> Tim
|