everybody who is interested and/or who cares about this latest msblast event knows that it is a worm that exploits the DCOM RPC vulnerability using TCP port 135.
a properly configured firewall, like the free version of zonealarm, will stealth port 135 and protect the user against this worm even if the user was not wearing the microsoft security patch.
here is what steve gibson's shield's up site has to say about port 135....
**********************************
Port Authority Database
Port 135
Name:dcom-scm
Purpose:DCOM Service Control Manager
Description:
Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.
Related Ports:111
Background and Additional Information:
Port 135 is certainly not a port that needs to be, or should be, exposed to the Internet. Hacker tools such as "epdump" (Endpoint Dump) are able to immediately identify every DCOM-related server/service running on the user's hosting computer and match them up with known exploits against those services.
Any machines placed behind a NAT router (any typical residential or small business broadband IP-sharing router) will be inherently safe. And any good personal software firewall should also be able to easily block port 135 from external exposure. That's what you want.
In addition, many security conscious ISPs are now blocking port 135 along with the notorious "NetBIOS Trio" of ports (137-139). So even without any of your own proactive security, you may find that port 135 has been blocked and stealthed on your behalf by your ISP.
Going Further: Closing port 135
The widespread exposure and insecurity of this port has generated a great deal of concern among PC gurus. This has resulted in several approaches to shutting down the Windows DCOM server and firmly closing port 135 once and for all. Although applications may be "DCOM enabled" or "DCOM aware", very few, if any, are actually dependent upon the presence of its services. Consequently, it is usually possible (and generally desirable if you're comfortable doing such things) to shut down DCOM and close port 135 without any ill effects. (The fewer things running in a Windows system, the fewer things to suck up RAM and slow everything else down.)
********************************
grc.com |
