
Aug 10 2003


A buffer overrun is the cause of an issue affecting many versions of Windows, including NT, 2000, XP and 2003. The main indication is a 60 second shutdown countdown that appears just after connecting to the internet or “right after” an attack attempt. “Strange” network activity while you are not downloading or surfing is another key indicator.

Upon examination of my firewall log files, I discovered that the vulnerable ports are being scanned every two to five minutes. Since I am behind a firewall, I have not been affected by any of these problems. However, given the firewall activity, I must assume that the Remote Procedure Call vulnerability publicly disclosed on July 16, 2003 and the LSASS vulnerability disclosed April 13, 2004 are being actively exploited. The latest security patch described below (in the Third step) will resolve all of these issues.
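The kind of log check described above, as an added example that is not part of the original article: it parses firewall log text and reports how often dropped inbound hits on the RPC/NetBIOS/SMB ports arrive. The log lines are constructed, modelled on the W3C-style Windows XP Internet Connection Firewall log (pfirewall.log), and the local address 198.51.100.5 is an assumption.

```python
from datetime import datetime

# Ports the article says to block at the firewall (RPC/DCOM, NetBIOS, SMB, RPC over HTTP).
RPC_PORTS = {135, 137, 138, 139, 445, 593}

# Constructed sample, modelled on the XP Internet Connection Firewall log format;
# these are not real captured entries. 198.51.100.5 is the assumed local address.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-11 10:00:02 DROP TCP 192.0.2.10 198.51.100.5 3200 135 48 S 1 0 16384 - - -
2003-08-11 10:00:05 DROP TCP 192.0.2.10 198.51.100.5 3201 445 48 S 1 0 16384 - - -
2003-08-11 10:02:30 OPEN TCP 198.51.100.5 203.0.113.7 1045 80 - - - - - - - -
2003-08-11 10:03:41 DROP TCP 192.0.2.77 198.51.100.5 4411 135 48 S 1 0 16384 - - -
2003-08-11 10:08:10 DROP UDP 192.0.2.77 198.51.100.5 137 137 78 - - - - - - -
"""


def parse_icf_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def rpc_probe_intervals(text, local_ip):
    """Return (probe_count, gaps_in_seconds) for dropped packets aimed at
    local_ip on the RPC/NetBIOS/SMB ports; gaps are between consecutive probes."""
    times = []
    for rec in parse_icf_log(text):
        if rec["action"] != "DROP" or rec["dst-ip"] != local_ip:
            continue
        if int(rec["dst-port"]) not in RPC_PORTS:
            continue
        times.append(datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"))
    times.sort()
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return len(times), gaps


if __name__ == "__main__":
    count, gaps = rpc_probe_intervals(SAMPLE_LOG, "198.51.100.5")
    print(f"{count} probes on RPC ports; seconds between probes: {gaps}")
```

Gaps of a few minutes between probes from different sources, as in the sample, are what the scanning described in the text looks like in a log.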

As I touched on with my configuration, by default all incoming Remote Procedure Call traffic is blocked by all firewalls, including Windows XP’s built-in firewall. Since that is a general statement, I am sure I am going to get burned by it. But in all honesty, regardless of whether you are behind a firewall or not, the latest security patch should still be installed: it is the most critical one recently released and affects such a large number of systems.

ABSOLUTELY DO NOT disable the Remote Procedure Call Service using any registry patches or hardware profiles, no matter who told you to or why!

Remote Procedure Call is a vital core process that is required for your system to function properly and to install the security patch. If you have already disabled it somehow and are looking for help, I have a way to try and fix it.

The following are steps you can take to protect yourself from this vulnerability:

Note: If you do not have a firewall or use something other than Windows XP, skip the first step.

First

In an effort to ensure that your system will not be attacked while attempting to solve the problem, disconnect the computer from the internet.

Block inbound (from the internet) and outbound (from your computer) TCP and UDP ports 135, 137, 138, 139, 445 and 593 at your firewall and ensure your firewall is active. This will stop inbound Remote Procedure Call and LSASS.exe traffic from the internet from reaching your computer.

You can enable the built-in Internet Connection Firewall in Windows XP by doing the following:

With the default Category Control Panel:

  1. Head to Start
  2. Select Control Panel
  3. Select Network and Internet Connections
  4. Select Network Connections
  5. Right click your “internet” connection, whether it is dial-up (your modem) or local area network (your network card if using broadband)
  6. Select the Properties option in the popup menu
  7. Select the Advanced tab
  8. Check the box next to “Protect my computer and network by limiting…”
  9. Select the Ok button to apply the settings

With the Classic Control Panel:

  1. Head to Start
  2. Select Control Panel
  3. Select Network Connections
  4. Right click your “internet” connection, whether it is dial-up (your modem) or local area network (your network card if using broadband)
  5. Select the Properties option in the popup menu
  6. Select the Advanced tab
  7. Check the box next to “Protect my computer and network by limiting…”
  8. Select the Ok button to apply the settings

This action will start the Internet Connection Firewall Service.

Second

You can stop a computer from automatically rebooting during the 60 second countdown by doing the following:

  1. Head to the Start button
  2. Select Run…
  3. Type shutdown -a in the popup window
  4. Select the Ok button to issue the command

Image 1.1: (45KB .jpg)

You can “stop” the Remote Procedure Call Service from shutting down the system after 60 seconds each time the attack is attempted. This does not apply to LSASS.exe. I absolutely do not condone this action as a “fix,” but it can be used to stop the system from rebooting while you repair the issue and scan your computer for vulnerabilities if you have not already activated your firewall. As before, disconnect the computer from the internet while you do this so that your system is not attacked in the meantime:

  1. Head to the Start button
  2. Select Run…
  3. Type services.msc in the popup window
  4. Select the Ok button to issue the command
  5. Select the Remote Procedure Call Service from the list by double clicking it
  6. Select the “Recovery” tab
  7. The default for this service is “Restart the Computer” for all failures
  8. Change each one to “Restart the Service”
  9. Select the Ok button to apply the settings

Again, this should not be done to fix the reboot issue, only to ensure that you have the proper amount of time to correct the problems.

Third

Ensure that all security patches are downloaded and installed. Before troubleshooting your computer any further, this step needs to be complete so you can be certain that this particular security issue is not being exploited and causing your problems.

Take note: Cryptographic Services in Windows XP and 2003 needs to be set to Automatic and/or started before installing security patches. Cryptographic Services depends on the Remote Procedure Call Service. Again, do not disable Remote Procedure Call! It is required to install the patch! Both are set to Automatic by default.

Remote Procedure Call Information:

A security patch for Windows NT, 2000, XP and 2003 with additional information about the previous vulnerability is located here:

http://support.microsoft.com/?kbid=823980 (superseded by the latest update)

A security patch for Windows NT, 2000, XP and 2003 with additional information about the latest vulnerability, which includes the previous update, is located here:

http://support.microsoft.com/?kbid=824146

Microsoft Security Bulletin MS03-026 was posted about the first issue:

https://technet.microsoft.com/library/security/ms03-026

Microsoft Security Bulletin MS03-039 was posted about the latest vulnerability:

https://technet.microsoft.com/library/security/ms03-039

LSASS.exe Information:

Microsoft Security Bulletin MS04-011 was posted about the latest vulnerability and includes details on where to get the patch that fixes it:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Fourth

Scan your computer with the latest virus definitions. If your computer has already been attacked, any number of problems can arise, including:

  • A new user account could have been created with administrator privileges.
  • A trojan or worm could have been installed that attempts to infect the local system or other internet-connected computers with further malicious code.

Exploits have already been circulating around the internet, including:

However, just because you have been hit with an attack against the Operating System vulnerability does not mean that you are automatically infected with anything.

Fifth

As far as I feel, if a system has been compromised, the only way to go is to unplug the computer from the network, completely format the hard drives, turn off the computer, and then fire it back up and reinstall Windows clean. As far as I am concerned, that is the only way to ensure that all malicious code has been removed from the system in question. Understandably, this solution is not possible for everyone. However, if you patch the security hole and scan your computer for viruses, you should be closer to a safe system again.

Revision History

  • August 10, 2003:
    • Initial release.
  • August 11, 2003:
    • Added log file information.
    • Included information about possible virus and trojan infections with examples.
    • Added information on how to stop the Remote Procedure Call Service from rebooting the computer.
  • August 12, 2003:
  • August 13, 2003:
  • August 22, 2003:
    • Adjusted order of actions, placing activation of the firewall first.
  • September 10, 2003:
  • May 1, 2004:
    • Updated information to include latest LSASS.exe issue.