Re: MSBLAST virus portable to Linux?

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 08/14/03


Date: Thu, 14 Aug 2003 03:44:32 +0000 (UTC)

Robert Heller <heller@deepsoft.com> writes:

] "Mats" <spamenot.mog.pettersson@telia.com>,
] In a message on Wed, 13 Aug 2003 18:42:10 GMT, wrote :

]"> Since the MSBLAST virus uses an exploit in Windows RPC which is derived from
]"> the OSF protocol (Open Software Foundation), is there any risk of getting a
]"> virus ported to Linux/*NIX systems or is the exploit only available in
]"> the MS Windows binary? I mean, they might have *borrowed* some OSF code?
]">
]"> I quote Microsoft below:
]">
]"> ----8<---
]"> Remote Procedure Call (RPC) is a protocol used by the Windows
]"> operating system. RPC provides an inter-process communication
]"> mechanism that allows a program running on one computer to
]"> seamlessly execute code on a remote system. The protocol itself
]"> is derived from the OSF (Open Software Foundation) RPC protocol,
]"> but with the addition of some Microsoft specific extensions.
]">
]"> There is a vulnerability in the part of RPC that deals with
]"> message exchange over TCP/IP. The failure results because of
]"> incorrect handling of malformed messages. This particular
]"> vulnerability affects a Distributed Component Object Model (DCOM)
]"> interface with RPC, which listens on TCP/IP port 135. This
]"> interface handles DCOM object activation requests sent by client
]"> machines (such as Universal Naming Convention (UNC) paths) to the
]"> server.
]"> ---8<---

]Reading this closely, it is not a problem with RPC itself, but of a
]MS-Windows specific software entity: DCOM, which is NOT an OSF.

And even if it were, buffer overflows are very very very specific-- to
the compiler used, to the libraries, etc. And the program that then gets
run is also in general specific to the OS (DLLs, etc.).


