Many Internet worms, MSBlaster among them, take over Windows 2000- and Windows XP-based workstations by exploiting a little-used and little-known feature of these operating systems known as DCOM. Even though Microsoft has released patches for DCOM, many systems remain unpatched and vulnerable to DCOM attacks. Here's how you can quickly find out whether your workstation is exposed by using DCOMbobulator.
DCOM stands for Distributed Component Object Model. Because Windows applications are built around COM (Component Object Model) objects, Microsoft extended the model so that objects could be distributed, i.e., created and used by computers across a network. The idea was to let computers share resources more easily, making the overall network more powerful. Using RPC (Remote Procedure Call), Computer A could use DCOM to run components hosted on Computer B, sparing Computer A's storage and processor resources while taking advantage of the program already installed on Computer B. The RPC endpoint mapper listens on TCP port 135; a client first contacts port 135 to locate the service it wants and is then directed to a dynamically assigned port for the actual DCOM calls. This is why port 135 is the one worms probe for.
The problem with this strategy is that very few programs actually make use of DCOM. If your users run standard office or Internet applications, they will never touch it. Unfortunately, Microsoft turned DCOM on by default in Windows 2000 and Windows XP. That default, combined with several vulnerabilities in DCOM's RPC interface, means any host that can reach port 135 on your workstation can attack it, with no user interaction required. The same components meant to share your computer with legitimate network users can be used by attackers to take over your machine.
Microsoft has released updates and patches intended to make DCOM more secure, and you should already have deployed them on your workstations. Even so, a patched DCOM listener is still exposed code that a future flaw could reach. If nothing on the machine needs DCOM, the safer course is to disable it. Be aware that some server products and remote-management tools (remote WMI administration, for example) do depend on DCOM, so test on a representative machine before disabling it across a network. DCOMbobulator can help with the workstations that do not need it.
What does DCOMbobulator do and how do I get it?
DCOMbobulator tests a workstation for the presence of DCOM, reports whether DCOM is currently enabled, and checks whether the known DCOM vulnerabilities have been patched. It's a freeware program by Steven Gibson, the author of SpinRite and the well-known Shields Up! Web site.
You can obtain DCOMbobulator from the DCOMbobulator Web site. In an age of multimegabyte programs, long downloads, and Setup Wizards, DCOMbobulator is refreshingly small: the Download link fetches a single 29 KB executable. You can save it to your hard drive and distribute it to other machines from there, or run it directly from the Web site. As with any executable you intend to run on multiple workstations, make sure the copy you distribute is the one you downloaded from Gibson's site and not a file that arrived by some other route.
When DCOMbobulator starts, you'll see three tabs and an information pane in the middle of the window. The information pane explains DCOM's vulnerabilities and what you should do about them. To test your system, click the Am I Vulnerable tab and then click Load DCOM Test. The results appear as shown in Figure A.
Figure A: DCOMbobulator tests your system's DCOM status.
As you can see in the figure, this machine is vulnerable to attack. For a vulnerable system, DCOMbobulator points you to the appropriate Microsoft Web site to obtain the patches.
Even if all of the patches have been applied, you may still want to disable DCOM. To do so, click the DCOMbobulate Me tab, then click Disable DCOM to turn DCOM off. Two caveats: the change takes effect only after the machine restarts, and disabling DCOM does not stop the RPC endpoint mapper from listening on port 135, so a perimeter or host firewall that blocks port 135 from untrusted networks remains worthwhile. If you later find you need DCOM, rerun the program and click Enable DCOM on the same tab.
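The enable/disable switch DCOMbobulator flips is a single registry value, and on a fleet it is often easier to audit and set it from a script than to run a GUI tool on every desk. The PowerShell below is an added example, not DCOMbobulator's code or the article's own; it reads and sets the documented EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole and reports whether anything is listening on TCP 135. It assumes a Windows host with PowerShell and an elevated prompt for the Set-DcomEnabled call (Windows 2000 and XP machines without PowerShell can set the same value with regedit); the function names are this example's own. It does not attempt to judge patch level, which is what DCOMbobulator's Am I Vulnerable test adds.

```powershell
# Added example: audit and toggle the system-wide DCOM switch.
# Registry location is Microsoft's documented one; function names are assumptions.
$script:OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomStatus {
    # Read EnableDCOM ("Y" or "N"); an absent value behaves like "Y" (enabled).
    $item   = Get-ItemProperty -Path $script:OleKey -Name 'EnableDCOM' -ErrorAction SilentlyContinue
    $enable = if ($null -ne $item) { $item.EnableDCOM } else { $null }

    # netstat is present on every Windows version; look for a TCP listener on 135.
    # The RPC endpoint mapper keeps listening here even when DCOM is disabled.
    $port135 = [bool](netstat -an -p TCP | Select-String -Pattern ':135\s+\S+\s+LISTENING')

    [pscustomobject]@{
        EnableDCOMValue  = if ($null -eq $enable) { '(absent, treated as Y)' } else { $enable }
        DcomEnabled      = ($null -eq $enable) -or ($enable -ieq 'Y')
        Port135Listening = $port135
    }
}

function Set-DcomEnabled {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Requires an elevated prompt. RPCSS reads this value at startup, so the
    # change only takes effect after the machine restarts.
    $value = if ($Enabled) { 'Y' } else { 'N' }
    Set-ItemProperty -Path $script:OleKey -Name 'EnableDCOM' -Value $value -Type String
    Write-Host "EnableDCOM set to '$value'. Restart the computer for the change to take effect."
}

# Usage: show the current state, disable DCOM, and confirm the new value.
Get-DcomStatus
Set-DcomEnabled -Enabled $false
Get-DcomStatus
```

Run Get-DcomStatus alone on a machine where you only want to audit; the Port135Listening field will normally stay True even after DcomEnabled reports False, which is the reason a firewall rule for port 135 is still advisable.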
You’ve been DCOMbobulated
That's all there is to it. Once you've applied the patches, or better yet disabled DCOM on machines that don't need it and restarted them, the DCOM interface that worms like MSBlaster exploit is no longer available to them. It does not make the machine immune to everything that arrives on port 135, so keep the patches current and block port 135 at the firewall from any network you don't trust.