Author Topic: DCOM Exploit Attack - Can't Stop It  (Read 10459 times)


dombrorj

  • Guest
DCOM Exploit Attack - Can't Stop It
« on: January 27, 2010, 07:32:36 AM »
I'm on Windows 7, 64-bit and for about the past week I've been receiving the following warning message every hour or two:

Network Shield: blocked "DCOM Exploit" - Attack from 74.214.11:135/tcp

The ip varies, but this was the latest message I received. I've read through all the other threads regarding this topic and have done the following:

- Ensured Windows is up-to-date
- Ensured Windows Firewall is enabled
- Ran a thorough virus and Ad-Aware scan, with nothing malicious found
- Ran DCOMbobulator
- Disabled DCOM through Windows Component Services and verified it was disabled in Regedit

Even after disabling and rebooting, I'm still receiving the errors. I also ran the DCOMbobulator "Remote Port 135 Test" again after all of the steps above, and am still receiving a warning message that the port is open.

As far as security goes, I have the latest version and updates for Avast, Ad-Aware and just using the Microsoft Firewall included with Win 7.

Any help you can provide is appreciated!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: DCOM Exploit Attack - Can't Stop It
« Reply #1 on: January 27, 2010, 07:37:23 AM »
check your computer for malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button "remove selected" to quarantine anything found and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

come back and tell us if it worked and post your scan logs here

dombrorj

  • Guest
Re: DCOM Exploit Attack - Can't Stop It
« Reply #2 on: January 27, 2010, 07:49:41 AM »
Thanks for the quick reply. Malwarebytes found 1 bad entry...

Malwarebytes' Anti-Malware 1.44
Database version: 3643
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

1/27/2010 12:47:32 AM
mbam-log-2010-01-27 (00-47-22).txt

Scan type: Quick Scan
Objects scanned: 101908
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline Pondus
Re: DCOM Exploit Attack - Can't Stop It
« Reply #3 on: January 27, 2010, 09:27:57 AM »
You did not remove it; your log says "No action taken". You have to click the button "remove selected" after the scan to quarantine the infection.
did it solve your problem?

dombrorj

  • Guest
Re: DCOM Exploit Attack - Can't Stop It
« Reply #4 on: January 27, 2010, 04:03:49 PM »
Hey Pondus,

I did remove it. I just downloaded the log before taking the action. So far it seems like it may have solved the problem, but I will post back if not.

Thanks!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: DCOM Exploit Attack - Can't Stop It
« Reply #5 on: January 27, 2010, 05:22:32 PM »
DCOM exploits are external, random and speculative and may end as quickly as they started. Your firewall should really get in on the act first, but consider the avast Network Shield another line of defence; why it happens to get in before the Vista Firewall I don't know.

Vista in itself isn't vulnerable to the DCOM exploit, though that doesn't stop the random, speculative attempts in the hope of hitting a system that is vulnerable.

The IP reported in the attack belongs to SOUTHEAST TELEPHONE INCORPORATED, I presume that is your ISP or they provide the connection for the ISP. They personally aren't attacking you but most likely one of their customers system is infected and trying to infect others.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dombrorj

  • Guest
Re: DCOM Exploit Attack - Can't Stop It
« Reply #6 on: January 27, 2010, 05:53:35 PM »
Hi DavidR,

Thanks for the info and for identifying the IP. I find it strange that the Windows 7 Firewall isn't stopping it either.

As for removing the critical item above, that was a bad idea. I later rebooted my pc and ended up having to do a system restore because I couldn't access any applications, including the command prompt, task manager, and control panel. I should have Googled it first because others are saying this is a false positive.

Now that I've restored to the previous state, I'm guessing the alert will come back but will let you know.

Offline DavidR
Re: DCOM Exploit Attack - Can't Stop It
« Reply #7 on: January 27, 2010, 06:41:25 PM »
Oops, sorry thought you were using Vista ;D

You can enter the MBAM Quarantine area and restore it.
For some that setting could be an indication of malicious intent, for others it is a setting that they want, unfortunately scanners can't determine intent, that is down to a user to decide.  If it does happen to come back, now you know you can add it to the Ignore list.

dombrorj

  • Guest
Re: DCOM Exploit Attack - Can't Stop It
« Reply #8 on: January 28, 2010, 02:14:39 AM »
Well the bad news is the DCOM Exploit problem continues. Any other suggestions on what to do here?

Isn't it strange that I've disabled the DCOM service and port 135 is still open?

Offline DavidR
Re: DCOM Exploit Attack - Can't Stop It
« Reply #9 on: January 28, 2010, 02:38:54 AM »
As I said it is external, random and speculative.
Disabling the service, as far as I'm aware, doesn't close the port, and in general you don't want to physically close a port, just not respond to contact by external traffic that didn't originate from your system, as a closed port just tells them that there is something there.

Do you have a router that also has a firewall (as that may have the port open)?
What is actually telling you that port 135 is open?

Check out ShieldsUp at grc.com which checks if your system is stealthed.

dombrorj

  • Guest
Re: DCOM Exploit Attack - Can't Stop It
« Reply #10 on: January 28, 2010, 03:19:08 AM »
Oh! I figured disabling the service would have stopped it.

I'm using a Linksys Wireless G router, but no ports have been manually opened. But if you say I don't want to close it, then I won't mess with it. The alerts are just more of an annoyance than anything else.

I used 'Remote Port 135 Test' in DCOMbobulator (http://www.grc.com/freeware/dcom.htm), which shows the port is open to the public internet. Oddly, I have another PC that I work on simultaneously throughout the day... same operating system, identical setup in terms of firewall and anti-virus. The other computer does not receive these warnings. I also tried the DCOMbobulator remote port test on that PC, and it indicates that port 135 is closed.

Thanks for pointing me to ShieldsUp. I'll give that a shot and post back.

Edit: I should have mentioned earlier that on the PC experiencing this trouble, I use a private VPN service. I've used this service for about 5 months now with no problems, but it might have something to do with the issue here.
« Last Edit: January 28, 2010, 03:21:23 AM by dombrorj »

dombrorj

  • Guest
Re: DCOM Exploit Attack - Can't Stop It
« Reply #11 on: January 28, 2010, 03:28:14 AM »
Well there we have it! Looks like it is the VPN service that is causing the problem. When I ran the ShieldsUp test, there were a few alerts about ports 135, 139 and 445 being open. When I disabled the VPN and ran the test again, everything looked good.

Is this something I should be concerned about?

Thanks again for all the help.
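Added example, not part of the thread and not code from avast or GRC: a small Python probe that classifies a TCP port the way ShieldsUp and the DCOMbobulator remote test report it. It separates the three states that matter in this discussion: "open" (the handshake completes, so something such as the RPC endpoint mapper on 135 or SMB on 445 is listening and reachable), "closed" (the host answers with a reset, which, as DavidR says, still tells a scanner that a machine is there) and "filtered" (the SYN is dropped and the probe times out, which is what ShieldsUp calls "stealth"). The host, port list and timeout are assumptions you pass in; the embedded listener is a constructed stand-in for a service so the script can be run offline against loopback. Note that probing your own machine from itself only shows what is listening; the check that matters for the VPN case is running this (or ShieldsUp) from an outside host against the public VPN address, because disabling DCOM does not stop the endpoint mapper service from listening on 135, and a VPN tunnel can expose that listener past the router's NAT.

```python
"""Classify TCP port state: open / closed / filtered (stealthed).

Added example for the DCOM alert thread; host, ports and timeout are assumed
inputs, and the listener below is a constructed stand-in for a real service.
"""
import socket
import sys
import threading
from typing import Dict, Iterable, List, Tuple

# Ports the thread is concerned with: RPC endpoint mapper, NetBIOS session, SMB.
DCOM_PORTS: Tuple[int, ...] = (135, 139, 445)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port.

    open     -> three-way handshake completed: a service is listening and reachable
    closed   -> host replied with RST: nothing listening, but the host is visible
    filtered -> no reply before the timeout: a firewall dropped the SYN
                ("stealth" in ShieldsUp terminology)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except TimeoutError:  # socket.timeout is an alias of TimeoutError on 3.10+
        return "filtered"
    except OSError:
        # e.g. host unreachable: no answer came back, same verdict as a drop
        return "filtered"
    finally:
        s.close()


def probe_ports(host: str, ports: Iterable[int] = DCOM_PORTS,
                timeout: float = 2.0) -> Dict[int, str]:
    """Probe each port and map port -> state."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def open_ports(states: Dict[int, str]) -> List[int]:
    """Ports that accepted a connection, i.e. the ones an external scanner would attack."""
    return sorted(p for p, st in states.items() if st == "open")


def start_listener(host: str = "127.0.0.1", port: int = 0):
    """Constructed stand-in for a listening service; returns (server_socket, port).

    Accepts and immediately drops connections so probe_tcp() sees 'open'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # server socket closed: stop the loop
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_unused_port(host: str = "127.0.0.1") -> int:
    """Constructed helper: find a port nothing listens on (bind to 0, read back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py <host> [port ...]   (defaults to loopback and DCOM_PORTS)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = tuple(int(a) for a in sys.argv[2:]) or DCOM_PORTS
    result = probe_ports(target, ports)
    for p, st in result.items():
        print(f"{target}:{p}/tcp {st}")
    exposed = open_ports(result)
    print("exposed:", exposed if exposed else "none (closed or stealthed)")
```

Run it from a second machine against the address the VPN gives you and compare with the run against your LAN address; the thread's symptom corresponds to 135/139/445 reporting "open" on the VPN address and "filtered" on the router's.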

Offline DavidR
Re: DCOM Exploit Attack - Can't Stop It
« Reply #12 on: January 28, 2010, 03:33:52 AM »
I don't use a VPN so I can't say, if you need it I would say that you could enable the VPN before use.