Author Topic: Persistent DCOM Attacks


ver CO (Guest)
Persistent DCOM Attacks
« on: July 18, 2010, 06:19:44 PM »
Good day! Newbie here and I totally need your help please.

Last week I had a rash of DCOM attacks. The good thing is, avast! is blocking those instances; I didn't really take note of the IP addresses though. I did some research and learned that these attacks are usually stopped by the firewall, and that I can close my DCOM ports.

I installed ZoneAlarm and used it in lieu of the Windows firewall. I also ran a boot time scan, installed Spybot and had HijackThis check my notebook. Result was: notebook is clean.

The thing is, even with what I've done, I'm still getting attacked! Like at least once a day. Did I miss or overlook anything?

Thanks in advance!

Pondus (Posts: 37700)
Re: Persistent DCOM Attacks
« Reply #1 on: July 18, 2010, 07:11:02 PM »
Have you tried a forum search ?   " DCOM "   it may give you the info you want !

DavidR (Avast Überevangelist, Posts: 89690)
Re: Persistent DCOM Attacks
« Reply #2 on: July 18, 2010, 08:18:18 PM »
DCOM attacks are speculative, not targeted, and try to exploit a vulnerability in an out-of-date OS; if your OS is up to date then you aren't vulnerable to the exploit. That doesn't stop them (usually someone from the same ISP with an infected computer) trying to see if it can infect others.
 
Your firewall should be the first line of defence in this, but avast also monitors common attack ports using the Network Shield. Ideally the firewall would block it and avast wouldn't know about it, but for whatever reason avast is first in line over your firewall.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Lisandro (Avast team, Posts: 67183)
Re: Persistent DCOM Attacks
« Reply #3 on: July 18, 2010, 08:26:41 PM »
Messages like:
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
are due to the RPC/DCOM exploit, a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

Which firewall do you use?
And, most important, is your operating system updated?

You could get this free program from Steve Gibson's site.  This small program will test your PC to see if it's vulnerable.  The link below also explains what DCOM is all about.

Microsoft's DCOM security patch leaves DCOM running...
http://www.grc.com/freeware/dcom.htm
The best things in life are free.

DavidR (Avast Überevangelist, Posts: 89690)
Re: Persistent DCOM Attacks
« Reply #4 on: July 18, 2010, 09:06:33 PM »
The attacks aren't due to any exploit, as they are speculative, in the hope that a user's system is vulnerable, and not because it is.

The OP reported ZA as his firewall.

Using DCOMbobulator won't stop the speculative attacks; it just attempts to close the port, and that doesn't stop them trying. The fact that it won't get through won't stop the attempts.

ver CO (Guest)
Re: Persistent DCOM Attacks
« Reply #5 on: July 19, 2010, 12:22:36 PM »
Thanks DavidR!

I have tried disabling DCOM using regedit and dcomcnfg.exe; I'm still getting notices from the avast! Network Shield. I didn't use the DCOMbobulator because I didn't think it'd help; thanks for confirming!

Neither the Windows 7 fw nor ZA are of any help. I have installed all the updates as they come (save those for IE because I don't use it.)

I just installed and ran a scan using MBAM and it says nothing is infected.

Is there anything else I can do?

Asyn (Avast Überevangelist, Posts: 76012)
Re: Persistent DCOM Attacks
« Reply #6 on: July 19, 2010, 01:15:17 PM »
> 1. I just installed and ran a scan using MBAM and it says nothing is infected.
> 2. Is there anything else I can do?

1. Because you are not infected, that's an attack from the outside to your machine.
2. If you know the IP of the attacker, report it to the relevant ISP.
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0
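The following is an added example, not code from the thread or from avast. It parses Network Shield alert lines of the exact form quoted in reply #3 ("blocked "DCOM Exploit" - attack from IP:port/tcp") and summarises them per source address, which is the information reply #6 says to send to the ISP that owns the address. The lines in `$SampleAlerts` are constructed test data (203.0.113.x and 198.51.100.x are documentation ranges); on a real machine, paste the alert text copied from the avast log viewer in their place.

```powershell
# Added example (not from the avast forum thread): summarise Network Shield alerts per
# attacking address so the addresses can be reported to the owning ISP.
# $SampleAlerts is constructed test data in the format quoted in reply #3.

$SampleAlerts = @'
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 203.0.113.45:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
Network Shield: started
Network Shield: blocked "DCOM Exploit" - attack from 198.51.100.7:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
'@

function Get-NetworkShieldAttacks {
    param([string[]]$Lines)
    # Named groups pull out the alert name, source IPv4 address, port and protocol.
    # Lines that are not "blocked ... attack from" alerts are skipped.
    $pattern = 'blocked "(?<name>[^"]+)" - attack from (?<ip>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d+)/(?<proto>tcp|udp)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Name  = $Matches['name']
                IP    = $Matches['ip']
                Port  = [int]$Matches['port']
                Proto = $Matches['proto']
            }
        }
    }
}

function Get-AttackerSummary {
    param([object[]]$Attacks)
    # One row per source address, most persistent first: the data for an abuse report.
    $Attacks | Group-Object IP | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            IP       = $_.Name
            Attempts = $_.Count
            Ports    = (($_.Group | ForEach-Object { "$($_.Port)/$($_.Proto)" } | Sort-Object -Unique) -join ',')
            Alerts   = (($_.Group | ForEach-Object { $_.Name } | Sort-Object -Unique) -join ',')
        }
    }
}

$attacks = Get-NetworkShieldAttacks -Lines ($SampleAlerts -split "`r?`n")
Get-AttackerSummary -Attacks $attacks | Format-Table -AutoSize
```

With the sample data, 81.178.115.162 is listed first with three attempts and the other two addresses with one each; the "started" line is ignored. Look up each address with whois or RDAP to find the ISP's abuse contact, and include the alert lines with their timestamps from the log viewer in the report. The port in the message is the attacked RPC port, as reply #3 explains, not a port on the attacker's machine.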

ver CO (Guest)
Re: Persistent DCOM Attacks
« Reply #7 on: July 19, 2010, 02:36:52 PM »
Thanks, asyn!

I still don't understand though why it's avast! blocking it and not my firewall. Can anyone please enlighten me on this matter?

Lisandro (Avast team, Posts: 67183)
Re: Persistent DCOM Attacks
« Reply #8 on: July 19, 2010, 02:40:31 PM »
Maybe some problem in Zone Alarm?

DavidR (Avast Überevangelist, Posts: 89690)
Re: Persistent DCOM Attacks
« Reply #9 on: July 19, 2010, 05:13:26 PM »
> Thanks DavidR!
>
> I have tried disabling DCOM using regedit and dcomcnfg.exe; I'm still getting notices from the avast! Network Shield. I didn't use the DCOMbobulator because I didn't think it'd help; thanks for confirming!
>
> Neither the Windows 7 fw nor ZA are of any help. I have installed all the updates as they come (save those for IE because I don't use it.)
>
> I just installed and ran a scan using MBAM and it says nothing is infected.
>
> Is there anything else I can do?

I said it wouldn't make any difference, as applying a local solution to try and prevent an external attack attempt won't work. The external attacks will continue: the external source doesn't give a stuff what is on your system, and the random (as in your IP address is randomly assigned by the ISP), speculative (in that they hope your system isn't up to date and is vulnerable) exploit attempts will continue. Given they are random they should after a while subside or stop, but they could be back or continue.

We don't know why avast's network shield is getting in first, that isn't something that I would expect with a third party firewall installed. Normally the firewall would be first and block it silently, but if the network shield sees it then it would have to assume it has bypassed your firewall and alert.
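An added example, not from the thread or from avast, for the three checks a practitioner would run on a host in this situation: is DCOM still enabled after the regedit/dcomcnfg change in reply #5, what is actually listening on TCP 135, and is there an explicit inbound firewall block for it. The reason reply #9 gives for the local change not helping holds at the packet level too: setting EnableDCOM to N only disables DCOM activation, the RPC endpoint mapper service keeps listening on 135, so probes still reach the host unless a firewall drops them first. The script uses reg, netstat and netsh rather than the newer Net* cmdlets so it also runs on Windows 7. Assumptions: an elevated prompt, English-language netsh output, and a rule name that is ours, not a Windows default.

```powershell
# Added example (not from the avast forum thread). Checks a Windows host being probed on
# TCP 135 (the RPC endpoint mapper used by DCOM) and adds an inbound block if one is missing.
# Assumptions: elevated prompt; English netsh output; $RuleName is our own rule name.

$RuleName = 'Block inbound RPC endpoint mapper (TCP 135)'

function Get-DcomEnabled {
    # dcomcnfg.exe and the regedit method toggle this value between "Y" and "N".
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    return ($null -ne $ole -and $ole.EnableDCOM -eq 'Y')
}

function Get-Port135Listeners {
    # Parse "netstat -ano" for TCP sockets in LISTENING state on local port 135 (IPv4 or IPv6).
    # Expect the endpoint mapper (RpcSs/RpcEptMapper inside svchost.exe) here even when
    # EnableDCOM is "N": disabling DCOM does not close the listener, so probes still arrive.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(?<local>\S+):135\s+\S+\s+LISTENING\s+(?<pid>\d+)') {
            $proc = Get-Process -Id ([int]$Matches['pid']) -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            [pscustomobject]@{
                LocalAddress = $Matches['local']
                PID          = [int]$Matches['pid']
                Process      = $name
            }
        }
    }
}

function Test-Port135BlockRule {
    # netsh exits non-zero and prints "No rules match the specified criteria." when absent.
    $out = netsh advfirewall firewall show rule name="$RuleName"
    return ($LASTEXITCODE -eq 0 -and (($out -join "`n") -match 'Action:\s+Block'))
}

function Add-Port135BlockRule {
    # Drop unsolicited inbound connections to 135 on all profiles. On a managed/domain host
    # that needs RPC from specific servers, scope the rule with remoteip=<allowed ranges>.
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=135 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

"DCOM enabled (HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = Y): $(Get-DcomEnabled)"
"Listeners on TCP 135:"
Get-Port135Listeners | Format-Table -AutoSize
if (Test-Port135BlockRule) {
    "Inbound block rule for TCP 135 already present."
} elseif (Add-Port135BlockRule) {
    "Added inbound block rule for TCP 135."
} else {
    "Could not add the rule (is this an elevated prompt?)."
}
```

With the block rule in place the probes are dropped by the Windows firewall before any local listener answers; if a third-party firewall such as ZoneAlarm is installed it should be doing the same on its own. Blocking 135 on a domain-joined machine also stops legitimate inbound RPC (remote management, WMI, some backup agents), which is why the rule should be scoped with remoteip= there rather than applied to everything.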

Asyn (Avast Überevangelist, Posts: 76012)
Re: Persistent DCOM Attacks
« Reply #10 on: July 20, 2010, 09:11:19 AM »
> Thanks, asyn!
>
> 1. I still don't understand though why it's avast! blocking it and not my firewall.
> 2. Can anyone please enlighten me on this matter?

You're welcome..!
1. Me neither, as your FW should block it. ;)
2. Not really. A solution would be to use another free FW. (Comodo, PCTools, etc...)
asyn

ver CO (Guest)
Re: Persistent DCOM Attacks
« Reply #11 on: July 21, 2010, 11:33:02 AM »
Thanks DavidR and asyn! :)

Last question please: should I then keep both Spybot and MBAM,or uninstall one of them?

Lisandro (Avast team, Posts: 67183)
Re: Persistent DCOM Attacks
« Reply #12 on: July 21, 2010, 12:42:23 PM »
> Last question please: should I then keep both Spybot and MBAM, or uninstall one of them?

Spybot isn't worth the effort anymore.
Keep only MBAM.

DavidR (Avast Überevangelist, Posts: 89690)
Re: Persistent DCOM Attacks
« Reply #13 on: July 21, 2010, 03:22:42 PM »
> Thanks DavidR and asyn! :)
>
> Last question please: should I then keep both Spybot and MBAM, or uninstall one of them?

You're welcome.

I too feel that Spybot hasn't kept pace (but it does still have reasonable detection), and allied to that there have been a few posts in the forums where it looks like Spybot had been causing some issues with avast.

If you feel you need another anti-spyware tool, I would suggest SUPERAntiSpyware (SAS); on-demand only in the free version.
Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie. One of the useful features in SAS is that it has a number of Repair functions to recover from some common registry problems.

Asyn (Avast Überevangelist, Posts: 76012)
Re: Persistent DCOM Attacks
« Reply #14 on: July 22, 2010, 07:47:07 AM »
> Thanks DavidR and asyn! :)
>
> Last question please: should I then keep both Spybot and MBAM, or uninstall one of them?

You're welcome..!
Drop Spybot and keep Mbam...
asyn
