Remote Procedure Call and Automatic Shutdowns
Why is Remote Procedure Call shutting down my computer after 60 seconds?
Why is LSASS.exe shutting down my computer after 60 seconds? Why is svchost.exe crashing my computer? Why is dllhost.exe taking 100% of my CPU time?
A buffer overrun is the cause of an issue affecting many versions of Windows, including NT, 2000, XP and 2003. The main indication of this is a 60 second shutdown counter that appears just after connecting to the internet or "right after" an attack attempt. "Strange" network activity while you are not downloading or surfing is another key indicator.
Upon examination of my firewall log files, I discovered that the vulnerable ports are being scanned every two to five minutes. Since I am behind a firewall, I have not been affected by any of these problems. However, given the firewall activity, I must assume that the Remote Procedure Call vulnerability publicly released on July 16, 2003 and the LSASS vulnerability released April 13, 2004 are being exploited. The latest security patch described below (in the Third step) will solve all issues.
By default, all incoming Remote Procedure Call traffic is blocked by all firewalls, including Windows XP's built-in firewall. However, regardless of whether you are behind a firewall or not, the latest security patch should still be installed, as it is the most critical one recently released and affects such a large number of systems.
ABSOLUTELY DO NOT disable the Remote Procedure Call Service using any Registry patches or Hardware Profiles, no matter who told you to or why! Remote Procedure Call is a vital core process that is required for your system to function properly and to install the security patch.
The following are steps that you can take to protect yourself from this vulnerability:
Note: If you do not have a firewall or use something other than Windows XP, skip the first step.
First
In an effort to ensure that your system will not be attacked while attempting to solve the problem, disconnect the computer from the internet.
Block inbound (from the internet) and outbound (from your computer) TCP and UDP ports 135, 137, 138, 139, 445 and 593 at your firewall and ensure your firewall is active. This will stop Remote Procedure Call and LSASS.exe inbound traffic from the internet reaching your computer.
You can enable the built-in Internet Connection Firewall in Windows XP by doing the following:
With the default Category Control Panel:
- Head to Start
- Select Control Panel
- Select Network and Internet Connections
- Select Network Connections
- Right click your "internet" connection, whether it is dial-up (your modem) or local area network (your network card if using broadband)
- Select the Properties option in the popup menu
- Select the Advanced tab
- Check the box next to "Protect my computer and network by limiting..."
- Select the Ok button to apply the settings
With the Classic Control Panel:
- Head to Start
- Select Control Panel
- Select Network Connections
- Right click your "internet" connection, whether it is dial-up (your modem) or local area network (your network card if using broadband)
- Select the Properties option in the popup menu
- Select the Advanced tab
- Check the box next to "Protect my computer and network by limiting..."
- Select the Ok button to apply the settings
This action will start the Internet Connection Firewall Service.
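The firewall log observation made earlier (probes of the RPC and LSASS ports every few minutes) can be measured rather than eyeballed. The following is an added example, not part of the original article, that parses a Windows Internet Connection Firewall style log and counts dropped packets aimed at the ports listed in this step, grouped by port and by source address, with the time between repeat probes from the same address. The W3C-style `#Fields:` column layout of pfirewall.log is assumed, and the log lines are constructed samples, not a real capture.

```python
"""Added example: measure repeated probing of the RPC/NetBIOS/SMB ports
in a Windows Internet Connection Firewall style log."""
from collections import Counter, defaultdict
from datetime import datetime

# The TCP/UDP ports the article says to block in both directions.
RPC_LSASS_PORTS = {135, 137, 138, 139, 445, 593}

# Constructed sample log, not a real capture. The layout assumes the
# W3C-style "#Fields:" header written by the Windows XP firewall
# (pfirewall.log); that header line defines the columns we read.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 10:00:05 DROP TCP 192.0.2.10 198.51.100.7 3412 135 48 S 1234567 0 65535 - - -
2003-08-12 10:00:06 DROP TCP 192.0.2.10 198.51.100.7 3413 445 48 S 1234568 0 65535 - - -
2003-08-12 10:03:41 DROP TCP 192.0.2.55 198.51.100.7 1201 135 48 S 2234567 0 65535 - - -
2003-08-12 10:05:02 OPEN TCP 198.51.100.7 203.0.113.9 1045 80 - - - - - - - -
2003-08-12 10:07:18 DROP TCP 192.0.2.10 198.51.100.7 3500 135 48 S 1234999 0 65535 - - -
2003-08-12 10:07:19 DROP UDP 192.0.2.10 198.51.100.7 137 137 78 - - - - - - -
2003-08-12 10:11:30 DROP TCP 203.0.113.77 198.51.100.7 4000 139 48 S 3234567 0 65535 - - -
"""


def parse_log(text):
    """Parse log text into dicts keyed by the column names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header before its first record")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line; skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def dropped_probes(records):
    """Dropped packets aimed at one of the RPC/NetBIOS/SMB ports."""
    return [
        r for r in records
        if r["action"] == "DROP"
        and r["dst-port"].isdigit()          # ICMP rows carry "-" here
        and int(r["dst-port"]) in RPC_LSASS_PORTS
    ]


def probes_by_port(records):
    """How often each (protocol, port) pair was probed."""
    return Counter((r["protocol"], int(r["dst-port"]))
                   for r in dropped_probes(records))


def probe_intervals(records):
    """Seconds between successive probes from each source address, in time order."""
    by_src = defaultdict(list)
    for r in dropped_probes(records):
        by_src[r["src-ip"]].append(r["timestamp"])
    return {
        src: [int((later - earlier).total_seconds())
              for earlier, later in zip(times, times[1:])]
        for src, times in ((s, sorted(t)) for s, t in by_src.items())
    }


def repeat_scanners(records, min_probes=2):
    """Source addresses that probed the blocked ports more than once."""
    counts = Counter(r["src-ip"] for r in dropped_probes(records))
    return sorted(src for src, n in counts.items() if n >= min_probes)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records parsed:", len(recs))
    print("dropped probes on RPC/LSASS ports:", len(dropped_probes(recs)))
    for (proto, port), n in sorted(probes_by_port(recs).items()):
        print(f"  {proto}/{port}: {n}")
    for src, gaps in probe_intervals(recs).items():
        print(f"  {src}: {len(gaps) + 1} probes, gaps in seconds {gaps}")
    print("repeat scanners:", repeat_scanners(recs))
```

Point `parse_log` at the contents of your own pfirewall.log to see whether the probes stop once the ports in this step are blocked; a source that keeps returning at a steady interval is the pattern the article describes.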
Second
You can stop a computer from automatically rebooting during the 60 second countdown by doing the following:
- Head to the Start button
- Select Run...
- type shutdown -a in the popup window
- Select the Ok button to issue the command
You can "stop" the Remote Procedure Call Service from shutting down the system after 60 seconds each time the attack is attempted. This does not apply to LSASS.exe. I absolutely do not condone this action as a "fix," but it could be used to stop the system from rebooting while you are attempting to repair the issue and scan your computer for vulnerabilities if you have not already activated your firewall.
In an effort to ensure that your system will not be attacked while attempting to solve the problem, disconnect the computer from the internet. Then change the Remote Procedure Call Service's recovery options so that a failure restarts the service instead of the computer:
- Head to the Start button
- Select Run...
- type services.msc in the popup window
- Select the Ok button to issue the command
- Select the Remote Procedure Call Service from the list by double clicking it
- Select the "Recovery" tab (Image 1.1)
- The default for this service is "Restart the Computer" for all failures
- Change each one to "Restart the Service"
- Select the Ok button to apply the settings
Again, this should not be done to fix the reboot issue, only to ensure that you have the proper amount of time to correct the problems.
Third
Ensure that all security patches are currently downloaded and installed. Before troubleshooting your computer any further, this step needs to be complete so you can be certain that this particular security issue is not being exploited and causing your problems.
Take note: Cryptographic Services in Windows XP and 2003 must be set to Automatic and/or started before installing security patches. Cryptographic Services requires the Remote Procedure Call Service. Again, do not disable Remote Procedure Call! It is required to install the patch! Both are set to Automatic by default.
Remote Procedure Call Information:
A security patch for Windows NT, 2000, XP and 2003 with additional information about the previous vulnerability is located here:
http://support.microsoft.com/?kbid=823980
(superseded by the latest update)
A security patch for Windows NT, 2000, XP and 2003 with additional information about the latest vulnerability, which includes the previous update, is located here:
http://support.microsoft.com/?kbid=824146
Microsoft Security Bulletin MS03-026 was posted about the first issue:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Microsoft Security Bulletin MS03-039 was posted about the latest vulnerability:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
LSASS.exe Information:
Microsoft Security Bulletin MS04-011 was posted about the latest vulnerability and includes details on where to get the patch to fix it:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Fourth
Scan your computer with the latest virus definitions. If your computer has already been attacked, any number of problems can arise from this:
- A new user account could have been created with administrator privileges.
- A trojan or worm could have been installed that attempts to infect the local system or internet-connected computers with other malicious code.
Exploits have already been circulating on the internet, including:
However, just because you have been hit with an attack against the Operating System vulnerability does not mean that you are automatically infected with anything.
Fifth
If you want to be certain that a compromised system is clean, the only way to go is to unplug the computer from the network, completely format the hard drives, turn off the computer, and then fire it back up and reinstall Windows clean. As far as I am concerned, that is the only way to ensure that all malicious code has been removed from the system in question. Understandably, this solution is not possible for everyone. However, if you patch the security hole and scan your computer for viruses, you should be closer to a safe system again.