--- "Soldatov, Sergey V." <SVSoldatov@tnk-bp.com> wrote:
Our NS 7.0 detects tons of MSRPC_SuspiciousEncryption events from one
desktop to another.
Suspicious UUID that I see is 000001a0-0000-0000-c000-000000000046.
So, my questions are:
- Where can I find description of
000001a0-0000-0000-c000-000000000046 interface (now I know only that its
name is ISystemActivator)?
- Where is this interface used? Can it be used in Microsoft
Network Printing? What for it was developed?
- Can this interface be used between two workstations (not between
workstation and server)? On what conditions? In which cases?
The interface is one of those used in the Blaster worm. Newer attack tools for
that old vulnerability will try to encrypt the data in order to evade the IDS.
ISS currently believes that no legitimate use of the ISystemActivator interface
would use encryption, but that could be in error.
The interface is used in Microsoft's DCOM to initiate communication between two
applications. Do you have DCOM applications running on those workstations that
are supposed to talk to each other?
There should be more "event details" with the event that might shed some light
on the matter.
____________________________________________________________________________________
Bored stiff? Loosen up...
Download and play hundreds of games for free on Yahoo! Games.
http://games.yahoo.com/games/front
_______________________________________________
ISSForum mailing list
ISSForum@atla-mm1.iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.
