Nothing ceases to amaze me anymore. Those of us who have relied on system manufacturers to provide us with clean systems, servers, and components “out of the box” now have a new wrinkle to iron out. If you have spent any money on a Dell server recently, you may want to check your model… and your receipt. It seems Dell has shipped some of its replacement motherboards for PowerEdge R410 rack servers with malware code in the flash storage on the motherboard.
A user on the Dell Forums posts:
Immediately following the post is a reply from DELL-Matt M:
Further reading reveals that not all customers who have received service motherboards are affected; this applies only to a small set of customers. It is also stated in the image above that non-Windows systems are not affected. The vulnerability is not present in factory-shipped servers and is limited to service motherboards for the PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410. “The maximum potential exposure is less than 1% of these server models.”
The malware was identified as W32.Spybot.Worm (the description below is from Symantec’s website):
W32.Spybot.Worm is a detection for a family of worms that spreads using the Kazaa file-sharing network and mIRC. This worm can also spread to computers that are compromised by common back door Trojan horses and on network shares protected by weak passwords.
W32.Spybot.Worm can perform various actions by connecting to a configurable IRC server and joining a specific channel to listen for instructions. Newer variants may also spread by exploiting the following vulnerabilities:
- Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) using TCP port 135.
- Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).
- Microsoft SQL Server 2000 or MSDE 2000 audit (BID 5980) using UDP port 1434.
- Microsoft Windows WebDAV Buffer Overflow Vulnerability (BID 7116) using TCP port 80.
- Microsoft UPnP NOTIFY Buffer Overflow Vulnerability (BID 3723).
- Microsoft Workstation Service Buffer Overrun Vulnerability (BID 9011) using TCP port 445.
Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049.
- Microsoft Windows SSL Library Denial of Service Vulnerability (BID 10115).
- VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (BID 11974).
- Microsoft Windows Plug and Play Buffer Overflow Vulnerability (BID 14513).
- Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
- Microsoft .NET Framework PE Loader Remote Buffer Overflow Vulnerability (BID 24778).
- Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107).
- Recent variants of the Spybot worm family exploit several known vulnerabilities, including a SAV 10/SCS 3 vulnerability (SYM06-010), reported in May 2006. A patch for this vulnerability was made available at that time. Symantec highly recommends that users of the affected products patch their systems as soon as they are able to help avoid the spread of this particular Spybot worm family. If systems are infected with any Spybot variant and this security patch has not been applied, please read the document, Attempting to migrate from 10.x to a newer version fails after becoming infected with a worm which exploits SYM06-010.
- IPS signatures against all known and unknown exploits of SYM06-010 were released on May 26, 2006.
- Excessive network traffic caused by an infection may result in a significant degradation of network performance.
- Please note that this detection is modified on a daily basis and as such it is recommended that virus definitions be updated frequently.
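The Symantec description above gives a defender two observable traits: the worm fans out to many peers on the exploit ports it lists (TCP 135, 445, 80 and UDP 1434) and at the same time holds an IRC session for instructions. The following Python is an added example, not code from the post, Dell or Symantec; it flags hosts that show both traits in constructed flow records. The record format, the IRC port 6667 and the target threshold are assumptions.

```python
"""Flag hosts whose outbound flows match the Spybot spread pattern:
many distinct peers on the exploit ports named by Symantec plus an
IRC-style session. Constructed sample data; thresholds are assumed."""
from collections import defaultdict

# (protocol, port) pairs taken from the Symantec description above.
SPREAD_PORTS = {("tcp", 135), ("tcp", 445), ("tcp", 80), ("udp", 1434)}
# IRC is the C2 channel in the description; 6667 is an assumed default port.
IRC_PORTS = {("tcp", 6667)}

# Constructed flow records in the form "src dst proto dport".
SAMPLE_FLOWS = """\
10.0.0.5 10.0.0.21 tcp 445
10.0.0.5 10.0.0.22 tcp 445
10.0.0.5 10.0.0.23 tcp 135
10.0.0.5 10.0.0.24 tcp 135
10.0.0.5 10.0.0.25 udp 1434
10.0.0.5 10.0.0.26 tcp 445
10.0.0.5 198.51.100.9 tcp 6667
10.0.0.7 10.0.0.40 tcp 445
10.0.0.7 10.0.0.40 tcp 80
10.0.0.9 203.0.113.4 tcp 6667
""".splitlines()


def parse_flow(line):
    """Split one record into (src, dst, proto, dport)."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def spybot_suspects(lines, min_targets=5):
    """Return {src: sorted targets} for sources that reached at least
    `min_targets` distinct hosts on spread ports AND contacted an IRC port.
    Breadth alone (a backup server, a scanner) or IRC alone (a chat client)
    is not enough; the combination is what the worm's behaviour implies."""
    spread = defaultdict(set)
    irc_talkers = set()
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        if (proto, dport) in SPREAD_PORTS:
            spread[src].add(dst)
        elif (proto, dport) in IRC_PORTS:
            irc_talkers.add(src)
    return {src: sorted(dsts) for src, dsts in spread.items()
            if len(dsts) >= min_targets and src in irc_talkers}


if __name__ == "__main__":
    for host, targets in spybot_suspects(SAMPLE_FLOWS).items():
        print(host, "->", len(targets), "spread-port targets plus IRC")
```

Only 10.0.0.5 is flagged: 10.0.0.7 touches a single peer and 10.0.0.9 only talks IRC.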
An email statement from Forrest Norrod, vice president and general manager of server platforms, was later released:
Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers – PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software. This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware. Customers can find more information on Dell’s community forum.