RPC Firewall Dubbed 'Ransomware Kill Switch' Released to Open Source

cryogent

cryogent

Level 7
Thread author
Verified
Well-known
Oct 1, 2016
310
Content source
https://www.securityweek.com/rpc-firewall-dubbed-ransomware-kill-switch-released-open-source
Today at Black Hat London, Zero Networks announced the release of its RPC firewall – also dubbed the ‘ransomware kill switch’ – into open source. The tool provides granular control over RPC, capable of blocking the use of lateral movement hacker tools and stopping almost all ransomware in its tracks.

Microsoft’s Remote Procedure Call (MS-RPCE) lies at the heart of Windows. It effectively manages the relationship between clients and servers – if a client requests from a server, it goes through RPC; This happens both locally and between remote devices.

RPC was introduced into Windows back in the days of Windows 2000 and has been ever-present since then. This has two effects. Firstly, RPC was built with little or no security. While there is a documented Event for a remote RPC call, it hasn’t been implemented. Further, the Event Tracing for Windows (ETW) option will likely result in millions of RPC client/server events every hour, but doesn’t tell you where the call came from, nor which user was concerned.

Secondly, RPC use has spread over time into every aspect of Windows computing. “There is almost nothing you can do without RPC -- whether to get information or change information. Everything is done via RPC,” explains Benny Lakunishok, co-founder and CEO at Zero Networks, and another product of Israel’s IDF conveyor belt.
Click to expand...
 
Last edited by a moderator:
  • Like
  • +Reputation
Reactions: Thigas, simmerskool, Gandalf_The_Grey and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
simmerskool said:
more info here. @Andy Ful might want to take a look at this, ref a tool for win10 / win11, or not??

github.com

GitHub - zeronetworks/rpcfirewall

Contribute to zeronetworks/rpcfirewall development by creating an account on GitHub.
github.com github.com
Click to expand...
No info available. It probably works on all Windows versions.

The following services depend on the RPC service:

  • Background Intelligent Transfer Service
  • COM+ Event System
  • Distributed Link Tracking Client
  • Distributed Transaction Coordinator
  • Fax Service
  • Indexing Service
  • IPSec Policy Agent
  • Messenger
  • Network Connections
  • Print Spooler
  • Protected Storage
  • Removable Storage
  • Routing Information Protocol (RIP) Listener
  • Routing and Remote Access
  • Task Scheduler
  • Telephony
  • Telnet
  • Windows Installer
  • Windows Management Instrumentation
 
  • Thanks
Reactions: simmerskool
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
Mozi malware botnet goes dark after mysterious use of kill-switch
Replies
1
Views
839
News Archive
ForgottenSeer 97327
F
Gandalf_The_Grey
    • Wow
    • Like
    • HaHa
Ransomware gangs abuse Process Explorer driver to kill security software
Replies
15
Views
2,719
News Archive
Trident
Trident
Victor M
Security News Volt Typhoon attacks infrastructure of SOHOs
Replies
0
Views
1,615
Security News
Victor M
Victor M

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top