Educause Security Discussion mailing list archives

Re: FW: W32/Blaster on Abilene


From: SECURITY SECURITY <SECURITY () MAIL MCG EDU>
Date: Fri, 15 Aug 2003 13:26:06 -0400

We set up a test environment in the lab, to include a PC infected with the W32.Blaster worm. We tried to get the windowsupdate.com part of the worm to launch by changing the date stamp on the PC to the 16th and rebooting. We were unsuccessful in getting this to work. Has anyone been successful in a lab environment in getting this to work? Thanks

James Van Meter
Manager, Network Security
Medical College of Georgia

mbruhn () INDIANA EDU 8/12/2003 2:42:07 PM >>>
The list of sourcing sites that Doug mentions below will include Abilene-connected campuses as well as those other campuses that are generating a lot of worm traffic to Abilene-connected campuses.

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research -- cacr.iu.edu

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu 
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu 




-----Original Message-----
From: renisac 
Sent: Tuesday, August 12, 2003 12:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: W32/Blaster on Abilene


As you're all probably painfully aware by now, a worm exploit of the Microsoft DCOM RPC vulnerability, W32/Blaster, was unleashed on Monday August 11. Details regarding the vulnerability and exploit can be found at the references provided below.

Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the network. We're performing an analysis of Abilene netflow data, and early this afternoon will provide a private communication to sites that are sourcing a large amount of worm traffic.

Recommendations for network border filtering are included in the CERT W32/Blaster advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be defined as input and output - to protect yourselves and to protect from infecting others.

References:

Microsoft DCOM RPC:
        http://www.cert.org/advisories/CA-2003-16.html 
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 

W32/Blaster:
        http://www.cert.org/advisories/CA-2003-20.html 


Regards,

Doug Pearson
Director, REN-ISAC
Indiana University
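The netflow analysis Doug describes, identifying sites that source a large amount of worm traffic, can be illustrated with a small flow-record triage script. This is an added example, not code from REN-ISAC or anyone on the thread. It assumes a simplified whitespace-separated flow export (constructed sample records below, not real Abilene data), aggregates sources per /24 as a stand-in for a "site" (an assumption), counts connection attempts to 135/tcp (the DCOM RPC port named in the referenced CA-2003-20 advisory, not on this page), and flags networks above an arbitrary threshold. UDP flows and non-RPC ports are deliberately excluded so that ordinary traffic from the same network does not inflate the count.

```python
"""Rank source networks by 135/tcp connection attempts seen in flow records."""
from collections import Counter
import ipaddress

# Constructed sample flow records (not real data). Layout, one flow per line:
# start_time src_ip dst_ip proto src_port dst_port packets
SAMPLE_FLOWS = """\
2003-08-11T14:02:01 192.0.2.17 198.51.100.5 tcp 1034 135 3
2003-08-11T14:02:01 192.0.2.17 198.51.100.6 tcp 1035 135 3
2003-08-11T14:02:02 192.0.2.17 198.51.100.7 tcp 1036 135 3
2003-08-11T14:02:02 192.0.2.17 198.51.100.8 tcp 1037 135 3
2003-08-11T14:02:03 192.0.2.17 198.51.100.9 tcp 1038 135 3
2003-08-11T14:02:03 192.0.2.40 198.51.100.21 tcp 1122 135 3
2003-08-11T14:02:04 192.0.2.40 198.51.100.22 tcp 1123 135 3
2003-08-11T14:02:04 203.0.113.9 198.51.100.30 tcp 2001 135 8
2003-08-11T14:02:05 203.0.113.9 198.51.100.31 tcp 2002 80 12
2003-08-11T14:02:05 203.0.113.9 198.51.100.32 udp 2003 135 1
"""

# Hypothetical choices for this example: DCOM RPC listens on 135/tcp (per the
# referenced CERT advisory); a /24 stands in for a "site".
RPC_PORT = 135
SITE_PREFIX_LEN = 24


def parse_flows(text):
    """Parse the simplified flow layout into a list of dicts, skipping bad lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed record: skip it rather than abort the analysis
        ts, src, dst, proto, sport, dport, pkts = fields
        flows.append({
            "time": ts,
            "src": src,
            "dst": dst,
            "proto": proto.lower(),
            "sport": int(sport),
            "dport": int(dport),
            "packets": int(pkts),
        })
    return flows


def count_rpc_sources(flows, prefix_len=SITE_PREFIX_LEN, dst_port=RPC_PORT):
    """Count TCP flows to dst_port per source network (prefix_len aggregation)."""
    counts = Counter()
    for flow in flows:
        if flow["proto"] != "tcp" or flow["dport"] != dst_port:
            continue  # only TCP attempts against the RPC port are worm-relevant here
        net = ipaddress.ip_network(f"{flow['src']}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def sourcing_sites(counts, threshold):
    """Networks whose RPC flow count meets the threshold, busiest first."""
    return [(net, n) for net, n in counts.most_common() if n >= threshold]


def analyze(text=SAMPLE_FLOWS, threshold=5):
    """End-to-end: parse, aggregate, and return the networks worth notifying."""
    return sourcing_sites(count_rpc_sources(parse_flows(text)), threshold)


if __name__ == "__main__":
    for net, n in analyze():
        print(f"{net}: {n} connection attempts to {RPC_PORT}/tcp")
```

On the constructed sample only 192.0.2.0/24 crosses the threshold: the legitimate-looking 203.0.113.9 makes a single 135/tcp connection and its web and UDP traffic is not counted. In practice the threshold would be set from a baseline of normal RPC activity, and the output is the starting point for the kind of private notification Doug mentions, not a block list.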

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

