Re: Blaster: will it spread without tftp?

["Matthew Murphy" <mattmurphy () kc rr com>]

"Maarten" <subscriptions () hartsuijker com> writes:

> I was wondering about the following scenario:
>
> Lots of corporate network are protected by firewalls and users are forced
to
> use a proxy server to connect to the internet. Because of the firewalling,
> the worm will not be able to infect the clients directly from the
Internet.
> Of course there are always servers that are building bridges between the
> corporate network and the internet or laptop users that get infected by
> using their dial-up/DSL @ home.
>
> But if the worm enters the network through for instance an infected
laptop,
> can it still spread around on the network? By analyzing the threads on
this
> list and reading the info provided by anti-virus vendors I tend to draw
the
> following conclusion.
>
> - A worm can enter the network through an infected laptop/workstation or a
> vulnerable server connected to the internet.
> - these infected machines can exploit the vulnerability on other
vulnerable
> systems on the Internal network causing them to reboot (and reboot, and
> reboot)
> - since these other vulnerable systems are using a proxy server to connect
> to the internet and a firewall prevents all other connections, tftp
servers
> on the Internet can not be accessed
> - since tftp servers can not be accessed, msblaster.exe can not be
> downloaded
> - since msblaster.exe can not be downloaded these other systems will not
> start to infect other systems...
>
> Am I correct on these last two points? Or is this only true in case
someone
> puts an infected laptop on the network (that is not able to connect to the
> internet using tftp, while a webserver might be when it is located in a
> misconfigured DMZ environment)?

Incorrect, for most setups.  Some firewalls at the router (NAT, for
instance) block packets into/out of the LAN.  This means that machines from
the internet cannot communicate with the LAN, and visa versa.  However,
machines on the LAN can communicate with *each other* (thus the ability to
connect to the proxy server).  So, if an infected system is introduced, it
*can* spread to the LAN, but infections of systems on the internet will
fail, as they cannot TFTP back to the firewalled box.

> Of course this is only one worm variant
> exploiting this vulnerability and we might have a totally different case
on
> the next one, but I am still curious if I am on the right track
> understanding the impact of the worm.

Yes, indeed.  Had the worm author been more skilled, we probably would have
seen a Code Red style worm, with the entire worm transmitted as shellcode in
the initial packet exchange over 135/tcp.  This would eliminate the efficacy
of blocking TFTP (69/udp) or 4444/tcp.

> I also read something about SP0|1|2 on W2K not being vulnerable to
msblaster
> (probably because of the "universal" offsets used). Is there anyone that
can
> confirm this finding?

I can refute this finding.  Windows 2000 (all service packs) is being
actively exploited by this worm.  Compromised Windows 2000 boxes have been
probing fairly consistently.  eEye's official write-up specifically mentions
W2K Gold-SP2 as vulnerable.  By "Universal" offset, they weren't kidding --
one offset works on Windows 2000 Gold-SP4, all languages, and one offset
works on Windows XP Gold/SP1 32-bit, all languages.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html