Full Disclosure mailing list archives

RE: RE: DCOM RPC exploit


From: "Steve W. Manzuik" <steve () entrenchtech com>
Date: Sun, 27 Jul 2003 08:54:43 -0700

Compare the number of boxes that have the bug Slapper 
exploited with the number of boxes that have DCOM open to the 
world....

Do you have a stat on the number of boxes with DCOM open?  Do you really
think that the number of organizations still not filtering 135 etc. outnumber
those running IIS?  Yes, you can exploit this via IIS -- IF IT IS ENABLED
(read: not default).

And of course, anybody who's got half a clue and writes a 
worm is going to have it drop off a trojan/backdoor... And 
then those boxes get used as spam relays, front-end boxes for 
porn websites, keyboard sniffers, etc etc.  Gonna take a LONG 
time to clean that mess up.

Sure, but have there actually been any "good" worms yet? 

Hell, we're *still* seeing Code Red traffic.  And what we've 
*NOT* seen in the last 2 years is a CERT advisory of this 
magnitude against a Microsoft product that didn't spawn a 
"Holy Shit" scale worm.

Don't forget Nimda as well.  But seriously, does Code Red or Nimda actually
cause you connectivity issues?  I see a ton of Code Red/Nimda-like traffic
on various logs and yet the effect is pretty much zero.

Unfortunately, we've gotten so lulled by the "Just another 
damned worm" scenario that maybe it's NOT a big deal anymore.
And that's just as scary as the actual worm.

If your boxes are patched, firewalls configured properly, IDS tuned and
running -- why would this new worm be so scary?  The only reason that yet
another worm is going to be scary is that people don't patch their boxes or
configure them to be "secure".  Perhaps I am missing something but I think
Code Red and the likes did everyone a huge favor -- forced people to patch
systems, put script kiddies and consultants alike out of business.

Hell, maybe I will write one myself.   ;-)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html