Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Zotob Worm Remover

From: James Tucker <jftucker () gmail com>
Date: Mon, 22 Aug 2005 22:08:24 +0100
It seems to me that the attack was less than a week old from the start date. Default settings on a relatively unchanged box would provide a suitable window of opportunity given the availability of the worm to the deployer. This is more important than network connectivity, which is not of security concern as this is not the exploited layer. Disconnecting networks is what you suggest when you're in trouble, not when you're trying to maintain the daily balance of cost vs function. Moreover, wireless is recieving the blame - however this will only continue whilst your laptop is the device you are using. Eventually will you blame the mobile phone companies for allowing "dangerous traffic" to flow through the repeaters? What about sattelite links - should we filter those and knock the latency up another notch? No, it's the software, once again. Connectivity increases exposure, it doesn't decrease security - the two are not one and the same. 1000 laptops in a city centre network becoming infected less than a week from update release would be unsuprising (read: defaults are once a week at 3). The security of these laptops was not compromised by the wireless presence, it was a medium of travel only. Now lets say, we go back in time and remove all of the wireless NIC's. Now, there are only 750 laptops cause we can't generate as much revenue (joke), and of these they're all still connected, just with a different medium. The medium is (specification)centralised and routable in the same manner (ah, so the medium can have 'implications' ;) - the infection rate is the same. Why? because they are all connected. It's BEING CONNECTED not BEING WIRELESS that's the issue here. Yes you may argue, pointlessly however, that wireless has increased average connectivity, however once again, this is only a medium. It's business/personal drive that requires connectedness, not the technology itself. 

Todd Towles wrote:

This is correct for the first day, maybe two. Then unpatched laptops
leave the corporate network, hit the internet outside the firewall and
then bring the worm back right to the heart of the network the very next
day, bypassing the firewall all together. Firewall is just one step..it
isn't a solve all. Patching would be the only way to stop this threat in
all vectors. That was my point.

If you aren't blocking 445 on the border of your network, you have must
worse problems with Zotob.



-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com] Sent: Monday, August 22, 2005 3:15 PM 
To: Todd Towles
Cc: n3td3v; full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Zotob Worm Remover

On Mon, 22 Aug 2005, Todd Towles wrote:
Wireless really isn't a issue. You can get a worm from a
cat 5 as easy
as you can from wireless. The problem was they weren't patched. Why weren't they patched? Perhaps Change policy slowed them
down, perhaps
it was the fear of broken programs..perhaps it was the QA group..it doesn't really matter. They go the worm because they were 

not patched.

And because they didn't properly filter port 445 is my understanding.
Unpatched systems behind FW's that fliter 445 were untouched.

Thanks,

Ron DuFresne
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King 
       ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: