Security Incidents mailing list archives
RE: Blaster Recurrence
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Mon, 2 Feb 2004 13:06:29 -0500
E. Jimmy Allotey wrote Friday, January 30, 2004 12:55
I am seeing some new occurrences on reformatted machines on my network. They appeared on machines which were reformatted and connected to the network before installation of patches and anti-virus software (idiots!!!!) We have checked all the other machines here which were unaffected and they are fine.
Either your users found an oddball infection vector (not too likely on multiple new builds), or something on your network is still infected.

Sniff the LAN for Blaster traffic. It is the only way to be confident you have caught everything. If you are in a switched environment, it might be easiest to sniff at a router or just inside the firewall. Ideally, keep on sniffing forever.

The list of _possible_ infection vectors is pretty long.

Common possibilities:
- Some printers and copiers run embedded Windows NT or 2000 that can be infected.
- Wireless connections.
- Visitors' computers.
- Employees' home computers "temporarily" connected at work.
- Builds being performed at home.
- Machines that appear patched may not actually be.
- A machine was just plain missed in the patch records.

Lesser possibilities:
- Infected ghost images.
- Hostile web sites.
- Hostile user.
- Hostile email.
- VPN connections (what's the RFC for BoI - Blaster over IPSec?) :-)
- Etc etc.
Current thread:
- Blaster Recurrence E. Jimmy Allotey (Feb 02)
- RE: Blaster Recurrence James C Slora Jr (Feb 02)
- Re: Blaster Recurrence Neil Anderson (Feb 02)
- RE: Blaster Recurrence Dave Paris (Feb 03)
- Re: Blaster Recurrence Nick FitzGerald (Feb 03)
- RE: Blaster Recurrence E. Jimmy Allotey (Feb 03)
- <Possible follow-ups>
- RE: Blaster Recurrence Henderson, Dennis K. (Feb 02)