Educause Security Discussion mailing list archives

Re: DShield and Symantec report MSBlast in wild


From: Jim Moore <jhmfa () RIT EDU>
Date: Tue, 12 Aug 2003 14:56:06 -0400

To get a quality check on communication, or to determine if there is
more than 1 variant.  ISS reports the percentages on the offset as being
60-40.

Jim
-----Original Message-----
From: Marty Hoag [mailto:Marty.Hoag () NDSU NODAK EDU] 
Sent: Tuesday, August 12, 2003 2:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DShield and Symantec report MSBlast in wild


    We've had some anecdotal reports of systems crashing and doing
other weird stuff since yesterday. In at least one case this was
"corrected" when they finally patched the RPC vulnerability (they
thought they had done that a couple weeks ago but...).

    Anyway, we have been blocking TFTP (UDP port 69) for
a long time and I wonder if the remote shell is stalling
when it tries to fire up tftp to get msblast and this causes
instabilities. (In other words the RPC vulnerability is being used to
set up the remote shell on port 4444 to execute the tftp command).

    But I also read on the Symantec analysis that there
is an 80% chance of the worm using the XP offset and
20% using 2000.  So what happens when it tries to
compromise "the other" system. Does it just fail?
Does it cause a problem on the attacked system?
(I guess I'm assuming the offset is in the exploit
being sent to port 135 but I'm not sure).  The
Symantec info is at
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

    marty

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
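The thread above describes the three-stage sequence the worm uses (exploit against TCP/135, remote shell on TCP/4444, then a tftp fetch over UDP/69 back to the attacking host) and asks what a perimeter that blocks tftp actually sees. The following script is an added example, not code from the list or from either poster: it correlates constructed firewall log lines per attacker/victim pair and reports how far each victim got through that sequence, so an operator can tell "probe only" from "shell reached but tftp fetch blocked" from "fetch allowed". The log format, the IP addresses and the verdict names are all assumptions made for the example; the one behavioural assumption taken from the message is that the tftp transfer runs from the victim back toward the attacker, so it is matched on the reverse direction of the other two stages.

```python
"""Correlate firewall logs into per-victim MSBlast stage findings (added example)."""
import re
from collections import defaultdict

# Constructed log format for this example: "<date> <time> ALLOW|DENY TCP|UDP src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines: four victims at four different stages plus one unparsable line.
SAMPLE_LOGS = [
    "2003-08-12 14:01:03 ALLOW TCP 192.0.2.10:1034 -> 10.0.1.7:135",
    "2003-08-12 14:01:04 ALLOW TCP 192.0.2.10:1035 -> 10.0.1.7:4444",
    "2003-08-12 14:01:05 DENY UDP 10.0.1.7:1036 -> 192.0.2.10:69",    # tftp blocked at perimeter
    "2003-08-12 14:02:10 ALLOW TCP 192.0.2.11:2201 -> 10.0.1.8:135",
    "2003-08-12 14:02:11 ALLOW TCP 192.0.2.11:2202 -> 10.0.1.8:4444",
    "2003-08-12 14:02:12 ALLOW UDP 10.0.1.8:2203 -> 192.0.2.11:69",   # tftp fetch allowed through
    "2003-08-12 14:03:00 DENY TCP 192.0.2.12:3300 -> 10.0.1.9:135",   # exploit never reached host
    "2003-08-12 14:03:30 ALLOW TCP 192.0.2.13:3400 -> 10.0.1.20:135", # probe only, no later stages
    "not a firewall record",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def correlate(lines):
    """Group events by (attacker, victim) and assign each victim a stage verdict.

    Verdict names are assumptions made for this example:
      blocked_at_perimeter  exploit traffic to 135/tcp was denied
      rpc_only              135/tcp allowed, no shell or tftp traffic seen
      shell_stage           4444/tcp reached, no tftp traffic seen yet
      tftp_blocked          shell reached, victim's 69/udp fetch toward attacker denied
      payload_fetched       shell reached, victim's 69/udp fetch toward attacker allowed
    """
    stages = defaultdict(dict)  # (attacker, victim) -> {"rpc"|"shell"|"tftp": action}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip noise rather than fail the whole run
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            stages[(ev["src"], ev["dst"])]["rpc"] = ev["action"]
        elif ev["proto"] == "TCP" and ev["dport"] == 4444:
            stages[(ev["src"], ev["dst"])]["shell"] = ev["action"]
        elif ev["proto"] == "UDP" and ev["dport"] == 69:
            # Assumption from the thread: the victim fetches the payload from the attacker,
            # so the tftp flow is victim -> attacker and the pair key is reversed here.
            stages[(ev["dst"], ev["src"])]["tftp"] = ev["action"]

    findings = {}
    for (attacker, victim), st in stages.items():
        if st.get("rpc") == "DENY" and "shell" not in st:
            verdict = "blocked_at_perimeter"
        elif st.get("shell") == "ALLOW" and st.get("tftp") == "ALLOW":
            verdict = "payload_fetched"
        elif st.get("shell") == "ALLOW" and st.get("tftp") == "DENY":
            verdict = "tftp_blocked"
        elif st.get("shell") == "ALLOW":
            verdict = "shell_stage"
        else:
            verdict = "rpc_only"
        findings[victim] = {"attacker": attacker, "stages": dict(st), "verdict": verdict}
    return findings


def needs_attention(findings):
    """Victims where the shell stage was reached: these hosts need patching regardless of tftp."""
    return sorted(v for v, f in findings.items()
                  if f["verdict"] in ("shell_stage", "tftp_blocked", "payload_fetched"))


if __name__ == "__main__":
    report = correlate(SAMPLE_LOGS)
    for victim, f in sorted(report.items()):
        print(f"{victim:10} from {f['attacker']:12} -> {f['verdict']}")
    print("hosts to patch now:", needs_attention(report))
```

The "tftp_blocked" verdict is the situation Marty describes: the 135/tcp exploit and the 4444/tcp shell both got through, so the host is already compromised and should be patched even though the download never completed; blocking UDP/69 limits spread but does not make the victim clean. On real logs the field order, the timestamp format and the action keywords will differ, so `LOG_RE` is the part to adapt.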
