Educause Security Discussion mailing list archives
Re: DShield and Symantec report MSBlast in wild
From: Jim Moore <jhmfa () RIT EDU>
Date: Tue, 12 Aug 2003 14:56:06 -0400
To get a quality check on communication, or to determine if there is more than 1 variant. ISS reports the percentages on the offset as being 60-40.

Jim

-----Original Message-----
From: Marty Hoag [mailto:Marty.Hoag () NDSU NODAK EDU]
Sent: Tuesday, August 12, 2003 2:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DShield and Symantec report MSBlast in wild

We've had some anecdotal reports of systems crashing and doing other weird stuff since yesterday. In at least one case this was "corrected" when they finally patched the RPC vulnerability (they thought they had done that a couple weeks ago but...).

Anyway, we have been blocking TFTP (UDP port 69) for a long time and I wonder if the remote shell is stalling when it tries to fire that up tftp to get msblast and this causes instabilities. (In other words the RPC vulnerability is being used to set up the remote shell on port 4444 to execute the tftp command).

But I also read on the Symantec analysis that there is an 80% chance of the worm using the XP offset and 20% using 2000. So what happens when it tries to compromise "the other" system? Does it just fail? Does it cause a problem on the attacked system? (I guess I'm assuming the offset is in the exploit being sent to port 135 but I'm not sure).

The Symantec info is at https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf

marty

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
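The sequence described in the quoted message (RPC on port 135, a shell on port 4444, then a TFTP fetch on UDP port 69) can be looked for in firewall or flow logs, including the case where TFTP is blocked and the chain stalls after the shell. The following is an added example, not part of the original messages: the record format, the 60-second window, and the assumption that the TFTP request goes back to the host that opened the shell are illustrative choices, and the sample flows are constructed.

```python
from collections import namedtuple

# Hypothetical flow record layout: time (s), source, destination, protocol, dest port, firewall action.
Flow = namedtuple("Flow", "ts src dst proto dport action")

# Constructed sample records (documentation address ranges), not data from the thread.
SAMPLE_FLOWS = [
    Flow(100, "198.51.100.7", "192.0.2.10", "tcp", 135, "allow"),
    Flow(102, "198.51.100.7", "192.0.2.10", "tcp", 4444, "allow"),
    Flow(103, "192.0.2.10", "198.51.100.7", "udp", 69, "deny"),    # TFTP blocked at the border
    Flow(200, "198.51.100.7", "192.0.2.11", "tcp", 135, "allow"),  # probe only, no shell seen
    Flow(300, "192.0.2.12", "203.0.113.5", "udp", 69, "allow"),    # unrelated TFTP traffic
    Flow(400, "198.51.100.9", "192.0.2.13", "tcp", 135, "allow"),
    Flow(401, "198.51.100.9", "192.0.2.13", "tcp", 4444, "allow"),
    Flow(900, "192.0.2.13", "198.51.100.9", "udp", 69, "allow"),   # too late to correlate
]

def classify_chains(flows, window=60):
    """Return {(source, target): stage} for every pair that begins with tcp/135.

    Stages: "rpc" -> "shell" -> "tftp-blocked" or "tftp-allowed".
    Later steps only count if they occur within `window` seconds of the tcp/135 flow.
    """
    stages = {}  # (source, target) -> [stage, timestamp of the tcp/135 flow]
    for f in sorted(flows, key=lambda f: f.ts):
        if f.action == "allow" and (f.proto, f.dport) == ("tcp", 135):
            stages.setdefault((f.src, f.dst), ["rpc", f.ts])
        elif f.action == "allow" and (f.proto, f.dport) == ("tcp", 4444):
            st = stages.get((f.src, f.dst))
            if st and st[0] == "rpc" and f.ts - st[1] <= window:
                st[0] = "shell"
        elif (f.proto, f.dport) == ("udp", 69):
            # Direction is reversed here: the target requests the file from the source.
            st = stages.get((f.dst, f.src))
            if st and st[0] == "shell" and f.ts - st[1] <= window:
                st[0] = "tftp-blocked" if f.action == "deny" else "tftp-allowed"
    return {pair: st[0] for pair, st in stages.items()}

if __name__ == "__main__":
    for (source, target), stage in classify_chains(SAMPLE_FLOWS).items():
        print(f"{source} -> {target}: {stage}")
```

Pairs that stop at "shell" or "tftp-blocked" are the hosts worth checking for a missing RPC patch, since the first two steps already succeeded against them.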
Current thread:
- DShield and Symantec report MSBlast in wild Phil Rodrigues (Aug 11)
- <Possible follow-ups>
- Re: DShield and Symantec report MSBlast in wild Marty Hoag (Aug 12)
- Re: DShield and Symantec report MSBlast in wild Jim Moore (Aug 12)
- Re: DShield and Symantec report MSBlast in wild Phil Rodrigues (Aug 13)
- Re: DShield and Symantec report MSBlast in wild Marty Hoag (Aug 13)
- Re: DShield and Symantec report MSBlast in wild Doug Sandford (Aug 13)
- Re: DShield and Symantec report MSBlast in wild Michelle Mueller (Aug 14)